Nasty stuff, Virtumonde among other infections. Help please. Logs included



methtical
2008-02-29, 08:31
Hi, first-time poster here, and may I say that you guys are awesome for taking the time to help!

To start it off, here's some general observations recently (started happening a few days ago):

1. Upon starting the computer and logging into the desktop, the first thing that pops up is the following error message:

"RUNDLL
Error loading C:/WINDOWS/system32/kuncfggg.dll
The specified module could not be found"

2. I've been running Spybot S&D for the past few days straight, and allowing it to fix the found problems, but Virtumonde keeps recurring. The latest Spybot S&D scan found these:
- Virtumonde
- MailSkinner.rtk

Now, here's part of the Kaspersky Scan Report Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 9:15:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 586391
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 144573
Number of viruses found: 44
Number of infected objects: 969
Number of suspicious objects: 3
Duration of the scan process: 02:42:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip/wlxumnlh.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde1.zip/vtlvxspu.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde104.zip/awlakaup.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde104.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde105.zip/mlljk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tm skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde105.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde2.zip/sqltpcec.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde29.zip/ypmserrp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde29.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde3.zip/qxqhhkox.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde30.zip/xwdihqsp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde30.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip/xuecqlym.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde32.zip/vxoplttj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde32.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde33.zip/vopbuwhf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde33.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde34.zip/vidhneld.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde34.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde35.zip/vcqtnshx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde35.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde36.zip/urjphndu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde36.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde37.zip/ucsxucmq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde37.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde38.zip/tygvuydk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde38.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde39.zip/tsdfovqu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde39.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde40.zip/tiuhfuel.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde40.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde41.zip/scylxtta.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde41.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde42.zip/rrktofwu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde42.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde43.zip/qeuxmvfg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde43.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde44.zip/pwfijpdh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde44.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde45.zip/puvebjkw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde45.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde46.zip/pndxlybd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde46.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde47.zip/ohghmmtw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde47.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde48.zip/oaaebqkl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde48.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde49.zip/nvuygtac.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde49.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde50.zip/nqpswpye.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde50.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde51.zip/nnaxlavu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde51.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde52.zip/ndcdhrri.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde52.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde53.zip/nbsbfgai.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde53.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde54.zip/mygkopke.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde54.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde55.zip/mydjpioa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde55.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde56.zip/mrtosile.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde56.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde57.zip/mnufswiw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde57.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde58.zip/mamgphso.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde58.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde59.zip/lqjkunpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde59.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde60.zip/lfncfnyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde60.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde61.zip/kkadvfww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde61.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde62.zip/kiololhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde62.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde63.zip/jyspppqu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde63.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde64.zip/hbeqqyvm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde64.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde65.zip/gkeyovys.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde65.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde66.zip/frxbriup.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde66.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde67.zip/frnojfjc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde67.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde68.zip/fpopxmnu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde68.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde69.zip/fpmjulvb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde69.zip ZIP: infected - 1 skipped

NOTE: I have the rest of the Kaspersky log as well as the HJT log saved & ready to post, but I'll limit my initial post here. I'll post it if it's needed. Thanks

random/random
2008-03-01, 14:12
Please post the Kaspersky and HijackThis logs. If the Kaspersky log is too large to post, you can zip it up (right click > Send To > Compressed (zipped) Folder) and upload it as an attachment.

methtical
2008-03-01, 23:03
Hey Random/Random, here's the Kaspersky log as a compressed zip attachment.

methtical
2008-03-01, 23:04
And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:02 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.239.151.231 db1.rapidshare.com
O1 - Hosts: 80.239.151.232 db2.rapidshare.com
O1 - Hosts: 80.239.151.233 db3.rapidshare.com
O1 - Hosts: 80.239.151.234 db4.rapidshare.com
O1 - Hosts: 80.239.151.235 db5.rapidshare.com
O1 - Hosts: 80.239.151.253 games.rapidshare.com
O1 - Hosts: 80.239.151.251 images.rapidshare.com
O1 - Hosts: 80.239.151.240 images2.rapidshare.com
O1 - Hosts: 82.129.39.245 kvm1.rapidshare.com
O1 - Hosts: 82.129.39.246 kvm2.rapidshare.com
O1 - Hosts: 82.129.39.247 kvm3.rapidshare.com
O1 - Hosts: 82.129.39.248 kvm4.rapidshare.com
O1 - Hosts: 82.129.39.249 kvm5.rapidshare.com
O1 - Hosts: 80.239.151.250 mail.rapidshare.com
O1 - Hosts: 80.239.151.250 ns1.rapidshare.com
O1 - Hosts: 80.239.151.234 ns2.rapidshare.com
O1 - Hosts: 80.239.151.250 pay.rapidshare.com
O1 - Hosts: 80.239.151.240 rem1.rapidshare.com
O1 - Hosts: 82.129.39.2 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.3 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.4 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.5 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.6 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.7 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.8 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.9 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.10 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.11 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.12 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.13 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.14 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.15 rs0cg.rapidshare.com
O1 - Hosts: 82.129.35.2 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.3 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.4 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.5 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.6 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.7 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.8 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.9 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.10 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.11 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.12 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.13 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.14 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.15 rs0cg2.rapidshare.com
O1 - Hosts: 80.152.62.2 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.3 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.4 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.5 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.6 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.7 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.8 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.9 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.10 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.11 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.12 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.13 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.14 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.15 rs0dt.rapidshare.com
O1 - Hosts: 64.215.245.2 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.3 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.4 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.5 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.6 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.7 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.8 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.9 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.10 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.11 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.12 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.13 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.14 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.15 rs0gc.rapidshare.com
O1 - Hosts: 207.138.168.2 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.3 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.4 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.5 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.6 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.7 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.8 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.9 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.10 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.11 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.12 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.13 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.14 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.15 rs0gc2.rapidshare.com
O1 - Hosts: 80.239.151.2 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.3 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.4 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.5 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.6 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.7 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.8 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.9 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.10 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.11 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.12 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.13 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.14 rs0l3.rapidshare.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {23bb667b-d70f-791b-8c94-2a42a2f7c743} - {347c7f2a-24a2-49c8-b197-f07db766bb32} - C:\WINDOWS\system32\sstdsbfb.dll
O2 - BHO: (no name) - {39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F2789578-501E-4C76-8D3F-27D73A59E9C1} - C:\WINDOWS\system32\esunpmkd.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [j3271830] rundll32 C:\WINDOWS\system32\j3271830.dll sook
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [rceatidum] c:\windows\system32\rceatidum.exe rceatidum
O4 - HKLM\..\Run: [886bea6d] rundll32.exe "C:\WINDOWS\system32\kuncfggg.dll",b
O4 - HKLM\..\Run: [BM8b58d9f1] Rundll32.exe "C:\WINDOWS\system32\tgryjfwg.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O20 - Winlogon Notify: tuvvwvu - tuvvwvu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 13266 bytes
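One way to triage O2/O4/O20 entries like the ones in the log above, as an added example that is not part of this thread or of HijackThis itself: a small Python script that applies review heuristics matching the traits of the Vundo/Virtumonde entries posted (rundll32 autoruns loading a DLL out of system32, BHOs without a readable name, Winlogon Notify packages outside the stock XP set). The allowlists are assumptions for the example, and the sample lines are a subset of the log above.

```python
"""Review heuristics for HijackThis (HJT) O2/O4/O20 log lines.

Added example, not part of the thread or of HijackThis. Flags entries that
share the traits of the Virtumonde entries in the posted log. The allowlists
below are assumptions for this example; extend them for your own machines.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a subset of the O2/O4/O20 lines from the HJT log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {23bb667b-d70f-791b-8c94-2a42a2f7c743} - {347c7f2a-24a2-49c8-b197-f07db766bb32} - C:\WINDOWS\system32\sstdsbfb.dll
O2 - BHO: (no name) - {39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [j3271830] rundll32 C:\WINDOWS\system32\j3271830.dll sook
O4 - HKLM\..\Run: [rceatidum] c:\windows\system32\rceatidum.exe rceatidum
O4 - HKLM\..\Run: [886bea6d] rundll32.exe "C:\WINDOWS\system32\kuncfggg.dll",b
O4 - HKLM\..\Run: [BM8b58d9f1] Rundll32.exe "C:\WINDOWS\system32\tgryjfwg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O20 - Winlogon Notify: tuvvwvu - tuvvwvu.dll (file missing)
"""


class Finding(NamedTuple):
    section: str   # HJT section code, e.g. "O4"
    target: str    # the path or command that was flagged
    reason: str    # why a reviewer should look at it


# Stock Winlogon Notify packages on Windows XP plus the Intel graphics one
# present in this log (assumption for the example).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
# Windows/driver autoruns that legitimately run out of system32 (assumption).
KNOWN_SYSTEM32_RUNS = {"ctfmon.exe", "igfxtray", "igfxhkcmd", "igfxpers"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?', re.I)
SYS32_RE = re.compile(r"\\system32\\", re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O2/O4/O20 line, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        # Legitimate BHOs register a readable name; a GUID or "(no name)" is a red flag.
        if name == "(no name)" or name.startswith("{"):
            return Finding("O2", path, "BHO registered without a readable name")
        return None
    m = O4_RE.match(line)
    if m:
        key, cmd = m.group("key"), m.group("cmd")
        r = RUNDLL_RE.match(cmd)
        # Vundo-style persistence: rundll32 loading a DLL straight out of system32.
        if r and SYS32_RE.search(r.group("dll")):
            return Finding("O4", r.group("dll"), "rundll32 autorun loading a DLL from system32")
        # Anything else launched from system32 that is not a known Windows/driver autorun.
        if SYS32_RE.search(cmd) and key not in KNOWN_SYSTEM32_RUNS:
            return Finding("O4", cmd, f"unrecognised autorun '{key}' running out of system32")
        return None
    m = O20_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if name.lower() not in KNOWN_NOTIFY:
            why = "Winlogon Notify package outside the stock set"
            if "(file missing)" in path:
                why += " (file missing: orphaned registry entry)"
            return Finding("O20", path, why)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and collect the hits."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.target}")
```

The output is a review list, not a verdict: a legitimate vendor can also ship a rundll32 autorun, so each hit still needs a look at the file's publisher and signature.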

random/random
2008-03-02, 11:47
Right-click here (http://downloads.subratam.org/ResetTeaTimer.bat) and click "Save Link As".
Save it as resetteatimer.bat to your desktop.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

We'll begin with ComboFix. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

methtical
2008-03-02, 21:22
Random/Random, do I need to follow all the suggestions on that link before running ComboFix, such as installing the Windows Recovery Console? I ask this because I've read some other similar threads where the security helper just instructs to download ComboFix, run it and post the resulting log. Can I run ComboFix without installing the Windows Recovery Console? Thanks

random/random
2008-03-02, 22:22
I recommend that you do install the Recovery Console, since it makes it much easier to recover your PC if it is unable to boot.

Having said that, as far as I know, none of my advice has ever caused a PC to become unbootable.

methtical
2008-03-03, 00:18
Alright, I've installed the Windows Recovery Console as you've recommended. Here's the ComboFix log:

ComboFix 08-03-03.6 - Blazin Azian 2008-03-02 14:57:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\w.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abaojcsg.dll
C:\WINDOWS\system32\abbuikpj.dll
C:\WINDOWS\system32\agqwdovl.dll
C:\WINDOWS\system32\aitkpynu.dll
C:\WINDOWS\system32\ajgjlahq.dll
C:\WINDOWS\system32\akxsitcl.dll
C:\WINDOWS\SYSTEM32\avwgtovl.ini
C:\WINDOWS\system32\bbmblqqj.dll
C:\WINDOWS\SYSTEM32\bloigjvs.ini
C:\WINDOWS\SYSTEM32\btufaubi.ini
C:\WINDOWS\system32\bucqobbj.dll
C:\WINDOWS\system32\cauaclwd.dll
C:\WINDOWS\SYSTEM32\cqduhxyi.ini
C:\WINDOWS\SYSTEM32\cxovqwdh.ini
C:\WINDOWS\system32\djbkyiyd.dll
C:\WINDOWS\system32\dloeursp.dll
C:\WINDOWS\system32\dlrdwmcx.dll
C:\WINDOWS\system32\dwcrrcqj.dll
C:\WINDOWS\SYSTEM32\dyiykbjd.ini
C:\WINDOWS\system32\ebjymykk.dll
C:\WINDOWS\system32\erjmardb.dll
C:\WINDOWS\system32\esunpmkd.dll
C:\WINDOWS\system32\euhgedry.dll
C:\WINDOWS\system32\fdtbslpa.dll
C:\WINDOWS\SYSTEM32\feimjyvv.ini
C:\WINDOWS\system32\fglgsklf.dll
C:\WINDOWS\system32\fgnldhdr.dll
C:\WINDOWS\system32\fhomacfr.dll
C:\WINDOWS\SYSTEM32\flksglgf.ini
C:\WINDOWS\system32\fpnucyyh.dll
C:\WINDOWS\system32\fpphgfrf.dll
C:\WINDOWS\SYSTEM32\fqnwsoim.ini
C:\WINDOWS\system32\fsfgikef.dll
C:\WINDOWS\system32\fvbtkrxh.dll
C:\WINDOWS\system32\gbwopxhe.dll
C:\WINDOWS\system32\gghfyyah.dll
C:\WINDOWS\SYSTEM32\glwrxovv.ini
C:\WINDOWS\system32\gpywehwe.dll
C:\WINDOWS\SYSTEM32\gscjoaba.ini
C:\WINDOWS\system32\gydbndvh.dll
C:\WINDOWS\system32\hcgmxqon.dll
C:\WINDOWS\SYSTEM32\hckyogkl.ini
C:\WINDOWS\system32\hdwqvoxc.dll
C:\WINDOWS\system32\hgjycbrl.dll
C:\WINDOWS\system32\hmcdphwf.dll
C:\WINDOWS\system32\ibuafutb.dll
C:\WINDOWS\system32\ijtaebiw.dll
C:\WINDOWS\SYSTEM32\ikgrquoi.ini
C:\WINDOWS\system32\iouqrgki.dll
C:\WINDOWS\system32\iseunrip.dll
C:\WINDOWS\SYSTEM32\iwujbreq.ini
C:\WINDOWS\system32\iyxhudqc.dll
C:\WINDOWS\system32\j3271830.dll
C:\WINDOWS\SYSTEM32\jbboqcub.ini
C:\WINDOWS\system32\jmotpfhs.dll
C:\WINDOWS\system32\kamwgsbd.dll
C:\WINDOWS\system32\kawcdrym.dll
C:\WINDOWS\SYSTEM32\kjllm.bak1
C:\WINDOWS\SYSTEM32\kjllm.bak2
C:\WINDOWS\SYSTEM32\kjllm.ini
C:\WINDOWS\SYSTEM32\kjllm.ini2
C:\WINDOWS\SYSTEM32\kjllm.tmp
C:\WINDOWS\system32\kovuaxxj.dll
C:\WINDOWS\SYSTEM32\lctisxka.ini
C:\WINDOWS\system32\lkgoykch.dll
C:\WINDOWS\SYSTEM32\lrbcyjgh.ini
C:\WINDOWS\system32\lucwmaok.dll
C:\WINDOWS\SYSTEM32\lvodwqga.ini
C:\WINDOWS\system32\lvotgwva.dll
C:\WINDOWS\system32\lyquvsyn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mioswnqf.dll
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\mudsmuoe.dll
C:\WINDOWS\SYSTEM32\muwyvebt.ini
C:\WINDOWS\system32\nduglwxe.dll
C:\WINDOWS\SYSTEM32\nkbxvjax.ini
C:\WINDOWS\SYSTEM32\noqxmgch.ini
C:\WINDOWS\system32\obviboxm.dll
C:\WINDOWS\system32\osuheuyn.dll
C:\WINDOWS\system32\pgoiuyfw.dll
C:\WINDOWS\system32\puclgkjy.dll
C:\WINDOWS\system32\pvmvlhkb.dll
C:\WINDOWS\system32\pywtlmtu.dll
C:\WINDOWS\system32\qerbjuwi.dll
C:\WINDOWS\system32\qmmcbmou.dll
C:\WINDOWS\SYSTEM32\qqkiklpu.ini
C:\WINDOWS\system32\rfgpbgqd.dll
C:\WINDOWS\system32\rodqdlyc.dll
C:\WINDOWS\system32\roguxufu.dll
C:\WINDOWS\system32\rspsguax.dll
C:\WINDOWS\system32\sosrdfch.dll
C:\WINDOWS\system32\sstdsbfb.dll
C:\WINDOWS\system32\stxrtoni.dll
C:\WINDOWS\system32\svjgiolb.dll
C:\WINDOWS\system32\tbevywum.dll
C:\WINDOWS\system32\tgryjfwg.dll
C:\WINDOWS\system32\tirqsxoo.dll
C:\WINDOWS\system32\tjthorcr.dll
C:\WINDOWS\system32\tuccrkst.dll
C:\WINDOWS\system32\tuouxkuq.dll
C:\WINDOWS\system32\ugydocfd.dll
C:\WINDOWS\system32\uibfuark.dll
C:\WINDOWS\system32\uiihyzg.dat
C:\WINDOWS\system32\uiihyzg_nav.dat
C:\WINDOWS\system32\uiihyzg_navps.dat
C:\WINDOWS\system32\uiiwebcs.dll
C:\WINDOWS\system32\ukdxosne.dll
C:\WINDOWS\SYSTEM32\unypktia.ini
C:\WINDOWS\SYSTEM32\uombcmmq.ini
C:\WINDOWS\system32\uplkikqq.dll
C:\WINDOWS\system32\uttfudns.dll
C:\WINDOWS\system32\vahtiqcl.dll
C:\WINDOWS\system32\vaxliluj.dll
C:\WINDOWS\system32\vekecdph.dll
C:\WINDOWS\system32\vvoxrwlg.dll
C:\WINDOWS\system32\vvyjmief.dll
C:\WINDOWS\SYSTEM32\wfyuiogp.ini
C:\WINDOWS\SYSTEM32\wgkkaqdx.ini
C:\WINDOWS\system32\wgmpdepl.dll
C:\WINDOWS\system32\wkjwhthy.dll
C:\WINDOWS\system32\wsaesxmr.dll
C:\WINDOWS\system32\xajvxbkn.dll
C:\WINDOWS\SYSTEM32\xaugspsr.ini
C:\WINDOWS\system32\xcuprayg.dll
C:\WINDOWS\system32\xdqakkgw.dll
C:\WINDOWS\system32\xxxgipik.dll
C:\WINDOWS\system32\ygaqfnyi.dll
C:\WINDOWS\system32\yjsuvqnv.dll
C:\WINDOWS\system32\ymbpkkaf.dll
C:\WINDOWS\system32\yxpukfwp.dll
C:\WINDOWS\system32\yykjvvim.dll
C:\WINDOWS\system32\zjxxwe.dat
C:\WINDOWS\system32\zjxxwe.exe
C:\WINDOWS\system32\zjxxwe_nav.dat
C:\WINDOWS\system32\zjxxwe_navps.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-02-27 12:52 . 2008-02-27 14:14 1,418 ---hs---- C:\WINDOWS\SYSTEM32\gggfcnuk.ini
2008-02-27 11:45 . 2008-02-27 12:46 1,298 --ahs---- C:\WINDOWS\SYSTEM32\nkrdouqq.ini
2008-02-27 09:50 . 2008-02-27 11:40 1,178 --ahs---- C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
2008-02-26 22:31 . 2008-02-26 22:53 594 --ahs---- C:\WINDOWS\SYSTEM32\krppxeha.ini
2008-02-26 21:21 . 2008-02-26 22:29 474 --ahs---- C:\WINDOWS\SYSTEM32\nucsjukr.ini
2008-02-26 18:38 . 2008-02-26 21:15 354 --ahs---- C:\WINDOWS\SYSTEM32\iyjymtpq.ini
2008-02-26 18:32 . 2008-03-03 14:57 21 --a------ C:\WINDOWS\pskt.ini
2008-02-26 10:18 . 2008-03-03 14:57 99,338 --a------ C:\WINDOWS\BM8b58d9f1.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2008-01-03 07:45 --------- d-----w C:\Program Files\Zoom Player
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46}]
C:\WINDOWS\system32\mlljk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"886bea6d"="C:\WINDOWS\system32\kuncfggg.dll" [ ]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
C:\WINDOWS\system32\mlljk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
pjvytjfd.dll 2006-09-11 17:02 188436 C:\WINDOWS\SYSTEM32\pjvytjfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvwvu]
tuvvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\WINDOWS\system32\lunckyrw.exe"= C:\WINDOWS\system32\lun
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*:Disabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*:Disabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCP:port
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 15:05:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pjvytjfd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2008-03-03 15:12:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 22:12:33
.
2008-02-28 22:01:43 --- E O F ---

methtical
2008-03-03, 00:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:33 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [886bea6d] rundll32.exe "C:\WINDOWS\system32\kuncfggg.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O20 - Winlogon Notify: tuvvwvu - tuvvwvu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 8014 bytes

random/random
2008-03-03, 21:05
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


You are running a P2P filesharing programme.

Many of these programmes come with unwanted components bundled with them.
If you wish to find out whether the one you're using does, click here (http://p2p.malwareremoval.com/).


Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you uninstall it.

From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.

I would advise you to go to Add/Remove programs and uninstall your poker programs.

A list of known bad poker sites can be found here:

http://forum.malwareremoval.com/viewtopic.php?t=23145

Please note that just because a poker site is not on the above list, that doesn't mean it's not bad.


Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\WINDOWS\SYSTEM32\gggfcnuk.ini
C:\WINDOWS\SYSTEM32\nkrdouqq.ini
C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
C:\WINDOWS\SYSTEM32\krppxeha.ini
C:\WINDOWS\SYSTEM32\nucsjukr.ini
C:\WINDOWS\SYSTEM32\iyjymtpq.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\BM8b58d9f1.xml
C:\WINDOWS\SYSTEM32\pjvytjfd.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"886bea6d"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvwvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe
Folder::
C:\Program Files\Save
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
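
The steps above turn specific HijackThis entries into a CFScript. As an added example, not ComboFix's, HijackThis's or random/random's own code, this Python script runs that triage over lines copied from the log posted in this thread and renders the File:: and Registry:: stanza; the "randomly named DLL" heuristic, the flag reasons and the choice of sample lines are this example's assumptions, and the output is a draft for an analyst to review before it is fed to ComboFix.

```python
import re
from collections import namedtuple

# Constructed sample input: HijackThis lines copied from the log posted earlier
# in this thread, plus three ordinary entries so the triage also sees benign lines.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [886bea6d] rundll32.exe "C:\WINDOWS\system32\kuncfggg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O20 - Winlogon Notify: tuvvwvu - tuvvwvu.dll (file missing)
"""

# Registry locations behind the HijackThis O2/O4/O20 sections, written the way
# the CFScript in this thread writes them (the "~" form is ComboFix's shorthand).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
RUN_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# One flagged log line plus the CFScript lines (File:: paths, Registry:: lines) it justifies.
Finding = namedtuple("Finding", "line reason files registry")


def looks_random(stem):
    """Heuristic assumed by this example (not a ComboFix rule): the Vundo
    components in this thread are 5-8 lowercase letters with almost no vowels."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def is_missing(path):
    """HijackThis marks orphaned references this way; the file itself is already gone."""
    return "(file missing)" in path or "(no file)" in path


def dll_stem(text):
    """Name (without extension) of the first .dll mentioned in a command line."""
    m = re.search(r'([^\\/"]+)\.dll', text, re.I)
    return m.group(1).lower() if m else ""


def triage(log_text):
    """Flag the O2/O4/O20 entries the thread treats as infection loading points."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_O2.match(line)
        if m:
            name, clsid, path = m.group("name", "clsid", "path")
            if name == "(no name)" or is_missing(path):
                files = [] if is_missing(path) else [path]
                findings.append(Finding(line, "unnamed or orphaned BHO", files,
                                        ["[-%s\\%s]" % (BHO_KEY, clsid)]))
            continue
        m = RE_O4.match(line)
        if m:
            hive, value, cmd = m.group("hive", "value", "cmd")
            # Only rundll32-style loaders are scored; ordinary programs are left alone.
            if cmd.lower().startswith("rundll32") and looks_random(dll_stem(cmd)):
                findings.append(Finding(line, "rundll32 loader for a randomly named DLL", [],
                                        ["[%s]" % RUN_KEY[hive], '"%s"=-' % value]))
            continue
        m = RE_O20.match(line)
        if m:
            key, path = m.group("key", "path")
            if is_missing(path) or looks_random(key.lower()):
                files = [] if is_missing(path) else [path]
                findings.append(Finding(line, "missing or randomly named Winlogon Notify package",
                                        files, ["[-%s\\%s]" % (NOTIFY_KEY, key)]))
    return findings


def build_cfscript(findings):
    """Render findings as the File:: / Registry:: stanza ComboFix reads from CFscript.txt."""
    files, registry = [], []
    for f in findings:
        files.extend(p for p in f.files if p not in files)
        registry.extend(r for r in f.registry if r not in registry)
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    if registry:
        out.append("Registry::")
        out.extend(registry)
    return "\n".join(out)
```

Running `build_cfscript(triage(SAMPLE_HJT_LOG))` reproduces the registry portion of the script above; entries the ComboFix log alone revealed (the WhenUSave startupreg key and the Save folder) are not in a HijackThis log and must still be added by hand.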

methtical
2008-03-04, 01:48
- I've updated to latest JRE 6
- I've decided to keep the p2p program uTorrent as it's in the list of "safe" programs, but I will be very cautious of what I download
- I've uninstalled Poker Stars program

ComboFix 08-03-03.6 - Blazin Azian 2008-03-04 16:15:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM8b58d9f1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
C:\WINDOWS\SYSTEM32\gggfcnuk.ini
C:\WINDOWS\SYSTEM32\iyjymtpq.ini
C:\WINDOWS\SYSTEM32\krppxeha.ini
C:\WINDOWS\SYSTEM32\nkrdouqq.ini
C:\WINDOWS\SYSTEM32\nucsjukr.ini
C:\WINDOWS\SYSTEM32\pjvytjfd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8b58d9f1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
C:\WINDOWS\SYSTEM32\gggfcnuk.ini
C:\WINDOWS\SYSTEM32\iyjymtpq.ini
C:\WINDOWS\SYSTEM32\krppxeha.ini
C:\WINDOWS\SYSTEM32\nkrdouqq.ini
C:\WINDOWS\SYSTEM32\nucsjukr.ini
C:\WINDOWS\SYSTEM32\pjvytjfd.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
pjvytjfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\WINDOWS\system32\lunckyrw.exe"= C:\WINDOWS\system32\lun
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*:Disabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*:Disabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCP:port
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 16:23:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pjvytjfd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-04 16:30:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 23:30:02
ComboFix2.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---

methtical
2008-03-04, 01:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:45 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: pjvytjfd - pjvytjfd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7349 bytes

random/random
2008-03-04, 17:46
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\lunckyrw.exe"=-
File::
C:\WINDOWS\system32\pjvytjfd.dll
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
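The two things the CFScript above removes (a Winlogon Notify hook and a malformed firewall exception) can be spotted mechanically in the logs posted in this thread. The Python script below is an added example, not part of the original thread and not code from HijackThis, ComboFix or SDFix; the sample log lines it embeds are constructed in the formats those tools print above.

```python
"""Triage helpers for the log formats posted in this thread.

Added example, not code from the original thread or from HijackThis,
ComboFix or SDFix. Two checks that mirror what the CFScript above removes:
 1. HijackThis lines worth a second look: O20 Winlogon Notify hooks (the
    persistence used by the Virtumonde DLL in this thread), entries whose
    file is missing, and O15 Trusted Zone additions.
 2. Windows Firewall AuthorizedApplications exports whose value is not the
    expected "path:*:Enabled:name" form, or which name a different
    executable than their key (the truncated lunckyrw.exe entry is one).
"""
import re

# Constructed sample lines in HijackThis format (modelled on the logs above).
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O15 - Trusted Zone: http://scanner.sysprotect.com
O20 - Winlogon Notify: pjvytjfd - pjvytjfd.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample in the .reg export format SDFix/ComboFix print for the
# firewall exception list (backslashes are doubled in that format).
SAMPLE_FW = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\lunckyrw.exe"="C:\\WINDOWS\\system32\\lun"
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)")
REG_VALUE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"$')
FW_VALUE = re.compile(r"^(?P<exe>.+?):\*:(?:Enabled|Disabled):.+$", re.IGNORECASE)


def triage_hijackthis(log_text):
    """Return (section, reason, line) for each line a reviewer should inspect."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # A Winlogon Notify DLL is loaded into winlogon.exe at every logon,
            # which is why the O20 entry in this thread survived reboots.
            findings.append((section, "winlogon-notify-hook", raw.strip()))
        elif "(file missing)" in body or "(no file)" in body:
            findings.append((section, "missing-file", raw.strip()))
        elif section == "O15":
            findings.append((section, "trusted-zone", raw.strip()))
    return findings


def winlogon_notify_entries(log_text):
    """Return [(subkey name, dll)] for every O20 Winlogon Notify line."""
    entries = []
    for _section, reason, line in triage_hijackthis(log_text):
        if reason != "winlogon-notify-hook":
            continue
        m = NOTIFY.match(line.split(" - ", 1)[1])
        if m:
            entries.append((m.group("name"), m.group("dll")))
    return entries


def suspicious_firewall_exceptions(reg_text):
    """Return [(key, value, reason)] for malformed AuthorizedApplications values."""
    bad = []
    for raw in reg_text.splitlines():
        m = REG_VALUE.match(raw.strip())
        if not m:
            continue  # key headers and blank lines
        key, val = m.group("key"), m.group("val")
        fm = FW_VALUE.match(val)
        if fm is None:
            bad.append((key, val, "value-not-path:*:state:name"))
        elif fm.group("exe").lower() != key.lower():
            bad.append((key, val, "value-names-different-executable"))
    return bad


def summarize(hjt_text=SAMPLE_HJT, fw_text=SAMPLE_FW):
    """Combine both checks into one list of human-readable lines."""
    out = [f"[HJT {s}] {r}: {line}" for s, r, line in triage_hijackthis(hjt_text)]
    out += [f"[FW] {r}: {k} -> {v}" for k, v, r in suspicious_firewall_exceptions(fw_text)]
    return out


if __name__ == "__main__":
    for line in summarize():
        print(line)
```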

methtical
2008-03-04, 19:39
ComboFix 08-03-03.6 - Blazin Azian 2008-03-05 10:23:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\pjvytjfd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pjvytjfd.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
pjvytjfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\WINDOWS\system32\lunckyrw.exe"= C:\WINDOWS\system32\lun
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*:Disabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*:Disabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCP:port
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 10:30:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pjvytjfd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-05 10:36:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 17:36:53
ComboFix2.txt 2008-03-04 23:30:06
ComboFix3.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---

methtical
2008-03-04, 19:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:25 AM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: pjvytjfd - pjvytjfd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7304 bytes

random/random
2008-03-04, 20:39
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

methtical
2008-03-04, 21:38
SDFix: Version 1.152

Run by Blazin Azian on Tue 03/04/2008 at 12:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 12:29:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:cd,79,fc,68,4a,5e,22,36,b0,cf,30,68,f0,9d,bb,be,26,c9,5c,2a,26,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,9c,06,f9,34,ed,ca,f3,9e,3c,29,ce,3e,c0,93,0d,2e,f2,..
"khjeh"=hex:df,fe,a4,c4,ce,30,81,fe,16,73,18,25,9d,8f,a2,de,3d,29,6b,0f,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,60,be,14,49,4d,42,3b,8b,6f,6e,59,f2,d3,fc,e7,00,fd,fd,b0,f7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:cd,79,fc,68,4a,5e,22,36,b0,cf,30,68,f0,9d,bb,be,26,c9,5c,2a,26,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,9c,06,f9,34,ed,ca,f3,9e,3c,29,ce,3e,c0,93,0d,2e,f2,..
"khjeh"=hex:df,fe,a4,c4,ce,30,81,fe,16,73,18,25,9d,8f,a2,de,3d,29,6b,0f,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,60,be,14,49,4d,42,3b,8b,6f,6e,59,f2,d3,fc,e7,00,fd,fd,b0,f7,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\lunckyrw.exe"="C:\\WINDOWS\\system32\\lun"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Sat 10 Nov 2007 48 ..SH. --- "C:\WINDOWS\S029AB104.tmp"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 30 Nov 2006 1,638,498 A.SH. --- "C:\WINDOWS\Fonts\dcmpft.tmp"
Sun 15 Apr 2007 1,634,913 A.SH. --- "C:\WINDOWS\SYSTEM32\agkrogmv.tmp"
Thu 19 Jan 2006 423,995 A.SH. --- "C:\WINDOWS\SYSTEM32\ttutv.tmp"
Mon 20 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT6.tmp"
Tue 22 Feb 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 22 Feb 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 2 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 2 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

methtical
2008-03-04, 21:39
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:59 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7355 bytes

random/random
2008-03-04, 21:59
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\WINDOWS\Fonts\dcmpft.tmp
C:\WINDOWS\SYSTEM32\agkrogmv.tmp
C:\WINDOWS\SYSTEM32\ttutv.tmp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\lunckyrw.exe"=-
Rootkit::
C:\WINDOWS\SYSTEM32\pjvytjfd.dll
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

methtical
2008-03-04, 23:06
ComboFix 08-03-03.6 - Blazin Azian 2008-03-04 13:55:19.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.230 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Fonts\dcmpft.tmp
C:\WINDOWS\SYSTEM32\agkrogmv.tmp
C:\WINDOWS\SYSTEM32\ttutv.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\dcmpft.tmp
C:\WINDOWS\SYSTEM32\agkrogmv.tmp
C:\WINDOWS\SYSTEM32\pjvytjfd.dll
C:\WINDOWS\SYSTEM32\ttutv.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-04 12:16 . 2008-03-04 12:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-04 12:07 . 2008-03-04 12:36 <DIR> d----c--- C:\SDFix
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*:Disabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*:Disabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCP:port
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 14:02:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-04 14:08:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 21:08:41
ComboFix2.txt 2008-03-05 17:36:57
ComboFix3.txt 2008-03-04 23:30:06
ComboFix4.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---

methtical
2008-03-04, 23:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:30 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7253 bytes

random/random
2008-03-05, 00:25
You do not appear to be running a realtime antivirus; this is leaving you open to infection.
Please install one of the following free antivirus programs:

AVG (http://free.grisoft.com/doc/1)
Avast! (http://www.avast.com/eng/avast_4_home.html)
Antivir (http://www.free-av.com/)


Note: The above programs are free only for personal, non-commercial use.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com

Then close all windows except HijackThis and click Fix Checked

Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log.

methtical
2008-03-05, 03:03
- I downloaded AVG and updated the files, but did not run a scan
- I had to turn off AVG from the desktop icon tray during the ESET scan, because I kept getting pop-ups of "Threat Found" or something like that from AVG

Here's the ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2921 (20080304)
# vers_arch_module=1.032 (20050726)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d9a4abba021643478a050c8d7bf91912
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-05 12:44:03
# local_time=2008-03-04 05:44:03 (-0700, US Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=350625
# found=206
# scan_time=5954
C:\asdf.exe a variant of Win32/TrojanDownloader.ConHook trojan A7B1D72B651A8C26E5BF09C1841E77D7
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 multiple infiltrations 875155A089FA8C58F46250A070EA3A40
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »BaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »VaaaaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »Dvnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »Baaaaa.class Java/ClassLoader.AO trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »Dex.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »Dix.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034 »ZIP »Dux.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 multiple infiltrations 08DB9AB85FB3E264230FC6E606433FE0
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »BaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »VaaaaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »Dvnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »Baaaaa.class Java/ClassLoader.AO trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »Dex.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »Dix.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41 »ZIP »Dux.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 multiple infiltrations 875155A089FA8C58F46250A070EA3A40
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »BaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »VaaaaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »Dvnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »Baaaaa.class Java/ClassLoader.AO trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »Dex.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »Dix.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794 »ZIP »Dux.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07 multiple infiltrations 7C562F5C6C9D6F8B06888786AC38A6A6
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07 »ZIP »GetAccess.class Java/TrojanDownloader.OpenConnection.AJ trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07 »ZIP »Installer.class Java/TrojanDownloader.OpenConnection trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07 »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07 »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38 multiple infiltrations 23710DFD177A073CFB9A4FB3DD14832D
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38 »ZIP »SandBoxEscape.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38 »ZIP »SuperMSClassLoader.class a variant of Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38 »ZIP »Installer.class Java/TrojanDownloader.OpenStream.Z trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86 Java/ClassLoader.AA trojan 7B1484415BD02DFD7741B4FC4EF9FA82
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86 »ZIP »BlackBox.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86 »ZIP »VerifierBug.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86 »ZIP »Dummy.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86 »ZIP »Beyond.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396 multiple infiltrations 23710DFD177A073CFB9A4FB3DD14832D
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396 »ZIP »SandBoxEscape.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396 »ZIP »SuperMSClassLoader.class a variant of Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396 »ZIP »Installer.class Java/TrojanDownloader.OpenStream.Z trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 multiple infiltrations 08DB9AB85FB3E264230FC6E606433FE0
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »BaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »VaaaaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »Dvnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »Baaaaa.class Java/ClassLoader.AO trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »Dex.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »Dix.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982 »ZIP »Dux.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip Java/ClassLoader.AA trojan 7B1484415BD02DFD7741B4FC4EF9FA82
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip »ZIP »BlackBox.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip »ZIP »VerifierBug.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip »ZIP »Dummy.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip »ZIP »Beyond.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip multiple infiltrations 875155A089FA8C58F46250A070EA3A40
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »BaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »VaaaaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »Dvnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »Baaaaa.class Java/ClassLoader.AO trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »Dex.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »Dix.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip »ZIP »Dux.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip multiple infiltrations 875155A089FA8C58F46250A070EA3A40
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »BaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »VaaaaaaaBaa.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »Dvnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »Baaaaa.class Java/ClassLoader.AO trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »Dex.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »Dix.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip »ZIP »Dux.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip multiple infiltrations 23710DFD177A073CFB9A4FB3DD14832D
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip »ZIP »SandBoxEscape.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip »ZIP »SuperMSClassLoader.class a variant of Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip »ZIP »Installer.class Java/TrojanDownloader.OpenStream.Z trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip multiple infiltrations 23710DFD177A073CFB9A4FB3DD14832D
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip »ZIP »SandBoxEscape.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip »ZIP »SuperMSClassLoader.class a variant of Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip »ZIP »Installer.class Java/TrojanDownloader.OpenStream.Z trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip multiple infiltrations 7C562F5C6C9D6F8B06888786AC38A6A6
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip »ZIP »GetAccess.class Java/TrojanDownloader.OpenConnection.AJ trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip »ZIP »Installer.class Java/TrojanDownloader.OpenConnection trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application 5CB0279BC8B35D99E79764293D279C85
C:\QooBox\Quarantine\catchme2008-03-04_140214.78.zip Win32/TrojanProxy.Agent.JZ trojan CE483B3E3FBD4166878E7A952CB50B90

methtical
2008-03-05, 03:04
C:\QooBox\Quarantine\catchme2008-03-04_140214.78.zip »ZIP »pjvytjfd.dll Win32/TrojanProxy.Agent.JZ trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\w.exe.vir Win32/TrojanDownloader.Agent.AIE trojan 935F0ECA6B0B5571366CC6CAF4C5AEC7
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\abaojcsg.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\abbuikpj.dll.vir probably a variant of Win32/Adware.BHO.V application 2C73976FC0276A37467FA11C2CE56D24
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\agqwdovl.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aitkpynu.dll.vir Win32/BHO.BD trojan CF21D45B04493EF27F7804F3C8914980
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ajgjlahq.dll.vir Win32/Adware.Virtumonde application 313BC529A7E1190D7983BEE98A7FF518
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\akxsitcl.dll.vir Win32/Adware.Virtumonde application 41368031CE3576DBE1C6B5F04DA1B436
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bbmblqqj.dll.vir probably a variant of Win32/Adware.BHO.V application DF5AFE388C97026A10200F7E74A5CAE8
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bucqobbj.dll.vir Win32/Adware.Virtumonde.KI application A6528B8A081D58329FCBECCC8F18BFFA
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cauaclwd.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\djbkyiyd.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dloeursp.dll.vir probably a variant of Win32/Adware.BHO.V application 2C73976FC0276A37467FA11C2CE56D24
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dlrdwmcx.dll.vir probably a variant of Win32/Adware.BHO.V application 4B384188D49701B0054ADC04750C9897
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dwcrrcqj.dll.vir Win32/Adware.Virtumonde application 313BC529A7E1190D7983BEE98A7FF518
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ebjymykk.dll.vir Win32/BHO.NAH trojan 4C5AB44B6475CDCD90EE40825F3B77BF
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\erjmardb.dll.vir Win32/Adware.Virtumonde application D4614FD4015BA965B3D1F520E9436B5D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\esunpmkd.dll.vir probably a variant of Win32/Adware.BHO.V application 086AEF0B61CD2901425AAB5EEA7C3E91
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\euhgedry.dll.vir Win32/Adware.Virtumonde application 313BC529A7E1190D7983BEE98A7FF518
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fdtbslpa.dll.vir probably a variant of Win32/Adware.BHO.V application 6985E22B3A0E576B34323430B01F8D6F
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fglgsklf.dll.vir Win32/BHO.BD trojan CF21D45B04493EF27F7804F3C8914980
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fgnldhdr.dll.vir probably a variant of Win32/Adware.BHO.V application DF5AFE388C97026A10200F7E74A5CAE8
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fhomacfr.dll.vir Win32/Adware.Virtumonde application 313BC529A7E1190D7983BEE98A7FF518
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fpnucyyh.dll.vir probably a variant of Win32/Adware.BHO.V application 67F9A3A2677902B7435DDBA6F509A0AC
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fpphgfrf.dll.vir Win32/Adware.Virtumonde application D4614FD4015BA965B3D1F520E9436B5D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fsfgikef.dll.vir probably a variant of Win32/Adware.BHO.V application 777D85F1B459E4BE572267C7F8925BC6
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fvbtkrxh.dll.vir Win32/Adware.BHO.V application 2E630FFF0DC4D1296CF43BD4CA471784
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gbwopxhe.dll.vir a variant of Win32/BHO.G trojan FEC137A1AED9D96BA7A599A2B35BEFFE
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gghfyyah.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gpywehwe.dll.vir Win32/BHO.G trojan 1FF1970628FFA4EA93A6A53F3C11E380
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gydbndvh.dll.vir probably a variant of Win32/Adware.BHO.V application 9C7DF5B2C29FE2341C33284D7D385724
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hcgmxqon.dll.vir Win32/BHO.BD trojan CF21D45B04493EF27F7804F3C8914980
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hdwqvoxc.dll.vir Win32/BHO.BD trojan CF21D45B04493EF27F7804F3C8914980
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hgjycbrl.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hmcdphwf.dll.vir Win32/BHO.G trojan 832D8758E0D341C13578EABC851EE199
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ibuafutb.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijtaebiw.dll.vir probably a variant of Win32/Adware.BHO.V application 2C73976FC0276A37467FA11C2CE56D24
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iouqrgki.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iseunrip.dll.vir a variant of Win32/BHO.G trojan C3F9F68A42012B3FCD083D8AF8486141
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iyxhudqc.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\j3271830.dll.vir Win32/TrojanClicker.Agent.NBZ trojan 6F64522AE031E1AE9C9FCACE271B03B2
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jmotpfhs.dll.vir probably a variant of Win32/Adware.BHO.V application 702871C6064C7796015703FAF9145D35
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kamwgsbd.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kawcdrym.dll.vir probably a variant of Win32/Adware.BHO.V application 6985E22B3A0E576B34323430B01F8D6F
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kovuaxxj.dll.vir probably a variant of Win32/Adware.BHO.V application 00CD12E4C5CA808EAE5FA7B66ADF00EF
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lkgoykch.dll.vir Win32/Adware.Virtumonde.KI application A6528B8A081D58329FCBECCC8F18BFFA
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lucwmaok.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lvotgwva.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lyquvsyn.dll.vir Win32/BHO.G trojan EEF3660647959D0AD62E06A13592AF54
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mioswnqf.dll.vir Win32/BHO.BD trojan CF21D45B04493EF27F7804F3C8914980
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mljge.dll.vir a variant of Win32/TrojanDownloader.ConHook trojan B4523BB9B6FC520C3723AB8E0797EDDD
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mudsmuoe.dll.vir Win32/BHO.NAH trojan 4C5AB44B6475CDCD90EE40825F3B77BF
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nduglwxe.dll.vir Win32/BHO.G trojan 26B32782E67499F7D9167A0BCE178602
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\obviboxm.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\osuheuyn.dll.vir Win32/BHO.G trojan 5331AD03311A0D18EFADB9FA7FB982D3
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pgoiuyfw.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\puclgkjy.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pvmvlhkb.dll.vir Win32/BHO.G trojan DCC563602BC860864DE8FBC90C577882
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pywtlmtu.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qerbjuwi.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qmmcbmou.dll.vir Win32/Adware.Virtumonde application 0F7AC6569A46B531CD4FDE8B9024336F
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rfgpbgqd.dll.vir Win32/BHO.G trojan 88791055B5EFBEC02B673D70DA7A4EAE
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rodqdlyc.dll.vir probably a variant of Win32/Adware.BHO.V application 80339664A5E697D8C376E3BFCF578493
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\roguxufu.dll.vir probably a variant of Win32/Adware.BHO.V application 777D85F1B459E4BE572267C7F8925BC6
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rspsguax.dll.vir Win32/Adware.Virtumonde application 41368031CE3576DBE1C6B5F04DA1B436
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sosrdfch.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sstdsbfb.dll.vir Win32/Adware.Virtumonde application D4614FD4015BA965B3D1F520E9436B5D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\stxrtoni.dll.vir Win32/BHO.G trojan E83FC3883C9B6C1D6ED822CBEE9C8520
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tbevywum.dll.vir Win32/Adware.Virtumonde application 41368031CE3576DBE1C6B5F04DA1B436
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tgryjfwg.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tirqsxoo.dll.vir Win32/BHO.G trojan C97CB485CCABB6CA2AB96036648BF137
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjthorcr.dll.vir Win32/Adware.BHO.V application 4C98671E89D3015A91508F7B00C8148B
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuccrkst.dll.vir probably a variant of Win32/Adware.BHO.V application 80339664A5E697D8C376E3BFCF578493
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuouxkuq.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ugydocfd.dll.vir Win32/Adware.BHO.V application 6B70D2A601040DB209E1BAF62EA32AF0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uibfuark.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uiiwebcs.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ukdxosne.dll.vir Win32/BHO.G trojan 7EA6E7BB73888317C5A2A10629194FA7
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uplkikqq.dll.vir Win32/Adware.Virtumonde application 41368031CE3576DBE1C6B5F04DA1B436
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uttfudns.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vahtiqcl.dll.vir Win32/Adware.BHO.V application DDD51ADB55550FF8E0B21A8E82800376
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vaxliluj.dll.vir a variant of Win32/BHO.G trojan C217F32871C00699D460D526561DCB2E
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vekecdph.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vvoxrwlg.dll.vir Win32/BHO.BD trojan CF21D45B04493EF27F7804F3C8914980
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vvyjmief.dll.vir Win32/Adware.Virtumonde application 41368031CE3576DBE1C6B5F04DA1B436
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wgmpdepl.dll.vir Win32/Adware.AdMedia application 5F7577F9EF82FC2ECA78CF94E3A818F0
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wkjwhthy.dll.vir Win32/Adware.BHO.V application 2E630FFF0DC4D1296CF43BD4CA471784
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wsaesxmr.dll.vir Win32/Adware.Virtumonde application 9E955AF2C2DA3823865BA5B1B793371A
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xajvxbkn.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xcuprayg.dll.vir Win32/Adware.Virtumonde application D4614FD4015BA965B3D1F520E9436B5D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xdqakkgw.dll.vir Win32/Adware.Virtumonde application 8E1661D159A7CAE5348DFA56757DBC9D
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xxxgipik.dll.vir probably a variant of Win32/Adware.BHO.V application 6E352EA93FFFAEB073AB79BD238ACF13
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ygaqfnyi.dll.vir probably a variant of Win32/Adware.BHO.V application 9C1F6405FDF6480AE752D651A3F8D927
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yjsuvqnv.dll.vir Win32/Adware.Virtumonde application 06C465BAC89CA26CAD501678FFC87AFA
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ymbpkkaf.dll.vir probably a variant of Win32/Adware.BHO.V application FAC99DFB39A94AAADFC55430A60D6137
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yxpukfwp.dll.vir Win32/BHO.G trojan D437B71566068F08C4B632A848B0E4C5
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yykjvvim.dll.vir probably a variant of Win32/Adware.BHO.V application DF5AFE388C97026A10200F7E74A5CAE8
C:\WINDOWS\SYSTEM32\abnfhplt.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\akqnkkfb.dll Win32/Adware.BHO.V application ECB61FA95CDBD3FC241CCE00D5A49DE1
C:\WINDOWS\SYSTEM32\dblkhogq.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\dnfiffrl.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\iinabmgn.dll probably a variant of Win32/Adware.BHO.V application CEA2CCD0881DD5226D7F32BD0F8E35D6
C:\WINDOWS\SYSTEM32\kdpwgnwj.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\kokhfsvp.dll probably a variant of Win32/Adware.BHO.V application 16645AB7F7188B9E818D84787EA5A37E
C:\WINDOWS\SYSTEM32\kukksvcb.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\SYSTEM32\lcvhadcj.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\nvihnamc.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\SYSTEM32\ofqqribh.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\SYSTEM32\rvxedwiv.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\SYSTEM32\rxedlghy.exe Win32/Adware.Toolbar.SearchColours application A10AB1E49729BBF9A47A30AD1186EECE
C:\WINDOWS\SYSTEM32\sgvllrwe.exe Win32/Adware.Toolbar.SearchColours application 83B7D6F031A78F0CCFC48F1A29C44E9A
C:\WINDOWS\SYSTEM32\tqybbjby.dll probably a variant of Win32/Adware.BHO.V application CEA2CCD0881DD5226D7F32BD0F8E35D6
C:\WINDOWS\SYSTEM32\ttopusql.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\twmmuyop.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\SYSTEM32\txexomgg.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\SYSTEM32\wauahbia.exe Win32/Adware.Toolbar.SearchColours application 7B327FA15503630FFBC4599FFD2FAA82
C:\WINDOWS\SYSTEM32\wfesmvae.dll probably a variant of Win32/Adware.BHO.V application 16645AB7F7188B9E818D84787EA5A37E
C:\WINDOWS\SYSTEM32\wihgddsi.exe Win32/Adware.Toolbar.SearchColours application 5B15CFD25006A29E1E0498C49B61109A
C:\WINDOWS\Temp\1.tmp Win32/TrojanProxy.Agent.JZ trojan 3421328544A8B2F4A138C733F887BE67

methtical
2008-03-05, 03:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:27 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7958 bytes

methtical
2008-03-05, 03:07
Random/Random,

Should I turn on the AVG, or should I wait until we're done with the cleanup process? Like I said, it kept shooting out pop-ups of "Threat Found" and I turned it off as I didn't know whether I should click on the "ignore" or "heal" button. Thanks

random/random
2008-03-05, 23:02
Turn on AVG after following the instructions in this post. If it finds anything, click heal


Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\asdf.exe
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip
C:\WINDOWS\SYSTEM32\abnfhplt.exe
C:\WINDOWS\SYSTEM32\akqnkkfb.dll
C:\WINDOWS\SYSTEM32\dblkhogq.exe
C:\WINDOWS\SYSTEM32\dnfiffrl.exe
C:\WINDOWS\SYSTEM32\iinabmgn.dll
C:\WINDOWS\SYSTEM32\kdpwgnwj.exe
C:\WINDOWS\SYSTEM32\kokhfsvp.dll
C:\WINDOWS\SYSTEM32\kukksvcb.exe
C:\WINDOWS\SYSTEM32\lcvhadcj.exe
C:\WINDOWS\SYSTEM32\nvihnamc.exe
C:\WINDOWS\SYSTEM32\ofqqribh.exe
C:\WINDOWS\SYSTEM32\rvxedwiv.exe
C:\WINDOWS\SYSTEM32\rxedlghy.exe
C:\WINDOWS\SYSTEM32\sgvllrwe.exe
C:\WINDOWS\SYSTEM32\tqybbjby.dll
C:\WINDOWS\SYSTEM32\ttopusql.exe
C:\WINDOWS\SYSTEM32\twmmuyop.exe
C:\WINDOWS\SYSTEM32\txexomgg.exe
C:\WINDOWS\SYSTEM32\wauahbia.exe
C:\WINDOWS\SYSTEM32\wfesmvae.dll
C:\WINDOWS\SYSTEM32\wihgddsi.exe
C:\WINDOWS\Temp\1.tmp
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

methtical
2008-03-05, 23:59
Note: One thing I've noticed this time during the ComboFix run is that my computer did not restart before producing the log. In the previous times I ran ComboFix, the computer restarted before ComboFix finished in order to produce a log. I don't know if this is good or bad though.

ComboFix 08-03-03.6 - Blazin Azian 2008-03-05 14:48:56.5 - NTFSx86
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\asdf.exe
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip
C:\WINDOWS\SYSTEM32\abnfhplt.exe
C:\WINDOWS\SYSTEM32\akqnkkfb.dll
C:\WINDOWS\SYSTEM32\dblkhogq.exe
C:\WINDOWS\SYSTEM32\dnfiffrl.exe
C:\WINDOWS\SYSTEM32\iinabmgn.dll
C:\WINDOWS\SYSTEM32\kdpwgnwj.exe
C:\WINDOWS\SYSTEM32\kokhfsvp.dll
C:\WINDOWS\SYSTEM32\kukksvcb.exe
C:\WINDOWS\SYSTEM32\lcvhadcj.exe
C:\WINDOWS\SYSTEM32\nvihnamc.exe
C:\WINDOWS\SYSTEM32\ofqqribh.exe
C:\WINDOWS\SYSTEM32\rvxedwiv.exe
C:\WINDOWS\SYSTEM32\rxedlghy.exe
C:\WINDOWS\SYSTEM32\sgvllrwe.exe
C:\WINDOWS\SYSTEM32\tqybbjby.dll
C:\WINDOWS\SYSTEM32\ttopusql.exe
C:\WINDOWS\SYSTEM32\twmmuyop.exe
C:\WINDOWS\SYSTEM32\txexomgg.exe
C:\WINDOWS\SYSTEM32\wauahbia.exe
C:\WINDOWS\SYSTEM32\wfesmvae.dll
C:\WINDOWS\SYSTEM32\wihgddsi.exe
C:\WINDOWS\Temp\1.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\asdf.exe
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-14dd0034
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1d420d41
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\37\66a57ae5-6a448794
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\38\66b42b26-78cc8b07
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\49\4db115b1-5962ea38
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\59\5001e5fb-7ea53d86
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\1d55cbd-187ad396
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-552cb982
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-43fcd038-451e4c96.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-51b57f7-67dbd052.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-4dfc338e.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4bf88346.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-2d1f118a-4eb73447.zip
C:\Documents and Settings\Blazin Azian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-34efff0d.zip
C:\WINDOWS\SYSTEM32\abnfhplt.exe
C:\WINDOWS\SYSTEM32\akqnkkfb.dll
C:\WINDOWS\SYSTEM32\dblkhogq.exe
C:\WINDOWS\SYSTEM32\dnfiffrl.exe
C:\WINDOWS\SYSTEM32\iinabmgn.dll
C:\WINDOWS\SYSTEM32\kdpwgnwj.exe
C:\WINDOWS\SYSTEM32\kokhfsvp.dll
C:\WINDOWS\SYSTEM32\kukksvcb.exe
C:\WINDOWS\SYSTEM32\lcvhadcj.exe
C:\WINDOWS\SYSTEM32\nvihnamc.exe
C:\WINDOWS\SYSTEM32\ofqqribh.exe
C:\WINDOWS\SYSTEM32\rvxedwiv.exe
C:\WINDOWS\SYSTEM32\rxedlghy.exe
C:\WINDOWS\SYSTEM32\sgvllrwe.exe
C:\WINDOWS\SYSTEM32\tqybbjby.dll
C:\WINDOWS\SYSTEM32\ttopusql.exe
C:\WINDOWS\SYSTEM32\twmmuyop.exe
C:\WINDOWS\SYSTEM32\txexomgg.exe
C:\WINDOWS\SYSTEM32\wauahbia.exe
C:\WINDOWS\SYSTEM32\wfesmvae.dll
C:\WINDOWS\SYSTEM32\wihgddsi.exe
C:\WINDOWS\Temp\1.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-04 16:02 . 2008-03-04 17:44 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-04 15:49 . 2008-03-05 09:33 <DIR> d-------- C:\Documents and Settings\Blazin Azian\Application Data\AVG7
2008-03-04 15:48 . 2008-03-04 15:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-04 15:48 . 2008-03-04 15:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-03-04 15:48 . 2008-03-05 09:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-03-04 12:16 . 2008-03-04 12:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-04 12:07 . 2008-03-04 12:36 <DIR> d----c--- C:\SDFix
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ C:\WINDOWS\SYSTEM32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2008-02-08 13:53 . 2008-02-08 13:53 110,592 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2008-02-05 08:48 . 2008-02-05 08:48 77,824 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-07 00:44 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-12-07 00:44 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-12-07 00:44 1,499,136 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-12-07 00:44 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-12-07 00:44 1,024,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-04 15:51 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-04 15:48 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*:Disabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*:Disabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCP:port
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 14:55:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 14:56:15
ComboFix-quarantined-files.txt 2008-03-05 21:55:48
ComboFix2.txt 2008-03-04 21:08:45
ComboFix3.txt 2008-03-05 17:36:57
ComboFix4.txt 2008-03-04 23:30:06
ComboFix5.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---

methtical
2008-03-06, 00:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:03 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7909 bytes

random/random
2008-03-06, 19:10
You now appear to be clean. Congratulations!

You can delete combofix.exe & sdfix.exe. You can also delete the C:\sdfix and C:\qoobox folders

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too much spam posting to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/) or Online Armor (http://www.tallemu.com/online_armor_free.html)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
Click Start > Run. Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services window
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
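
The hosts-file lookup described above, as an added example that is not part of the original thread or of Spybot's own code: a small Python script that parses a constructed Windows-style hosts file (comments, blank lines, several names per line), resolves a name through it the way the resolver consults the file before asking DNS (first matching entry wins), reports whether a name is sunk to a local address, and lists any entry that redirects a name to a remote address instead of blocking it, which is the one thing a block list should never contain. Every hostname and the 203.0.113.9 address in the sample are constructed placeholders.

```python
"""Hosts-file lookup and audit (added example; not code from the thread)."""
from __future__ import annotations

import ipaddress

# Constructed sample of a Windows hosts file after a Spybot-S&D style block
# list has been appended. Every hostname and the 203.0.113.9 address are
# placeholders (reserved .test TLD and TEST-NET-3 range), not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# Start of entries inserted by Spybot - Search & Destroy (constructed)
127.0.0.1  ads.example-blocked.test
127.0.0.1  tracker.example-blocked.test  www.tracker.example-blocked.test
0.0.0.0    popups.example-blocked.test   # trailing comment is ignored

# An entry that redirects a name instead of sinking it locally
203.0.113.9  update.example-av.test
"""

# Addresses that make a hosts entry a block rather than a redirect.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to its address, ignoring comments and blank lines.

    Hostnames are lower-cased, and the first entry for a name wins, which is
    the order the resolver honours when a name is listed more than once.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is not a usable entry
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address: the resolver would skip it too
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def lookup(hosts: dict[str, str], name: str) -> str | None:
    """Return the address the hosts file gives for *name*, or None if the
    name is absent and would fall through to DNS."""
    return hosts.get(name.strip().rstrip(".").lower())


def is_blocked(hosts: dict[str, str], name: str) -> bool:
    """True when the hosts file sinks *name* to a local address."""
    return lookup(hosts, name) in LOCAL_SINKS


def nonlocal_entries(hosts: dict[str, str]) -> list[tuple[str, str]]:
    """Entries that redirect a name to a remote address rather than block it.

    A block list should only ever contain local sinks, so anything listed
    here deserves a look when reviewing the file.
    """
    return sorted((n, a) for n, a in hosts.items() if a not in LOCAL_SINKS)


HOSTS = parse_hosts(SAMPLE_HOSTS)

if __name__ == "__main__":
    for host in ("ads.example-blocked.test", "www.example.test"):
        verdict = "blocked" if is_blocked(HOSTS, host) else "not in hosts file"
        print(f"{host}: {lookup(HOSTS, host)} ({verdict})")
    for name, addr in nonlocal_entries(HOSTS):
        print(f"redirect entry: {name} -> {addr}")
```

To run it against a real file instead of the constructed sample, read C:\WINDOWS\system32\drivers\etc\hosts (the XP location the thread's tools work on) and pass its text to parse_hosts; the DNS Client caching note above is about Windows, not this script, so it does not change the lookup logic here.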

methtical
2008-03-07, 03:03
Random/Random, first off THANK YOU for helping to clean my PC!! I wish I could buy you a drink

I just have 2 more questions:

1. Can I delete HJTInstall.exe, jre-6u4-windows-i586-p.exe, ResetTeaTimer.bat, WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe, and CF-RC.txt from my desktop?

2. I've followed your advice in downloading ComodoFirewall, SpywareBlaster, AVG Antivirus, Spybot (which I already had), and a-squared Free. My question is will having all of these security measures slow down my PC or will these programs get in the way of each other?

Thanks, and once again, I appreciated your help. Cheers

random/random
2008-03-07, 19:36
1. Can I delete HJTInstall.exe, jre-6u4-windows-i586-p.exe, ResetTeaTimer.bat, WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe, and CF-RC.txt from my desktop?

Yes

2. I've followed your advice in downloading ComodoFirewall, SpywareBlaster, AVG Antivirus, Spybot (which I already had), and a-squared Free. My question is will having all of these security measures slow down my PC or will these programs get in the way of each other?

As far as I know, there are no known conflicts between these programs. The slowdown caused by these programs should not be noticeable, and should certainly be less than the slowdown caused by malware.