Nasty stuff, Virtumonde among other infections. Help please. Logs included

[methtical]

Hi, 1st time poster here, and may i say that u guys are awesome for taking the time to help!

To start it off, here's some general observations recently (started happening a few days ago):

1. Upon starting the computer and logging into the desktop, the 1st thing that pops up is the following error message:

"RUNDLL
Error loading C:/WINDOWS/system32/kuncfggg.dll
The specified module could not be found"

2. I've been running Spybot S&D for the past few days straight, and allowing it to fix the found problems, but Virtumonde keeps recurring. The latest Spybot S&D scan found these:
-Virtumonde
-MailSkinner.rtk

Now, here's part of the Kaspersky Scan Report Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 9:15:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 586391
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 144573
Number of viruses found: 44
Number of infected objects: 969
Number of suspicious objects: 3
Duration of the scan process: 02:42:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip/wlxumnlh.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde1.zip/vtlvxspu.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde104.zip/awlakaup.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde104.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde105.zip/mlljk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tm skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde105.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde2.zip/sqltpcec.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde29.zip/ypmserrp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde29.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde3.zip/qxqhhkox.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde30.zip/xwdihqsp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde30.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip/xuecqlym.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde32.zip/vxoplttj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde32.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde33.zip/vopbuwhf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde33.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde34.zip/vidhneld.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde34.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde35.zip/vcqtnshx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde35.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde36.zip/urjphndu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde36.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde37.zip/ucsxucmq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde37.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde38.zip/tygvuydk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde38.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde39.zip/tsdfovqu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde39.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde40.zip/tiuhfuel.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde40.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde41.zip/scylxtta.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde41.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde42.zip/rrktofwu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde42.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde43.zip/qeuxmvfg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde43.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde44.zip/pwfijpdh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde44.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde45.zip/puvebjkw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde45.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde46.zip/pndxlybd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde46.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde47.zip/ohghmmtw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde47.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde48.zip/oaaebqkl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde48.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde49.zip/nvuygtac.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde49.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde50.zip/nqpswpye.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde50.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde51.zip/nnaxlavu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde51.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde52.zip/ndcdhrri.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde52.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde53.zip/nbsbfgai.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde53.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde54.zip/mygkopke.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde54.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde55.zip/mydjpioa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde55.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde56.zip/mrtosile.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde56.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde57.zip/mnufswiw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde57.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde58.zip/mamgphso.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde58.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde59.zip/lqjkunpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde59.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde60.zip/lfncfnyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde60.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde61.zip/kkadvfww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde61.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde62.zip/kiololhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde62.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde63.zip/jyspppqu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde63.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde64.zip/hbeqqyvm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde64.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde65.zip/gkeyovys.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde65.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde66.zip/frxbriup.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde66.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde67.zip/frnojfjc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde67.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde68.zip/fpopxmnu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde68.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde69.zip/fpmjulvb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde69.zip ZIP: infected - 1 skipped

NOTE: I have the rest of the Kaspersky log as well as the HJT log saved & ready to post, but I'll limit my initial post here. I'll post it if it's needed. Thanks

 

[random/random]

Please post the Kaspersky and HijackThis logs. If the kaspersky log is too large to post, you can zip it up(Right click>send to>compressed (zipped) folder) and upload it as an attachment

 

[methtical]

Kaspersky log continued

Hey Random/Random, here's the Kaspersky log in compressed zip form attachment

 

[methtical]

HJT log

and here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:02 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.239.151.231 db1.rapidshare.com
O1 - Hosts: 80.239.151.232 db2.rapidshare.com
O1 - Hosts: 80.239.151.233 db3.rapidshare.com
O1 - Hosts: 80.239.151.234 db4.rapidshare.com
O1 - Hosts: 80.239.151.235 db5.rapidshare.com
O1 - Hosts: 80.239.151.253 games.rapidshare.com
O1 - Hosts: 80.239.151.251 images.rapidshare.com
O1 - Hosts: 80.239.151.240 images2.rapidshare.com
O1 - Hosts: 82.129.39.245 kvm1.rapidshare.com
O1 - Hosts: 82.129.39.246 kvm2.rapidshare.com
O1 - Hosts: 82.129.39.247 kvm3.rapidshare.com
O1 - Hosts: 82.129.39.248 kvm4.rapidshare.com
O1 - Hosts: 82.129.39.249 kvm5.rapidshare.com
O1 - Hosts: 80.239.151.250 mail.rapidshare.com
O1 - Hosts: 80.239.151.250 ns1.rapidshare.com
O1 - Hosts: 80.239.151.234 ns2.rapidshare.com
O1 - Hosts: 80.239.151.250 pay.rapidshare.com
O1 - Hosts: 80.239.151.240 rem1.rapidshare.com
O1 - Hosts: 82.129.39.2 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.3 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.4 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.5 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.6 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.7 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.8 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.9 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.10 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.11 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.12 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.13 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.14 rs0cg.rapidshare.com
O1 - Hosts: 82.129.39.15 rs0cg.rapidshare.com
O1 - Hosts: 82.129.35.2 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.3 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.4 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.5 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.6 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.7 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.8 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.9 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.10 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.11 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.12 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.13 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.14 rs0cg2.rapidshare.com
O1 - Hosts: 82.129.35.15 rs0cg2.rapidshare.com
O1 - Hosts: 80.152.62.2 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.3 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.4 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.5 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.6 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.7 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.8 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.9 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.10 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.11 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.12 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.13 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.14 rs0dt.rapidshare.com
O1 - Hosts: 80.152.62.15 rs0dt.rapidshare.com
O1 - Hosts: 64.215.245.2 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.3 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.4 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.5 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.6 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.7 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.8 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.9 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.10 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.11 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.12 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.13 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.14 rs0gc.rapidshare.com
O1 - Hosts: 64.215.245.15 rs0gc.rapidshare.com
O1 - Hosts: 207.138.168.2 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.3 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.4 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.5 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.6 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.7 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.8 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.9 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.10 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.11 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.12 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.13 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.14 rs0gc2.rapidshare.com
O1 - Hosts: 207.138.168.15 rs0gc2.rapidshare.com
O1 - Hosts: 80.239.151.2 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.3 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.4 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.5 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.6 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.7 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.8 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.9 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.10 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.11 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.12 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.13 rs0l3.rapidshare.com
O1 - Hosts: 80.239.151.14 rs0l3.rapidshare.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {23bb667b-d70f-791b-8c94-2a42a2f7c743} - {347c7f2a-24a2-49c8-b197-f07db766bb32} - C:\WINDOWS\system32\sstdsbfb.dll
O2 - BHO: (no name) - {39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F2789578-501E-4C76-8D3F-27D73A59E9C1} - C:\WINDOWS\system32\esunpmkd.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [j3271830] rundll32 C:\WINDOWS\system32\j3271830.dll sook
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [rceatidum] c:\windows\system32\rceatidum.exe rceatidum
O4 - HKLM\..\Run: [886bea6d] rundll32.exe "C:\WINDOWS\system32\kuncfggg.dll",b
O4 - HKLM\..\Run: [BM8b58d9f1] Rundll32.exe "C:\WINDOWS\system32\tgryjfwg.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O20 - Winlogon Notify: tuvvwvu - tuvvwvu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 13266 bytes

 

[random/random]

Right click here and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

 

[methtical]

question about combofix

Random/Random, do I need to follow all the suggestions on that link before running ComboFix such as installing Windows Recovery Console? I ask this because i've read some other similar threads where the security helper just instructs to download ComboFix and run it and post the resulting log. Can I run the ComboFix without installing the Windows Recovery Console? Thanks

 

[random/random]

I recommend that you do install the recovery console, since it makes it much easier to recover your PC if it unable to boot.

Having said that, as far as I know, none of my advice has ever caused a PC to become unbootable.

 

[methtical]

ComboFix Log

alright, I've installed the Windows Recovery Console as you've recommended. Here's the ComfoFix log:

ComboFix 08-03-03.6 - Blazin Azian 2008-03-02 14:57:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\w.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abaojcsg.dll
C:\WINDOWS\system32\abbuikpj.dll
C:\WINDOWS\system32\agqwdovl.dll
C:\WINDOWS\system32\aitkpynu.dll
C:\WINDOWS\system32\ajgjlahq.dll
C:\WINDOWS\system32\akxsitcl.dll
C:\WINDOWS\SYSTEM32\avwgtovl.ini
C:\WINDOWS\system32\bbmblqqj.dll
C:\WINDOWS\SYSTEM32\bloigjvs.ini
C:\WINDOWS\SYSTEM32\btufaubi.ini
C:\WINDOWS\system32\bucqobbj.dll
C:\WINDOWS\system32\cauaclwd.dll
C:\WINDOWS\SYSTEM32\cqduhxyi.ini
C:\WINDOWS\SYSTEM32\cxovqwdh.ini
C:\WINDOWS\system32\djbkyiyd.dll
C:\WINDOWS\system32\dloeursp.dll
C:\WINDOWS\system32\dlrdwmcx.dll
C:\WINDOWS\system32\dwcrrcqj.dll
C:\WINDOWS\SYSTEM32\dyiykbjd.ini
C:\WINDOWS\system32\ebjymykk.dll
C:\WINDOWS\system32\erjmardb.dll
C:\WINDOWS\system32\esunpmkd.dll
C:\WINDOWS\system32\euhgedry.dll
C:\WINDOWS\system32\fdtbslpa.dll
C:\WINDOWS\SYSTEM32\feimjyvv.ini
C:\WINDOWS\system32\fglgsklf.dll
C:\WINDOWS\system32\fgnldhdr.dll
C:\WINDOWS\system32\fhomacfr.dll
C:\WINDOWS\SYSTEM32\flksglgf.ini
C:\WINDOWS\system32\fpnucyyh.dll
C:\WINDOWS\system32\fpphgfrf.dll
C:\WINDOWS\SYSTEM32\fqnwsoim.ini
C:\WINDOWS\system32\fsfgikef.dll
C:\WINDOWS\system32\fvbtkrxh.dll
C:\WINDOWS\system32\gbwopxhe.dll
C:\WINDOWS\system32\gghfyyah.dll
C:\WINDOWS\SYSTEM32\glwrxovv.ini
C:\WINDOWS\system32\gpywehwe.dll
C:\WINDOWS\SYSTEM32\gscjoaba.ini
C:\WINDOWS\system32\gydbndvh.dll
C:\WINDOWS\system32\hcgmxqon.dll
C:\WINDOWS\SYSTEM32\hckyogkl.ini
C:\WINDOWS\system32\hdwqvoxc.dll
C:\WINDOWS\system32\hgjycbrl.dll
C:\WINDOWS\system32\hmcdphwf.dll
C:\WINDOWS\system32\ibuafutb.dll
C:\WINDOWS\system32\ijtaebiw.dll
C:\WINDOWS\SYSTEM32\ikgrquoi.ini
C:\WINDOWS\system32\iouqrgki.dll
C:\WINDOWS\system32\iseunrip.dll
C:\WINDOWS\SYSTEM32\iwujbreq.ini
C:\WINDOWS\system32\iyxhudqc.dll
C:\WINDOWS\system32\j3271830.dll
C:\WINDOWS\SYSTEM32\jbboqcub.ini
C:\WINDOWS\system32\jmotpfhs.dll
C:\WINDOWS\system32\kamwgsbd.dll
C:\WINDOWS\system32\kawcdrym.dll
C:\WINDOWS\SYSTEM32\kjllm.bak1
C:\WINDOWS\SYSTEM32\kjllm.bak2
C:\WINDOWS\SYSTEM32\kjllm.ini
C:\WINDOWS\SYSTEM32\kjllm.ini2
C:\WINDOWS\SYSTEM32\kjllm.tmp
C:\WINDOWS\system32\kovuaxxj.dll
C:\WINDOWS\SYSTEM32\lctisxka.ini
C:\WINDOWS\system32\lkgoykch.dll
C:\WINDOWS\SYSTEM32\lrbcyjgh.ini
C:\WINDOWS\system32\lucwmaok.dll
C:\WINDOWS\SYSTEM32\lvodwqga.ini
C:\WINDOWS\system32\lvotgwva.dll
C:\WINDOWS\system32\lyquvsyn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mioswnqf.dll
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\mudsmuoe.dll
C:\WINDOWS\SYSTEM32\muwyvebt.ini
C:\WINDOWS\system32\nduglwxe.dll
C:\WINDOWS\SYSTEM32\nkbxvjax.ini
C:\WINDOWS\SYSTEM32\noqxmgch.ini
C:\WINDOWS\system32\obviboxm.dll
C:\WINDOWS\system32\osuheuyn.dll
C:\WINDOWS\system32\pgoiuyfw.dll
C:\WINDOWS\system32\puclgkjy.dll
C:\WINDOWS\system32\pvmvlhkb.dll
C:\WINDOWS\system32\pywtlmtu.dll
C:\WINDOWS\system32\qerbjuwi.dll
C:\WINDOWS\system32\qmmcbmou.dll
C:\WINDOWS\SYSTEM32\qqkiklpu.ini
C:\WINDOWS\system32\rfgpbgqd.dll
C:\WINDOWS\system32\rodqdlyc.dll
C:\WINDOWS\system32\roguxufu.dll
C:\WINDOWS\system32\rspsguax.dll
C:\WINDOWS\system32\sosrdfch.dll
C:\WINDOWS\system32\sstdsbfb.dll
C:\WINDOWS\system32\stxrtoni.dll
C:\WINDOWS\system32\svjgiolb.dll
C:\WINDOWS\system32\tbevywum.dll
C:\WINDOWS\system32\tgryjfwg.dll
C:\WINDOWS\system32\tirqsxoo.dll
C:\WINDOWS\system32\tjthorcr.dll
C:\WINDOWS\system32\tuccrkst.dll
C:\WINDOWS\system32\tuouxkuq.dll
C:\WINDOWS\system32\ugydocfd.dll
C:\WINDOWS\system32\uibfuark.dll
C:\WINDOWS\system32\uiihyzg.dat
C:\WINDOWS\system32\uiihyzg_nav.dat
C:\WINDOWS\system32\uiihyzg_navps.dat
C:\WINDOWS\system32\uiiwebcs.dll
C:\WINDOWS\system32\ukdxosne.dll
C:\WINDOWS\SYSTEM32\unypktia.ini
C:\WINDOWS\SYSTEM32\uombcmmq.ini
C:\WINDOWS\system32\uplkikqq.dll
C:\WINDOWS\system32\uttfudns.dll
C:\WINDOWS\system32\vahtiqcl.dll
C:\WINDOWS\system32\vaxliluj.dll
C:\WINDOWS\system32\vekecdph.dll
C:\WINDOWS\system32\vvoxrwlg.dll
C:\WINDOWS\system32\vvyjmief.dll
C:\WINDOWS\SYSTEM32\wfyuiogp.ini
C:\WINDOWS\SYSTEM32\wgkkaqdx.ini
C:\WINDOWS\system32\wgmpdepl.dll
C:\WINDOWS\system32\wkjwhthy.dll
C:\WINDOWS\system32\wsaesxmr.dll
C:\WINDOWS\system32\xajvxbkn.dll
C:\WINDOWS\SYSTEM32\xaugspsr.ini
C:\WINDOWS\system32\xcuprayg.dll
C:\WINDOWS\system32\xdqakkgw.dll
C:\WINDOWS\system32\xxxgipik.dll
C:\WINDOWS\system32\ygaqfnyi.dll
C:\WINDOWS\system32\yjsuvqnv.dll
C:\WINDOWS\system32\ymbpkkaf.dll
C:\WINDOWS\system32\yxpukfwp.dll
C:\WINDOWS\system32\yykjvvim.dll
C:\WINDOWS\system32\zjxxwe.dat
C:\WINDOWS\system32\zjxxwe.exe
C:\WINDOWS\system32\zjxxwe_nav.dat
C:\WINDOWS\system32\zjxxwe_navps.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-02-27 12:52 . 2008-02-27 14:14 1,418 ---hs---- C:\WINDOWS\SYSTEM32\gggfcnuk.ini
2008-02-27 11:45 . 2008-02-27 12:46 1,298 --ahs---- C:\WINDOWS\SYSTEM32\nkrdouqq.ini
2008-02-27 09:50 . 2008-02-27 11:40 1,178 --ahs---- C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
2008-02-26 22:31 . 2008-02-26 22:53 594 --ahs---- C:\WINDOWS\SYSTEM32\krppxeha.ini
2008-02-26 21:21 . 2008-02-26 22:29 474 --ahs---- C:\WINDOWS\SYSTEM32\nucsjukr.ini
2008-02-26 18:38 . 2008-02-26 21:15 354 --ahs---- C:\WINDOWS\SYSTEM32\iyjymtpq.ini
2008-02-26 18:32 . 2008-03-03 14:57 21 --a------ C:\WINDOWS\pskt.ini
2008-02-26 10:18 . 2008-03-03 14:57 99,338 --a------ C:\WINDOWS\BM8b58d9f1.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2008-01-03 07:45 --------- d-----w C:\Program Files\Zoom Player
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46}]
C:\WINDOWS\system32\mlljk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"886bea6d"="C:\WINDOWS\system32\kuncfggg.dll" [ ]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
C:\WINDOWS\system32\mlljk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
pjvytjfd.dll 2006-09-11 17:02 188436 C:\WINDOWS\SYSTEM32\pjvytjfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvwvu]
tuvvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\WINDOWS\system32\lunckyrw.exe"= C:\WINDOWS\system32\lun
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*isabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*isabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCPort
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 15:05:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pjvytjfd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2008-03-03 15:12:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 22:12:33
.
2008-02-28 22:01:43 --- E O F ---

 

[methtical]

new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:33 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [886bea6d] rundll32.exe "C:\WINDOWS\system32\kuncfggg.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O20 - Winlogon Notify: tuvvwvu - tuvvwvu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 8014 bytes

 

[random/random]

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 .
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.

You are running a P2P filesharing programme.

• Many of these programmes come with unwanted components bundled with them.
• If you wish to find out whether the one you're using does click here.

Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you uninstall it.

From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.

I would advise you to go to Add/Remove programs and uninstall your poker programs.

A list of known bad poker sites can be found here:

http://forum.malwareremoval.com/viewtopic.php?t=23145

Please note that just because a poker site is not listed on the above list, that doesn't mean that it's not bad

• Open a new notepad window (Start>All programs>accessories>notepad)
• Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
  

  File::
  C:\WINDOWS\SYSTEM32\gggfcnuk.ini
  C:\WINDOWS\SYSTEM32\nkrdouqq.ini
  C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
  C:\WINDOWS\SYSTEM32\krppxeha.ini
  C:\WINDOWS\SYSTEM32\nucsjukr.ini
  C:\WINDOWS\SYSTEM32\iyjymtpq.ini
  C:\WINDOWS\pskt.ini
  C:\WINDOWS\BM8b58d9f1.xml
  C:\WINDOWS\SYSTEM32\pjvytjfd.dll
  Registry::
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39E3C444-84B7-4DE6-A49E-AFD3D6FC3D46}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "886bea6d"=-
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvwvu]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
  C:\Program Files\Save\Save.exe
  Folder::
  C:\Program Files\Save

• Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
• Save it to the desktop as CFscript.txt
• Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  
  
• When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
  Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

[methtical]

new ComboFix Log

- I've updated to latest JRE 6
- I've decided to keep p2p program UTorrent as it's in the list of "safe" programs, but I will be very cautious of what i download
- I've uninstalled Poker Stars program

ComboFix 08-03-03.6 - Blazin Azian 2008-03-04 16:15:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM8b58d9f1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
C:\WINDOWS\SYSTEM32\gggfcnuk.ini
C:\WINDOWS\SYSTEM32\iyjymtpq.ini
C:\WINDOWS\SYSTEM32\krppxeha.ini
C:\WINDOWS\SYSTEM32\nkrdouqq.ini
C:\WINDOWS\SYSTEM32\nucsjukr.ini
C:\WINDOWS\SYSTEM32\pjvytjfd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8b58d9f1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\fbjsdfqd.ini
C:\WINDOWS\SYSTEM32\gggfcnuk.ini
C:\WINDOWS\SYSTEM32\iyjymtpq.ini
C:\WINDOWS\SYSTEM32\krppxeha.ini
C:\WINDOWS\SYSTEM32\nkrdouqq.ini
C:\WINDOWS\SYSTEM32\nucsjukr.ini
C:\WINDOWS\SYSTEM32\pjvytjfd.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
pjvytjfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\WINDOWS\system32\lunckyrw.exe"= C:\WINDOWS\system32\lun
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*isabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*isabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCPort
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 16:23:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pjvytjfd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-04 16:30:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 23:30:02
ComboFix2.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---

 

[methtical]

new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:45 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: pjvytjfd - pjvytjfd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7349 bytes

 

[random/random]

• Open a new notepad window (Start>All programs>accessories>notepad)
• Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
  

  Registry::
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "C:\WINDOWS\system32\lunckyrw.exe"=-
  File::
  C:\WINDOWS\system32\pjvytjfd.dll

• Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
• Save it to the desktop as CFscript.txt
• Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  
  
• When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
  Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

[methtical]

new ComboFix log

ComboFix 08-03-03.6 - Blazin Azian 2008-03-05 10:23:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\pjvytjfd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pjvytjfd.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
pjvytjfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\WINDOWS\system32\lunckyrw.exe"= C:\WINDOWS\system32\lun
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*isabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*isabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCPort
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 10:30:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pjvytjfd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-05 10:36:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 17:36:53
ComboFix2.txt 2008-03-04 23:30:06
ComboFix3.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---

 

[methtical]

new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:25 AM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: pjvytjfd - pjvytjfd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7304 bytes

 

[random/random]

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 

[methtical]

SDFix Report.txt

SDFix: Version 1.152

Run by Blazin Azian on Tue 03/04/2008 at 12:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 12:29:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:cd,79,fc,68,4a,5e,22,36,b0,cf,30,68,f0,9d,bb,be,26,c9,5c,2a,26,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,9c,06,f9,34,ed,ca,f3,9e,3c,29,ce,3e,c0,93,0d,2e,f2,..
"khjeh"=hex:df,fe,a4,c4,ce,30,81,fe,16,73,18,25,9d,8f,a2,de,3d,29,6b,0f,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,60,be,14,49,4d,42,3b,8b,6f,6e,59,f2,d3,fc,e7,00,fd,fd,b0,f7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:cd,79,fc,68,4a,5e,22,36,b0,cf,30,68,f0,9d,bb,be,26,c9,5c,2a,26,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,9c,06,f9,34,ed,ca,f3,9e,3c,29,ce,3e,c0,93,0d,2e,f2,..
"khjeh"=hex:df,fe,a4,c4,ce,30,81,fe,16,73,18,25,9d,8f,a2,de,3d,29,6b,0f,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,60,be,14,49,4d,42,3b,8b,6f,6e,59,f2,d3,fc,e7,00,fd,fd,b0,f7,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\lunckyrw.exe"="C:\\WINDOWS\\system32\\lun"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Sat 10 Nov 2007 48 ..SH. --- "C:\WINDOWS\S029AB104.tmp"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 30 Nov 2006 1,638,498 A.SH. --- "C:\WINDOWS\Fonts\dcmpft.tmp"
Sun 15 Apr 2007 1,634,913 A.SH. --- "C:\WINDOWS\SYSTEM32\agkrogmv.tmp"
Thu 19 Jan 2006 423,995 A.SH. --- "C:\WINDOWS\SYSTEM32\ttutv.tmp"
Mon 20 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT6.tmp"
Tue 22 Feb 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 22 Feb 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 2 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 2 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

 

[methtical]

new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:59 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835E94F7-0AB0-45F6-A9FA-587A9AC86788}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: pjvytjfd - C:\WINDOWS\SYSTEM32\pjvytjfd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7355 bytes

 

[random/random]

• Open a new notepad window (Start>All programs>accessories>notepad)
• Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
  

  File::
  C:\WINDOWS\Fonts\dcmpft.tmp
  C:\WINDOWS\SYSTEM32\agkrogmv.tmp
  C:\WINDOWS\SYSTEM32\ttutv.tmp
  Registry::
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pjvytjfd]
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "C:\\WINDOWS\\system32\\lunckyrw.exe"=-
  Rootkit::
  C:\WINDOWS\SYSTEM32\pjvytjfd.dll

• Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
• Save it to the desktop as CFscript.txt
• Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  
  
• When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
  Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

[methtical]

new ComboFix Log

ComboFix 08-03-03.6 - Blazin Azian 2008-03-04 13:55:19.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.230 [GMT -7:00]
Running from: C:\Documents and Settings\Blazin Azian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blazin Azian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Fonts\dcmpft.tmp
C:\WINDOWS\SYSTEM32\agkrogmv.tmp
C:\WINDOWS\SYSTEM32\ttutv.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\dcmpft.tmp
C:\WINDOWS\SYSTEM32\agkrogmv.tmp
C:\WINDOWS\SYSTEM32\pjvytjfd.dll
C:\WINDOWS\SYSTEM32\ttutv.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 15:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-04 12:16 . 2008-03-04 12:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-04 12:07 . 2008-03-04 12:36 <DIR> d----c--- C:\SDFix
2008-03-02 14:49 . 2004-08-04 04:00 388,608 --a------ C:\CF16.exe
2008-02-28 22:51 . 2008-02-28 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-28 17:32 . 2008-02-28 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:59 --------- d-----w C:\Program Files\Java
2008-03-04 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 20:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-27 20:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 16:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-27 16:30 --------- d-----w C:\Program Files\Google
2008-02-27 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\1ClickDVDCopy
2008-02-15 23:15 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\CopyToDvd
2008-02-09 21:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 17:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2008-01-17 21:54 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\AdobeUM
2008-01-17 01:22 --------- d-----w C:\Documents and Settings\Blazin Azian\Application Data\uTorrent
2007-07-07 17:24 60,816,768 ----a-w C:\Program Files\setpoint400.exe
2007-04-18 21:30 1,806,232 ----a-w C:\Program Files\daemon-4091-x86.exe
2006-08-18 03:48 52,664 ----a-w C:\Documents and Settings\Blazin Azian\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 10:51 1600448]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-26 22:48 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 00:20 372736]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-27 15:02 339968 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22 35328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-07 10:26:56 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23609:TCP"= 23609:TCP:*isabled:BitComet 23609 TCP
"23609:UDP"= 23609:UDP:*isabled:BitComet 23609 UDP
"54201:TCP"= 54201:TCPort
"54231:TCP"= 54231:TCP:azureus port


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 14:02:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-04 14:08:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 21:08:41
ComboFix2.txt 2008-03-05 17:36:57
ComboFix3.txt 2008-03-04 23:30:06
ComboFix4.txt 2008-03-03 22:12:37
.
2008-02-28 22:01:43 --- E O F ---