something in my system 32, creating pop ups

This is one of the hardest infections to remove that I have come across in quite a while.

Remove this entry with HJT.
O4 - HKLM\..\Run: [F7F4FBF8FBFDF903F] B1AEB5B2B5B7B3B.exe

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to Delete:
C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll
C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe
C:\Temp\liHco0109.exe
Folders to delete:
C:\Program Files\Yahoo!
C:\Program Files\Yahoo!
C:\Program Files\Zango Programs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply



Then run Combofix again and let's see if they're gone.


Post the Avenger log, the Combofix log and a New HJT log please
 
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\awwhbgji

*******************

Script file located at: \??\C:\ftkxbsnm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll not found!
Deletion of file C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll failed!

Could not process line:
C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll
Status: 0xc0000034



File C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe not found!
Deletion of file C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe failed!

Could not process line:
C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe
Status: 0xc0000034

File C:\Temp\liHco0109.exe deleted successfully.
Folder C:\Program Files\Yahoo! deleted successfully.


Folder C:\Program Files\Yahoo! not found!
Deletion of folder C:\Program Files\Yahoo! failed!

Could not process line:
C:\Program Files\Yahoo!
Status: 0xc0000034

Folder C:\Program Files\Zango Programs deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bhhphabc

*******************

Script file located at: \??\C:\Documents and Settings\eqxwtidr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll not found!
Deletion of file C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll failed!

Could not process line:
C:\Documents and Settings\Owner\Local Settings\Temp\mst455101.exe.dll
Status: 0xc0000034



File C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe not found!
Deletion of file C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe failed!

Could not process line:
C:\WINDOWS\system32\B1AEB5B2B5B7B3B.exe
Status: 0xc0000034



File C:\Temp\liHco0109.exe not found!
Deletion of file C:\Temp\liHco0109.exe failed!

Could not process line:
C:\Temp\liHco0109.exe
Status: 0xc0000034



Folder C:\Program Files\Yahoo! not found!
Deletion of folder C:\Program Files\Yahoo! failed!

Could not process line:
C:\Program Files\Yahoo!
Status: 0xc0000034



Folder C:\Program Files\Yahoo! not found!
Deletion of folder C:\Program Files\Yahoo! failed!

Could not process line:
C:\Program Files\Yahoo!
Status: 0xc0000034



Folder C:\Program Files\Zango Programs not found!
Deletion of folder C:\Program Files\Zango Programs failed!

Could not process line:
C:\Program Files\Zango Programs
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:02:56 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kim\Desktop\hijack this and other spyware stuff\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8106 bytes
 
ComboFix 08-01-23.1C - Kim 2008-01-24 20:03:27.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -5:00]
Running from: C:\Documents and Settings\Kim\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 18:49 . 2008-01-24 18:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-24 00:21 . 2008-01-24 00:21 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-23 23:32 . 2008-01-23 23:43 <DIR> d-------- C:\Program Files\RegCure
2008-01-23 22:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-01-23 22:52 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-01-23 22:40 . 2008-01-23 22:40 <DIR> d-------- C:\WINDOWS\system32\AEABB2AFB2B4B0B
2008-01-23 21:34 . 2008-01-23 21:34 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-23 21:31 . 2008-01-23 21:31 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-23 21:31 . 2008-01-23 21:31 <DIR> d-------- C:\temp\cXzz9
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Program Files\Google
2008-01-23 10:43 . 2008-01-23 10:43 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-01-23 10:26 . 2008-01-23 10:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-22 22:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:18 . 2008-01-22 22:18 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-22 14:42 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-01-17 16:48 . 2007-07-09 08:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-17 16:42 . 2008-01-17 16:42 <DIR> d-------- C:\Deckard
2008-01-17 16:00 . 2008-01-23 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-17 15:18 . 2008-01-17 15:18 164 --a------ C:\install.dat
2008-01-15 08:50 . 2008-01-15 08:50 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-01-11 18:42 . 2008-01-11 18:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-11 18:42 . 2008-01-11 18:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 13:31 . 2006-04-04 15:45 2,400,648 --a------ C:\WINDOWS\system32\madiousb.dll
2008-01-11 13:31 . 2006-04-04 14:42 186,368 --a------ C:\WINDOWS\system32\M-AudioFastTrackControlPanelApplet.cpl
2008-01-11 13:31 . 2006-04-04 14:42 106,112 --a------ C:\WINDOWS\system32\drivers\mausbft.sys
2008-01-11 13:31 . 2006-04-04 14:42 19,456 --a------ C:\WINDOWS\system32\mausbasio.dll
2008-01-11 13:30 . 2008-01-11 13:30 <DIR> d-------- C:\Program Files\M-Audio Fast Track USB
2008-01-10 20:15 . 2008-01-15 08:44 483,328 --a------ C:\WINDOWS\system32\hphmon05.exe
2008-01-10 20:15 . 2008-01-15 08:44 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-10 20:15 . 2008-01-15 08:44 118,784 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-10 20:15 . 2008-01-11 13:21 99,840 --a------ C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
2008-01-10 20:15 . 2008-01-12 03:26 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
2008-01-10 18:46 . 2008-01-10 18:46 337,408 --a------ C:\WINDOWS\system32\RCX148.tmp
2008-01-10 15:41 . 2008-01-10 15:41 337,408 --a------ C:\WINDOWS\system32\RCX135.tmp
2008-01-10 11:14 . 2008-01-12 03:39 181 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\ob3
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\temp\Ryuan1
2008-01-06 14:30 . 2004-08-04 00:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-06 14:30 . 2004-08-04 00:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-05 16:49 . 2007-01-31 10:58 6,246 --a------ C:\WINDOWS\atty.ico
2008-01-05 16:48 . 2008-01-05 16:48 <DIR> d-------- C:\WINDOWS\Motive
2008-01-05 16:48 . 2008-01-07 19:46 <DIR> d-------- C:\Program Files\SBC Self Support Tool
2008-01-05 16:48 . 2008-01-07 19:46 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-01-05 16:48 . 2005-05-10 01:36 81,920 --a------ C:\WINDOWS\system32\W32n50.dll
2008-01-05 16:48 . 2005-05-10 01:36 17,162 --a------ C:\WINDOWS\system32\Pcandis5.sys
2008-01-05 16:48 . 2005-05-10 01:36 16,848 --a------ C:\WINDOWS\system32\Pcandis4.sys
2008-01-05 16:48 . 2005-05-10 01:36 16,073 --a------ C:\WINDOWS\system32\Pcandis3.vxd
2008-01-05 16:30 . 2008-01-05 16:30 <DIR> d-------- C:\Program Files\BroadJump
2008-01-05 16:13 . 2001-01-12 16:09 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-01-05 16:13 . 2001-01-12 18:04 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-01-05 16:13 . 2001-01-12 18:04 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-01-05 16:13 . 2001-01-12 18:04 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-01-05 16:13 . 2001-01-12 16:27 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-01-05 16:13 . 2001-01-12 16:10 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-01-05 16:08 . 2007-01-31 10:58 266,240 --------- C:\WINDOWS\SBCDSL.exe
2008-01-05 16:08 . 2007-01-31 10:58 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 05:23 --------- d-----w C:\Program Files\MSN Messenger
2008-01-23 15:24 --------- d-----w C:\Program Files\WildTangent
2008-01-23 15:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-11 18:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 16:14 498,176 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
2008-01-09 16:17 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-06 19:32 --------- d-----w C:\Program Files\M-Audio
2008-01-05 21:13 155,995 ----a-w C:\WINDOWS\Java\Packages\KLFVT75N.ZIP
2007-12-19 13:24 --------- d-----w C:\Program Files\FreeSolitaire
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot_2008-01-24_19.05.26.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-25 00:59:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [ ]
"NVIEW"="nview.dll" [2003-08-19 04:56 852038 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 20:47 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-15 08:44 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-15 08:44 118784]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2008-01-15 08:44 483328]
"VTTimer"="VTTimer.exe" [2003-05-08 01:32 36864 C:\WINDOWS\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
"NetscapeClient"="" []
"nwiz"="nwiz.exe" [2003-08-19 04:56 323584 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 13:28 29696 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"RegistryMechanic"="" []
"YPC"="C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 20:47 8720384]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52 53248]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-15 16:48:46 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-01-07 14:56:00 581632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2008-01-22 14:30 24576 c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2004-10-21 13:28 29696 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
--a------ 2008-01-11 13:21 99840 C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 20:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-08-19 04:56 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-19 19:13 98304 C:\Program Files\QuickTime\qttask.exe

S1 ati1xbxxx;ati1xbxxx;C:\WINDOWS\system32\drivers\ati1xbxxx.sys []
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 04:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 04:15]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 DzlUsb;Dazzle DVC USB Device;C:\WINDOWS\system32\DRIVERS\DzlUsb.sys [1999-09-17 11:28]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys [2006-04-04 14:42]

.
Contents of the 'Scheduled Tasks' folder
"2006-10-04 22:22:46 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-01-24 22:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-24 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 20:07:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2008-01-24 20:08:53
ComboFix-quarantined-files.txt 2008-01-25 01:08:50
ComboFix2.txt 2008-01-25 00:05:51
ComboFix3.txt 2008-01-24 16:45:31
ComboFix4.txt 2008-01-23 22:25:55
ComboFix5.txt 2008-01-23 19:21:05
.
2008-01-22 09:02:07 --- E O F ---
 
Also, when I tried to do the Kaspersky it wouldn't work; the last line it gave was:
Update process FAILED. No further antivirus actions can be performed!

And thank you so much for all the help you're giving, it would have taken me months to figure this out on my own.
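The entries singled out in this thread (the HKLM Run value with the hex-looking name and target, the "(file missing)" leftovers in the HJT log, and the cluster of new directories under system32 and temp in ComboFix's "Files Created" section) can be triaged mechanically before a human reads the full log. The script below is an added example written for this page; it is not a tool from the thread, nor from the HijackThis or ComboFix authors. Its heuristics (a name whose stem is a long hex run or has no vowel, several directories created in the same minute, an autorun pointing at a missing file) are assumptions about what merits manual review, not verdicts, and the sample lines are a hand-picked excerpt in the two log formats quoted above.

```python
import re
from collections import defaultdict

# Hand-picked excerpt in the HijackThis (HJT) log format quoted in the thread; not the full log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [F7F4FBF8FBFDF903F] B1AEB5B2B5B7B3B.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
"""

# Hand-picked excerpt in the ComboFix "Files Created" format quoted in the thread; not the full log.
COMBOFIX_SAMPLE = r"""
2008-01-23 22:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-01-23 22:40 . 2008-01-23 22:40 <DIR> d-------- C:\WINDOWS\system32\AEABB2AFB2B4B0B
2008-01-23 21:31 . 2008-01-23 21:31 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-23 21:31 . 2008-01-23 21:31 <DIR> d-------- C:\temp\cXzz9
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Program Files\Google
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\WINDOWS\system32\ob3
2008-01-10 01:41 . 2008-01-10 01:41 <DIR> d-------- C:\temp\Ryuan1
"""

# HJT: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# ComboFix: "<created> . <modified> <size or <DIR>> <attributes> <path>"
CF_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

def looks_random(name):
    """Heuristic assumed by this example: a stem that is a run of 10+ hex digits,
    or has 6+ letters/digits and no vowel, looks machine-generated. Review candidate only."""
    stem = name.rsplit("\\", 1)[-1]
    stem = stem.rsplit(".", 1)[0] if "." in stem else stem
    if re.fullmatch(r"[0-9A-Fa-f]{10,}", stem):
        return True
    alnum = re.sub(r"[^A-Za-z0-9]", "", stem)
    return len(alnum) >= 6 and re.search(r"[aeiouAEIOU]", alnum) is None

def first_token(command_line):
    """Executable part of a Run value: the quoted path if quoted, else the first word."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line[1:].split('"', 1)[0]
    return command_line.split()[0] if command_line else ""

def triage_hjt(text):
    """Return (line, reason) pairs for HJT lines a reviewer should look at."""
    findings = []
    for line in text.strip().splitlines():
        if "(file missing)" in line:
            findings.append((line, "target no longer exists: orphaned entry"))
        m = O4_RE.match(line)
        if not m:
            continue  # only bracketed O4 Run values are handled here
        exe = first_token(m.group("target"))
        if looks_random(m.group("name")) or looks_random(exe):
            findings.append((line, "machine-looking name in an autorun entry"))
        elif "\\" not in exe:
            findings.append((line, "bare filename: resolved via PATH, confirm the real location"))
    return findings

def parse_combofix(text):
    """Parse ComboFix 'Files Created' lines into dicts; lines in other formats are skipped."""
    return [m.groupdict() for m in map(CF_RE.match, text.strip().splitlines()) if m]

def triage_combofix(text):
    """Flag new directories under system32 or a temp folder whose name looks
    machine-generated, or that appeared in the same minute as other new directories."""
    watched = ("\\windows\\system32\\", "\\temp\\")
    dirs = [r for r in parse_combofix(text)
            if r["size"] == "<DIR>" and any(w in r["path"].lower() for w in watched)]
    by_minute = defaultdict(list)  # creation minute -> paths created then
    for r in dirs:
        by_minute[r["created"]].append(r["path"])
    findings = []
    for r in dirs:
        reasons = []
        if looks_random(r["path"]):
            reasons.append("machine-looking directory name")
        siblings = len(by_minute[r["created"]]) - 1
        if siblings:
            reasons.append("created in the same minute as %d other new dir(s)" % siblings)
        if reasons:
            findings.append((r["path"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for line, reason in triage_hjt(HJT_SAMPLE):
        print("HJT ", reason, "->", line)
    for path, reason in triage_combofix(COMBOFIX_SAMPLE):
        print("CFix", reason, "->", path)
```

Run against the two samples it flags the hex-named Run value, the orphaned Yahoo! BHO, the bare `LTMSG.exe` entry (legitimate here, but HJT cannot show where it resolves), and the six new directories; short names such as `cXzz9` are caught only by the same-minute rule, which is why the burst check is kept alongside the name heuristic.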
 
Nelson,

It looks like we got it, it's gone from Combofix and your HJT log looks fine :bigthumb:

You can go ahead and download and install any Yahoo software you like.

How are things running now???
 
Well, everything seems to be working fine, except when I reinstalled Yahoo Messenger it installed, but when I try to open Messenger it still says the same thing:

CoCreateInstance for the MyYahoo DLL failed!

I'm not sure what that means.
 
Hello,

Run this system cleaner, it's a free program and I run it on my systems about once a week or so.

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


Some info about your Yahoo problem.

http://www.ntcompatible.com/CoCreateInstance_for_my_yahoo_DLL_failed_t29034.html

http://help.yahoo.com/help/in/mesg/twin/twin-42.html

http://help.yahoo.com/l/us/yahoo/messenger/messenger8/messenger/index.html


You can post in their forum.
http://forums.digitalpoint.com/forumdisplay.php?f=6



Malware Complaints
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.5
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0.0.6 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
  • Zone Alarm Here is a free Firewall from Zone Labs

Glad we could help

Safe Surfn
Ken
 
OK, so everything is working fine now including Yahoo Messenger (I just had to install an older version).
thank you so much for your time and help.

-David :cowboy:
 