Virtumonde, please help!

J

jockereh

New member
Hey all, i got this problem a few hours ago and tried to solve it for a time now but i can't do it! I don't know how! Explorer.exe reboots all the time.. Well, i guess you know the problem :)

1. Hijackthis log
2. Kaspersky memory log
3. I'dbereallyhappyifyoucouldhelpme

1.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:25, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\SCardSvr.exe
C:\Program\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\windows\System32\alg.exe
C:\windows\system32\WgaTray.exe
C:\Program\Eset\nod32kui.exe
C:\windows\CTHELPER.EXE
C:\windows\system32\RUNDLL32.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program\uTorrent\uTorrent.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\ESET\nod32.exe
C:\Program\Trend Micro\HijackThis\HijaThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.235.64.182:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 65.25.53.152 nprotect.battlelands.net
O1 - Hosts: 91.121.13.46 nprotect.ryl.com.my
O2 - BHO: (no name) - {04EEC742-52AB-43FB-BA82-39765A95194F} - C:\windows\system32\awtttsqQ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\windows\system32\xXPgeEut.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA724] command /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7978] cmd /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8365] command /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9281] cmd /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Client Default.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: xXPgeEut - C:\windows\SYSTEM32\xXPgeEut.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

--
End of file - 7239 bytes

xXPgeEut.dll evil thing! :devil:

2.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 01, 2008 12:47:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 656168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
Total number of scanned objects: 1570
Number of viruses found: 1
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:00:30

Infected Object Name / Virus Name / Last Action
[0] [System Process] => C:\windows\system32\xXPgeEut.dll Infected: Packed.Win32.Monder.gen skipped
[680] winlogon.exe => C:\windows\system32\xXPgeEut.dll Infected: Packed.Win32.Monder.gen skipped
[2712] firefox.exe => C:\windows\system32\xXPgeEut.dll Infected: Packed.Win32.Monder.gen skipped
[3608] SpyHunter3.exe => C:\windows\system32\xXPgeEut.dll Infected: Packed.Win32.Monder.gen skipped
[704] IEXPLORE.EXE => C:\windows\system32\xXPgeEut.dll Infected: Packed.Win32.Monder.gen skipped

Scan process completed.


3. I'd be really happy if you could help me, thanks in advance!
Best regards, Jockereh
 
Posting another Kaspersky report on c:/windows

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 01, 2008 1:07:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 656168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\WINDOWS\

Scan Statistics:
Total number of scanned objects: 19460
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:12:15

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\awtttsqQ.dll_old Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\server.exe Infected: Trojan-Spy.Win32.Delf.jq skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xXPgeEut.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\wdqnd.dll Infected: Trojan-Spy.Win32.Delf.jq skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000003-00000000-00000006-00001102-00000004-20051102}.CDF Object is locked skipped

Scan process completed.
 
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    [kill explorer]
C:\WINDOWS\system32\awtttsqQ.dll_old 
C:\WINDOWS\system32\server.exe
C:\WINDOWS\system32\xXPgeEut.dll 
C:\WINDOWS\wdqnd.dll
purity 
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 
Did a combofix run and it seems to be fine now, but i'll write the reports and if there's still problems i'll do what you said bout' OTMoveIt. :)


ComboFix 08-04-29.5 - ^_______^ 2008-05-01 13:23:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.538 [GMT 2:00]
Running from: C:\Documents and Settings\^_______^\Skrivbord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\windows\17PHolmes1753.exe
C:\windows\system32\Qqstttwa.ini
C:\WINDOWS\system32\Qqstttwa.ini2
C:\windows\system32\server.exe
C:\windows\system32\xXPgeEut.dll

----- BITS: Possible infected sites -----

hxxp://patch.everquest2.com
.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-05-01 12:38 . 2008-05-01 12:38 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 12:38 . 2008-05-01 12:38 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-01 12:30 . 2008-05-01 12:30 95 --a------ C:\WINDOWS\wininit.ini
2008-05-01 11:54 . 2008-05-01 11:54 <KAT> d-------- C:\Program\Spybot - Search & Destroy
2008-05-01 11:54 . 2008-05-01 12:45 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 11:43 . 2008-05-01 11:43 <KAT> d-------- C:\VundoFix Backups
2008-05-01 11:33 . 2008-05-01 11:33 <KAT> d-------- C:\Program\Enigma Software Group
2008-05-01 11:28 . 2008-05-01 11:28 <KAT> d-------- C:\Program\Trend Micro
2008-04-30 23:24 . 2008-04-30 23:24 283,136 --------- C:\WINDOWS\system32\awtttsqQ.dll_old
2008-04-29 17:19 . 2008-04-29 17:34 <KAT> d-------- C:\Program\Nidesoft MP4 Video Converter v2.0
2008-04-29 17:03 . 2008-04-29 17:03 <KAT> d-------- C:\Program\XVideoConverter
2008-04-29 17:03 . 2008-04-29 17:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 22:49 . 2008-04-11 22:52 <KAT> d-------- C:\Program\TVTool2
2008-04-06 16:32 . 2008-04-06 16:32 <KAT> d-------- C:\Program\achtung
2008-04-04 15:48 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-04 15:48 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-04 15:48 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-04 15:48 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-04 15:48 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-04 00:57 . 2008-04-04 00:57 <KAT> d-------- C:\Program\Delade filer\Nokia
2008-04-04 00:57 . 2008-04-04 00:57 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-04 00:06 . 2008-04-04 00:17 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\NSeries
2008-04-02 18:02 . 2008-04-14 14:33 794,009 --a------ C:\Documents and Settings\^_______^\Application Data\NMM-MetaData.db
2008-04-02 17:54 . 2008-04-02 17:54 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\Nokia Multimedia Player
2008-04-02 17:53 . 2008-04-02 17:53 <KAT> d-------- C:\Program\SimpleCenter
2008-04-02 17:53 . 2008-04-02 17:53 <KAT> d-------- C:\Program\Delade filer\i4j_jres
2008-04-02 17:53 . 2008-04-02 17:53 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-04-02 17:51 . 2008-04-02 17:51 <KAT> d-------- C:\Program\DIFX
2008-04-02 17:51 . 2008-04-02 17:51 <KAT> d-------- C:\Program\Delade filer\PCSuite
2008-04-02 17:51 . 2008-04-02 18:28 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-02 17:51 . 2008-04-02 18:02 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\Nokia
2008-04-02 17:47 . 2008-04-02 17:47 <KAT> d-------- C:\Program\PC Connectivity Solution
2008-04-02 17:47 . 2008-04-02 17:47 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\PC Suite
2008-04-02 17:46 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 11:30 --------- d-----w C:\Documents and Settings\^_______^\Application Data\uTorrent
2008-05-01 08:16 --------- d-----w C:\Program\ESET
2008-04-30 21:27 --------- d-----w C:\Program\DC++
2008-04-27 21:58 --------- d-----w C:\Program\Vstplugins
2008-04-27 16:46 --------- d-----w C:\Documents and Settings\^_______^\Application Data\UseNeXT
2008-04-19 17:17 --------- d-----w C:\Program\Steam
2008-04-16 07:19 --------- d-----w C:\Program\UseNeXT
2008-04-11 21:15 --------- d-----w C:\Documents and Settings\^_______^\Application Data\dvdcss
2008-04-10 14:39 --------- d--h--w C:\Program\InstallShield Installation Information
2008-04-08 09:08 --------- d-----w C:\Program\IRC
2008-04-04 13:48 --------- d-----w C:\Program\Nokia
2008-03-31 18:49 --------- d-----w C:\Documents and Settings\^_______^\Application Data\SmartDraw
2008-03-31 16:22 --------- d-----w C:\Program\HighGrow
2008-03-31 15:32 --------- d-----w C:\Program\SmartDraw 2008
2008-03-31 15:31 --------- d-----w C:\Program\home plan software
2008-03-28 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-28 10:49 --------- d-----w C:\Documents and Settings\^_______^\Application Data\Ahead
2008-03-25 11:04 --------- d-----w C:\Program\TVTool
2008-03-21 13:51 --------- d-----w C:\Program\Ventrilo
2008-03-21 13:51 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-03-16 23:24 --------- d-----w C:\Program\Playlogic
2008-03-13 14:00 --------- d-----w C:\Program\iZotope
2008-03-13 09:40 --------- d-----w C:\Program\Winamp
2008-03-09 18:25 --------- d-----w C:\Program\Native Instruments
2008-03-09 18:25 --------- d-----w C:\Program\Digidesign
2008-03-09 17:25 --------- d-----w C:\Program\Trafikskolan TEO 2008
2008-03-06 12:22 --------- d-----w C:\Program\Sony
2008-03-06 12:20 --------- d-----w C:\Program\THQ
2008-03-05 13:20 --------- d-----w C:\Program\RegCleaner
2008-03-05 12:53 --------- d-----w C:\Program\VirtualDJ
2008-03-05 12:36 --------- d-----w C:\Program\Electronome
2008-03-05 12:36 --------- d-----w C:\Program\BpmChecker
2008-03-05 12:36 --------- d-----w C:\Program\Auto MP3 Player
2008-03-03 22:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-03-03 22:54 --------- d-----w C:\Documents and Settings\^_______^\Application Data\Ubisoft
2007-11-23 21:40 22,328 ----a-w C:\Documents and Settings\^_______^\Application Data\PnkBstrK.sys
2007-03-29 10:48 1 ----a-w C:\Documents and Settings\^_______^\SI.bin
2006-05-06 16:42 7,260,160 ----a-w C:\Program\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04EEC742-52AB-43FB-BA82-39765A95194F}]
C:\windows\system32\awtttsqQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 22:06 1135968 --a------ C:\Program\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program\Winamp Toolbar\winamptb.dll" [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 01:34 15360]
"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program\Eset\nod32kui.exe" [2007-03-07 00:04 950664]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2007-06-24 07:07 185896]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:34 158720]
"SpyHunter Security Suite"="C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:34 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xXPgeEut]
xXPgeEut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^^_______^^Start-meny^Program^Autostart^Adobe Gamma.lnk]
path=C:\Documents and Settings\^_______^\Start-meny\Program\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^^_______^^Start-meny^Program^Autostart^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\^_______^\Start-meny\Program\Autostart\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program\Anonymizer\Anonymizer Software\Anonymizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 15:08 136136 C:\Program\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer]
C:\Program\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 2006-04-29 07:36 2834432 C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2007-09-07 14:44 3100672 C:\Program\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\windows\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-27 00:03 1266936 C:\Program\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC8Player]
C:\Program\Virtual CD v8\System\VC8Play.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
--a------ 2006-12-26 04:08 11783168 C:\Program\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"VC9SecS"=2 (0x2)
"usnjsvc"=3 (0x3)
"sfrem01"=2 (0x2)
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\utorrent\\utorrent.exe"=
"C:\\Program\\IRC\\mirc.exe"=
"C:\\Program\\Steam\\steamapps\\chili_boy90@hotmail.com\\counter-strike\\hl.exe"=
"C:\\Program\\DC++\\DCPlusPlus.exe"=
"C:\\Program\\Steam\\steamapps\\chili_boy90@hotmail.com\\team fortress classic\\hl.exe"=
"C:\\Program\\VentSrv\\ventrilo_srv.exe"=
"C:\\Program\\Steam\\steamapps\\chili_boy90@hotmail.com\\dedicated server\\hlds.exe"=
"C:\\Program\\Winamp\\winamp.exe"=
"C:\\Program\\Octoshape Streaming Services\\^_______^\\OctoshapeClient.exe"=
"C:\\Program\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\^_______^\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program\\LimeWire\\LimeWire.exe"=
"C:\\Program\\Steam\\steam.exe"=
"C:\\Program\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program\\Mozilla Firefox\\firefox.exe"=
"C:\\Program\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program\\warcraft3\\Warcraft III.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"C:\\Program\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program\\Delade filer\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 SSHDRV65;SSHDRV65;C:\windows\system32\drivers\SSHDRV65.sys [2008-02-19 22:22]
R1 vdrv9000;vdrv9000;C:\windows\system32\DRIVERS\vdrv9000.sys [2007-11-14 13:42]
R3 CLEDX;Team H2O CLEDX service;C:\windows\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S1 lusbaudio;Logitech USB-mikrofon;C:\windows\system32\drivers\OVSound2.sys [2001-08-17 23:05]
S3 HH9Help.sys;HH9Help.sys;C:\windows\system32\drivers\HH9Help.sys [2006-09-20 12:42]
S3 NPF;NetGroup Packet Filter Driver;C:\windows\system32\drivers\npf.sys [2005-08-02 23:10]
S3 QCEmerald;Logitech QuickCam Web;C:\windows\system32\DRIVERS\OVCE.sys [2001-08-17 23:05]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\windows\system32\DRIVERS\s115bus.sys [2007-04-23 16:54]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 16:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 16:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 16:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\windows\system32\DRIVERS\s115obex.sys [2007-04-23 16:54]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 12:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 12:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\windows\system32\DRIVERS\s125mdm.sys [2007-04-24 12:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 12:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 12:33]
S4 VC9SecS;Virtual CD v9 Management Service;C:\Program\Virtual CD v9\System\vc9secs.exe [2007-12-03 15:03]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{fuyttocx-kwdo-xplt-jfbs-mswqwmalbvca}]
C:\WINDOWS\system32\wdqnd.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 13:12:18 C:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-05-01 11:40:16 C:\windows\Tasks\SDMsgUpdate (TE).job"
- C:\Program\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:40:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 69

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\windows\\system32\\NvMcTray.dll,NvTaskbarInit"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\windows\explorer.exe
-> C:\windows\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\Program\ESET\nod32krn.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-01 13:46:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 11:46:01

Pre-Run: 8,641,093,632 byte ledigt
Post-Run: 19,407,577,088 byte ledigt

287 --- E O F --- 2008-04-11 21:50:38


HIJACK:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:36, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\windows\system32\WgaTray.exe
C:\Program\Eset\nod32kui.exe
C:\windows\CTHELPER.EXE
C:\windows\system32\RUNDLL32.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\ctfmon.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijaThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.235.64.182:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {04EEC742-52AB-43FB-BA82-39765A95194F} - C:\windows\system32\awtttsqQ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Client Default.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

--
End of file - 6220 bytes

First it said xxpgeeut.dll missing, so i pressed 'Fix Checked' and did another scan.
 
Don't fix anything yourself :)

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {04EEC742-52AB-43FB-BA82-39765A95194F} - C:\windows\system32\awtttsqQ.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\awtttsqQ.dll_old
C:\WINDOWS\system32\wdqnd.exe

Folder::
C:\Program\DaemonTools_WhenUSaveNow_Installer

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{fuyttocx-kwdo-xplt-jfbs-mswqwmalbvca}]

Driver::
Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log and the OTMoveIt log
 
Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:49, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\SCardSvr.exe
C:\windows\Explorer.EXE
C:\Program\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\windows\System32\alg.exe
C:\windows\system32\WgaTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\windows\system32\wuauclt.exe
C:\Program\Eset\nod32kui.exe
C:\windows\CTHELPER.EXE
C:\windows\system32\RUNDLL32.EXE
C:\windows\system32\rundll32.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\windows\system32\ctfmon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program\Trend Micro\HijackThis\HijaThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.235.64.182:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA724] command /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7978] cmd /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Client Default.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

--
End of file - 6505 bytes


OTMoveIt:

Explorer killed successfully
File/Folder C:\WINDOWS\system32\awtttsqQ.dll_old not found.
File/Folder C:\WINDOWS\system32\server.exe not found.
File/Folder C:\WINDOWS\system32\xXPgeEut.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\wdqnd.dll
C:\WINDOWS\wdqnd.dll NOT unregistered.
C:\WINDOWS\wdqnd.dll moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05012008_143951
 
Can you post the ComboFix log and do this


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\RunOnce: [SpybotDeletingA724] command /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7978] cmd /c del "C:\WINDOWS\system32\awtttsqQ.dll_old"


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
 
ComboFix 08-04-29.5 - ^_______^ 2008-05-01 14:31:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.642 [GMT 2:00]
Running from: C:\Documents and Settings\^_______^\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\^^_______^^\Skrivbord\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-05-01 13:46 . 2008-05-01 13:46 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala instõllningar
2008-05-01 13:46 . 2008-05-01 13:46 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala instõllningar
2008-05-01 13:46 . 2008-05-01 13:46 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala instõllningar
2008-05-01 13:46 . 2008-05-01 13:46 <KAT> d-------- C:\Documents and Settings\Administrat÷r
2008-05-01 13:46 . 2008-05-01 13:46 <KAT> d-------- C:\Documents and Settings\^_______^\Lokala instõllningar
2008-05-01 12:38 . 2008-05-01 12:38 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 12:38 . 2008-05-01 12:38 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-01 12:30 . 2008-05-01 12:30 95 --a------ C:\WINDOWS\wininit.ini
2008-05-01 11:54 . 2008-05-01 11:54 <KAT> d-------- C:\Program\Spybot - Search & Destroy
2008-05-01 11:54 . 2008-05-01 12:45 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 11:43 . 2008-05-01 11:43 <KAT> d-------- C:\VundoFix Backups
2008-05-01 11:33 . 2008-05-01 11:33 <KAT> d-------- C:\Program\Enigma Software Group
2008-05-01 11:28 . 2008-05-01 11:28 <KAT> d-------- C:\Program\Trend Micro
2008-04-29 17:19 . 2008-04-29 17:34 <KAT> d-------- C:\Program\Nidesoft MP4 Video Converter v2.0
2008-04-29 17:03 . 2008-04-29 17:03 <KAT> d-------- C:\Program\XVideoConverter
2008-04-29 17:03 . 2008-04-29 17:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 22:49 . 2008-04-11 22:52 <KAT> d-------- C:\Program\TVTool2
2008-04-06 16:32 . 2008-04-06 16:32 <KAT> d-------- C:\Program\achtung
2008-04-04 15:48 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-04 15:48 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-04 15:48 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-04 15:48 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-04 15:48 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-04 00:57 . 2008-04-04 00:57 <KAT> d-------- C:\Program\Delade filer\Nokia
2008-04-04 00:57 . 2008-04-04 00:57 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-04 00:06 . 2008-04-04 00:17 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\NSeries
2008-04-02 18:02 . 2008-04-14 14:33 794,009 --a------ C:\Documents and Settings\^_______^\Application Data\NMM-MetaData.db
2008-04-02 17:54 . 2008-04-02 17:54 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\Nokia Multimedia Player
2008-04-02 17:53 . 2008-04-02 17:53 <KAT> d-------- C:\Program\SimpleCenter
2008-04-02 17:53 . 2008-04-02 17:53 <KAT> d-------- C:\Program\Delade filer\i4j_jres
2008-04-02 17:53 . 2008-04-02 17:53 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-04-02 17:51 . 2008-04-02 17:51 <KAT> d-------- C:\Program\DIFX
2008-04-02 17:51 . 2008-04-02 17:51 <KAT> d-------- C:\Program\Delade filer\PCSuite
2008-04-02 17:51 . 2008-04-02 18:28 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-02 17:51 . 2008-04-02 18:02 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\Nokia
2008-04-02 17:47 . 2008-04-02 17:47 <KAT> d-------- C:\Program\PC Connectivity Solution
2008-04-02 17:47 . 2008-04-02 17:47 <KAT> d-------- C:\Documents and Settings\^_______^\Application Data\PC Suite
2008-04-02 17:46 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 11:30 --------- d-----w C:\Documents and Settings\^_______^\Application Data\uTorrent
2008-05-01 08:16 --------- d-----w C:\Program\ESET
2008-04-30 21:27 --------- d-----w C:\Program\DC++
2008-04-27 21:58 --------- d-----w C:\Program\Vstplugins
2008-04-27 16:46 --------- d-----w C:\Documents and Settings\^_______^\Application Data\UseNeXT
2008-04-19 17:17 --------- d-----w C:\Program\Steam
2008-04-16 07:19 --------- d-----w C:\Program\UseNeXT
2008-04-11 21:15 --------- d-----w C:\Documents and Settings\^_______^\Application Data\dvdcss
2008-04-10 14:39 --------- d--h--w C:\Program\InstallShield Installation Information
2008-04-08 09:08 --------- d-----w C:\Program\IRC
2008-04-04 13:48 --------- d-----w C:\Program\Nokia
2008-03-31 18:49 --------- d-----w C:\Documents and Settings\^_______^\Application Data\SmartDraw
2008-03-31 16:22 --------- d-----w C:\Program\HighGrow
2008-03-31 15:32 --------- d-----w C:\Program\SmartDraw 2008
2008-03-31 15:31 --------- d-----w C:\Program\home plan software
2008-03-28 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-28 10:49 --------- d-----w C:\Documents and Settings\^_______^\Application Data\Ahead
2008-03-25 11:04 --------- d-----w C:\Program\TVTool
2008-03-21 13:51 --------- d-----w C:\Program\Ventrilo
2008-03-21 13:51 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-03-20 08:10 1,845,248 ----a-w C:\windows\system32\win32k.sys
2008-03-16 23:24 --------- d-----w C:\Program\Playlogic
2008-03-13 14:00 --------- d-----w C:\Program\iZotope
2008-03-13 09:40 --------- d-----w C:\Program\Winamp
2008-03-09 18:25 --------- d-----w C:\Program\Native Instruments
2008-03-09 18:25 --------- d-----w C:\Program\Digidesign
2008-03-09 17:25 --------- d-----w C:\Program\Trafikskolan TEO 2008
2008-03-06 12:22 --------- d-----w C:\Program\Sony
2008-03-06 12:20 --------- d-----w C:\Program\THQ
2008-03-05 13:20 --------- d-----w C:\Program\RegCleaner
2008-03-05 12:53 --------- d-----w C:\Program\VirtualDJ
2008-03-05 12:36 --------- d-----w C:\Program\Electronome
2008-03-05 12:36 --------- d-----w C:\Program\BpmChecker
2008-03-05 12:36 --------- d-----w C:\Program\Auto MP3 Player
2008-03-03 22:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-03-03 22:54 --------- d-----w C:\Documents and Settings\^_______^\Application Data\Ubisoft
2008-02-22 20:53 98,304 ----a-w C:\windows\system32\CmdLineExt.dll
2008-02-20 06:51 282,624 ----a-w C:\windows\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\windows\system32\dnsrslvr.dll
2008-02-16 09:05 659,968 ----a-w C:\windows\system32\wininet.dll
2007-11-23 21:40 22,328 ----a-w C:\Documents and Settings\^_______^\Application Data\PnkBstrK.sys
2007-03-29 10:48 1 ----a-w C:\Documents and Settings\^_______^\SI.bin
2006-05-06 16:42 7,260,160 ----a-w C:\Program\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 22:06 1135968 --a------ C:\Program\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program\Winamp Toolbar\winamptb.dll" [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 01:34 15360]
"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program\Eset\nod32kui.exe" [2007-03-07 00:04 950664]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2007-06-24 07:07 185896]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:34 158720]
"SpyHunter Security Suite"="C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:34 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^^_______^^Start-meny^Program^Autostart^Adobe Gamma.lnk]
path=C:\Documents and Settings\^_______^\Start-meny\Program\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^^_______^^Start-meny^Program^Autostart^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\^_______^\Start-meny\Program\Autostart\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program\Anonymizer\Anonymizer Software\Anonymizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 15:08 136136 C:\Program\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer]
C:\Program\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 2006-04-29 07:36 2834432 C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2007-09-07 14:44 3100672 C:\Program\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\windows\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-27 00:03 1266936 C:\Program\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC8Player]
C:\Program\Virtual CD v8\System\VC8Play.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
--a------ 2006-12-26 04:08 11783168 C:\Program\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"VC9SecS"=2 (0x2)
"usnjsvc"=3 (0x3)
"sfrem01"=2 (0x2)
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\utorrent\\utorrent.exe"=
"C:\\Program\\IRC\\mirc.exe"=
"C:\\Program\\Steam\\steamapps\\chili_boy90@hotmail.com\\counter-strike\\hl.exe"=
"C:\\Program\\DC++\\DCPlusPlus.exe"=
"C:\\Program\\Steam\\steamapps\\chili_boy90@hotmail.com\\team fortress classic\\hl.exe"=
"C:\\Program\\VentSrv\\ventrilo_srv.exe"=
"C:\\Program\\Steam\\steamapps\\chili_boy90@hotmail.com\\dedicated server\\hlds.exe"=
"C:\\Program\\Winamp\\winamp.exe"=
"C:\\Program\\Octoshape Streaming Services\\^_______^\\OctoshapeClient.exe"=
"C:\\Program\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\^_______^\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program\\LimeWire\\LimeWire.exe"=
"C:\\Program\\Steam\\steam.exe"=
"C:\\Program\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program\\Mozilla Firefox\\firefox.exe"=
"C:\\Program\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program\\warcraft3\\Warcraft III.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"C:\\Program\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program\\Delade filer\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 SSHDRV65;SSHDRV65;C:\windows\system32\drivers\SSHDRV65.sys [2008-02-19 22:22]
R1 vdrv9000;vdrv9000;C:\windows\system32\DRIVERS\vdrv9000.sys [2007-11-14 13:42]
R3 CLEDX;Team H2O CLEDX service;C:\windows\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S1 lusbaudio;Logitech USB-mikrofon;C:\windows\system32\drivers\OVSound2.sys [2001-08-17 23:05]
S3 HH9Help.sys;HH9Help.sys;C:\windows\system32\drivers\HH9Help.sys [2006-09-20 12:42]
S3 NPF;NetGroup Packet Filter Driver;C:\windows\system32\drivers\npf.sys [2005-08-02 23:10]
S3 QCEmerald;Logitech QuickCam Web;C:\windows\system32\DRIVERS\OVCE.sys [2001-08-17 23:05]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\windows\system32\DRIVERS\s115bus.sys [2007-04-23 16:54]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 16:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 16:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 16:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\windows\system32\DRIVERS\s115obex.sys [2007-04-23 16:54]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 12:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 12:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\windows\system32\DRIVERS\s125mdm.sys [2007-04-24 12:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 12:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 12:33]
S4 VC9SecS;Virtual CD v9 Management Service;C:\Program\Virtual CD v9\System\vc9secs.exe [2007-12-03 15:03]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{fuyttocx-kwdo-xplt-jfbs-mswqwmalbvca}]
C:\WINDOWS\system32\wdqnd.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 13:12:18 C:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-05-01 11:40:16 C:\windows\Tasks\SDMsgUpdate (TE).job"
- C:\Program\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 14:35:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 69

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\windows\\system32\\NvMcTray.dll,NvTaskbarInit"
.
Completion time: 2008-05-01 14:36:49
ComboFix-quarantined-files.txt 2008-05-01 12:36:34
ComboFix2.txt 2008-05-01 11:46:06

Pre-Run: 19,676,114,944 byte ledigt
Post-Run: 19,663,613,952 byte ledigt

266 --- E O F --- 2008-04-11 21:50:38


HijackThis in a minute!
 
Hijackthis, sorry for being so slow..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59:55, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\windows\system32\WgaTray.exe
C:\Program\Trend Micro\HijackThis\HijaThis.exe
C:\windows\system32\wuauclt.exe
C:\Program\Eset\nod32kui.exe
C:\windows\CTHELPER.EXE
C:\windows\system32\imapi.exe
C:\windows\SYSTEM32\CTXFISPI.EXE
C:\windows\system32\RUNDLL32.EXE
C:\windows\system32\nwiz.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\windows\regedit.exe
C:\windows\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.235.64.182:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Client Default.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

--
End of file - 5369 bytes
 
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    [kill explorer]
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{fuyttocx-kwdo-xplt-jfbs-mswqwmalbvca}
C:\WINDOWS\system32\wdqnd.exe
purity 
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Reboot and do this


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
 
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top