Virus or something.. not sure.

P

Powster

New member
Well before this happened I have got spyware/viruses or stuff and been able to clean it easily from programs. But whatever I got and how ever I got it which I dont know I cant get rid of no matter what program I use. Scans always find something and then I scan again and more stuff is there already. I get buffer over run things happening alot also from Microsoft Visual C++. The day it started I noticed 2 visual basic program icon things in my Windows Task Manager. I ended there process and since then.. My internet runs 15 times slower and sometimes doesnt work at all. I get loads of popups telling me I got a virus and to download the programs to clean it (I dont do that because a long time ago I tried one of them and it didnt work). Sometimes also while on the internet infinitely number of popups happen at once. The popups keep happening non stop and makes internet explorer take up like 600MB of memory by itself. I scanned with kasper and said 9 viruses found 20 files infected. Then did the search and destroy thing in safe mode and cleaned that and then did HiJack this in normal windows mode.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 02, 2008 7:23:49 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 677021
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 163513
Number of viruses found: 9
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 03:30:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Homles.as skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip/mrofinu572.exe Infected: Trojan-Downloader.Win32.Homles.as skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\4HYOQJQ8\hctp[2] Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\GHQ9YUA9\ptch[2] Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\SoftwareRevenue.org\2r_samba.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\Program Files\SoftwareRevenue.org\2r_samba.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\Program Files\SoftwareRevenue.org\2r_samba.exe NSIS: infected - 2 skipped
C:\Program Files\TBONBin\TBONWnd.EXE Infected: not-a-virus:AdWare.Win32.BetterInternet.bd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\asnet.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\eulabas.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ftpvga.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\mfccat.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddaba.dll Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\vtminii.sys Object is locked skipped
C:\WINDOWS\system32\gebyw.dll Object is locked skipped
C:\WINDOWS\system32\IDME\dimnet201.exe Object is locked skipped
C:\WINDOWS\system32\ijjqmnai.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jkkji.dll Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mi1.exe/data0009/stream/data0006 Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\WINDOWS\system32\mi1.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\WINDOWS\system32\mi1.exe/data0009 Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\WINDOWS\system32\mi1.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\mljhghh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lnz skipped
C:\WINDOWS\system32\mllji.dll Object is locked skipped
C:\WINDOWS\system32\mllmj.dll Object is locked skipped
C:\WINDOWS\system32\mllmk.dll Object is locked skipped
C:\WINDOWS\system32\nutms.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\WINDOWS\system32\pmkjg.dll Object is locked skipped
C:\WINDOWS\system32\pmnlk.dll Object is locked skipped
C:\WINDOWS\system32\rqrpqqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lnz skipped
C:\WINDOWS\system32\ssqrpol.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lnz skipped
C:\WINDOWS\system32\sstqr.dll Object is locked skipped
C:\WINDOWS\system32\ssttr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\sysutil.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\WINDOWS\system32\ubhdmdvu.dll Object is locked skipped
C:\WINDOWS\system32\usnv\pax89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\WINDOWS\system32\usnv\pax89104.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\vssdoc.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\WINDOWS\system32\vturr.dll Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winz1\begmgr11.exe Object is locked skipped
C:\WINDOWS\system32\xTmp\v55api.exe Object is locked skipped
C:\WINDOWS\TinyBHO.dll Object is locked skipped
C:\WINDOWS\tk58.exe Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
logfile for hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:00 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://members.bangbrosnetwork.com/ - via Proxy: 219.21.138.48:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM2bc845de] Rundll32.exe "C:\WINDOWS\system32\hycrychr.dll",s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us27/n.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6313 bytes
 
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    [kill explorer]
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll 
C:\Program Files\SoftwareRevenue.org\2r_samba.exe
C:\Program Files\TBONBin\TBONWnd.EXE
C:\WINDOWS\system32\ijjqmnai.dll 
C:\WINDOWS\system32\mi1.exe
C:\WINDOWS\system32\mljhghh.dll 
C:\WINDOWS\system32\mllji.dll 
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmk.dll 
C:\WINDOWS\system32\nutms.exe 
C:\WINDOWS\system32\pmkjg.dll 
C:\WINDOWS\system32\pmnlk.dll 
C:\WINDOWS\system32\rqrpqqr.dll 
C:\WINDOWS\system32\ssqrpol.dll 
C:\WINDOWS\system32\sstqr.dll 
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\sysutil.exe 
C:\WINDOWS\system32\ubhdmdvu.dll 
C:\WINDOWS\system32\usnv\pax89104.exe 
C:\WINDOWS\system32\vssdoc.exe 
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\xTmp
C:\WINDOWS\TinyBHO.dll
C:\WINDOWS\tk58.exe 
purity 
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and do this


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------​
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------​
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------​
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
 
Well I did the 3 things.. heres the logs for otmove, combo, and hijack




Explorer killed successfully
DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll NOT unregistered.
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll moved successfully.
C:\Program Files\SoftwareRevenue.org\2r_samba.exe moved successfully.
C:\Program Files\TBONBin\TBONWnd.EXE moved successfully.
File/Folder C:\WINDOWS\system32\ijjqmnai.dll not found.
C:\WINDOWS\system32\mi1.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mljhghh.dll
C:\WINDOWS\system32\mljhghh.dll NOT unregistered.
C:\WINDOWS\system32\mljhghh.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.dll NOT unregistered.
C:\WINDOWS\system32\mllji.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.dll NOT unregistered.
C:\WINDOWS\system32\mllmj.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\mllmk.dll
C:\WINDOWS\system32\mllmk.dll NOT unregistered.
C:\WINDOWS\system32\mllmk.dll moved successfully.
C:\WINDOWS\system32\nutms.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmkjg.dll NOT unregistered.
C:\WINDOWS\system32\pmkjg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\pmnlk.dll NOT unregistered.
C:\WINDOWS\system32\pmnlk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqrpqqr.dll
C:\WINDOWS\system32\rqrpqqr.dll NOT unregistered.
C:\WINDOWS\system32\rqrpqqr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqrpol.dll
C:\WINDOWS\system32\ssqrpol.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ssqrpol.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.dll NOT unregistered.
C:\WINDOWS\system32\sstqr.dll moved successfully.
File/Folder C:\WINDOWS\system32\ssttr.dll not found.
C:\WINDOWS\system32\sysutil.exe moved successfully.
File/Folder C:\WINDOWS\system32\ubhdmdvu.dll not found.
C:\WINDOWS\system32\usnv\pax89104.exe moved successfully.
C:\WINDOWS\system32\vssdoc.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vturr.dll NOT unregistered.
C:\WINDOWS\system32\vturr.dll moved successfully.
C:\WINDOWS\system32\winz1 moved successfully.
C:\WINDOWS\system32\xTmp moved successfully.
LoadLibrary failed for C:\WINDOWS\TinyBHO.dll
C:\WINDOWS\TinyBHO.dll NOT unregistered.
C:\WINDOWS\TinyBHO.dll moved successfully.
C:\WINDOWS\tk58.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04042008_073001

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqrpol.dll
C:\WINDOWS\system32\ssqrpol.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ssqrpol.dll scheduled to be moved on reboot.
























ComboFix 08-04-03.5 - HP_Owner 2008-04-04 7:41:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.695 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\temp\tn3
C:\WINDOWS\BM2bc845de.xml
C:\WINDOWS\Downloaded Program Files\Odyssey4
C:\WINDOWS\Downloaded Program Files\Odyssey4\dataset.dat
C:\WINDOWS\Downloaded Program Files\Odyssey4\odysseycam.exe
C:\WINDOWS\Downloaded Program Files\Odyssey4\odysseychat.dll
C:\WINDOWS\Downloaded Program Files\Odyssey4\Version.ini
C:\WINDOWS\Downloaded Program Files\Odyssey4\xcl.dll
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\drivers\vtminii.sys
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\hycrychr.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nmhxaqli.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini2
C:\WINDOWS\system32\ssqrpol.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://www.isodown.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VTMINII
-------\Service_vtminii


((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-04 07:30 . 2008-04-04 07:30 <DIR> d-------- C:\_OTMoveIt
2008-04-02 12:17 . 2008-04-02 12:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 08:46 . 2008-04-02 08:46 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-03-29 22:22 . 2008-03-29 22:23 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-26 08:45 . 2008-04-02 07:53 220 --a------ C:\WINDOWS\wininit.ini
2008-03-25 22:01 . 2008-03-25 22:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-25 22:01 . 2008-03-25 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-25 20:00 . 2008-03-25 20:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 20:00 . 2008-03-25 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 19:51 . 2008-03-25 19:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 19:51 . 2008-03-25 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 19:23 . 2008-03-25 20:31 <DIR> d-------- C:\VundoFix Backups
2008-03-25 08:48 . 2008-04-04 07:30 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-25 08:48 . 2008-03-25 08:48 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-25 08:48 . 2008-03-25 08:48 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
2008-03-22 10:16 . 2008-03-22 10:21 <DIR> d-------- C:\Program Files\Personal Media Manager
2008-03-19 12:00 . 2008-03-19 12:00 <DIR> d-------- C:\Program Files\CCleaner
2008-03-19 11:52 . 2008-03-19 11:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Uniblue
2008-03-17 20:46 . 2008-03-24 08:08 <DIR> d-------- C:\Fraps
2008-03-15 07:43 . 2008-03-15 07:43 32,768 --a------ C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe
2008-03-13 18:06 . 2008-03-13 18:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-03-12 00:41 . 2008-03-25 19:10 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-12 00:41 . 2008-03-25 18:27 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Spyware Terminator
2008-03-12 00:41 . 2008-03-25 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-12 00:41 . 2008-03-12 00:41 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-09 20:19 . 2008-04-04 07:42 <DIR> d-------- C:\Temp
2008-03-08 19:46 . 2008-03-08 19:46 <DIR> d-------- C:\Program Files\X-Projects
2008-03-08 19:42 . 2008-03-08 19:42 <DIR> d-------- C:\Pandora
2008-03-08 19:15 . 2008-03-08 19:15 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-07 23:42 . 2008-03-07 23:42 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\DivX
2008-03-07 23:01 . 2008-03-19 12:25 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Any Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 12:30 --------- d-----w C:\Program Files\TBONBin
2008-04-01 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-03-29 15:10 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
2008-03-26 03:19 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-03-26 03:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 01:26 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-24 13:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-22 02:39 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
2008-03-19 17:56 --------- d-----w C:\Program Files\SpeedFan
2008-03-19 17:31 --------- d-----w C:\Program Files\PokerStars
2008-03-19 17:25 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-19 17:24 --------- d-----w C:\Program Files\DivX
2008-03-19 17:23 --------- d-----w C:\Program Files\Dachshund Software
2008-03-19 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 17:21 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2008-03-19 17:21 --------- d-----w C:\Program Files\Web Publish
2008-03-19 17:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-19 17:15 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-03-19 17:14 --------- d-----w C:\Program Files\VideoLAN
2008-03-19 16:08 --------- d-----w C:\Program Files\Xfire
2008-03-19 12:51 --------- d-----w C:\Program Files\Final Fantasy VII
2008-03-18 00:30 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Xfire
2008-03-16 05:17 --------- d-----w C:\Program Files\mIRC
2008-03-10 01:08 --------- d-----w C:\Program Files\OGPlanet
2008-03-02 15:34 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-02-16 23:39 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2006-11-20 03:26 1,421,355 ----a-w C:\Documents and Settings\HP_Owner\Application Data\Install.dat
2006-10-01 17:57 88 --sh--r C:\WINDOWS\system32\C0387DA60D.sys
2006-06-13 18:10 5 --sha-w C:\WINDOWS\system32\dfabed8_s.dll
2006-10-01 17:57 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB692F9B-27FE-4511-8885-ED62BB45197B}]
2007-12-16 11:30 200704 --a------ C:\WINDOWS\system32\webperform.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA8B0431-00CE-43EC-A90A-DD094EF66D67}]
C:\WINDOWS\system32\ssttr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-04 19:27 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnomj]
qomnomj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrpol]
ssqrpol.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"msacm.lhacm"= lhacm.acm
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"VIDC.FPS1"= frapsvid.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^My Documents^Xp stuff^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\My Documents\Xp stuff\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^My Documents^Xp stuff^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\My Documents\Xp stuff\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 16:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-06-15 23:17 69705 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 16:44 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 07:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 07:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 07:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 07:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 22:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WANMiniportService"=2 (0x2)
"VideoAcceleratorService"=2 (0x2)
"usnjsvc"=3 (0x3)
"sp_rssrv"=2 (0x2)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\ijji\\ENGLISH\\u_skid.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\ijji\\ENGLISH\\u_goonzu.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-06-08 08:28]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-01-05 17:05]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 13:09]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S4 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-01-05 17:05]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 11:02:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 07:49:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-04 7:53:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 12:53:40
Pre-Run: 3,708,768,256 bytes free
Post-Run: 3,777,712,128 bytes free
.
2008-03-29 12:51:08 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:40 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebPerform - {AB692F9B-27FE-4511-8885-ED62BB45197B} - C:\WINDOWS\system32\webperform.dll
O2 - BHO: (no name) - {DA8B0431-00CE-43EC-A90A-DD094EF66D67} - C:\WINDOWS\system32\ssttr.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us27/n.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: qomnomj - qomnomj.dll (file missing)
O20 - Winlogon Notify: ssqrpol - ssqrpol.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6321 bytes
 
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WebPerform - {AB692F9B-27FE-4511-8885-ED62BB45197B} - C:\WINDOWS\system32\webperform.dll
O2 - BHO: (no name) - {DA8B0431-00CE-43EC-A90A-DD094EF66D67} - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: qomnomj - qomnomj.dll (file missing)
O20 - Winlogon Notify: ssqrpol - ssqrpol.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ssqrpol.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\dfabed8_s.dll
C:\WINDOWS\system32\webperform.dll
C:\WINDOWS\system32\ssttr.dll

Folder::
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\aqVreo01
Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
 
Well.. I dont think you said to post the combofix's log so I wont. And also.. that smiley district thing at 09 I didnt download I think that was a program from spyware or something from like a year ago. Can I just delete that like I did with those other files you told me to? And.. can I also delete carbon poker, party poker like that? and also that O16 YInstStarter Class Yahoo DLL thing.. Well heres the new hijack log





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:14 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us27/n.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5835 bytes
 
Actually I need to see the ComboFix log :)

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (file missing) (HKCU)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Then delete these folders in bold

C:\Program Files\PartyPoker
C:\Program Files\CarbonPoker


Reboot and post a new HijackThis log
 
here is the combo fix log and the new hijack this log







ComboFix 08-04-03.5 - HP_Owner 2008-04-04 18:22:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\dfabed8_s.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ssqrpol.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\webperform.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Owner\Application Data\install.dat
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\aqVreo01
C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe
C:\WINDOWS\system32\dfabed8_s.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\IDME\dimnet201.exe
C:\WINDOWS\system32\IDME\TGbn1dll.exe
C:\WINDOWS\system32\usnv

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-04 07:30 . 2008-04-04 07:30 <DIR> d-------- C:\_OTMoveIt
2008-04-02 12:17 . 2008-04-02 12:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 22:22 . 2008-03-29 22:23 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-26 08:45 . 2008-04-02 07:53 220 --a------ C:\WINDOWS\wininit.ini
2008-03-25 22:01 . 2008-03-25 22:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-25 22:01 . 2008-03-25 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-25 20:00 . 2008-03-25 20:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 20:00 . 2008-03-25 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 19:51 . 2008-03-25 19:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 19:51 . 2008-03-25 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 19:23 . 2008-03-25 20:31 <DIR> d-------- C:\VundoFix Backups
2008-03-22 10:16 . 2008-03-22 10:21 <DIR> d-------- C:\Program Files\Personal Media Manager
2008-03-19 12:00 . 2008-03-19 12:00 <DIR> d-------- C:\Program Files\CCleaner
2008-03-19 11:52 . 2008-03-19 11:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Uniblue
2008-03-17 20:46 . 2008-03-24 08:08 <DIR> d-------- C:\Fraps
2008-03-13 18:06 . 2008-03-13 18:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-03-12 00:41 . 2008-03-25 19:10 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-12 00:41 . 2008-03-25 18:27 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Spyware Terminator
2008-03-12 00:41 . 2008-03-25 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-12 00:41 . 2008-03-12 00:41 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-09 20:19 . 2008-04-04 07:42 <DIR> d-------- C:\Temp
2008-03-08 19:46 . 2008-03-08 19:46 <DIR> d-------- C:\Program Files\X-Projects
2008-03-08 19:42 . 2008-03-08 19:42 <DIR> d-------- C:\Pandora
2008-03-08 19:15 . 2008-03-08 19:15 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-07 23:42 . 2008-03-07 23:42 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\DivX
2008-03-07 23:01 . 2008-03-19 12:25 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Any Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 12:30 --------- d-----w C:\Program Files\TBONBin
2008-04-01 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-03-29 15:10 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
2008-03-26 03:19 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-03-26 03:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 01:26 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-24 13:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-22 02:39 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
2008-03-19 17:56 --------- d-----w C:\Program Files\SpeedFan
2008-03-19 17:31 --------- d-----w C:\Program Files\PokerStars
2008-03-19 17:25 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-19 17:24 --------- d-----w C:\Program Files\DivX
2008-03-19 17:23 --------- d-----w C:\Program Files\Dachshund Software
2008-03-19 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 17:21 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2008-03-19 17:21 --------- d-----w C:\Program Files\Web Publish
2008-03-19 17:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-19 17:15 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-03-19 17:14 --------- d-----w C:\Program Files\VideoLAN
2008-03-19 16:08 --------- d-----w C:\Program Files\Xfire
2008-03-19 12:51 --------- d-----w C:\Program Files\Final Fantasy VII
2008-03-18 00:30 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Xfire
2008-03-16 05:17 --------- d-----w C:\Program Files\mIRC
2008-03-10 01:08 --------- d-----w C:\Program Files\OGPlanet
2008-03-02 15:34 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-02-16 23:39 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-26 20:28 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-14 12:52 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2006-10-01 17:57 88 --sh--r C:\WINDOWS\system32\C0387DA60D.sys
2006-10-01 17:57 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-04 19:27 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"msacm.lhacm"= lhacm.acm
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"VIDC.FPS1"= frapsvid.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^My Documents^Xp stuff^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\My Documents\Xp stuff\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^My Documents^Xp stuff^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\My Documents\Xp stuff\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 16:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-06-15 23:17 69705 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 16:44 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 07:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 07:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 07:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 07:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 22:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WANMiniportService"=2 (0x2)
"VideoAcceleratorService"=2 (0x2)
"usnjsvc"=3 (0x3)
"sp_rssrv"=2 (0x2)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\ijji\\ENGLISH\\u_skid.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\ijji\\ENGLISH\\u_goonzu.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-06-08 08:28]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-01-05 17:05]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 13:09]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S4 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-01-05 17:05]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 11:02:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 18:24:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-04 18:24:40
ComboFix-quarantined-files.txt 2008-04-04 23:24:18
ComboFix2.txt 2008-04-04 12:53:44
Pre-Run: 4,835,815,424 bytes free
Post-Run: 4,824,772,608 bytes free
.
2008-03-29 12:51:08 --- E O F ---
















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:01 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\control.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us27/n.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5077 bytes
 
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also tell me how your PC is running
 
My computer is running I think as good if not better than it was before I got the pop ups and everything. :D:











Malwarebytes' Anti-Malware 1.10
Database version: 594

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 202072
Time elapsed: 58 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\jkhhh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\IDME\dimnet201.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04042008_073001\WINDOWS\system32\usnv\pax89104.exe (Adware.TTC) -> Quarantined and deleted successfully.
 
One final thing

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.




* Click on the Start Button, Click Search
Click "All Files and Folders"
Click "Advanced Options", put a check next to the following:
Search System Folders
Search Hidden Files And Folders
Search Subfolders


Next copy and paste the following entries into the search box(one at a time):

hycrychr



Tell me if you find it and where it is located
 
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top