# Hidden popup??



## xxarlokxx

I got another problem with my computer. Now it runs really, really slow. When I open Task Manager, I see 2 iexplorer.exe taking up like 33000k of my space, but I normally use Firefox. So I end task those 2 iexplorer.exe and they regenerate themselves. So when I turn off my computer, I can clearly see there is a flash of a website behind the whole background. How do I remove that??? My computer is so slow that it takes like 10 minutes to turn on...


----------



## Buzz1927

Post a Hijackthis log.
http://www.computerforum.com/24672-hijackthis-logs.html


----------



## xxarlokxx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:02 AM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\kcoin32.exe
C:\WINDOWS\system32\inf\svchosd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0B497AE8-3F6C-440C-AB87-52ED0182464A} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O2 - BHO: (no name) - {1FD4696C-E95A-44E2-A03A-FDBDF4CCC305} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll (file missing)
O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll (file missing)
O2 - BHO: opshcbty.dll - {32596546-2036-9451-6058-658402589723} - C:\WINDOWS\system32\opshcbty.dll
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll
O2 - BHO: nhmxdjkl.dll - {47AC9076-C898-B098-D098-A18319080974} - C:\WINDOWS\system32\nhmxdjkl.dll
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll
O2 - BHO: skqnebib.dll - {52023698-6984-8541-9654-698745012525} - C:\WINDOWS\system32\skqnebib.dll
O2 - BHO: mpwdeapi.dll - {55694105-5108-9405-3695-954187462155} - C:\WINDOWS\system32\mpwdeapi.dll
O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll
O2 - BHO: pjjxfdwd.dll - {64FAE856-AD58-20CB-A025-CD4895FA6E46} - C:\WINDOWS\system32\pjjxfdwd.dll
O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - C:\WINDOWS\system32\zxmsdwin.dll
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\system32\mnmhgsrv.dll
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll
O2 - BHO: mndshsrv.dll - {87FD640A-158F-48AC-FD14-1597F14A9778} - C:\WINDOWS\system32\mndshsrv.dll
O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\system32\yzztkmsn.dll
O2 - BHO: hdf453d.dll - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} - C:\WINDOWS\system32\hdf453d.dll
O2 - BHO: (no name) - {E6C0D0E3-9E9A-489D-AE19-BBCFC7047A59} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [kcoin] kcoin32.exe
O4 - HKLM\..\Policies\Explorer\Run: [initnyuser] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080702a.dll tanlt88
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll verptw.dll quaryfy.dll padlod.dll,arjreler.dll,ietzbpaq.dll jordspa.dll,skqncbib.dll womsoy.dll,nhmxdjkl.dll,skqnebib.dll wolko.dll he1low.dll gwofw.dll ziflok.dll mymusi.dll wcpome.dll
O21 - SSODL: midimapgj - {4F4F0064-71E0-4f0d-0003-708476C7815F} - C:\WINDOWS\system32\midimapgj.dll
O21 - SSODL: cliconfgzx.dll - {00050005-0005-0005-0005-00050005BB15} - C:\WINDOWS\system32\cliconfgzx.dll
O21 - SSODL: catsrvwl.dll - {00040004-0004-0004-0004-00040004BB15} - C:\WINDOWS\system32\catsrvwl.dll
O21 - SSODL: kbdswjr.dll - {00120012-0012-0012-0012-00120012BB15} - C:\WINDOWS\system32\kbdswjr.dll
O21 - SSODL: tscfgwmijxsj.dll - {00330033-0033-0033-0033-00330033BB15} - C:\WINDOWS\system32\tscfgwmijxsj.dll
O21 - SSODL: msobjstl.dll - {00170017-0017-0017-0017-00170017BB15} - C:\WINDOWS\system32\msobjstl.dll
O21 - SSODL: adsntzt.dll - {00010001-0001-0001-0001-00010001BB15} - C:\WINDOWS\system32\adsntzt.dll
O21 - SSODL: bootvidgj.dll - {00030003-0003-0003-0003-00030003BB15} - C:\WINDOWS\system32\bootvidgj.dll
O21 - SSODL: midimappt - {4F4F0064-71E0-4f0d-0021-708476C7815F} - C:\WINDOWS\system32\midimappt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 11794 bytes
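As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script for the HijackThis line types that carry most of the signal in the log above: O2 BHOs, O4 Policies\Explorer\Run entries, O20 AppInit_DLLs and O21 SSODL. The heuristics are the ones a helper applies by eye when reading such a log (a BHO whose target is not a .dll or that has no descriptive name, a populated AppInit_DLLs value, a Policies\Explorer\Run entry, any SSODL entry). The sample lines are constructed in the same shape as the posted log, and the CLSID on the Adobe line is a placeholder, not a real registration.

```python
"""Triage helper for HijackThis 2.0 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of a HijackThis log. The last BHO line is a
# benign-looking control case; its CLSID is a placeholder, not a real value.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0B497AE8-3F6C-440C-AB87-52ED0182464A} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll (file missing)
O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [initnyuser] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080702a.dll tanlt88
O20 - AppInit_DLLs: welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll
O21 - SSODL: midimapgj - {4F4F0064-71E0-4f0d-0003-708476C7815F} - C:\WINDOWS\system32\midimapgj.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")


@dataclass
class Finding:
    line_type: str   # O2, O4, O20, O21
    severity: str    # "high" = almost never legitimate, "review" = look closer
    reason: str
    line: str


def _bho_findings(m, line):
    out = []
    name, path = m["name"].strip(), m["path"].strip()
    base = path.rsplit("\\", 1)[-1]
    if m["missing"]:
        out.append(Finding("O2", "review", "BHO registered but its file is missing (orphaned registration)", line))
    if not base.lower().endswith(".dll"):
        # A BHO is an in-process COM server, i.e. a DLL; .Dat/.win/.Sys targets are renamed DLLs.
        out.append(Finding("O2", "high", f"BHO target '{base}' is not a .dll", line))
    if name == "(no name)" or name.lower() == base.lower():
        out.append(Finding("O2", "review", "BHO has no descriptive name; legitimate add-ons register one", line))
    return out


def _run_findings(m, line):
    if "policies" not in m["key"].lower():
        return []
    # Policies\Explorer\Run runs at every logon and is rarely used by legitimate software.
    dlls = [tok for tok in m["cmd"].split() if tok.lower().endswith(".dll")]
    extra = f"; command also passes {len(dlls)} DLL path(s) as arguments" if dlls else ""
    return [Finding("O4", "high", "Policies\\Explorer\\Run autostart entry" + extra, line)]


def triage(log_text: str) -> list:
    """Return the findings for every recognised line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO: ") and (m := BHO_RE.match(line)):
            findings.extend(_bho_findings(m, line))
        elif line.startswith("O4 - ") and (m := O4_RE.match(line)):
            findings.extend(_run_findings(m, line))
        elif (m := O20_RE.match(line)):
            # HijackThis separates the DLLs with commas or spaces, as in the posted log.
            dlls = [d for d in re.split(r"[,\s]+", m["dlls"].strip()) if d]
            if dlls:
                findings.append(Finding("O20", "high",
                    f"AppInit_DLLs lists {len(dlls)} DLL(s) loaded into every process that loads user32.dll", line))
        elif (m := O21_RE.match(line)):
            # Only a handful of Windows components use ShellServiceObjectDelayLoad.
            findings.append(Finding("O21", "review",
                f"SSODL entry '{m['name']}' is loaded by explorer.exe at logon", line))
    return findings


def summarize(findings) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.line_type}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

The script only prioritises; it does not decide. A missing-file BHO or an SSODL entry is "review" because both occur in benign configurations, whereas a BHO stored as .Dat, a populated AppInit_DLLs value, or a Policies\Explorer\Run entry that also passes a DLL path is "high" because there is practically no legitimate reason for any of them on a home machine.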


----------



## cohen

Can you please do the following:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open *Task Manager*, then the *Processes* tab (press Ctrl, Alt and Del at the same time) and end any processes of *findstr, find, sed or swreg*; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

Can you please then post a fresh HijackThis log.


----------



## xxarlokxx

vfind.exe was ended

This is the ComboFix log:

ComboFix 08-07-05.1 - Steven C 2008-07-06  5:46:41.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.136 [GMT -4:00]
Running from: C:\Documents and Settings\Steven C\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.
The following files were disabled during the run:
C:\WINDOWS\system32\dbi100.dll


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\IEXPLORE32.Dat
C:\Program Files\Internet Explorer\IEXPLORE32.jmp
C:\Program Files\Internet Explorer\IEXPLORE32.Sys
C:\Program Files\Internet Explorer\IEXPLORE32.win
C:\Program Files\Internet Explorer\PLUGINS\UnixSys32.Jmp
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\axmsawin.exe
C:\WINDOWS\system32\cedafb.dll
C:\WINDOWS\system32\ciwdaapi.sys
C:\WINDOWS\system32\ddserh.dll
C:\WINDOWS\system32\etshabty.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\hdf453d.dll
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\isdsasrv.exe
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jashbbty.sys
C:\WINDOWS\system32\jfrwdh.dll
C:\WINDOWS\system32\kcoin32.dll
C:\WINDOWS\system32\kcoin32.exe
C:\WINDOWS\system32\lojxadwd.exe
C:\WINDOWS\system32\lpsgajba.exe
C:\WINDOWS\system32\mfdesy.dll
C:\WINDOWS\system32\MMHADPQG1097.dll
C:\WINDOWS\system32\MMHADPQG1100.dll
C:\WINDOWS\system32\MMHADPQG1101.dll
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\mpwdeapi.dll
C:\WINDOWS\system32\mtewdh.dll
C:\WINDOWS\system32\opshcbty.dll
C:\WINDOWS\system32\ozfyebyt.dll
C:\WINDOWS\system32\rfdswc.dll
C:\WINDOWS\system32\simyaapi.exe
C:\WINDOWS\system32\siwdaapi.exe
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\spwdbapi.sys
C:\WINDOWS\system32\tdggrz.dll
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\wklsdd.dll
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\system32\xzcsbhlp.sys
C:\WINDOWS\system32\ysjxbdwd.sys
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\zaztamsn.exe
C:\WINDOWS\system32\zgrjdx.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\system32\zxmsdwin.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HDV32
-------\Legacy_SEICTRL
-------\Service_Hdv32
-------\Service_seictrl


(((((((((((((((((((((((((   Files Created from 2008-06-06 to 2008-07-06  )))))))))))))))))))))))))))))))
.

2008-07-03 06:10 . 2008-07-03 06:10	18,432	--a------	C:\WINDOWS\system32\dbi100.dll
2008-07-03 06:09 . 2008-07-03 06:09	19,015	--a------	C:\WINDOWS\system32\tqgs27.exe
2008-07-03 06:08 . 2008-07-03 06:08	10,420	--a------	C:\WINDOWS\system32\mxtq9.exe
2008-07-03 06:01 . 2008-07-03 06:01	30,836	--a------	C:\WINDOWS\system32\divq38.exe
2008-07-03 06:01 . 2008-07-03 06:01	19,015	--a------	C:\WINDOWS\system32\uhhn27.exe
2008-07-03 06:00 . 2008-07-03 06:00	10,420	--a------	C:\WINDOWS\system32\jqcu9.exe
2008-07-03 05:30 . 2008-07-03 05:30	<DIR>	d--------	C:\WINDOWS\system32\inf
2008-07-03 05:30 . 2008-07-06 05:59	230,912	--a------	C:\WINDOWS\dcbdcatys32_080702a.dll
2008-07-03 05:30 . 2008-07-03 05:30	222,208	--ah-----	C:\WINDOWS\system32\jdsaex.dll
2008-07-03 05:30 . 2008-07-03 05:30	115,472	--a------	C:\WINDOWS\system32\flje29.exe
2008-07-03 05:30 . 2008-07-03 05:30	115,472	--a------	C:\WINDOWS\system\sgcxcxxaspf080702.exe
2008-07-03 05:30 . 2008-07-03 05:30	32,256	--a------	C:\WINDOWS\wftadfi16_080702a.dll
2008-07-03 05:30 . 2008-07-06 05:59	474	--a------	C:\WINDOWS\twisys.ini
2008-07-03 05:29 . 2008-07-03 05:29	28,672	--a------	C:\WINDOWS\system32\wolko.dll
2008-07-03 05:29 . 2008-07-03 05:29	28,672	--a------	C:\WINDOWS\system32\he1low.dll
2008-07-03 05:29 . 2008-07-03 05:29	24,576	--a------	C:\WINDOWS\system32\ziflok.dll
2008-07-03 05:29 . 2008-07-03 05:29	24,576	--a------	C:\WINDOWS\system32\wcpome.dll
2008-07-03 05:29 . 2008-07-03 05:29	24,576	--a------	C:\WINDOWS\system32\mymusi.dll
2008-07-03 05:29 . 2008-07-03 05:29	24,576	--a------	C:\WINDOWS\system32\gwofw.dll
2008-07-03 02:20 . 2008-07-03 02:20	30,836	--a------	C:\WINDOWS\system32\jpri38.exe
2008-07-03 02:19 . 2008-07-03 02:19	19,015	--a------	C:\WINDOWS\system32\qadu27.exe
2008-07-03 02:18 . 2008-07-03 02:18	10,420	--a------	C:\WINDOWS\system32\iwco9.exe
2008-07-03 02:10 . 2007-06-13 06:23	1,033,216	--a------	C:\WINDOWS\eqlk.exe
2008-07-03 02:07 . 2008-07-03 02:07	30,836	--a------	C:\WINDOWS\system32\szvy38.exe
2008-07-03 02:06 . 2008-07-03 02:06	19,015	--a------	C:\WINDOWS\system32\nuuu27.exe
2008-07-03 02:05 . 2008-07-03 02:05	10,420	--a------	C:\WINDOWS\system32\ljmy9.exe
2008-07-02 11:49 . 2008-07-02 11:49	30,837	--a------	C:\WINDOWS\system32\umfd38.exe
2008-07-02 11:49 . 2008-07-02 11:49	19,021	--a------	C:\WINDOWS\system32\bsdx27.exe
2008-07-02 11:47 . 2008-07-02 11:47	10,420	--a------	C:\WINDOWS\system32\bsdk9.exe
2008-06-30 10:35 . 2008-07-03 06:09	225,792	--ah-----	C:\WINDOWS\system32\sgdewg.dll
2008-06-30 10:35 . 2008-06-30 10:35	218,624	--ah-----	C:\WINDOWS\system32\jfdses.dll
2008-06-30 10:35 . 2008-06-30 10:35	30,837	--a------	C:\WINDOWS\system32\wvmk38.exe
2008-06-30 10:35 . 2008-07-03 06:10	24,576	--a------	C:\WINDOWS\system32\womsoy.dll
2008-06-30 10:35 . 2008-06-30 10:35	18,488	--a------	C:\WINDOWS\system32\otbb27.exe
2008-06-30 10:35 . 2008-07-03 06:10	11,264	--a------	C:\WINDOWS\system32\womsoyk.exe
2008-06-30 10:34 . 2008-07-03 06:09	225,792	--ah-----	C:\WINDOWS\system32\tdffdl.dll
2008-06-30 10:34 . 2008-07-06 05:58	24	--a------	C:\WINDOWS\system32\ngjxakin.sys
2008-06-30 10:34 . 2008-07-06 05:58	24	--a------	C:\WINDOWS\system32\ijzhatde.sys
2008-06-30 10:33 . 2008-07-03 06:08	229,376	--ah-----	C:\WINDOWS\system32\pedadt.dll
2008-06-30 10:33 . 2008-06-30 10:33	10,420	--a------	C:\WINDOWS\system32\ragc9.exe
2008-06-28 06:02 . 2008-06-28 06:02	135,168	--a------	C:\zip.exe
2008-06-28 06:02 . 2008-06-28 06:02	19,286	--a------	C:\cleanup.exe
2008-06-28 06:02 . 2008-06-28 06:02	574	--a------	C:\cleanup.bat
2008-06-28 06:02 . 2008-06-28 06:02	0	--a------	C:\backup.reg
2008-06-28 02:21 . 2008-06-28 02:21	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-25 14:56 . 2008-06-25 14:56	127	--a------	C:\WINDOWS\system32\MRT.INI
2008-06-25 14:49 . 2008-06-25 14:49	<DIR>	d--------	C:\Program Files\MSXML 6.0
2008-06-25 06:11 . 2008-06-13 09:10	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 04:38 . 2007-07-09 09:09	584,192	-----c---	C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-25 03:59 . 2008-07-03 02:12	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-06-25 03:59 . 2008-07-03 02:12	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 03:33 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2008-06-25 02:09 . 2008-06-25 13:31	30,968	--a------	C:\Documents and Settings\Steven C\setupg.exe
2008-06-24 12:46 . 2008-01-05 16:53	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-24 08:14 . 2008-06-24 00:10	31,048	---------	C:\Documents and Settings\Steven C\setupd.exe
2008-06-24 06:47 . 2008-06-24 06:47	<DIR>	d--------	C:\WINDOWS\system32\Adobe
2008-06-24 06:04 . 2008-06-28 01:39	49,152	--a------	C:\WINDOWS\system32\5A634FAC.DLL
2008-06-24 01:15 . 2008-06-24 01:16	<DIR>	d--------	C:\Program Files\QuickTime
2008-06-24 01:13 . 2008-06-24 01:13	<DIR>	d--------	C:\Program Files\Common Files\Apple
2008-06-22 04:15 . 2008-06-22 04:15	<DIR>	d--------	C:\Downloads
2008-06-22 04:15 . 2008-06-22 04:15	2,560	--a------	C:\WINDOWS\system32\bitcometres.dll
2008-06-22 04:14 . 2008-06-22 04:20	<DIR>	d--------	C:\Program Files\BitComet
2008-06-06 02:05 . 2008-06-06 02:05	<DIR>	d--------	C:\WINDOWS\system32\NtmsData

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 08:51	---------	d-----w	C:\Program Files\Warcraft III
2008-07-02 05:35	---------	d-----w	C:\Program Files\Steam
2008-06-24 05:18	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\Apple Computer
2008-06-24 05:17	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 08:02	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\uTorrent
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-05-21 16:47	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\Samsung
2008-05-21 16:38	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-21 06:11	---------	d-----w	C:\Program Files\Samsung
2008-05-18 09:46	---------	d-----w	C:\Program Files\Tales of Pirates Online
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 03:02	---------	d-----w	C:\Program Files\SopCast
2008-05-06 04:16	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\vlc
2008-05-06 04:15	---------	d-----w	C:\Program Files\VideoLAN
2008-02-01 02:35	28,080	----a-w	C:\Documents and Settings\Steven C\Application Data\GDIPFONTCACHEV1.DAT
2004-08-08 10:09	1,040	--sh--w	C:\WINDOWS\system32\aoqnabib.sys
2004-08-08 14:34	537,608	--sh--w	C:\WINDOWS\system32\apsggjba.dll
2004-08-08 14:34	538,120	--sh--w	C:\WINDOWS\system32\apzhctde.dll
2004-08-08 10:09	15,789	--sh--w	C:\WINDOWS\system32\dfqnabib.exe
2004-08-08 10:09	3,120	--sh--w	C:\WINDOWS\system32\erjxakin.sys
2004-08-08 10:08	520	--sh--w	C:\WINDOWS\system32\gpzhatde.sys
2004-08-08 10:10	16,341	--sh--w	C:\WINDOWS\system32\lpmxajkl.exe
2004-08-08 10:08	17,228	--sh--w	C:\WINDOWS\system32\lpzhatde.exe
2004-08-08 14:34	534,024	--sh--w	C:\WINDOWS\system32\mndshsrv.dll
2004-08-08 14:35	536,072	--sh--w	C:\WINDOWS\system32\nhmxdjkl.dll
2004-08-08 14:34	536,072	--sh--w	C:\WINDOWS\system32\pjjxfdwd.dll
2004-08-08 14:34	536,584	--sh--w	C:\WINDOWS\system32\rijxbkin.dll
2004-08-08 10:10	520	--sh--w	C:\WINDOWS\system32\rnmxajkl.sys
2004-08-08 15:48	535,048	--sh--w	C:\WINDOWS\system32\skqnebib.dll
2004-08-08 10:09	520	--sh--w	C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 10:08	520	--sh--w	C:\WINDOWS\system32\snfybbyt.sys
2004-08-08 10:09	16,602	--sh--w	C:\WINDOWS\system32\stjxakin.exe
2004-08-08 10:08	15,129	--sh--w	C:\WINDOWS\system32\tjfyabyt.exe
2004-08-08 14:33	536,584	--sh--w	C:\WINDOWS\system32\yzztkmsn.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-06-28_ 2.52.24.35   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 06:45:42	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-07-06 09:58:36	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2001-07-03 10:08:19	851,744	----a-w	C:\WINDOWS\system32\adsntzt.dll
+ 2001-07-03 10:08:40	717,460	----a-w	C:\WINDOWS\system32\bootvidgj.dll
+ 2001-07-03 10:09:28	937,760	----a-w	C:\WINDOWS\system32\catsrvwl.dll
+ 2001-07-03 10:08:43	606,124	----a-w	C:\WINDOWS\system32\cliconfgzx.dll
- 2008-06-20 01:33:23	3,472	----a-w	C:\WINDOWS\system32\d3d9caps.dat
+ 2008-07-02 05:34:55	3,472	----a-w	C:\WINDOWS\system32\d3d9caps.dat
+ 2001-08-17 17:52:30	18,688	-c--a-w	C:\WINDOWS\system32\dllcache\cdaudio.sys
+ 2001-07-03 09:29:18	574,612	----a-w	C:\WINDOWS\system32\dpvvoxmh.dll
- 2001-08-23 12:00:00	18,688	----a-w	C:\WINDOWS\system32\drivers\cdaudio.sys
+ 2001-08-17 17:52:30	18,688	----a-w	C:\WINDOWS\system32\drivers\cdaudio.sys
+ 2008-07-03 09:30:36	32,256	----a-w	C:\WINDOWS\system32\inf\scsys16_080702.dll
+ 2008-07-03 09:30:31	115,472	----a-w	C:\WINDOWS\system32\inf\sppdcrs080702.scr
+ 2004-08-04 05:56:56	33,280	----a-w	C:\WINDOWS\system32\inf\svchosd.exe
+ 2001-07-03 10:09:45	982,304	----a-w	C:\WINDOWS\system32\kbdswjr.dll
+ 2001-07-03 09:30:03	913,184	----a-w	C:\WINDOWS\system32\ksuserfy.dll
+ 2001-06-30 14:34:09	1,072,788	----a-w	C:\WINDOWS\system32\midimapgj.dll
+ 2001-07-03 09:30:06	1,067,668	----a-w	C:\WINDOWS\system32\midimappt.dll
+ 2001-07-03 10:10:18	927,008	----a-w	C:\WINDOWS\system32\msobjstl.dll
+ 2001-07-02 15:47:46	688,788	----a-w	C:\WINDOWS\system32\rasdlgcq.dll
+ 2001-07-03 10:09:59	605,472	----a-w	C:\WINDOWS\system32\tscfgwmijxsj.dll
- 2008-05-25 10:10:05	87,397	----a-w	C:\WINDOWS\War3Unin.dat
+ 2008-07-01 03:18:34	88,451	----a-w	C:\WINDOWS\War3Unin.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
2004-08-08 10:34	536584	---hs----	C:\WINDOWS\system32\rijxbkin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
2004-08-08 10:34	538120	---hs----	C:\WINDOWS\system32\apzhctde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47AC9076-C898-B098-D098-A18319080974}]
2004-08-08 10:35	536072	---hs----	C:\WINDOWS\system32\nhmxdjkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52023698-6984-8541-9654-698745012525}]
2004-08-08 11:48	535048	---hs----	C:\WINDOWS\system32\skqnebib.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64FAE856-AD58-20CB-A025-CD4895FA6E46}]
2004-08-08 10:34	536072	---hs----	C:\WINDOWS\system32\pjjxfdwd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}]
2008-07-03 06:01	44660	--ahs----	C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD45A54-9875-698F-E56E-65102358FDF7}]
2004-08-08 10:34	537608	---hs----	C:\WINDOWS\system32\apsggjba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87FD640A-158F-48AC-FD14-1597F14A9778}]
2004-08-08 10:34	534024	---hs----	C:\WINDOWS\system32\mndshsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
2004-08-08 10:33	536584	---hs----	C:\WINDOWS\system32\yzztkmsn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 22:24 185896]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"EPSON Stylus CX1500 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:32 208952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 13:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"initnyuser"="C:\WINDOWS\system32\inf\svchosd.exe" [2004-08-04 01:56 33280]

C:\Documents and Settings\Steven C\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B490415F-65F8-B5C5-D8BA-9405FB12054B}"= "C:\WINDOWS\system32\yzztkmsn.dll" [2004-08-08 10:33 536584]
"{7FD45A54-9875-698F-E56E-65102358FDF7}"= "C:\WINDOWS\system32\apsggjba.dll" [2004-08-08 10:34 537608]
"{3D698451-2015-6358-9871-2015987452D3}"= "C:\WINDOWS\system32\apzhctde.dll" [2004-08-08 10:34 538120]
"{74381DEC-D78B-43E4-BA5D-5244F669EBE4}"= "C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys" [2008-07-03 06:01 44660]
"{5E907A48-400E-4EA8-9792-FFAE052D59E9}"= "C:\WINDOWS\system32\pedadt.dll" [2008-07-03 06:08 229376]
"{4F4F0064-71E0-4f0d-0003-708476C7815F}"= "C:\WINDOWS\system32\midimapgj.dll" [2001-06-30 10:34 1072788]
"{25FD6584-698F-BCD2-602C-698745210352}"= "C:\WINDOWS\system32\rijxbkin.dll" [2004-08-08 10:34 536584]
"{87FD640A-158F-48AC-FD14-1597F14A9778}"= "C:\WINDOWS\system32\mndshsrv.dll" [2004-08-08 10:34 534024]
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"= "C:\WINDOWS\system32\tdffdl.dll" [2008-07-03 06:09 225792]
"{64FAE856-AD58-20CB-A025-CD4895FA6E46}"= "C:\WINDOWS\system32\pjjxfdwd.dll" [2004-08-08 10:34 536072]
"{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}"= "C:\WINDOWS\system32\jfdses.dll" [2008-06-30 10:35 218624]
"{47AC9076-C898-B098-D098-A18319080974}"= "C:\WINDOWS\system32\nhmxdjkl.dll" [2004-08-08 10:35 536072]
"{52023698-6984-8541-9654-698745012525}"= "C:\WINDOWS\system32\skqnebib.dll" [2004-08-08 11:48 535048]
"{00010001-0001-0001-0001-00010001BB15}"= "C:\WINDOWS\system32\adsntzt.dll" [2001-07-03 06:08 851744]
"{00030003-0003-0003-0003-00030003BB15}"= "C:\WINDOWS\system32\bootvidgj.dll" [2001-07-03 06:08 717460]
"{00050005-0005-0005-0005-00050005BB15}"= "C:\WINDOWS\system32\cliconfgzx.dll" [2001-07-03 06:08 606124]
"{00040004-0004-0004-0004-00040004BB15}"= "C:\WINDOWS\system32\catsrvwl.dll" [2001-07-03 06:09 937760]
"{00120012-0012-0012-0012-00120012BB15}"= "C:\WINDOWS\system32\kbdswjr.dll" [2001-07-03 06:09 982304]
"{00330033-0033-0033-0033-00330033BB15}"= "C:\WINDOWS\system32\tscfgwmijxsj.dll" [2001-07-03 06:09 605472]
"{00170017-0017-0017-0017-00170017BB15}"= "C:\WINDOWS\system32\msobjstl.dll" [2001-07-03 06:10 927008]
"{4F4F0064-71E0-4f0d-0021-708476C7815F}"= "C:\WINDOWS\system32\midimappt.dll" [2001-07-03 05:30 1067668]
"{B29583D8-033A-4B9F-8553-7C5458F3FB8E}"= "C:\WINDOWS\system32\jdsaex.dll" [2008-07-03 05:30 222208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"midimapgj"= {4F4F0064-71E0-4f0d-0003-708476C7815F} - C:\WINDOWS\system32\midimapgj.dll [2001-06-30 10:34 1072788]
"cliconfgzx.dll"= {00050005-0005-0005-0005-00050005BB15} - C:\WINDOWS\system32\cliconfgzx.dll [2001-07-03 06:08 606124]
"catsrvwl.dll"= {00040004-0004-0004-0004-00040004BB15} - C:\WINDOWS\system32\catsrvwl.dll [2001-07-03 06:09 937760]
"kbdswjr.dll"= {00120012-0012-0012-0012-00120012BB15} - C:\WINDOWS\system32\kbdswjr.dll [2001-07-03 06:09 982304]
"tscfgwmijxsj.dll"= {00330033-0033-0033-0033-00330033BB15} - C:\WINDOWS\system32\tscfgwmijxsj.dll [2001-07-03 06:09 605472]
"msobjstl.dll"= {00170017-0017-0017-0017-00170017BB15} - C:\WINDOWS\system32\msobjstl.dll [2001-07-03 06:10 927008]
"adsntzt.dll"= {00010001-0001-0001-0001-00010001BB15} - C:\WINDOWS\system32\adsntzt.dll [2001-07-03 06:08 851744]
"bootvidgj.dll"= {00030003-0003-0003-0003-00030003BB15} - C:\WINDOWS\system32\bootvidgj.dll [2001-07-03 06:08 717460]
"midimappt"= {4F4F0064-71E0-4f0d-0021-708476C7815F} - C:\WINDOWS\system32\midimappt.dll [2001-07-03 05:30 1067668]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll verptw.dll quaryfy.dll padlod.dll,arjreler.dll,ietzbpaq.dll jordspa.dll,skqncbib.dll womsoy.dll,nhmxdjkl.dll,skqnebib.dll wolko.dll he1low.dll gwofw.dll ziflok.dll mymusi.dll wcpome.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ati2evxx.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\egui.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\idag.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kaccore.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyICE.EXE]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravtool.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regtool.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exeFYFireWall.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safebank.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WinDbg.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-31 01:42 1271032 C:\Program Files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaws.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\day of defeat\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:Utor1
"1720:TCP"= 1720:TCP:utorrent
"1720:UDP"= 1720:UDP:utorrent1
"12535:TCP"= 12535:TCP:BitComet 12535 TCP
"12535:UDP"= 12535:UDP:BitComet 12535 UDP

S0 hjjku3xohj;hjjku3xohj;C:\WINDOWS\system32\drivers\hjjku3xohj.sys [2004-08-04 01:56]
S0 tfj4g0kc8q;tfj4g0kc8;C:\WINDOWS\system32\DRIVERS\tfj4g0kc8q.sys [2004-08-04 01:56]
S3 epflt15;epflt15;C:\WINDOWS\system32\DRIVERS\epflt15.SYS [2004-10-09 16:10]
S3 esflt15;esflt15;C:\WINDOWS\system32\DRIVERS\esflt15.SYS [2004-11-16 19:52]
S3 sssdbus;SAMSUNG WMC Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sssdbus.sys [2007-07-05 12:37]
S3 sssdmdfl;SAMSUNG Modem Filter;C:\WINDOWS\system32\DRIVERS\sssdmdfl.sys [2007-07-05 12:37]
S3 sssdmdm;SAMSUNG Modem Driver;C:\WINDOWS\system32\DRIVERS\sssdmdm.sys [2007-07-05 12:37]
S3 sssdmgmt;SAMSUNG AT command Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdmgmt.sys [2007-07-05 12:37]
S3 sssdobex;SAMSUNG OBEX Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdobex.sys [2007-07-05 12:37]

.
- - - - ORPHANS REMOVED - - - -

BHO-{0B497AE8-3F6C-440C-AB87-52ED0182464A} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
BHO-{1FD4696C-E95A-44E2-A03A-FDBDF4CCC305} - C:\Program Files\Internet Explorer\IEXPLORE32.win
BHO-{32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll
BHO-{E6C0D0E3-9E9A-489D-AE19-BBCFC7047A59} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
HKCU-Run-Sticker - C:\Program Files\MoRUN.net\Sticker\sticker.exe
HKLM-Run-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
ShellExecuteHooks-{6C648541-1025-9650-9057-6541258720C6} - (no file)
ShellExecuteHooks-{77FD640A-158F-48AC-FD14-1597F14A9777} - (no file)
ShellExecuteHooks-{6E091341-6715-2098-51F0-178367AE53E6} - (no file)
ShellExecuteHooks-{7C69034A-F45F-D34D-A33A-C33C4D324FC7} - (no file)
ShellExecuteHooks-{29109876-7619-9101-7012-901938475192} - (no file)
ShellExecuteHooks-{1A698452-C5D8-C584-C256-C264C987C5A1} - (no file)
ShellExecuteHooks-{E6C0D0E3-9E9A-489D-AE19-BBCFC7047A59} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
ShellExecuteHooks-{1FD4696C-E95A-44E2-A03A-FDBDF4CCC305} - C:\Program Files\Internet Explorer\IEXPLORE32.win
ShellExecuteHooks-{0B497AE8-3F6C-440C-AB87-52ED0182464A} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
ShellExecuteHooks-{A9895933-6636-4281-BC58-EE6DE2AF96E3} - C:\WINDOWS\system32\ddserh.dll
ShellExecuteHooks-{32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll
ShellExecuteHooks-{d332093c-9d73-4868-b201-9464a1d97512} - C:\WINDOWS\system32\MMHADPQG1101.dll
Notify-WgaLogon - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 05:59:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2008-07-06  6:06:54 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-06 10:06:12
ComboFix2.txt  2008-06-28 06:53:27

Pre-Run: 32,145,330,176 bytes free
Post-Run: 32,359,931,904 bytes free

403	--- E O F ---	2008-07-05 18:27:44


----------
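The ComboFix output above lists a series of Image File Execution Options keys (procexp.exe, OllyDBG.EXE, WinDbg.exe and others) whose Debugger value points at svchost.exe, which means the system launches that binary in place of the tool the user started, plus a long AppInit_DLLs list that gets injected into every user-mode process. As an added example (not code from the thread, from ComboFix or from any of the posters), here is a small Python checker that parses a ComboFix-style registry section and flags both patterns; the sample log is a constructed excerpt in that format, and the notepad.exe / windbg.exe entry is constructed purely to show a value that is not flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix registry section quoted in
# the thread: the first entries mirror what that log shows, the notepad.exe
# entry is added here only to show a value that is NOT flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
Debugger=C:\Tools\windbg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-31 01:42 1271032 C:\Program Files\Steam\Steam.exe
"""

IFEO = "image file execution options"

# Binaries a legitimate IFEO Debugger value normally names (just-in-time
# debuggers). Anything else, svchost.exe in particular, is suspicious: the OS
# will start that program instead of the tool the user launched.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

Section = Tuple[str, Dict[str, str]]


def parse_sections(text: str) -> List[Section]:
    """Split a ComboFix-style registry dump into (key path, {name: value})."""
    sections: List[Section] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
        elif "=" in line and sections:
            name, _, value = line.partition("=")
            current[name.strip().strip('"')] = value.strip().strip('"')
        # other lines (file attribute listings) carry no name=value pair
    return sections


def ifeo_debugger_hijacks(sections: List[Section]) -> List[Tuple[str, str]]:
    """Return (hijacked program, debugger path) for every IFEO Debugger
    value that does not name a known debugger."""
    findings = []
    for key, values in sections:
        if IFEO not in key.lower() or "Debugger" not in values:
            continue
        debugger = values["Debugger"]
        target = key.rsplit("\\", 1)[-1]
        if target.lower() == IFEO:
            target = "(root key)"  # value set on the parent key itself
        if debugger.rsplit("\\", 1)[-1].lower() not in KNOWN_DEBUGGERS:
            findings.append((target, debugger))
    return findings


def appinit_dlls(sections: List[Section]) -> List[str]:
    """DLLs forced into every user-mode process via AppInit_DLLs. The value
    may be comma- or space-separated, and the thread's log mixes both."""
    for key, values in sections:
        if key.lower().endswith("\\currentversion\\windows"):
            raw = values.get("AppInit_DLLs", "")
            return [d for d in re.split(r"[,\s]+", raw) if d]
    return []


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    for target, dbg in ifeo_debugger_hijacks(secs):
        print(f"IFEO hijack: {target} -> {dbg}")
    for dll in appinit_dlls(secs):
        print(f"AppInit_DLLs loads: {dll}")
```

On a live system the same checks can be run against a registry export of the two keys; an IFEO Debugger value set on the root key, as in this log, affects every program, not just the named ones.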



## xxarlokxx

Here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:45 AM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inf\svchosd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll
O2 - BHO: nhmxdjkl.dll - {47AC9076-C898-B098-D098-A18319080974} - C:\WINDOWS\system32\nhmxdjkl.dll
O2 - BHO: skqnebib.dll - {52023698-6984-8541-9654-698745012525} - C:\WINDOWS\system32\skqnebib.dll
O2 - BHO: pjjxfdwd.dll - {64FAE856-AD58-20CB-A025-CD4895FA6E46} - C:\WINDOWS\system32\pjjxfdwd.dll
O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll
O2 - BHO: mndshsrv.dll - {87FD640A-158F-48AC-FD14-1597F14A9778} - C:\WINDOWS\system32\mndshsrv.dll
O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\system32\yzztkmsn.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [initnyuser] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080702a.dll tanlt88
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll verptw.dll quaryfy.dll padlod.dll,arjreler.dll,ietzbpaq.dll jordspa.dll,skqncbib.dll womsoy.dll,nhmxdjkl.dll,skqnebib.dll wolko.dll he1low.dll gwofw.dll ziflok.dll mymusi.dll wcpome.dll
O21 - SSODL: midimapgj - {4F4F0064-71E0-4f0d-0003-708476C7815F} - C:\WINDOWS\system32\midimapgj.dll
O21 - SSODL: cliconfgzx.dll - {00050005-0005-0005-0005-00050005BB15} - C:\WINDOWS\system32\cliconfgzx.dll
O21 - SSODL: catsrvwl.dll - {00040004-0004-0004-0004-00040004BB15} - C:\WINDOWS\system32\catsrvwl.dll
O21 - SSODL: kbdswjr.dll - {00120012-0012-0012-0012-00120012BB15} - C:\WINDOWS\system32\kbdswjr.dll
O21 - SSODL: tscfgwmijxsj.dll - {00330033-0033-0033-0033-00330033BB15} - C:\WINDOWS\system32\tscfgwmijxsj.dll
O21 - SSODL: msobjstl.dll - {00170017-0017-0017-0017-00170017BB15} - C:\WINDOWS\system32\msobjstl.dll
O21 - SSODL: adsntzt.dll - {00010001-0001-0001-0001-00010001BB15} - C:\WINDOWS\system32\adsntzt.dll
O21 - SSODL: bootvidgj.dll - {00030003-0003-0003-0003-00030003BB15} - C:\WINDOWS\system32\bootvidgj.dll
O21 - SSODL: midimappt - {4F4F0064-71E0-4f0d-0021-708476C7815F} - C:\WINDOWS\system32\midimappt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10088 bytes


----------



## cohen

how is your system running now???

I'll just read through your log, and be back with you soon.


----------



## xxarlokxx

i still see iexplore.exe taking 6,600k of space..but i dun use internet explorer...i use firefox..=="...
also..i sometime hear refreshing page sound..u know the clicking sound that kind of thing.  But i wasnt doing anything.


----------



## cohen

Ok, i'll be with you soon, i'm just asking for some higher advice, on this one.


----------



## xxarlokxx

oh ok...thanks alot..=]


----------



## johnb35

you are still majorly infected.  Wait for buzz, punk, or a mod to help you clean your system.  While waiting you can try downloading, updating and running superantispyware and see how much cleaner your system is.


----------



## adarsh

Yes, you are still infected with Vundo.
Please do not browse as it may increase the infections and contribute to the infections present on this system.


----------



## GameMaster

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).* 

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*. 
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:\WINDOWS\system32\dbi100.dll
> C:\WINDOWS\system32\tqgs27.exe
> C:\WINDOWS\system32\mxtq9.exe
> C:\WINDOWS\system32\divq38.exe
> C:\WINDOWS\system32\uhhn27.exe
> C:\WINDOWS\system32\jqcu9.exe
> C:\WINDOWS\dcbdcatys32_080702a.dll
> C:\WINDOWS\system32\jdsaex.dll
> C:\WINDOWS\system32\flje29.exe
> C:\WINDOWS\system\sgcxcxxaspf080702.exe
> C:\WINDOWS\wftadfi16_080702a.dll
> C:\WINDOWS\twisys.ini
> C:\WINDOWS\system32\wolko.dll
> C:\WINDOWS\system32\he1low.dll
> C:\WINDOWS\system32\ziflok.dll
> C:\WINDOWS\system32\wcpome.dll
> C:\WINDOWS\system32\mymusi.dll
> C:\WINDOWS\system32\gwofw.dll
> C:\WINDOWS\system32\jpri38.exe
> C:\WINDOWS\system32\qadu27.exe
> C:\WINDOWS\system32\iwco9.exe
> C:\WINDOWS\eqlk.exe
> C:\WINDOWS\system32\szvy38.exe
> C:\WINDOWS\system32\nuuu27.exe
> C:\WINDOWS\system32\ljmy9.exe
> C:\WINDOWS\system32\umfd38.exe
> C:\WINDOWS\system32\bsdx27.exe
> C:\WINDOWS\system32\bsdk9.exe
> C:\WINDOWS\system32\sgdewg.dll
> C:\WINDOWS\system32\jfdses.dll
> C:\WINDOWS\system32\wvmk38.exe
> C:\WINDOWS\system32\womsoy.dll
> C:\WINDOWS\system32\otbb27.exe
> C:\WINDOWS\system32\womsoyk.exe
> C:\WINDOWS\system32\tdffdl.dll
> C:\WINDOWS\system32\ngjxakin.sys
> C:\WINDOWS\system32\ijzhatde.sys
> C:\WINDOWS\system32\pedadt.dll
> C:\WINDOWS\system32\ragc9.exe
> C:\Documents and Settings\Steven C\Application Data\GDIPFONTCACHEV1.DAT
> C:\WINDOWS\system32\aoqnabib.sys
> C:\WINDOWS\system32\apsggjba.dll
> C:\WINDOWS\system32\apzhctde.dll
> C:\WINDOWS\system32\dfqnabib.exe
> C:\WINDOWS\system32\erjxakin.sys
> C:\WINDOWS\system32\gpzhatde.sys
> C:\WINDOWS\system32\lpmxajkl.exe
> C:\WINDOWS\system32\lpzhatde.exe
> C:\WINDOWS\system32\mndshsrv.dll
> C:\WINDOWS\system32\nhmxdjkl.dll
> C:\WINDOWS\system32\pjjxfdwd.dll
> C:\WINDOWS\system32\rijxbkin.dll
> C:\WINDOWS\system32\rnmxajkl.sys
> C:\WINDOWS\system32\skqnebib.dll
> C:\WINDOWS\system32\smdsbsrv.sys
> C:\WINDOWS\system32\snfybbyt.sys
> C:\WINDOWS\system32\stjxakin.exe
> C:\WINDOWS\system32\tjfyabyt.exe
> C:\WINDOWS\system32\yzztkmsn.dll
> C:\WINDOWS\system32\adsntzt.dll
> C:\WINDOWS\system32\bootvidgj.dll
> C:\WINDOWS\system32\catsrvwl.dll
> C:\WINDOWS\system32\cliconfgzx.dll
> C:\WINDOWS\system32\d3d9caps.dat
> C:\WINDOWS\system32\d3d9caps.dat
> C:\WINDOWS\system32\dpvvoxmh.dll
> C:\WINDOWS\system32\inf\scsys16_080702.dll
> C:\WINDOWS\system32\inf\sppdcrs080702.scr
> C:\WINDOWS\system32\inf\svchosd.exe
> C:\WINDOWS\system32\kbdswjr.dll
> C:\WINDOWS\system32\ksuserfy.dll
> C:\WINDOWS\system32\midimapgj.dll
> C:\WINDOWS\system32\midimappt.dll
> C:\WINDOWS\system32\msobjstl.dll
> C:\WINDOWS\system32\rasdlgcq.dll
> C:\WINDOWS\system32\tscfgwmijxsj.dll
> C:\WINDOWS\bootstat.dat



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.*


----------



## xxarlokxx

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\dbi100.dll" deleted successfully.
File "C:\WINDOWS\system32\tqgs27.exe" deleted successfully.
File "C:\WINDOWS\system32\mxtq9.exe" deleted successfully.
File "C:\WINDOWS\system32\divq38.exe" deleted successfully.
File "C:\WINDOWS\system32\uhhn27.exe" deleted successfully.
File "C:\WINDOWS\system32\jqcu9.exe" deleted successfully.
File "C:\WINDOWS\dcbdcatys32_080702a.dll" deleted successfully.
File "C:\WINDOWS\system32\jdsaex.dll" deleted successfully.
File "C:\WINDOWS\system32\flje29.exe" deleted successfully.
File "C:\WINDOWS\system\sgcxcxxaspf080702.exe" deleted successfully.
File "C:\WINDOWS\wftadfi16_080702a.dll" deleted successfully.
File "C:\WINDOWS\twisys.ini" deleted successfully.
File "C:\WINDOWS\system32\wolko.dll" deleted successfully.
File "C:\WINDOWS\system32\he1low.dll" deleted successfully.
File "C:\WINDOWS\system32\ziflok.dll" deleted successfully.
File "C:\WINDOWS\system32\wcpome.dll" deleted successfully.
File "C:\WINDOWS\system32\mymusi.dll" deleted successfully.
File "C:\WINDOWS\system32\gwofw.dll" deleted successfully.
File "C:\WINDOWS\system32\jpri38.exe" deleted successfully.
File "C:\WINDOWS\system32\qadu27.exe" deleted successfully.
File "C:\WINDOWS\system32\iwco9.exe" deleted successfully.
File "C:\WINDOWS\eqlk.exe" deleted successfully.
File "C:\WINDOWS\system32\szvy38.exe" deleted successfully.
File "C:\WINDOWS\system32\nuuu27.exe" deleted successfully.
File "C:\WINDOWS\system32\ljmy9.exe" deleted successfully.
File "C:\WINDOWS\system32\umfd38.exe" deleted successfully.
File "C:\WINDOWS\system32\bsdx27.exe" deleted successfully.
File "C:\WINDOWS\system32\bsdk9.exe" deleted successfully.
File "C:\WINDOWS\system32\sgdewg.dll" deleted successfully.
File "C:\WINDOWS\system32\jfdses.dll" deleted successfully.
File "C:\WINDOWS\system32\wvmk38.exe" deleted successfully.
File "C:\WINDOWS\system32\womsoy.dll" deleted successfully.
File "C:\WINDOWS\system32\otbb27.exe" deleted successfully.
File "C:\WINDOWS\system32\womsoyk.exe" deleted successfully.
File "C:\WINDOWS\system32\tdffdl.dll" deleted successfully.
File "C:\WINDOWS\system32\ngjxakin.sys" deleted successfully.
File "C:\WINDOWS\system32\ijzhatde.sys" deleted successfully.
File "C:\WINDOWS\system32\pedadt.dll" deleted successfully.
File "C:\WINDOWS\system32\ragc9.exe" deleted successfully.
File "C:\Documents and Settings\Steven C\Application Data\GDIPFONTCACHEV1.DAT" deleted successfully.
File "C:\WINDOWS\system32\aoqnabib.sys" deleted successfully.
File "C:\WINDOWS\system32\apsggjba.dll" deleted successfully.
File "C:\WINDOWS\system32\apzhctde.dll" deleted successfully.
File "C:\WINDOWS\system32\dfqnabib.exe" deleted successfully.
File "C:\WINDOWS\system32\erjxakin.sys" deleted successfully.
File "C:\WINDOWS\system32\gpzhatde.sys" deleted successfully.
File "C:\WINDOWS\system32\lpmxajkl.exe" deleted successfully.
File "C:\WINDOWS\system32\lpzhatde.exe" deleted successfully.
File "C:\WINDOWS\system32\mndshsrv.dll" deleted successfully.
File "C:\WINDOWS\system32\nhmxdjkl.dll" deleted successfully.
File "C:\WINDOWS\system32\pjjxfdwd.dll" deleted successfully.
File "C:\WINDOWS\system32\rijxbkin.dll" deleted successfully.
File "C:\WINDOWS\system32\rnmxajkl.sys" deleted successfully.
File "C:\WINDOWS\system32\skqnebib.dll" deleted successfully.
File "C:\WINDOWS\system32\smdsbsrv.sys" deleted successfully.
File "C:\WINDOWS\system32\snfybbyt.sys" deleted successfully.
File "C:\WINDOWS\system32\stjxakin.exe" deleted successfully.
File "C:\WINDOWS\system32\tjfyabyt.exe" deleted successfully.
File "C:\WINDOWS\system32\yzztkmsn.dll" deleted successfully.
File "C:\WINDOWS\system32\adsntzt.dll" deleted successfully.
File "C:\WINDOWS\system32\bootvidgj.dll" deleted successfully.
File "C:\WINDOWS\system32\catsrvwl.dll" deleted successfully.
File "C:\WINDOWS\system32\cliconfgzx.dll" deleted successfully.
File "C:\WINDOWS\system32\d3d9caps.dat" deleted successfully.

Error:  file "C:\WINDOWS\system32\d3d9caps.dat" not found!
Deletion of file "C:\WINDOWS\system32\d3d9caps.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\dpvvoxmh.dll" deleted successfully.
File "C:\WINDOWS\system32\inf\scsys16_080702.dll" deleted successfully.
File "C:\WINDOWS\system32\inf\sppdcrs080702.scr" deleted successfully.
File "C:\WINDOWS\system32\inf\svchosd.exe" deleted successfully.
File "C:\WINDOWS\system32\kbdswjr.dll" deleted successfully.
File "C:\WINDOWS\system32\ksuserfy.dll" deleted successfully.
File "C:\WINDOWS\system32\midimapgj.dll" deleted successfully.
File "C:\WINDOWS\system32\midimappt.dll" deleted successfully.
File "C:\WINDOWS\system32\msobjstl.dll" deleted successfully.
File "C:\WINDOWS\system32\rasdlgcq.dll" deleted successfully.
File "C:\WINDOWS\system32\tscfgwmijxsj.dll" deleted successfully.
File "C:\WINDOWS\bootstat.dat" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.



So does that remove Vundo?? or its just temporary (a bit cleaner), but still heavily infected??


----------



## GameMaster

Erm...it's a lot cleaner now. 
I'm sure there are some remnants so let's scan for them.

Please download VundoFix. When downloaded, install it and run. It will check for a Vundo infection ( or for what is left ).
When done, it will produce a log. Please post the log in your next reply, with the new HijackThis log.

Also, can you feel your computer feeling any better?


----------



## xxarlokxx

it does feel better....=]...
is it the same virus that i encountered be4? the one about QQ pop up?? and i asked for your help before..=P...

i'll do the vundofix now...post the log afterward...

thx alot, btw!! ..

Oh, one more thing..When i run vundofix..do i click fix vundo after scanning?? or i just post the log and u look it over first??


----------



## xxarlokxx

apparently.  After i done the vundo scan, it said no infected file found? 
Its a bit weird, because i found on the internet its quite hard to remove vundo.  And i dont get a log produced.  So does that mean i dun have vundo anymore??


----------



## johnb35

Post a fresh hijackthis log please.


----------



## G25r8cer

Wow that system was Very Badly infected.


----------



## xxarlokxx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:12 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll (file missing)
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll (file missing)
O2 - BHO: nhmxdjkl.dll - {47AC9076-C898-B098-D098-A18319080974} - C:\WINDOWS\system32\nhmxdjkl.dll (file missing)
O2 - BHO: skqnebib.dll - {52023698-6984-8541-9654-698745012525} - C:\WINDOWS\system32\skqnebib.dll (file missing)
O2 - BHO: pjjxfdwd.dll - {64FAE856-AD58-20CB-A025-CD4895FA6E46} - C:\WINDOWS\system32\pjjxfdwd.dll (file missing)
O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll (file missing)
O2 - BHO: mndshsrv.dll - {87FD640A-158F-48AC-FD14-1597F14A9778} - C:\WINDOWS\system32\mndshsrv.dll (file missing)
O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\system32\yzztkmsn.dll (file missing)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [initnyuser] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080702a.dll tanlt88
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll verptw.dll quaryfy.dll padlod.dll,arjreler.dll,ietzbpaq.dll jordspa.dll,skqncbib.dll womsoy.dll,nhmxdjkl.dll,skqnebib.dll wolko.dll he1low.dll gwofw.dll ziflok.dll mymusi.dll wcpome.dll
O21 - SSODL: midimapgj - {4F4F0064-71E0-4f0d-0003-708476C7815F} - C:\WINDOWS\system32\midimapgj.dll (file missing)
O21 - SSODL: cliconfgzx.dll - {00050005-0005-0005-0005-00050005BB15} - C:\WINDOWS\system32\cliconfgzx.dll (file missing)
O21 - SSODL: catsrvwl.dll - {00040004-0004-0004-0004-00040004BB15} - C:\WINDOWS\system32\catsrvwl.dll (file missing)
O21 - SSODL: kbdswjr.dll - {00120012-0012-0012-0012-00120012BB15} - C:\WINDOWS\system32\kbdswjr.dll (file missing)
O21 - SSODL: tscfgwmijxsj.dll - {00330033-0033-0033-0033-00330033BB15} - C:\WINDOWS\system32\tscfgwmijxsj.dll (file missing)
O21 - SSODL: msobjstl.dll - {00170017-0017-0017-0017-00170017BB15} - C:\WINDOWS\system32\msobjstl.dll (file missing)
O21 - SSODL: adsntzt.dll - {00010001-0001-0001-0001-00010001BB15} - C:\WINDOWS\system32\adsntzt.dll (file missing)
O21 - SSODL: bootvidgj.dll - {00030003-0003-0003-0003-00030003BB15} - C:\WINDOWS\system32\bootvidgj.dll (file missing)
O21 - SSODL: midimappt - {4F4F0064-71E0-4f0d-0021-708476C7815F} - C:\WINDOWS\system32\midimappt.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10070 bytes


----------



## xxarlokxx

...it was. My computer was really slow before.


----------



## ceewi1

Your log reveals that your system has been infected with multiple keyloggers, one of which still remains. These can severely compromise personal information, which could lead to identity theft.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



```
File::
C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47AC9076-C898-B098-D098-A18319080974}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52023698-6984-8541-9654-698745012525}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64FAE856-AD58-20CB-A025-CD4895FA6E46}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD45A54-9875-698F-E56E-65102358FDF7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87FD640A-158F-48AC-FD14-1597F14A9778}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"initnyuser"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B490415F-65F8-B5C5-D8BA-9405FB12054B}"=-
"{7FD45A54-9875-698F-E56E-65102358FDF7}"=-
"{3D698451-2015-6358-9871-2015987452D3}"=-
"{74381DEC-D78B-43E4-BA5D-5244F669EBE4}"=-
"{5E907A48-400E-4EA8-9792-FFAE052D59E9}"=-
"{4F4F0064-71E0-4f0d-0003-708476C7815F}"=-
"{25FD6584-698F-BCD2-602C-698745210352}"=-
"{87FD640A-158F-48AC-FD14-1597F14A9778}"=-
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"=-
"{64FAE856-AD58-20CB-A025-CD4895FA6E46}"=-
"{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}"=-
"{47AC9076-C898-B098-D098-A18319080974}"=-
"{52023698-6984-8541-9654-698745012525}"=-
"{00010001-0001-0001-0001-00010001BB15}"=-
"{00030003-0003-0003-0003-00030003BB15}"=-
"{00050005-0005-0005-0005-00050005BB15}"=-
"{00040004-0004-0004-0004-00040004BB15}"=-
"{00120012-0012-0012-0012-00120012BB15}"=-
"{00330033-0033-0033-0033-00330033BB15}"=-
"{00170017-0017-0017-0017-00170017BB15}"=-
"{4F4F0064-71E0-4f0d-0021-708476C7815F}"=-
"{B29583D8-033A-4B9F-8553-7C5458F3FB8E}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"midimapgj"=-
"cliconfgzx.dll"=-
"catsrvwl.dll"=-
"kbdswjr.dll"=-
"tscfgwmijxsj.dll"=-
"msobjstl.dll"=-
"adsntzt.dll"=-
"bootvidgj.dll"=-
"midimappt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]

Driver::
hjjku3xohj
tfj4g0kc8q
```

Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

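The triage ceewi1 did by eye on the log above (orphaned BHO and SSODL entries with random names and hand-made CLSIDs, a loader under Policies\Explorer\Run, a stuffed AppInit_DLLs value) can be scripted. What follows is an added example written for this thread; it is not a forum tool and not ceewi1's own script. The sample log lines are copied from the log posted above, abridged, plus one constructed benign BHO entry so that a clean line is present; the heuristics (eight-letter names, the repeated-group CLSID pattern, a one-character lookalike of svchost.exe) are assumptions drawn from this one log, not general malware signatures.

```python
"""Triage a HijackThis 2.0 log for the load points abused in this thread.
Added example for this thread; not a forum tool and not ceewi1's own script.
Heuristics are assumptions drawn from the log above, not general signatures."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above (abridged) plus
# one made-up benign BHO so that a clean entry is present.
SAMPLE_LOG = r"""
O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll (file missing)
O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
O2 - BHO: Example Helper - {0A1B2C3D-4E5F-4A6B-8C7D-0123456789AB} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [initnyuser] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080702a.dll tanlt88
O20 - AppInit_DLLs: welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll
O21 - SSODL: cliconfgzx.dll - {00050005-0005-0005-0005-00050005BB15} - C:\WINDOWS\system32\cliconfgzx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# 'O2 - BHO: name - {CLSID} - path' / 'O21 - SSODL: name - {CLSID} - path',
# optionally followed by ' (file missing)'.
COM_RE = re.compile(r"^(O2|O21) - (?:BHO|SSODL): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*?)(?: \(file missing\))?$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")  # the dropped BHOs above are all 8 random letters


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "info"
    line: str
    reasons: list


def appinit_dlls(o20_line: str) -> list:
    """Split an O20 AppInit_DLLs value. Windows accepts comma or space
    delimiters and the value in this log mixes both, so split on either."""
    _, _, value = o20_line.partition("AppInit_DLLs:")
    return [d for d in re.split(r"[,\s]+", value.strip()) if d]


def fabricated_clsid(clsid: str) -> bool:
    """The SSODL CLSIDs above are hand-made: three identical 4-hex groups and
    a first group that is that group doubled (00050005-0005-0005-0005-...)."""
    m = CLSID_RE.fullmatch(clsid)
    if not m:
        return False
    g1, g2, g3, g4, _ = (g.lower() for g in m.groups())
    return g2 == g3 == g4 and g1 == g2 + g2


def one_char_off(name: str, legit: str) -> bool:
    """True when name differs from legit in exactly one position (svchosd.exe)."""
    name, legit = name.lower(), legit.lower()
    return len(name) == len(legit) and sum(a != b for a, b in zip(name, legit)) == 1


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        reasons, severity = [], "high"
        if section in ("O2", "O21") and (m := COM_RE.match(line)):
            clsid, path = m.group(3), m.group(4)
            filename = path.rsplit("\\", 1)[-1]
            if line.endswith("(file missing)"):
                reasons.append("load point whose DLL is already gone")
            if RANDOM_NAME_RE.match(filename):
                reasons.append("eight-letter random-looking file name")
            if fabricated_clsid(clsid):
                reasons.append("hand-made CLSID pattern")
            if not filename.lower().endswith((".dll", ".ocx")):
                reasons.append("COM object stored in a non-DLL file")
        elif section == "O4" and (m := re.search(r"\] (.*)$", line)):
            args = m.group(1)
            if "Policies\\Explorer\\Run" in line:
                reasons.append("Run key under Policies\\Explorer, rarely used by installers")
            # First token is the executable; it is quoted when the path has spaces.
            exe = args[1:].split('"', 1)[0] if args.startswith('"') else args.split(" ", 1)[0]
            exe = exe.rsplit("\\", 1)[-1]
            if one_char_off(exe, "svchost.exe"):
                reasons.append(exe + " is one character off svchost.exe")
            if re.search(r"\s\S+\.dll\b", args, re.IGNORECASE):
                reasons.append("DLL passed on the command line (loader pattern)")
        elif section == "O20" and "AppInit_DLLs:" in line:
            dlls = appinit_dlls(line)
            if dlls:
                reasons.append("AppInit_DLLs injects %d DLLs into every process loading user32.dll" % len(dlls))
        elif section == "O23" and "Unknown owner" in line:
            severity = "info"
            reasons.append("service binary carries no publisher; verify the file")
        if reasons:
            findings.append(Finding(section, severity, line, reasons))
    return findings
```

Feed a real log with `triage(open(path).read())` and read the `reasons` on each Finding. AppInit_DLLs is split on commas and whitespace together because Windows accepts either delimiter and the value in this log mixes both; a plain comma split would undercount the injected DLLs.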

----------



## xxarlokxx

Vfind.exe was end-tasked...

ComboFix 08-07-05.1 - Steven C 2008-07-07  5:53:09.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.179 [GMT -4:00]
Running from: C:\Documents and Settings\Steven C\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven C\Desktop\CFScript.txt
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\wymxajkl.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjjku3xohj
-------\Service_tfj4g0kc8q


(((((((((((((((((((((((((   Files Created from 2008-06-07 to 2008-07-07  )))))))))))))))))))))))))))))))
.

2008-07-06 13:38 . 2008-07-06 13:38	<DIR>	d--------	C:\VundoFix Backups
2008-07-06 11:30 . 2008-07-06 13:24	77	--a------	C:\WINDOWS\system32\mywfhit.ini
2008-07-03 05:30 . 2008-07-06 13:25	<DIR>	d--------	C:\WINDOWS\system32\inf
2008-06-28 02:21 . 2008-06-28 02:21	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-25 14:56 . 2008-06-25 14:56	127	--a------	C:\WINDOWS\system32\MRT.INI
2008-06-25 14:49 . 2008-06-25 14:49	<DIR>	d--------	C:\Program Files\MSXML 6.0
2008-06-25 06:11 . 2008-06-13 09:10	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 04:38 . 2007-07-09 09:09	584,192	-----c---	C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-25 03:59 . 2008-07-03 02:12	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-06-25 03:59 . 2008-07-03 02:12	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 03:33 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2008-06-25 02:09 . 2008-06-25 13:31	30,968	--a------	C:\Documents and Settings\Steven C\setupg.exe
2008-06-24 12:46 . 2008-01-05 16:53	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-24 08:14 . 2008-06-24 00:10	31,048	---------	C:\Documents and Settings\Steven C\setupd.exe
2008-06-24 06:47 . 2008-06-24 06:47	<DIR>	d--------	C:\WINDOWS\system32\Adobe
2008-06-24 06:04 . 2008-06-28 01:39	49,152	--a------	C:\WINDOWS\system32\5A634FAC.DLL
2008-06-24 01:15 . 2008-06-24 01:16	<DIR>	d--------	C:\Program Files\QuickTime
2008-06-24 01:13 . 2008-06-24 01:13	<DIR>	d--------	C:\Program Files\Common Files\Apple
2008-06-22 04:15 . 2008-06-22 04:15	<DIR>	d--------	C:\Downloads
2008-06-22 04:15 . 2008-06-22 04:15	2,560	--a------	C:\WINDOWS\system32\bitcometres.dll
2008-06-22 04:14 . 2008-06-22 04:20	<DIR>	d--------	C:\Program Files\BitComet

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 06:03	---------	d-----w	C:\Program Files\Warcraft III
2008-07-06 15:23	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-06 11:23	---------	d-----w	C:\Program Files\Steam
2008-06-24 05:18	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\Apple Computer
2008-06-24 05:17	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 08:02	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\uTorrent
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-05-21 16:47	---------	d-----w	C:\Documents and Settings\Steven C\Application Data\Samsung
2008-05-21 06:11	---------	d-----w	C:\Program Files\Samsung
2008-05-18 09:46	---------	d-----w	C:\Program Files\Tales of Pirates Online
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 03:02	---------	d-----w	C:\Program Files\SopCast
.

(((((((((((((((((((((((((((((   snapshot@2008-06-28_ 2.52.24.35   )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-17 17:52:30	18,688	-c--a-w	C:\WINDOWS\system32\dllcache\cdaudio.sys
- 2001-08-23 12:00:00	18,688	----a-w	C:\WINDOWS\system32\drivers\cdaudio.sys
+ 2001-08-17 17:52:30	18,688	----a-w	C:\WINDOWS\system32\drivers\cdaudio.sys
- 2005-08-26 22:07:28	81,920	----a-w	C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
+ 2007-05-02 15:11:12	72,968	----a-w	C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
- 2005-08-30 05:46:16	81,920	----a-w	C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
+ 2007-05-02 15:12:28	72,968	----a-w	C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
- 2005-12-22 16:24:52	65,536	----a-w	C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
+ 2007-07-03 20:53:24	70,824	----a-w	C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
+ 2006-03-17 00:38:01	28,672	------w	C:\WINDOWS\system32\verclsid.exe
- 2008-05-25 10:10:05	87,397	----a-w	C:\WINDOWS\War3Unin.dat
+ 2008-07-01 03:18:34	88,451	----a-w	C:\WINDOWS\War3Unin.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 22:24 185896]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"EPSON Stylus CX1500 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:32 208952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 13:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\Steven C\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-31 01:42 1271032 C:\Program Files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaws.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\day of defeat\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:Utor1
"1720:TCP"= 1720:TCP:utorrent
"1720:UDP"= 1720:UDP:utorrent1
"12535:TCP"= 12535:TCP:BitComet 12535 TCP
"12535:UDP"= 12535:UDP:BitComet 12535 UDP

S3 epflt15;epflt15;C:\WINDOWS\system32\DRIVERS\epflt15.SYS [2004-10-09 16:10]
S3 esflt15;esflt15;C:\WINDOWS\system32\DRIVERS\esflt15.SYS [2004-11-16 19:52]
S3 sssdbus;SAMSUNG WMC Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sssdbus.sys [2007-07-05 12:37]
S3 sssdmdfl;SAMSUNG Modem Filter;C:\WINDOWS\system32\DRIVERS\sssdmdfl.sys [2007-07-05 12:37]
S3 sssdmdm;SAMSUNG Modem Driver;C:\WINDOWS\system32\DRIVERS\sssdmdm.sys [2007-07-05 12:37]
S3 sssdmgmt;SAMSUNG AT command Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdmgmt.sys [2007-07-05 12:37]
S3 sssdobex;SAMSUNG OBEX Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdobex.sys [2007-07-05 12:37]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 06:01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-07  6:08:23 - machine was rebooted [Steven C]
ComboFix-quarantined-files.txt  2008-07-07 10:07:57
ComboFix2.txt  2008-07-06 10:06:56
ComboFix3.txt  2008-06-28 06:53:27

Pre-Run: 31,936,430,080 bytes free
Post-Run: 31,956,258,816 bytes free

178	--- E O F ---	2008-07-06 18:29:00


----------



## xxarlokxx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:45 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7653 bytes


----------



## ceewi1

Almost done now, just a few final leftovers.

Please delete the following files:
C:\WINDOWS\system32\*mywfhit.ini*
C:\Documents and Settings\Steven C\*setupg.exe*
C:\Documents and Settings\Steven C\*setupd.exe*

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

*C:\WINDOWS\system32\5A634FAC.DLL*

Then click Send File.  Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://virusscan.jotti.org


----------



## xxarlokxx

Is this the result you're looking for??


File has already been analysed:
MD5: 	264eb04c9193885636f369331e76393e
First received: 	05.05.2008 09:54:31 (CET)
Date: 	06.23.2008 13:27:39 (CET) [>13D]
Results: 	29/33
Permalink: 	analisis/e54e739a0c5544bd57835b4c902862cb


----------



## ceewi1

Yes, that's what I expected.

Delete this file as well:
C:\WINDOWS\system32\*5A634FAC.DLL*

How is your system running now?


----------



## xxarlokxx

It seems fine....the comp got faster...before it was horrible..=P
But then, as for the keylogger..is it completely cleared??
Can I use this comp for banking stuff??


----------



## cohen

Post a fresh HijackThis log.


----------



## ceewi1

Those logs appear to be clean, but given the severity of the infection I would like to see the results of an online scan.

Please do a scan with Kaspersky Online Scanner

Click on the *Accept* button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the *Scan* section select *My Computer*.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on *View scan report*
Now, click on the *Save Report as* button.
In the drop down box labeled *Files of type* change the type to *Text file*.
Save the file to your desktop.
Copy and paste that information in your next post.


----------



## xxarlokxx

Here is the HijackThis log....I'll do the online scan now

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:05 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7710 bytes


----------



## cohen

I did find this



> O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
> O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
> O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
> O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
> O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
> C:\WINDOWS\system32\ctfmon.exe



Ceewi1, can you please confirm this.

xxarlokxx, we are waiting for your online scanner results.


----------



## G25r8cer

Those ARE legit!!! It is part of Microsoft Office I believe.


----------



## cohen

g25racer said:


> Those ARE legit!!! It is part of Microsoft Office I believe.



But if you read it, it says it was a virus/malware, and then people have comments below saying it is a virus.


----------



## G25r8cer

What says it was a Virus?


----------



## xxarlokxx

here is the report....seems like a lot got infected...0.o...=\=\

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Tuesday, July 8, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Tuesday, July 08, 2008 04:32:20
 Records in database: 924835
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	C:\
	D:\
	E:\
	F:\

Scan statistics:
	Files scanned: 78677
	Threat name: 57
	Infected objects: 63
	Suspicious objects: 0
	Duration of the scan: 02:36:44


File name / Threat name / Threats count
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\ad[2].js.bac_a05644	Infected: not-a-virus:AdWare.Win32.BHO.aai	1
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\msupx1.aux.bac_a05644	Infected: Trojan-Downloader.Win32.Tiny.bfz	1
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\__wmisog1.log.bac_a05644	Infected: not-a-virus:AdWare.Win32.BHO.aai	1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080629-065926-506.dll	Infected: Trojan-PSW.Win32.QQPass.chg	1
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll.vir	Infected: not-a-virus:AdWare.Win32.Cinmus.kif	1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Dat.vir	Infected: Trojan-Spy.Win32.Delf.cwy	1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir	Infected: Trojan-Spy.Win32.Delf.cwx	1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir	Infected: Trojan-Spy.Win32.Delf.cwz	1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys.vir	Infected: Trojan-PSW.Win32.QQPass.clp	1
C:\QooBox\Quarantine\C\Program Files\Microsoft Office\SYSTEM\apcdli.sys.vir	Infected: not-a-virus:AdWare.Win32.Cinmus.hpc	1
C:\QooBox\Quarantine\C\WINDOWS\system32\aitlasys.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.apms	1
C:\QooBox\Quarantine\C\WINDOWS\system32\axmsawin.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxj	1
C:\QooBox\Quarantine\C\WINDOWS\system32\azzxaime.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.apil	1
C:\QooBox\Quarantine\C\WINDOWS\system32\cedafb.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rzop	1
C:\QooBox\Quarantine\C\WINDOWS\system32\ddserh.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.ryop	1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\acpidisk.sys.vir	Infected: Trojan-Dropper.Win32.Delf.boe	1
C:\QooBox\Quarantine\C\WINDOWS\system32\etshabty.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxwy	1
C:\QooBox\Quarantine\C\WINDOWS\system32\F411997C.EXE.vir	Infected: Backdoor.Win32.Popwin.bfu	1
C:\QooBox\Quarantine\C\WINDOWS\system32\ghwxattb.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.aphm	1
C:\QooBox\Quarantine\C\WINDOWS\system32\hdf453d.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxu	1
C:\QooBox\Quarantine\C\WINDOWS\system32\hhrdxd.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.rxnx	1
C:\QooBox\Quarantine\C\WINDOWS\system32\isdsasrv.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxwy	1
C:\QooBox\Quarantine\C\WINDOWS\system32\ismhasrv.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.saev	1
C:\QooBox\Quarantine\C\WINDOWS\system32\jbhxabyt.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.apnd	1
C:\QooBox\Quarantine\C\WINDOWS\system32\jfrwdh.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxvu	1
C:\QooBox\Quarantine\C\WINDOWS\system32\jkhxaklo.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aqem	1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcoin32.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.asft	1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcoin32.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.arum	1
C:\QooBox\Quarantine\C\WINDOWS\system32\lofsdjbo.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxva	1
C:\QooBox\Quarantine\C\WINDOWS\system32\lojxadwd.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxa	1
C:\QooBox\Quarantine\C\WINDOWS\system32\lpsgajba.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxp	1
C:\QooBox\Quarantine\C\WINDOWS\system32\mfdesy.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aruv	1
C:\QooBox\Quarantine\C\WINDOWS\system32\MMHADPQG1097.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.aqik	1
C:\QooBox\Quarantine\C\WINDOWS\system32\MMHADPQG1100.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rzux	1
C:\QooBox\Quarantine\C\WINDOWS\system32\MMHADPQG1101.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.saqa	1
C:\QooBox\Quarantine\C\WINDOWS\system32\mnmhgsrv.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxl	1
C:\QooBox\Quarantine\C\WINDOWS\system32\mpwdeapi.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aprv	1
C:\QooBox\Quarantine\C\WINDOWS\system32\mtewdh.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.sbvy	1
C:\QooBox\Quarantine\C\WINDOWS\system32\oohxdbyt.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.apkv	1
C:\QooBox\Quarantine\C\WINDOWS\system32\opshcbty.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rzcp	1
C:\QooBox\Quarantine\C\WINDOWS\system32\oswxdttb.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aqba	1
C:\QooBox\Quarantine\C\WINDOWS\system32\ozfyebyt.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aqex	1
C:\QooBox\Quarantine\C\WINDOWS\system32\pjjxedwd.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxzj	1
C:\QooBox\Quarantine\C\WINDOWS\system32\pldhadwd.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.aqfs	1
C:\QooBox\Quarantine\C\WINDOWS\system32\posqatyu.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.aqgp	1
C:\QooBox\Quarantine\C\WINDOWS\system32\ptjhehlp.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.apke	1
C:\QooBox\Quarantine\C\WINDOWS\system32\rfdswc.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.sakh	1
C:\QooBox\Quarantine\C\WINDOWS\system32\s2da2f323.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.ascd	1
C:\QooBox\Quarantine\C\WINDOWS\system32\simyaapi.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxa	1
C:\QooBox\Quarantine\C\WINDOWS\system32\siwdaapi.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.apms	1
C:\QooBox\Quarantine\C\WINDOWS\system32\spjhahlp.exe.vir	Infected: Trojan-PSW.Win32.OnLineGames.apms	1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdggrz.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.sadw	1
C:\QooBox\Quarantine\C\WINDOWS\system32\tisqatyu.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aqhb	1
C:\QooBox\Quarantine\C\WINDOWS\system32\wklsdd.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.sabp	1
C:\QooBox\Quarantine\C\WINDOWS\system32\yxcschlp.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxya	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zaztamsn.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.asbu	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zgrjdx.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.sahx	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zptlcsys.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.aplb	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zxcsahlp.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxwy	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zxmsdwin.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.rxxv	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zycbdime.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.apjc	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zyzxjime.dll.vir	Infected: Trojan-PSW.Win32.OnLineGames.apja	1
C:\WINDOWS\system32\drivers\hjjku3xohj.sys	Infected: Trojan-Downloader.Win32.Hmir.doj	1

The selected area was scanned.
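A defender's first question with a report like this is how many of the 63 objects are still live at their original path versus already sitting in a quarantine or backup folder left by an earlier cleanup. The following is an added example, not part of the thread: it parses the report's tab-separated detection lines and assumes (a labelled assumption) that any path under a folder named Quarantine, or under HijackThis\backups, has already been moved aside by a cleanup tool; the sample lines are a constructed subset in the format quoted above.

```python
"""Triage a Kaspersky Online Scanner 7 report: which detections are still live?

Added example, not from the thread. It reads the tab-separated
'File name / Threat name / Threats count' lines and separates hits inside
quarantine/backup folders (files already moved aside by an earlier cleanup
tool) from files still at their original location.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the report's format: a subset of the real report,
# not the whole thing. Tabs separate path, 'Infected: <threat>' and count.
SAMPLE_REPORT = (
    "File name / Threat name / Threats count\n"
    "C:\\Documents and Settings\\Steven C\\.housecall6.6\\Quarantine\\msupx1.aux.bac_a05644"
    "\tInfected: Trojan-Downloader.Win32.Tiny.bfz\t1\n"
    "C:\\Program Files\\Trend Micro\\HijackThis\\backups\\backup-20080629-065926-506.dll"
    "\tInfected: Trojan-PSW.Win32.QQPass.chg\t1\n"
    "C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\kcoin32.exe.vir"
    "\tInfected: Trojan-PSW.Win32.OnLineGames.arum\t1\n"
    "C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\acpidisk.sys.vir"
    "\tInfected: Trojan-Dropper.Win32.Delf.boe\t1\n"
    "C:\\WINDOWS\\system32\\drivers\\hjjku3xohj.sys"
    "\tInfected: Trojan-Downloader.Win32.Hmir.doj\t1\n"
    "\nThe selected area was scanned.\n"
)

# One detection line: <path> <whitespace> Infected: <threat> <whitespace> <count>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Assumption: a path containing one of these folder markers (matched
# case-insensitively) was already moved out of its original location by a
# cleanup tool, so the file cannot execute from there.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\hijackthis\\backups\\")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in QUARANTINE_MARKERS)

    @property
    def family(self) -> str:
        # Drop the per-sample variant suffix ('...OnLineGames.rxxj' -> '...OnLineGames').
        return self.threat.rsplit(".", 1)[0]

    @property
    def kernel_driver(self) -> bool:
        # A live .sys under system32\drivers loads in kernel mode: top priority.
        low = self.path.lower()
        return low.endswith(".sys") and "\\system32\\drivers\\" in low


def parse_report(text: str) -> list[Detection]:
    """Return one Detection per 'Infected:' line; other report lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(detections: list[Detection]) -> dict:
    """Split detections into live vs. quarantined and count threat families."""
    live = [d for d in detections if not d.quarantined]
    return {
        "total": len(detections),
        "quarantined": sum(1 for d in detections if d.quarantined),
        "live_paths": [d.path for d in live],
        "live_kernel_drivers": [d.path for d in live if d.kernel_driver],
        "families": Counter(d.family for d in detections),
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{result['total']} detections, {result['quarantined']} already quarantined")
    for path in result["live_paths"]:
        tag = "  [kernel driver]" if path in result["live_kernel_drivers"] else ""
        print(f"LIVE: {path}{tag}")
    for family, n in result["families"].most_common():
        print(f"{n:3d}  {family}")
```

Run it against the full pasted report to see how many of the 63 objects are actually live; in the constructed subset only the driver in system32\drivers is.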


----------



## cohen

xxarlokxx said:


> here is the report....seems like a lot got infected...



You bet!


----------



## xxarlokxx

cohen said:


> You bet!



what can i do?? 
is it hard to get it fixed??


----------



## cohen

xxarlokxx said:


> what can i do??
> is it hard to get it fixed??



Well, I have not learnt this part yet; I'm learning a few things. I can do the starting things, and I'm sure it won't be too hard to fix. Wait for ceewi1 or punk or gamemaster; most likely it will be ceewi1 who comes along.


----------



## nobbly niblets

Originally Posted by *nobbly niblets*

Heya xxarlokxx,

It will be hard to get fixed.

It will be a multifaceted process to repair your system. Unfortunately this will require multiple scans and multiple log postings on your part.

It is not surprising that an infection of this magnitude has infected your system. You download torrents and there is no evidence of an antivirus program or firewall on your system.

Use a tool to directly target the trojan horses appearing on your system.

*Download SDFix to your desktop.*

http://downloads.andymanchesta.com/R...ools/SDFix.exe

Double click SDFix.exe on your desktop and it will extract the files to the root directory where your operating system resides.

Next, boot your PC into "Safe mode" using the F8 key during start-up.

Please do not use the msconfig method when booting into "Safe Mode" for malware removal, as this can cause a boot loop.

*IN SAFE MODE*

1) Open the extracted SDFix folder and double click RunThis to start the script. This can be found in the root directory, usually C:\SDFix.

2) Type Y to begin the cleanup process.

3) It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.

4) Press any key and it will restart the PC.

5) When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

6) Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

7) Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


----------



## GameMaster

nobbly niblets said:


> Heya xxarlokxx,
> 
> It will be hard to get fixed.
> 
> It will be a multifaceted process to repair your system. Unfortunately this will require multiple scans and multiple log postings on your part.
> 
> It is not surprising that an infection of this magnitude has infected your system. You download torrents and there is no evidence of an antivirus program or firewall on your system.
> 
> Use a tool to directly target the trojan horses appearing on your system.
> 
> *Download SDFix to your desktop.*
> 
> http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
> 
> Double click SDFix.exe on your desktop and it will extract the files to the root directory where your operating system resides.
> 
> Next boot your pc into "Safe mode" using the f8 key during start-up.
> 
> _Please do not use the msconfig method when booting into "Safe Mode" for malware removal, as this can cause a boot loop._
> 
> *IN SAFE MODE*
> 
> 1) Open the extracted SDFix folder and double click RunThis to start the script. This can be found in the root directory usually C:\SDFix.
> 
> 2) Type Y to begin the cleanup process.
> 
> 3) It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
> 
> 4) Press any Key and it will restart the PC.
> 
> 5) When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
> 
> 6) Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
> (Report.txt will also be copied to Clipboard ready for posting back on the forum).
> 
> 7) Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



Wow there goes another


----------



## nobbly niblets

Heya GameMaster,



> Wow there goes another

Did I do something wrong?

You quoted my whole post and ad-libbed with _"Wow there goes another"_.

I'm not too sure what exactly to make of this.

Please enlighten me


----------



## GameMaster

I mean another security expert...or something similar.


----------



## nobbly niblets

Okaaaay,

Hmmmm,

I feel like I've stepped on toes.

I'll edit out the post completely, not because I feel the advice given is wrong, but because I know there is adequate advice being given already.

Forgive my intrusion.


----------



## Buzz1927

nobbly niblets said:


> Okaaaay,
> 
> Hmmmm,
> 
> I feel like I've stepped on toes.
> 
> I'll edit out the post completely, not because I feel the advice given is wrong, but because I know there is adequate advice being given already.
> 
> Forgive my intrusion.


I don't know what you posted, but could you please put it back?

Oops, now I saw the quote, put it back anyway, Gamemaster doesn't decide things here.


----------



## nobbly niblets

Heya Buzz1927,

Sorry I didn't keep the post, but it is quoted at the top of this page.

Basically it was just a set of instructions for SDFix.

How do I reply to a PM or conversation?


----------



## Buzz1927

nobbly niblets said:


> Heya Buzz1927,
> 
> Sorry I didn't keep the post, but it is quoted at the top of this page.
> 
> Basically it was just a set of instructions for SDFix.
> 
> How do I reply to a PM or conversation?


I'll put your post back.
You need 100 posts to pm (had problems with spammers). I'm not sure about visitor messages, can you not reply?


----------



## GameMaster

Hi haha.
I was just commenting on the professionalism of your SDFix instructions. With that, I didn't want to point out that ceewi1 (another expert) is already helping the OP, or anything similar.
In fact I'm sure ceewi1 would like having an expert helping him (in helping other people).

Sorry if you misunderstood my post(s),
Cheers


----------



## nobbly niblets

Cheers Buzz1927,

No, only the option to report... Kinda figured this was for offensive messages.


----------



## Buzz1927

nobbly niblets said:


> Cheers Buzz1927,
> 
> No, only the option to report... Kinda figured this was for offensive messages.


I think that was changed to 100 posts as well, anyway, enough thread-jacking, sorry to the OP.


----------



## nobbly niblets

It's all good GameMaster,

I thought I might have been interrupting on current instructions given by ceewi1, and to be honest I had reservations about posting because of this.

I have seen the quality advice given by ceewi1 and it is nothing short of impressive. I thought that because the post was made yesterday(?), I could help the OP move forward.

Actually I was in two minds whether to advise an online scan with bitdefender (to remove some of the offending entries) or to go with SDFix, but because one online scan had already been run I went with the latter.

No harm, No foul.

xxarlokxx sorry that you have to read my ramblings while you continue with your fix. Apologies.


----------



## xxarlokxx

SD fix report..=P...


*SDFix: Version 1.203 *
Run by Steven C on Tue 07/08/2008 at 05:07 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


*Checking Files *: 

No Trojan Files Found






Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 05:18:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:031d9f9e
"s2"=dword:f9a6c9fd
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:c9,09,8d,86,a4,bf,17,f2,f0,7c,f8,ab,ad,3c,d4,f1,13,b7,e4,6f,a9,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:37,0e,8c,33,21,b5,3a,e6,de,b7,da,20,a5,50,b2,71,3a,aa,5d,f4,aa,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,44,a2,32,09,65,94,73,09,24,81,7f,78,f8,e1,6e,b3,ca,..
"khjeh"=hex:13,52,ac,81,68,86,b7,2b,a8,ab,d5,31,e8,17,b9,ac,dc,13,63,16,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d6,0b,90,81,22,23,7f,c1,c6,c0,56,df,a3,c7,98,6d,2a,e5,6f,b0,85,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:c9,09,8d,86,a4,bf,17,f2,f0,7c,f8,ab,ad,3c,d4,f1,13,b7,e4,6f,a9,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:37,0e,8c,33,21,b5,3a,e6,de,b7,da,20,a5,50,b2,71,3a,aa,5d,f4,aa,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,44,a2,32,09,65,94,73,09,24,81,7f,78,f8,e1,6e,b3,ca,..
"khjeh"=hex:13,52,ac,81,68,86,b7,2b,a8,ab,d5,31,e8,17,b9,ac,dc,13,63,16,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d6,0b,90,81,22,23,7f,c1,c6,c0,56,df,a3,c7,98,6d,2a,e5,6f,b0,85,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C044C803-7FD5-3F74-26B9-99B97348F63E}]
"dbkopjdaclfkhifhefhjcccmkaamgfkfleioknch"=hex:6b,61,69,6b,64,62,66,61,62,6d,65,6c,69,64,6f,6f,61,66,6f,64,6e,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaws.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaws.exe:*:Enabled:javaws"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\day of defeat\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\loki2882@hotmail.com\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

*Remaining Files *:



*Files with Hidden Attributes *:

Wed  4 Aug 2004        93,184 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 13 Oct 2004     1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Fri 12 Nov 2004        37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 25 Jun 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4844df1d57a292079101da42a26d7d72\BIT3.tmp"
Wed 25 Jun 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp"
Sun  6 Jul 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT2.tmp"
Wed 25 Jun 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT4.tmp"
Wed 25 Jun 2008    95,315,977 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8e4c50bd1c41feac24607e18c5505bd\BIT2A.tmp"
Fri  9 Mar 2007       231,936 A..H. --- "C:\Documents and Settings\Steven C\Desktop\University of Waterloo\Chem 267L\~WRL0005.tmp"
Fri  9 Mar 2007       243,712 A..H. --- "C:\Documents and Settings\Steven C\Desktop\University of Waterloo\Chem 267L\~WRL0703.tmp"
Fri  9 Mar 2007       243,712 A..H. --- "C:\Documents and Settings\Steven C\Desktop\University of Waterloo\Chem 267L\~WRL1177.tmp"

*Finished!*


----------



## xxarlokxx

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:05 AM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7624 bytes


----------



## xxarlokxx

haha.. it's ok, man... need to thank you a lot for helping me...
also... can you suggest a firewall/antivirus program??
don't know which one is reliable, and the common ones always need to be purchased online and I don't trust those online things.. -_-"...


----------



## cohen

xxarlokxx said:


> haha.. it's ok, man... need to thank you a lot for helping me...
> also... can you suggest a firewall/antivirus program??
> don't know which one is reliable, and the common ones always need to be purchased online and I don't trust those online things.. -_-"...



AVG 8.0 is a good free one.


----------



## xxarlokxx

cohen said:


> AVG 8.0 is a good free one.



thxxx... =]...
so how's my system now?? still badly infected???


----------



## cohen

xxarlokxx said:


> thxxx... =]...
> so how's my system now?? still badly infected???



yeah, no problems.

yes, are you still having problems, like pop-ups etc.?


----------



## xxarlokxx

hmm... didn't have any pop-ups for a long time... I was just worrying about a keylogger... so I wonder if that thing is removed? because sometimes I need to go on banking stuff...


----------



## GameMaster

xxarlokxx said:


> hmm... didn't have any pop-ups for a long time... I was just worrying about a keylogger... so I wonder if that thing is removed? because sometimes I need to go on banking stuff...



That's the point when you should have decided to reformat/reinstall!
Ceewi1 warned you about the consequences; keyloggers are very dangerous, as they record every key you type...


----------



## xxarlokxx

ooo... so it can't be completely cleared w/o reformatting it?? I'll reformat once I get the Windows CD @ home...



GameMaster said:


> That's the point when you should have decided to reformat/reinstall!
> Ceewi1 warned you about the consequences; keyloggers are very dangerous, as they record every key you type...


----------



## soccerdude

After you reformat, a very good free firewall to install is Comodo, which can be found here


----------



## cohen

xxarlokxx said:


> ooo... so it can't be completely cleared w/o reformatting it?? I'll reformat once I get the Windows CD @ home...



Sounds like a very good idea! And yes, everything will be cleared once you reformat.



soccerdude said:


> After you reformat, a very good free firewall to install is Comodo, which can be found here



Yes, I agree, and also install AVG 8.0 for your virus protection.

xxarlokxx - Cheers for now, good luck; if you have any problems, just come back and post a new thread.


----------



## xxarlokxx

well... I did an AVG scan of everything, and there is this trojan horse virus that affects more and more files every day, and now my comp is kind of slow again... ==""

sadly, I have to wait until Aug 12th to get home to reformat, since I am on vacation right now...




cohen said:


> Sounds like a very good idea! And yes, everything will be cleared once you reformat.
> 
> 
> 
> Yes, I agree, and also install AVG 8.0 for your virus protection.
> 
> xxarlokxx - Cheers for now, good luck; if you have any problems, just come back and post a new thread.


----------



## cohen

oh ok...

well, all I can say is start a new thread, because this one is too long; once that is done, I will post a reply with instructions, but in the first reply do a HijackThis log.


----------

