Slow system performance, adaware, etc. [CLOSED], :(
Meiko
post Dec 12 2007, 02:55 PM
Post #1
OS: Windows XP

Any help is appreciated! Thank you so much in advance.

QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:51 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\okvygcsv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Works\wkswp.exe
c:\Program Files\Microsoft Works\MSWorks.exe
c:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirect...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirect...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DB75957E-CF75-4BFF-9CFC-8C366B6E1E2A} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: {d5501d14-0066-b1ca-5874-9ec3dc7692ee} - {ee2967cd-3ce9-4785-ac1b-660041d1055d} - C:\WINDOWS\system32\rhgwbtob.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [0892050d] rundll32.exe "C:\WINDOWS\system32\ckbmduln.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-21-3307144382-1183073070-501881172-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3307144382-1183073070-501881172-1006\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-3307144382-1183073070-501881172-1006\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfinity.net/cab/WindyGSPAx.cab
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7612 bytes


Sorry! I couldn't attach the log.

This post has been edited by Meiko: Dec 18 2007, 03:29 PM
racenutalways
post Dec 17 2007, 09:10 AM
Post #2
OS: Vista Home Premium

Hello Meiko and welcome to G2G.

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\mllmj.dll
    C:\WINDOWS\system32\rhgwbtob.dll
    C:\WINDOWS\system32\ckbmduln.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {DB75957E-CF75-4BFF-9CFC-8C366B6E1E2A} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: {d5501d14-0066-b1ca-5874-9ec3dc7692ee} - {ee2967cd-3ce9-4785-ac1b-660041d1055d} - C:\WINDOWS\system32\rhgwbtob.dll
O4 - HKLM\..\Run: [0892050d] rundll32.exe "C:\WINDOWS\system32\ckbmduln.dll",b


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
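The three entries racenutalways singled out from the log in Post #1 share a pattern a helper learns to spot by eye: a browser helper object with no name (or a bare GUID as its name) whose DLL is a random-looking lowercase name in system32, and a Run value with an eight-hex-digit name that loads such a DLL through rundll32. The script below is an added example, not part of this thread and not code from HijackThis, OTMoveIt or ComboFix; it encodes that pattern as a small triage pass over O1/O2/O4 lines. The sample lines are copied from the HijackThis log posted above (with a few clean entries from the same log kept in for contrast); the function names, the allowlist of system32 DLL stems and the length thresholds are my own assumptions.

```python
"""Heuristic triage of HijackThis O1/O2/O4 lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Sample input: lines copied from the HijackThis log in Post #1, with a few
# clean entries from the same log kept in for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DB75957E-CF75-4BFF-9CFC-8C366B6E1E2A} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: {d5501d14-0066-b1ca-5874-9ec3dc7692ee} - {ee2967cd-3ce9-4785-ac1b-660041d1055d} - C:\WINDOWS\system32\rhgwbtob.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [0892050d] rundll32.exe "C:\WINDOWS\system32\ckbmduln.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

O1 = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")

# Assumed allowlist: legitimate system32 DLLs whose short lowercase names would
# otherwise trip the random-name check.  A real deployment would extend this.
KNOWN_STEMS = {"ntdll", "wininet", "msvcrt", "winmm", "dnsapi"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "O1", "O2" or "O4"
    reason: str
    path: str    # file the entry points at (or "ip host" for O1)
    line: str    # the original log line


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def random_stem(path: str) -> bool:
    """Five to eight lowercase letters, no digits or separators, like mllmj or rhgwbtob."""
    stem = PureWindowsPath(path).stem.lower()
    return bool(RANDOM_STEM.match(stem)) and stem not in KNOWN_STEMS


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O1.match(line):
            # HijackThis already hides the default loopback lines, so every O1
            # entry is a manual or malicious override and deserves a look.
            findings.append(Finding("O1", "hosts file override", f"{m['ip']} {m['host']}", line))
        elif m := O2.match(line):
            name, path = m["name"], m["path"]
            anonymous = name == "(no name)" or bool(GUID.match(name))
            if path == "(no file)":
                if anonymous:
                    findings.append(Finding("O2", "orphaned unnamed BHO", path, line))
            elif anonymous and in_system32(path) and random_stem(path):
                findings.append(Finding("O2", "unnamed BHO backed by random-named system32 DLL", path, line))
        elif m := O4.match(line):
            value, cmd = m["value"], m["cmd"]
            dll = RUNDLL.search(cmd)
            if dll and in_system32(dll["dll"]) and random_stem(dll["dll"]):
                findings.append(Finding("O4", "rundll32 loading random-named system32 DLL", dll["dll"], line))
            elif HEX_VALUE_NAME.match(value):
                findings.append(Finding("O4", "hex-named Run value", cmd, line))
    return findings


def flagged_dlls(log_text: str) -> set[str]:
    """DLL paths the O2/O4 findings point at: the list you would feed a file mover."""
    return {f.path for f in triage(log_text) if f.kind != "O1" and f.path.lower().endswith(".dll")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}  {f.reason}: {f.path}")
```

On the sample above, `flagged_dlls` returns exactly the three files the helper told Meiko to move, while the Adobe, Spybot, Spyware Doctor and MSN Messenger entries pass untouched. A hit is a prompt to look, not proof of infection: the random-name test is deliberately crude, and the O1 line here points at a game server rather than a security site, so it still needs a human decision. Note also why one move in Meiko's OTMoveIt log had to be scheduled for reboot: a BHO DLL that is currently loaded in a running process cannot be moved until that process exits.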
Meiko
post Dec 17 2007, 11:47 AM
Post #3
OS: Windows XP

Alright, here's the OTMoveIt log:
QUOTE
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\mllmj.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rhgwbtob.dll
C:\WINDOWS\system32\rhgwbtob.dll NOT unregistered.
C:\WINDOWS\system32\rhgwbtob.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ckbmduln.dll
C:\WINDOWS\system32\ckbmduln.dll NOT unregistered.
C:\WINDOWS\system32\ckbmduln.dll moved successfully.

Created on 12/17/2007 12:08:16


ComboFix:
QUOTE
ComboFix 07-12-17.1 - Michael Xu 2007-12-17 12:23:46.1 - NTFSx86

Running from: C:\Documents and Settings\Michael Xu\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Michael Xu\Favorites\Online Security Guide.lnk
C:\WINDOWS\hosts
C:\WINDOWS\system32\aeomlxqf.dll
C:\WINDOWS\system32\cckvyheg.dll
C:\WINDOWS\system32\csjmvvxe.dll
C:\WINDOWS\system32\exvvmjsc.ini
C:\WINDOWS\system32\fgsebeds.dll
C:\WINDOWS\system32\fnkhykpf.dll
C:\WINDOWS\system32\fpkyhknf.ini
C:\WINDOWS\system32\fqxlmoea.ini
C:\WINDOWS\system32\hbivrcmv.dll
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\kiyjyuiv.exe
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mantec~1\??mantec\
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\ongtywst.exe
C:\WINDOWS\system32\vmcrvibh.ini
C:\WINDOWS\system32\vxevgico.exe
C:\WINDOWS\system32\wnstsisv.exe
C:\WINDOWS\system32\yjbsikvi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-14 01:14 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-14 01:12 . 2007-12-14 01:12 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-13 15:09 . 2007-12-14 15:11 952,203 --ahs---- C:\WINDOWS\system32\ejpgbprm.ini
2007-12-12 15:12 . 2007-12-12 20:22 917,013 --ahs---- C:\WINDOWS\system32\nludmbkc.ini
2007-12-12 15:06 . 2007-12-12 15:06 <DIR> d-------- C:\VundoFix Backups
2007-12-11 20:46 . 2007-12-12 15:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-11 15:42 . 2007-12-17 12:28 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-11 15:42 . 2007-12-11 15:42 <DIR> d-------- C:\Documents and Settings\Michael Xu\Application Data\PC Tools
2007-12-11 15:42 . 2007-12-13 17:00 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-11 15:42 . 2007-12-13 17:00 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-11 15:42 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-11 15:42 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-11 15:41 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-11 15:23 . 2007-12-11 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-11 14:43 . 2007-12-11 14:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-11 11:22 . 2007-12-13 16:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-10 17:17 . 2007-12-10 17:17 <DIR> d-------- C:\Documents and Settings\Michael Xu\Application Data\System Tweaker
2007-12-10 17:05 . 2007-12-11 15:23 <DIR> d-------- C:\Program Files\Uniblue
2007-12-10 17:05 . 2007-12-11 15:23 <DIR> d-------- C:\Documents and Settings\Michael Xu\Application Data\Uniblue
2007-12-09 12:04 . 2007-12-12 00:26 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-09 10:41 . 2007-12-09 10:41 36,352 --a------ C:\WINDOWS\system32\vtuvwxu.dll.vir
2007-12-04 16:14 . 2007-12-13 23:31 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-02 02:58 . 2007-12-02 02:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 02:58 . 2007-12-02 02:58 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 17:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-14 06:15 --------- d-----w C:\Documents and Settings\Michael Xu\Application Data\FrostWire
2007-12-14 06:14 --------- d-----w C:\Program Files\Java
2007-12-12 19:39 --------- d-----w C:\Program Files\Viewpoint
2007-12-11 22:38 4,942 ----a-w C:\WINDOWS\compaq.reg
2007-12-09 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 21:17 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-19 23:59 --------- d-----w C:\Program Files\ESEA
2007-11-19 23:59 --------- d-----w C:\Program Files\Cheat Engine
2007-11-19 23:55 --------- d-----w C:\Program Files\Sony
2007-11-15 02:33 --------- d-----w C:\Program Files\Ventrilo
2007-11-15 02:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 05:56 --------- d-----w C:\Documents and Settings\Michael Xu\Application Data\.purple
2007-11-06 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-06 19:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-30 04:18 --------- d-----w C:\Program Files\MSN Messenger
2007-10-26 21:12 --------- d-----w C:\Program Files\Common Files\Viewpoint
2007-10-26 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-05-21 21:03 102,494,438 ----a-w C:\Documents and Settings\Michael Xu\WoW-1.10.2.5302-to-0.11.0.5344-enUS-patch.exe
2005-11-18 06:35 36 -c--a-w C:\Documents and Settings\Michael Xu\klextlock.dat
2005-10-01 19:59 22 -csh--w C:\WINDOWS\dpwtddxp.dll
2005-10-01 19:59 14 -csh--w C:\WINDOWS\dpwtpdxp.dll
2006-07-13 07:59 88 -csh--r C:\WINDOWS\system32\C2929277F0.sys
2005-10-01 19:59 22 -csha-w C:\WINDOWS\system32\dpwtdaxp.dll
2005-10-01 19:59 14 -csha-w C:\WINDOWS\system32\dpwtpaxp.dll
2006-07-13 07:59 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-01 19:59 12 -csha-w C:\WINDOWS\system32\spwtpaxp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 08:58]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Xu^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Michael Xu\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Xu^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Michael Xu\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0892050d]
rundll32.exe C:\WINDOWS\system32\fnkhykpf.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aaou]
C:\WINDOWS\system32\MANTEC~1\ati2evxx.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 22:46 57344 --a--c--- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\program files\aim\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2006-09-25 11:42 108160 --a--c--- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE DELL PC-CAM BRIGHT EYE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
2001-12-15 00:01 32768 --a--c--- C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe -Background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2002-07-16 10:03 106549 --a--c--- C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
2002-12-12 02:14 46592 --a--c--- C:\WINDOWS\System32\dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\File cdrom bold clock]
C:\Documents and Settings\All Users\Application Data\Pure List File Cdrom\this wave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-05-15 05:20 114688 --a--c--- C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 18:04 52736 --a--c--- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-05-15 05:29 155648 --a--c--- C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-01 15:51 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
C:\Program Files\Media Gateway\MediaGateway.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Pass]
C:\Program Files\Media Pass\MediaPassK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
2002-02-27 13:27 75384 --a--c--- c:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack10]
C:\Program Files\QdrPack\QdrPack10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rahgz]
C:\Program Files\Common Files\W?nSxS\d?xplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-07-04 19:55 212992 --a--c--- C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 23:34 36864 --a------ C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2006-02-01 17:33 1880064 --a------ C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
2002-02-20 21:40 143360 --a------ C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 17:22 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowDrv]
C:\DOCUME~1\MICHAE~1\APPLIC~1\BLEHGL~1\64 Start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)
"usnjsvc"=3 (0x3)
"SymWSC"=2 (0x2)
"SNDSrvc"=3 (0x3)
"seclogon"=2 (0x2)
"SBService"=2 (0x2)
"ose"=3 (0x3)
"navapsvc"=2 (0x2)
"KodakCCS"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Compaq_RBA"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"WebClient"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"TapiSrv"=3 (0x3)
"Eventlog"=2 (0x2)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"VSS"=3 (0x3)
"usprserv"=3 (0x3)
"SENS"=2 (0x2)
"SamSs"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ALG"=3 (0x3)
"ATI Smart"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 17:07:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-08 01:01:42 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-12-11 19:35:36 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-11 21:04:25 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-11 20:40:42 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 12:38:19
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 12:42:37 - machine was rebooted


& HiJackThis:
QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:13 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirect...c02&lc=0409
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-21-3307144382-1183073070-501881172-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3307144382-1183073070-501881172-1006\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-3307144382-1183073070-501881172-1006\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfinity.net/cab/WindyGSPAx.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6763 bytes


Eep, hope everything's okay.
racenutalways
post Dec 18 2007, 10:03 AM
Post #4


Member 1K
Posts: 1,620
From: Sudbury Ont. Canada
OS: Vista Home Premium



Hi Meiko, you have some work ahead of you. We will delete a bunch of unwanted files, then run a spyware scanner and let it clean what it finds. After that, we will run an online scanner to get a 2nd opinion and make sure we didn't leave anything alive that shouldn't be.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

QUOTE
File::
C:\WINDOWS\system32\ejpgbprm.ini
C:\WINDOWS\system32\nludmbkc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\vtuvwxu.dll.vir
C:\WINDOWS\dpwtddxp.dll
C:\WINDOWS\dpwtpdxp.dll
C:\WINDOWS\system32\dpwtdaxp.dll
C:\WINDOWS\system32\dpwtpaxp.dll
C:\WINDOWS\system32\spwtpaxp.dll
C:\WINDOWS\system32\fnkhykpf.dll
C:\WINDOWS\mrofinu72.exe

Folder::
C:\Program Files\WildTangent
C:\Program Files\Media Gateway
C:\Program Files\Media Pass
C:\Program Files\VVSN
C:\Program Files\WinAble
C:\Program Files\QdrPack

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0892050d]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Pass]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack10]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rahgz]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowDrv]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you also use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


SUPERAntiSpyware Home Edition (free version) - Download - Home Page

1. Install it and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:

  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:

  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.

14. Click close and close again to exit the program.
15. Save the log information. If needed (still infected) paste this info along with your HijackThis log.



Panda only works if you are using Internet Explorer.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
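A helper verifying a fix like the one above wants to know which of the files requested in the CFScript actually show up under "Other Deletions" in the ComboFix log that comes back (in the log posted in the reply below, two of the eleven requested files do not). The following is an added example, not ComboFix's code and not part of the thread: it parses the CFScript sections (File::, Folder::, Registry::) and the log's "Other Deletions" block, then lists the requested files the log never confirms as deleted. The inline script and log excerpt are constructed from the thread's own entries.

```python
"""Reconcile a ComboFix CFScript.txt against the ComboFix log it produced."""
import re

# A section header is a bare "File::", "Folder::" or "Registry::" line.
SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$")
# In the Registry:: section, "[-KEY]" means "delete KEY".
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': [...]}.

    Registry entries keep only the key path (the leading '-' is stripped);
    lines before the first section header are ignored.
    """
    sections = {"File": [], "Folder": [], "Registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None:
            continue
        if current == "Registry":
            key = REG_DELETE_RE.match(line)
            if key:
                sections["Registry"].append(key.group(1))
        else:
            sections[current].append(line)
    return sections


def parse_deletions(log_text):
    """Collect the paths ComboFix lists under its 'Other Deletions' banner.

    The block runs until the next '((((' banner; lone '.' lines and blank
    lines are filler. Paths are lower-cased because NTFS is case-insensitive.
    """
    deleted = set()
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_block = True
            continue
        if in_block:
            if line.startswith("(((("):  # next banner: block is over
                break
            if line and line != ".":
                deleted.add(line.lower())
    return deleted


def unconfirmed_files(script, log_text):
    """Files requested in File:: that the log does not list as deleted."""
    deleted = parse_deletions(log_text)
    return [p for p in script["File"] if p.lower() not in deleted]


# Constructed excerpt of the CFScript from the thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\ejpgbprm.ini
C:\WINDOWS\system32\fnkhykpf.dll
C:\WINDOWS\mrofinu72.exe

Folder::
C:\Program Files\WildTangent

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
"""

# Constructed excerpt of the ComboFix log: only one of the three files
# appears under "Other Deletions".
COMBOFIX_LOG = r"""FILE
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\ejpgbprm.ini
C:\WINDOWS\system32\fnkhykpf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ejpgbprm.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.
"""

if __name__ == "__main__":
    for path in unconfirmed_files(parse_cfscript(CFSCRIPT), COMBOFIX_LOG):
        print("not confirmed deleted:", path)
```

Anything it prints is what to look for again in the next HijackThis log.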
Meiko
post Dec 18 2007, 06:32 PM
Post #5


New Member
*
Posts: 4
OS: Windows XP



Mmm, this is going to be another looong post.
Okiee, here it goes:

ComboFix Log:
QUOTE
ComboFix 07-12-17.1 - Michael Xu 2007-12-18 15:45:45.2 - NTFSx86

Running from: C:\Documents and Settings\Michael Xu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael Xu\Desktop\CFScript.txt

FILE
C:\WINDOWS\dpwtddxp.dll
C:\WINDOWS\dpwtpdxp.dll
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\dpwtdaxp.dll
C:\WINDOWS\system32\dpwtpaxp.dll
C:\WINDOWS\system32\ejpgbprm.ini
C:\WINDOWS\system32\fnkhykpf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nludmbkc.ini
C:\WINDOWS\system32\spwtpaxp.dll
C:\WINDOWS\system32\vtuvwxu.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dpwtddxp.dll
C:\WINDOWS\dpwtpdxp.dll
C:\WINDOWS\system32\dpwtdaxp.dll
C:\WINDOWS\system32\dpwtpaxp.dll
C:\WINDOWS\system32\ejpgbprm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nludmbkc.ini
C:\WINDOWS\system32\spwtpaxp.dll
C:\WINDOWS\system32\vtuvwxu.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-18 15:42 . 2007-12-18 15:42 0 --a------ C:\Documents and Settings\Michael Xu\.exe
2007-12-14 01:14 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-14 01:12 . 2007-12-14 01:12 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-12 15:06 . 2007-12-12 15:06 <DIR> d-------- C:\VundoFix Backups
2007-12-11 20:46 . 2007-12-12 15:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-11 15:42 . 2007-12-18 02:20 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-11 15:42 . 2007-12-11 15:42 <DIR> d-------- C:\Documents and Settings\Michael Xu\Application Data\PC Tools
2007-12-11 15:42 . 2007-12-13 17:00 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-11 15:42 . 2007-12-13 17:00 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-11 15:42 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-11 15:42 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-11 15:41 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-11 15:23 . 2007-12-11 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-11 14:43 . 2007-12-11 14:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-11 11:22 . 2007-12-13 16:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-10 17:17 . 2007-12-10 17:17 <DIR> d-------- C:\Documents and Settings\Michael Xu\Application Data\System Tweaker
2007-12-10 17:05 . 2007-12-11 15:23 <DIR> d-------- C:\Program Files\Uniblue
2007-12-10 17:05 . 2007-12-11 15:23 <DIR> d-------- C:\Documents and Settings\Michael Xu\Application Data\Uniblue
2007-12-04 16:14 . 2007-12-13 23:31 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-02 02:58 . 2007-12-02 02:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 02:58 . 2007-12-02 02:58 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 20:42 0 ----a-w C:\Documents and Settings\Michael Xu\.exe
2007-12-17 17:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-14 06:15 --------- d-----w C:\Documents and Settings\Michael Xu\Application Data\FrostWire
2007-12-14 06:14 --------- d-----w C:\Program Files\Java
2007-12-12 19:39 --------- d-----w C:\Program Files\Viewpoint
2007-12-11 22:38 4,942 ----a-w C:\WINDOWS\compaq.reg
2007-12-09 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 21:17 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-19 23:59 --------- d-----w C:\Program Files\ESEA
2007-11-19 23:59 --------- d-----w C:\Program Files\Cheat Engine
2007-11-19 23:55 --------- d-----w C:\Program Files\Sony
2007-11-15 02:33 --------- d-----w C:\Program Files\Ventrilo
2007-11-15 02:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 05:56 --------- d-----w C:\Documents and Settings\Michael Xu\Application Data\.purple
2007-11-06 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-06 19:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-30 04:18 --------- d-----w C:\Program Files\MSN Messenger
2007-10-26 21:12 --------- d-----w C:\Program Files\Common Files\Viewpoint
2007-10-26 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-05-21 21:03 102,494,438 ----a-w C:\Documents and Settings\Michael Xu\WoW-1.10.2.5302-to-0.11.0.5344-enUS-patch.exe
2005-11-18 06:35 36 -c--a-w C:\Documents and Settings\Michael Xu\klextlock.dat
2006-07-13 07:59 88 -csh--r C:\WINDOWS\system32\C2929277F0.sys
2006-07-13 07:59 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 08:58]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Xu^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Michael Xu\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Xu^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Michael Xu\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aaou]
C:\WINDOWS\system32\MANTEC~1\ati2evxx.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 22:46 57344 --a--c--- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\program files\aim\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2006-09-25 11:42 108160 --a--c--- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE DELL PC-CAM BRIGHT EYE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
2001-12-15 00:01 32768 --a--c--- C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2002-07-16 10:03 106549 --a--c--- C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
2002-12-12 02:14 46592 --a--c--- C:\WINDOWS\System32\dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\File cdrom bold clock]
C:\Documents and Settings\All Users\Application Data\Pure List File Cdrom\this wave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-05-15 05:20 114688 --a--c--- C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 18:04 52736 --a--c--- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-05-15 05:29 155648 --a--c--- C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-01 15:51 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
2002-02-27 13:27 75384 --a--c--- c:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-07-04 19:55 212992 --a--c--- C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 23:34 36864 --a------ C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2006-02-01 17:33 1880064 --a------ C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
2002-02-20 21:40 143360 --a------ C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 17:22 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)
"usnjsvc"=3 (0x3)
"SymWSC"=2 (0x2)
"SNDSrvc"=3 (0x3)
"seclogon"=2 (0x2)
"SBService"=2 (0x2)
"ose"=3 (0x3)
"navapsvc"=2 (0x2)
"KodakCCS"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Compaq_RBA"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"WebClient"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"TapiSrv"=3 (0x3)
"Eventlog"=2 (0x2)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"VSS"=3 (0x3)
"usprserv"=3 (0x3)
"SENS"=2 (0x2)
"SamSs"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ALG"=3 (0x3)
"ATI Smart"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 17:07:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-08 01:01:42 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-12-11 19:35:36 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-11 21:04:25 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-11 20:40:42 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 15:50:31
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-18 15:52:33
C:\ComboFix2.txt ... 2007-12-17 12:42


Log for HiJackthis, after ComboFix:
QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:46 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files&