Do I have a Combination of Problems? [CLOSED]


#1
inklink (New Member, 6 posts)
Hi folks, new member, long time reader :) . This place is awesome.

Alright, I don't know how I got into all of this trouble, but I'm in it, and I need your assistance in getting out.

I've tried SUPERAntiSpyware, Adaware, Spybot Search and Destroy, and I think that's about it. They found some problems: Vundo/Trojan and Virtumonde.

Now, I used the remove function on those software, but it keeps coming back.

I receive these RUNDLL errors at startup: "Error loading C:\Windows\System32\ [SOME DLL FILE]" (right now it's okkjbdrq.dll).

I've removed them from startup (through MSConfig) but they reappear.

And from time to time certain "C++ ... LIBRARY" popup errors:

MICROSOFT VISUAL C++ RUNTIME LIBRARY

Buffer overrun detected!

Program: C:\WINDOWS\Explorer.EXE

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

I get this error when using Internet Explorer. For example, when I started the PandaSoft scan, I received this error. I clicked okay, and nothing happened to explorer.exe.

In addition, when I'm browsing in Firefox, I get a new tab out of nowhere for AVsystemcare.com, but that page never loads. And when using Internet Explorer, I get popups, usually "WhowillImarry.com".

Now I've been reading all over the Internet for a week now. I understand that Vundo, if not cleaned fully, returns after a while?

I've downloaded VundoFix, and also Symantec "FixVundo" tool. Perhaps they work temporarily, but the problem persists.

Also, when I log on (start up) I receive a "ddcya.dll missing" error.

There are numerous .dll files in my System32 folder, most of them are random letters apparently (no Google results :) ). I've been seeing ddcya.dll, hcavltok.dll, okkjbdrq.dll, urqxnxsv.dll, and also a "tmp. txt" file and a "tmp. registry" file.

Now, I've deleted some of those files (they usually are deletable in Safe Mode) but I can't delete ddcya.dll. I've tried KillBox, too :) .

Anyhow, here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:38 AM, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [786ca39a] rundll32.exe "C:\WINDOWS\system32\okkjbdrq.dll",b
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erPlugin.cab?s6
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6217 bytes


If there's any other information I need to provide you with, kindly let me know :).

Thank you very much,
Inklink
#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
inklink (Topic Starter, New Member, 6 posts)
Hi, thanks for the response :) .

ComboFix 08-02.05.3 - Main 2008-02-05 11:17:11.1 - NTFSx86
Running from: C:\VS\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddcya.dll
C:\install.exe
C:\Program Files\ATI Multimedia\main\launchpd .exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\fvpmdsxe.ini
C:\WINDOWS\system32\hlqcjnvp.ini
C:\WINDOWS\system32\whmqaeiw.ini
C:\WINDOWS\system32\ywbwwode.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 01:02 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 01:01 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\luqgtambnuit.sys
2008-02-05 00:52 . 2008-02-05 02:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 00:52 . 2008-02-05 00:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-05 00:52 . 2008-02-05 00:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-05 00:52 . 2008-02-05 00:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 00:06 . 2008-02-05 11:15 <DIR> d-------- C:\VS
2008-02-04 23:31 . 2008-02-04 23:31 294 --ahs---- C:\WINDOWS\system32\qrdbjkko.ini
2008-02-04 20:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-04 20:07 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-04 20:07 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-04 20:07 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-04 20:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-04 20:07 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-04 20:07 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-04 16:38 . 2008-02-04 16:38 294 --ahs---- C:\WINDOWS\system32\ucjfiioa.ini
2008-02-03 19:40 . 2008-02-03 19:40 99,153 --a------ C:\242897983_lg.jpg
2008-02-03 18:45 . 2008-02-03 18:45 <DIR> d-------- C:\Program Files\CCleaner
2008-02-03 18:30 . 2008-02-03 18:30 <DIR> d-------- C:\RegBackup
2008-02-03 15:04 . 2008-02-03 15:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-03 15:04 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-03 15:04 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-03 15:04 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-03 15:04 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Program Files\Webroot
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Documents and Settings\Main\Application Data\Webroot
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-03 15:01 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-03 14:57 . 2008-02-03 14:57 164 --a------ C:\install.dat
2008-02-03 14:04 . 2008-02-03 14:27 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-02 18:18 . 2008-02-03 17:59 309 --a------ C:\WINDOWS\wininit.ini
2008-02-02 17:24 . 2008-02-05 02:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-02 17:24 . 2008-02-02 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 19:00 . 2008-02-01 19:01 <DIR> d-------- C:\divx
2008-02-01 00:14 . 2008-02-01 00:14 <DIR> d-------- C:\Program Files\AVI MPEG RM WMV Splitter
2008-01-31 23:56 . 2008-01-31 23:56 <DIR> d-------- C:\Program Files\Xilisoft
2008-01-31 23:48 . 2008-01-31 23:48 <DIR> d-------- C:\Documents and Settings\Main\Application Data\GeoVid
2008-01-31 23:47 . 2008-01-31 23:47 <DIR> d-------- C:\Program Files\GeoVid
2008-01-31 23:47 . 2008-01-31 23:47 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-01-31 23:47 . 2004-08-18 15:00 1,712,128 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-31 23:47 . 2005-06-07 15:11 60,416 --a------ C:\WINDOWS\system32\dsetup.dll
2008-01-30 21:57 . 2008-02-05 02:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-30 21:57 . 2008-01-30 21:57 <DIR> d-------- C:\Documents and Settings\Main\Application Data\SUPERAntiSpyware.com
2008-01-30 21:57 . 2008-01-30 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 12:13 . 2008-02-01 19:02 <DIR> d-------- C:\Documents and Settings\Main\Application Data\DivX
2008-01-25 21:13 . 2008-01-25 21:13 <DIR> d-------- C:\GAoTD
2008-01-24 00:40 . 2008-01-24 01:27 <DIR> d-------- C:\Program Files\CamStudio
2008-01-22 13:54 . 2008-02-01 00:13 <DIR> d-------- C:\Program Files\Easy Video Splitter
2008-01-21 17:09 . 2008-01-21 17:09 <DIR> d-------- C:\Documents and Settings\Main\Application Data\ATI MMC
2008-01-20 13:23 . 2008-01-20 13:23 <DIR> d-------- C:\Program Files\TVAnts
2008-01-20 11:56 . 2008-01-20 11:56 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-19 17:08 . 2008-01-19 22:57 <DIR> d-------- C:\Projects2
2008-01-17 12:38 . 2008-01-30 18:50 <DIR> d-------- C:\Program Files\GAotD
2008-01-17 12:38 . 2004-09-19 03:00 628,736 --a------ C:\WINDOWS\system32\InControlApplet.cpl
2008-01-14 18:46 . 2008-01-14 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-14 18:22 . 2008-01-14 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-14 18:22 . 2008-01-14 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 18:21 . 2008-01-14 18:21 <DIR> d-------- C:\Program Files\Ashampoo
2008-01-14 17:29 . 2008-01-14 17:30 295 --ahs---- C:\WINDOWS\system32\otkutddw.ini
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-06 15:03 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\StarBurn
2008-01-06 15:03 . 2007-12-27 15:45 85,760 --a------ C:\WINDOWS\system32\drivers\StarPortLite.sys
2008-01-05 17:04 . 2005-01-25 17:12 201,216 --a------ C:\WINDOWS\system32\NCTVideoPlayer.dll
2008-01-05 17:03 . 2008-01-05 17:04 <DIR> d-------- C:\Program Files\A-one Video Joiner
2008-01-05 17:03 . 2006-03-28 22:35 475,136 --a------ C:\WINDOWS\system32\SkinCrafter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 16:19 --------- d-----w C:\Program Files\MSN Messenger
2008-02-05 07:04 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-02-05 06:44 --------- d-----w C:\Program Files\Bonjour
2008-02-05 02:47 --------- d-----w C:\Program Files\DScaler
2008-02-05 00:24 --------- d-----w C:\Program Files\CGPACalc2
2008-02-03 23:11 --------- d-----w C:\Program Files\Lexmark 1200 Series
2008-01-31 17:24 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-31 02:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 17:13 --------- d-----w C:\Program Files\DivX
2008-01-29 17:09 --------- d-----w C:\Program Files\XviD
2008-01-27 02:32 --------- d-----w C:\Program Files\CD Label Design
2008-01-26 22:47 --------- d-----w C:\Program Files\BitComet
2008-01-21 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-01-17 19:54 --------- d-----w C:\Program Files\Pilot Group Ltd
2008-01-17 17:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-04 22:36 --------- d-----w C:\Program Files\Video Watermark Factory
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-28 00:35 --------- d-----w C:\Documents and Settings\Main\Application Data\dvdcss
2007-12-27 18:24 --------- d-----w C:\Documents and Settings\Main\Application Data\Sony
2007-12-27 17:21 --------- d-----w C:\Program Files\Sony
2007-12-27 17:19 --------- d-----w C:\Program Files\Sony Setup
2007-12-27 17:14 80,880,248 ----a-w C:\dvdarchitectpro45a-trial_enu.exe
2007-12-26 19:55 --------- d-----w C:\Program Files\Plato Video Converter
2007-12-26 04:22 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-12-25 23:46 --------- d-----w C:\Documents and Settings\Main\Application Data\UseNeXT
2007-12-21 19:11 --------- d-----w C:\Program Files\TextAloud
2007-12-20 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 15:32 --------- d-----w C:\Program Files\Monte Cristo
2007-12-20 15:13 --------- d-----w C:\Program Files\Mafia
2007-12-20 06:01 --------- d-----w C:\Documents and Settings\Main\Application Data\Ventrilo
2007-12-20 05:58 --------- d-----w C:\Program Files\Ventrilo
2007-12-20 03:17 --------- d-----w C:\Program Files\UseNeXT
2007-12-20 02:54 --------- d-----w C:\Program Files\Rapidown
2007-12-18 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-15 03:52 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-14 21:52 --------- d-----w C:\Program Files\Jitbit
2007-12-14 21:52 --------- d-----w C:\Documents and Settings\Main\Application Data\AutoText
2007-12-13 19:03 --------- d-----w C:\Documents and Settings\Main\Application Data\Media Player Classic
2007-12-13 19:02 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-12 00:26 --------- d-----w C:\Program Files\MP3 Recorder Studio
2007-12-11 01:13 --------- d-----w C:\Program Files\Titan Backup
2007-12-08 18:05 --------- d-----w C:\Program Files\SopCast
2007-12-08 05:05 --------- d-----w C:\Program Files\Electronic Arts
2007-11-07 13:03 97,296 ----a-w C:\install.res.1036.dll
2007-11-07 13:03 96,272 ----a-w C:\install.res.3082.dll
2007-11-07 13:03 96,272 ----a-w C:\install.res.1031.dll
2007-11-07 13:03 95,248 ----a-w C:\install.res.1040.dll
2007-11-07 13:03 91,152 ----a-w C:\install.res.1033.dll
2007-11-07 13:03 81,424 ----a-w C:\install.res.1041.dll
2007-11-07 13:03 79,888 ----a-w C:\install.res.1042.dll
2007-11-07 13:03 76,304 ----a-w C:\install.res.1028.dll
2007-11-07 13:03 75,792 ----a-w C:\install.res.2052.dll
2007-09-10 17:33 496 ----a-w C:\Program Files\Shortcut (2) to Mafia.lnk
.

----a-w		   624,248 2008-01-14 23:01:22  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w		 2,334,040 2008-01-30 23:44:24  C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard  .exe
----a-w			53,248 2008-02-01 19:52:38  C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
----a-w		 1,884,160 2008-01-14 23:01:23  C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .EXE
----a-w		 2,321,600 2008-02-01 19:52:41  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w		   155,648 2008-02-03 00:54:26  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w		   171,464 2008-01-31 17:24:56  C:\Program Files\DAEMON Tools\daemon .exe
----a-w			74,672 2008-02-03 00:54:26  C:\Program Files\Lexmark 1200 Series\lxczbmgr .exe
----a-w		   295,856 2008-02-03 00:54:27  C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
----a-w		 5,674,352 2008-02-05 05:38:13  C:\Program Files\MSN Messenger\msnmsgr  .exe
----a-w		 2,097,488 2008-02-03 00:54:33  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 1,318,912 2008-02-03 00:54:31  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w			15,360 2008-01-20 16:56:00  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{485e819b-c162-44e3-a694-0ed468ffd253}]
C:\WINDOWS\system32\urqxnxsv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr .exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"786ca39a"="C:\WINDOWS\system32\okkjbdrq.dll" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\786ca39a]
C:\WINDOWS\system32\aoiifjcu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ddcya.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 12:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468dc090-9afa-11dc-9bf6-00508d7be943}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8acbe2c2-5bb8-11dc-8ec8-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 20:04:22 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
"2008-02-05 16:29:06 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-05 16:19:49 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 11:29:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-05 11:37:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 16:37:51
.
2007-12-12 16:39:49 --- E O F ---


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:39 AM, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: {352dff86-4de0-496a-3e44-261cb918e584} - {485e819b-c162-44e3-a694-0ed468ffd253} - C:\WINDOWS\system32\urqxnxsv.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [786ca39a] rundll32.exe "C:\WINDOWS\system32\okkjbdrq.dll",b
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erPlugin.cab?s6
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6959 bytes


Thanks!
Inklink

#4 Rorschach112 (Retired Staff)
Hello

Don't put the logs in quote boxes please

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: {352dff86-4de0-496a-3e44-261cb918e584} - {485e819b-c162-44e3-a694-0ed468ffd253} - C:\WINDOWS\system32\urqxnxsv.dll (file missing)
O4 - HKLM\..\Run: [786ca39a] rundll32.exe "C:\WINDOWS\system32\okkjbdrq.dll",b


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\luqgtambnuit.sys
C:\WINDOWS\system32\qrdbjkko.ini
C:\WINDOWS\system32\ucjfiioa.ini
C:\WINDOWS\system32\otkutddw.ini
C:\WINDOWS\system32\urqxnxsv.dll
C:\WINDOWS\system32\aoiifjcu.dll
C:\WINDOWS\system32\ddcya.exe
D:\setup.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\786ca39a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468dc090-9afa-11dc-9bf6-00508d7be943}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8acbe2c2-5bb8-11dc-8ec8-806d6172696f}]

RenV::
----a-w 624,248 2008-01-14 23:01:22 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 2,334,040 2008-01-30 23:44:24 C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard .exe
----a-w 53,248 2008-02-01 19:52:38 C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
----a-w 1,884,160 2008-01-14 23:01:23 C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .EXE
----a-w 2,321,600 2008-02-01 19:52:41 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 155,648 2008-02-03 00:54:26 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 171,464 2008-01-31 17:24:56 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 74,672 2008-02-03 00:54:26 C:\Program Files\Lexmark 1200 Series\lxczbmgr .exe
----a-w 295,856 2008-02-03 00:54:27 C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
----a-w 5,674,352 2008-02-05 05:38:13 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 2,097,488 2008-02-03 00:54:33 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 1,318,912 2008-02-03 00:54:31 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 15,360 2008-01-20 16:56:00 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.




Reboot and post a new HijackThis log

#5 inklink (Topic Starter)
Hi :) .

Here's the ComboFix log that popped up:

ComboFix 08-02.05.3 - Main 2008-02-05 12:36:00.2 - NTFSx86
Running from: C:\vs\ComboFix.exe
Command switches used :: C:\vs\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\aoiifjcu.dll
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\drivers\luqgtambnuit.sys
C:\WINDOWS\system32\otkutddw.ini
C:\WINDOWS\system32\qrdbjkko.ini
C:\WINDOWS\system32\ucjfiioa.ini
C:\WINDOWS\system32\urqxnxsv.dll
D:\setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\luqgtambnuit.sys
C:\WINDOWS\system32\otkutddw.ini
C:\WINDOWS\system32\qrdbjkko.ini
C:\WINDOWS\system32\ucjfiioa.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 11:16 . 2004-08-04 07:00 388,608 --a------ C:\kmd.exe
2008-02-05 01:02 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 00:52 . 2008-02-05 02:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 00:52 . 2008-02-05 00:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-05 00:52 . 2008-02-05 00:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-05 00:52 . 2008-02-05 00:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 00:06 . 2008-02-05 12:35 <DIR> d-------- C:\VS
2008-02-04 20:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-04 20:07 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-04 20:07 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-04 20:07 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-04 20:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-04 20:07 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-04 20:07 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 19:40 . 2008-02-03 19:40 99,153 --a------ C:\242897983_lg.jpg
2008-02-03 18:45 . 2008-02-03 18:45 <DIR> d-------- C:\Program Files\CCleaner
2008-02-03 18:30 . 2008-02-03 18:30 <DIR> d-------- C:\RegBackup
2008-02-03 15:04 . 2008-02-03 15:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-03 15:04 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-03 15:04 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-03 15:04 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-03 15:04 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Program Files\Webroot
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Documents and Settings\Main\Application Data\Webroot
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-03 15:01 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-03 14:57 . 2008-02-03 14:57 164 --a------ C:\install.dat
2008-02-03 14:04 . 2008-02-03 14:27 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-02 18:18 . 2008-02-03 17:59 309 --a------ C:\WINDOWS\wininit.ini
2008-02-02 17:24 . 2008-02-05 12:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-02 17:24 . 2008-02-02 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 19:00 . 2008-02-01 19:01 <DIR> d-------- C:\divx
2008-02-01 00:14 . 2008-02-01 00:14 <DIR> d-------- C:\Program Files\AVI MPEG RM WMV Splitter
2008-01-31 23:56 . 2008-01-31 23:56 <DIR> d-------- C:\Program Files\Xilisoft
2008-01-31 23:48 . 2008-01-31 23:48 <DIR> d-------- C:\Documents and Settings\Main\Application Data\GeoVid
2008-01-31 23:47 . 2008-01-31 23:47 <DIR> d-------- C:\Program Files\GeoVid
2008-01-31 23:47 . 2008-01-31 23:47 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-01-31 23:47 . 2004-08-18 15:00 1,712,128 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-31 23:47 . 2005-06-07 15:11 60,416 --a------ C:\WINDOWS\system32\dsetup.dll
2008-01-30 21:57 . 2008-02-05 12:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-30 21:57 . 2008-01-30 21:57 <DIR> d-------- C:\Documents and Settings\Main\Application Data\SUPERAntiSpyware.com
2008-01-30 21:57 . 2008-01-30 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 12:13 . 2008-02-01 19:02 <DIR> d-------- C:\Documents and Settings\Main\Application Data\DivX
2008-01-25 21:13 . 2008-01-25 21:13 <DIR> d-------- C:\GAoTD
2008-01-24 00:40 . 2008-01-24 01:27 <DIR> d-------- C:\Program Files\CamStudio
2008-01-22 13:54 . 2008-02-01 00:13 <DIR> d-------- C:\Program Files\Easy Video Splitter
2008-01-21 17:09 . 2008-01-21 17:09 <DIR> d-------- C:\Documents and Settings\Main\Application Data\ATI MMC
2008-01-20 13:23 . 2008-01-20 13:23 <DIR> d-------- C:\Program Files\TVAnts
2008-01-20 11:56 . 2008-01-20 11:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-20 11:56 . 2008-01-20 11:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-19 17:08 . 2008-01-19 22:57 <DIR> d-------- C:\Projects2
2008-01-17 12:38 . 2008-01-30 18:50 <DIR> d-------- C:\Program Files\GAotD
2008-01-17 12:38 . 2004-09-19 03:00 628,736 --a------ C:\WINDOWS\system32\InControlApplet.cpl
2008-01-14 18:46 . 2008-01-14 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-14 18:22 . 2008-01-14 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-14 18:22 . 2008-01-14 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 18:21 . 2008-01-14 18:21 <DIR> d-------- C:\Program Files\Ashampoo
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-06 15:03 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\StarBurn
2008-01-06 15:03 . 2007-12-27 15:45 85,760 --a------ C:\WINDOWS\system32\drivers\StarPortLite.sys
2008-01-05 17:04 . 2005-01-25 17:12 201,216 --a------ C:\WINDOWS\system32\NCTVideoPlayer.dll
2008-01-05 17:03 . 2008-01-05 17:04 <DIR> d-------- C:\Program Files\A-one Video Joiner
2008-01-05 17:03 . 2006-03-28 22:35 475,136 --a------ C:\WINDOWS\system32\SkinCrafter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 17:35 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-02-05 17:35 --------- d-----w C:\Program Files\Lexmark 1200 Series
2008-02-05 17:35 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-05 16:19 --------- d-----w C:\Program Files\MSN Messenger
2008-02-05 06:44 --------- d-----w C:\Program Files\Bonjour
2008-02-05 05:37 494,080 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-02-05 02:47 --------- d-----w C:\Program Files\DScaler
2008-02-05 00:24 --------- d-----w C:\Program Files\CGPACalc2
2008-01-31 02:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 17:13 --------- d-----w C:\Program Files\DivX
2008-01-29 17:09 --------- d-----w C:\Program Files\XviD
2008-01-27 02:32 --------- d-----w C:\Program Files\CD Label Design
2008-01-26 22:47 --------- d-----w C:\Program Files\BitComet
2008-01-21 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-01-17 19:54 --------- d-----w C:\Program Files\Pilot Group Ltd
2008-01-17 17:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-04 22:36 --------- d-----w C:\Program Files\Video Watermark Factory
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-28 00:35 --------- d-----w C:\Documents and Settings\Main\Application Data\dvdcss
2007-12-27 18:24 --------- d-----w C:\Documents and Settings\Main\Application Data\Sony
2007-12-27 17:21 --------- d-----w C:\Program Files\Sony
2007-12-27 17:19 --------- d-----w C:\Program Files\Sony Setup
2007-12-27 17:14 80,880,248 ----a-w C:\dvdarchitectpro45a-trial_enu.exe
2007-12-26 19:55 --------- d-----w C:\Program Files\Plato Video Converter
2007-12-26 04:22 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-12-25 23:46 --------- d-----w C:\Documents and Settings\Main\Application Data\UseNeXT
2007-12-21 19:11 --------- d-----w C:\Program Files\TextAloud
2007-12-20 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 15:32 --------- d-----w C:\Program Files\Monte Cristo
2007-12-20 15:13 --------- d-----w C:\Program Files\Mafia
2007-12-20 06:01 --------- d-----w C:\Documents and Settings\Main\Application Data\Ventrilo
2007-12-20 05:58 --------- d-----w C:\Program Files\Ventrilo
2007-12-20 03:17 --------- d-----w C:\Program Files\UseNeXT
2007-12-20 02:54 --------- d-----w C:\Program Files\Rapidown
2007-12-18 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-15 03:52 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-14 21:52 --------- d-----w C:\Program Files\Jitbit
2007-12-14 21:52 --------- d-----w C:\Documents and Settings\Main\Application Data\AutoText
2007-12-13 19:03 --------- d-----w C:\Documents and Settings\Main\Application Data\Media Player Classic
2007-12-13 19:02 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-12 00:26 --------- d-----w C:\Program Files\MP3 Recorder Studio
2007-12-11 01:13 --------- d-----w C:\Program Files\Titan Backup
2007-12-08 18:05 --------- d-----w C:\Program Files\SopCast
2007-12-08 05:05 --------- d-----w C:\Program Files\Electronic Arts
2007-11-07 13:03 97,296 ----a-w C:\install.res.1036.dll
2007-11-07 13:03 96,272 ----a-w C:\install.res.3082.dll
2007-11-07 13:03 96,272 ----a-w C:\install.res.1031.dll
2007-11-07 13:03 95,248 ----a-w C:\install.res.1040.dll
2007-11-07 13:03 91,152 ----a-w C:\install.res.1033.dll
2007-11-07 13:03 81,424 ----a-w C:\install.res.1041.dll
2007-11-07 13:03 79,888 ----a-w C:\install.res.1042.dll
2007-11-07 13:03 76,304 ----a-w C:\install.res.1028.dll
2007-11-07 13:03 75,792 ----a-w C:\install.res.2052.dll
2007-09-10 17:33 496 ----a-w C:\Program Files\Shortcut (2) to Mafia.lnk
.
----a-w 2,334,040 2008-01-30 23:44:24 C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard .exe
----a-w 5,674,352 2008-02-05 05:38:13 C:\Program Files\MSN Messenger\msnmsgr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14684776-84d2-403e-b141-ff1b1837b4b2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C46CAAF-3014-461A-A977-317E218BF3E9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-31 12:24 171464]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2008-02-01 14:52 53248]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr .exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-02 19:54 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-02-02 19:54 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-02-01 14:52 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"@"="" []
"786ca39a"="rundll32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-02 19:54 155648]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2008-02-02 19:54 74672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljwsrtwa]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zxknycfp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-02-01 14:52 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 12:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 20:04:22 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- A:\
"2008-02-05 17:41:45 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-05 16:19:49 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 12:42:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-05 12:51:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 17:51:07
ComboFix2.txt 2008-02-05 16:37:55
.
2007-12-12 16:39:49 --- E O F ---


---

PS: Is my computer supposed to restart? It did, and then ComboFix continued after it started up again.

Here's my HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:58 PM, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {14684776-84d2-403e-b141-ff1b1837b4b2} - (no file)
O2 - BHO: (no name) - {3C46CAAF-3014-461A-A977-317E218BF3E9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [786ca39a] "rundll32.exe" "C:\WINDOWS\system32\exsdmpvf.dll",b
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erPlugin.cab?s6
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljwsrtwa - C:\WINDOWS\
O20 - Winlogon Notify: zxknycfp - C:\WINDOWS\
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7705 bytes



==

Thanks :)!
Inklink

#6 Rorschach112 (Retired Staff)
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {14684776-84d2-403e-b141-ff1b1837b4b2} - (no file)
O2 - BHO: (no name) - {3C46CAAF-3014-461A-A977-317E218BF3E9} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O4 - HKLM\..\Run: [786ca39a] "rundll32.exe" "C:\WINDOWS\system32\exsdmpvf.dll",b
O20 - Winlogon Notify: ljwsrtwa - C:\WINDOWS\
O20 - Winlogon Notify: zxknycfp - C:\WINDOWS\


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\exsdmpvf.dll
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard .exe
C:\Program Files\MSN Messenger\msnmsgr .exe

RenV::
----a-w 2,334,040 2008-01-30 23:44:24 C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard .exe
----a-w 5,674,352 2008-02-05 05:38:13 C:\Program Files\MSN Messenger\msnmsgr .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.




Reboot and post a new HijackThis log
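The entries Rorschach112 picks out of the logs in the two posts above follow a recognisable Vundo/Virtumonde pattern: an O4 Run value with a hex-looking name that loads a random eight-letter system32 DLL through rundll32 with a one-letter export (",b"), O20 Winlogon Notify entries with random names pointing at a bare C:\WINDOWS\ directory, orphaned O2 BHOs marked "(no file)", and legitimate programs renamed with a space before ".exe" so the malware's copy runs in their place (which the RenV:: section of the CFScript undoes). The Python script below is an added example for triaging a HijackThis log for those indicators; it is not part of this thread nor of HijackThis or ComboFix. The sample log lines are constructed from entries posted in this thread, and the four rules are heuristics assumed for the example, not vendor signatures.

```python
"""Triage a HijackThis log for Vundo/Virtumonde-style indicators (added example).

Rules (assumed heuristics, not official signatures):
  vundo-rundll32          O4 Run value loading a random 8-letter DLL via rundll32 with a
                          one-letter export (",b") or from a hex-named Run value
  winlogon-notify-stub    O20 Winlogon Notify with a random name or a bare directory path
  orphan-bho              O2 BHO reported as "(no file)": inert residue, safe to remove
  space-before-extension  "name .exe": a legitimate program renamed so the malware's copy
                          runs instead (ComboFix's RenV:: section renames it back)
"""
import re

# Constructed sample, modelled on lines posted in this thread (raw string, so the
# Windows backslashes are literal).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [786ca39a] "rundll32.exe" "C:\WINDOWS\system32\exsdmpvf.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljwsrtwa - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RANDOM_NAME = re.compile(r"[a-z]{8}")   # e.g. exsdmpvf, ljwsrtwa (used with fullmatch)
HEX_NAME = re.compile(r"[0-9a-f]{8}")   # e.g. the Run value name 786ca39a
O4_RUNDLL = re.compile(
    r'^O4 - .*\[(?P<value>[^\]]+)\]\s+"?rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)\s*$',
    re.IGNORECASE,
)
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O2_ORPHAN = re.compile(r"^O2 - BHO: .* - \{(?P<clsid>[^}]+)\} - \(no file\)$")
SPACE_EXT = re.compile(r"\S \.(exe|dll)\b", re.IGNORECASE)


def triage(log_text):
    """Return (rule, line) pairs for every suspicious line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := O4_RUNDLL.match(line)):
            # Legitimate rundll32 entries (NvCpl.dll,NvStartup) have readable DLL names
            # and named exports; Vundo uses eight random letters and a one-letter export.
            stem = m.group("dll").rsplit("\\", 1)[-1][:-4].lower()
            suspicious_value = len(m.group("export")) == 1 or HEX_NAME.fullmatch(m.group("value"))
            if RANDOM_NAME.fullmatch(stem) and suspicious_value:
                findings.append(("vundo-rundll32", line))
        elif (m := O20_NOTIFY.match(line)):
            # A Notify package that is only a directory cannot be a real notification DLL.
            if RANDOM_NAME.fullmatch(m.group("name")) or m.group("path").endswith("\\"):
                findings.append(("winlogon-notify-stub", line))
        elif O2_ORPHAN.match(line):
            findings.append(("orphan-bho", line))
        if SPACE_EXT.search(line):
            findings.append(("space-before-extension", line))
    return findings


def cfscript_file_section(findings):
    """Build the File:: block of a ComboFix CFScript for the DLLs the rundll32 rule found.

    RenV:: entries need the attribute/size/date columns ComboFix prints, so those are
    copied from ComboFix's own log rather than generated here.
    """
    paths = [O4_RUNDLL.match(line).group("dll") for rule, line in findings if rule == "vundo-rundll32"]
    return "File::\n" + "\n".join(paths) if paths else ""


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for rule, line in results:
        print(f"{rule:24} {line}")
    print(cfscript_file_section(results))
```

Run it against a saved hijackthis.log by passing the file's contents to `triage`; the O4 and O20 hits are the lines to tick in HijackThis, and the File:: block is the part of the CFScript that can be derived from the HijackThis log alone.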

#7 inklink (Topic Starter)
Hi :) ! Thanks for your continued help :) .

Here's the latest HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:24 AM, on 06/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {14684776-84d2-403e-b141-ff1b1837b4b2} - (no file)
O2 - BHO: (no name) - {3C46CAAF-3014-461A-A977-317E218BF3E9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erPlugin.cab?s6
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljwsrtwa - C:\WINDOWS\
O20 - Winlogon Notify: zxknycfp - C:\WINDOWS\
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7567 bytes


===
Thanks,
Inklink
  • 0
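Reading a HijackThis log by eye is slow, so here is an added example (my own code, not part of this thread and not a Geeks to Go or HijackThis tool) that parses a handful of the O2, O4 and O20 lines quoted above and flags the three patterns a helper looks at first: BHO CLSIDs whose DLL is "(no file)", Run entries whose executable name carries a space before ".exe" (the `msnmsgr .exe` line), and Winlogon Notify entries that name a bare directory instead of a DLL. The regular expressions, the `Finding` record and the `triage` function are my own assumptions about how to cut these lines; the sample lines themselves are copied from the log.

```python
"""Triage helper for HijackThis-style log lines (added example, not a
HijackThis or Geeks to Go tool).  It flags orphaned BHO entries, Run
entries whose executable name is padded with whitespace before the
extension, and Winlogon Notify entries that point at no DLL."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the lines from the HijackThis log in
# this thread, reproduced verbatim for the parser to work on.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljwsrtwa - C:\WINDOWS\
O20 - Winlogon Notify: zxknycfp - C:\WINDOWS\
"""

# Line shapes as HijackThis prints them (assumed from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# First executable in a Run command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O20"
    name: str      # entry name or CLSID
    reason: str    # why it was flagged
    line: str      # the original log line


def padded_basename(path: str) -> bool:
    """True if the file name has whitespace between stem and extension,
    e.g. 'msnmsgr .exe'; a plain 'msnmsgr.exe' returns False."""
    base = path.rsplit("\\", 1)[-1]
    stem, _, _ext = base.rpartition(".")
    return stem != stem.rstrip()


def triage(log_text: str) -> List[Finding]:
    """Scan the log text and return the entries worth a closer look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O2_RE.match(line):
            if m["target"].lower() == "(no file)":
                findings.append(Finding("O2", m["clsid"],
                                        "BHO CLSID registered but its DLL is gone (orphan entry)", line))
        elif m := O4_RE.match(line):
            e = EXE_RE.match(m["cmd"])
            if e and padded_basename(e["exe"]):
                findings.append(Finding("O4", m["name"],
                                        "executable name padded with whitespace before the extension", line))
        elif m := O20_RE.match(line):
            target = m["target"].strip()
            if target.endswith("\\") or not target.lower().endswith(".dll"):
                findings.append(Finding("O20", m["name"],
                                        "Winlogon Notify entry names no DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}")
```

The flags are triage hints, not verdicts: an orphaned O2 entry is usually leftover clutter, while an O20 Winlogon Notify entry with a random name and no DLL is the kind of line a helper will want to compare against the ComboFix output later in the thread.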

#8
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Can you post the ComboFix log please?
  • 0

#9
inklink (New Member)
  • Topic Starter
  • Member
  • Pip
  • 6 posts
ComboFix 08-02.05.3 - Main 2008-02-06 1:10:06.3 - NTFSx86
Running from: C:\VS\ComboFix.exe
Command switches used :: C:\VS\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\WINDOWS\system32\exsdmpvf.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-06 01:08 . 2004-08-04 07:00 388,608 --a------ C:\kmd.exe
2008-02-06 01:04 . 2008-02-06 01:04 10,698 --a------ C:\CriticalAnalysis1 title.docx
2008-02-05 19:02 . 2008-02-05 19:12 10,805 --a------ C:\CriticalAnalysis1 Work cited.docx
2008-02-05 13:43 . 2008-02-06 01:00 18,240 --a------ C:\CriticalAnalysis1.docx
2008-02-05 01:02 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 00:52 . 2008-02-05 02:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 00:52 . 2008-02-05 00:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-05 00:52 . 2008-02-05 00:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-05 00:52 . 2008-02-05 00:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 00:06 . 2008-02-06 01:10 <DIR> d-------- C:\VS
2008-02-04 20:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-04 20:07 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-04 20:07 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-04 20:07 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-04 20:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-04 20:07 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-04 20:07 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 19:40 . 2008-02-03 19:40 99,153 --a------ C:\242897983_lg.jpg
2008-02-03 18:45 . 2008-02-03 18:45 <DIR> d-------- C:\Program Files\CCleaner
2008-02-03 18:30 . 2008-02-03 18:30 <DIR> d-------- C:\RegBackup
2008-02-03 15:04 . 2008-02-03 15:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-03 15:04 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-03 15:04 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-03 15:04 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-03 15:04 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Program Files\Webroot
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Documents and Settings\Main\Application Data\Webroot
2008-02-03 15:01 . 2008-02-03 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-03 15:01 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-03 14:57 . 2008-02-03 14:57 164 --a------ C:\install.dat
2008-02-03 14:04 . 2008-02-03 14:27 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-02 18:18 . 2008-02-03 17:59 309 --a------ C:\WINDOWS\wininit.ini
2008-02-02 17:24 . 2008-02-05 12:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-02 17:24 . 2008-02-02 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 19:00 . 2008-02-01 19:01 <DIR> d-------- C:\divx
2008-02-01 00:14 . 2008-02-01 00:14 <DIR> d-------- C:\Program Files\AVI MPEG RM WMV Splitter
2008-01-31 23:56 . 2008-01-31 23:56 <DIR> d-------- C:\Program Files\Xilisoft
2008-01-31 23:48 . 2008-01-31 23:48 <DIR> d-------- C:\Documents and Settings\Main\Application Data\GeoVid
2008-01-31 23:47 . 2008-01-31 23:47 <DIR> d-------- C:\Program Files\GeoVid
2008-01-31 23:47 . 2008-01-31 23:47 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-01-31 23:47 . 2004-08-18 15:00 1,712,128 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-31 23:47 . 2005-06-07 15:11 60,416 --a------ C:\WINDOWS\system32\dsetup.dll
2008-01-30 21:57 . 2008-02-05 12:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-30 21:57 . 2008-01-30 21:57 <DIR> d-------- C:\Documents and Settings\Main\Application Data\SUPERAntiSpyware.com
2008-01-30 21:57 . 2008-01-30 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 12:13 . 2008-02-01 19:02 <DIR> d-------- C:\Documents and Settings\Main\Application Data\DivX
2008-01-25 21:13 . 2008-01-25 21:13 <DIR> d-------- C:\GAoTD
2008-01-24 00:40 . 2008-01-24 01:27 <DIR> d-------- C:\Program Files\CamStudio
2008-01-22 13:54 . 2008-02-01 00:13 <DIR> d-------- C:\Program Files\Easy Video Splitter
2008-01-21 17:09 . 2008-01-21 17:09 <DIR> d-------- C:\Documents and Settings\Main\Application Data\ATI MMC
2008-01-20 13:23 . 2008-01-20 13:23 <DIR> d-------- C:\Program Files\TVAnts
2008-01-20 11:56 . 2008-01-20 11:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-20 11:56 . 2008-01-20 11:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-19 17:08 . 2008-01-19 22:57 <DIR> d-------- C:\Projects2
2008-01-17 12:38 . 2008-01-30 18:50 <DIR> d-------- C:\Program Files\GAotD
2008-01-17 12:38 . 2004-09-19 03:00 628,736 --a------ C:\WINDOWS\system32\InControlApplet.cpl
2008-01-14 18:46 . 2008-01-14 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-14 18:22 . 2008-01-14 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-14 18:22 . 2008-01-14 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 18:21 . 2008-01-14 18:21 <DIR> d-------- C:\Program Files\Ashampoo
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-06 15:03 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\StarBurn
2008-01-06 15:03 . 2007-12-27 15:45 85,760 --a------ C:\WINDOWS\system32\drivers\StarPortLite.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 06:08 --------- d-----w C:\Program Files\DScaler
2008-02-05 17:35 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-02-05 17:35 --------- d-----w C:\Program Files\Lexmark 1200 Series
2008-02-05 17:35 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-05 16:19 --------- d-----w C:\Program Files\MSN Messenger
2008-02-05 06:44 --------- d-----w C:\Program Files\Bonjour
2008-02-05 05:37 494,080 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-02-05 00:24 --------- d-----w C:\Program Files\CGPACalc2
2008-01-31 02:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 17:13 --------- d-----w C:\Program Files\DivX
2008-01-29 17:09 --------- d-----w C:\Program Files\XviD
2008-01-27 02:32 --------- d-----w C:\Program Files\CD Label Design
2008-01-26 22:47 --------- d-----w C:\Program Files\BitComet
2008-01-21 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-01-17 19:54 --------- d-----w C:\Program Files\Pilot Group Ltd
2008-01-17 17:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 22:04 --------- d-----w C:\Program Files\A-one Video Joiner
2008-01-04 22:36 --------- d-----w C:\Program Files\Video Watermark Factory
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-30 17:30 39,936 ----a-w C:\WINDOWS\system32\NTSpool.exe
2007-12-28 00:35 --------- d-----w C:\Documents and Settings\Main\Application Data\dvdcss
2007-12-27 18:24 --------- d-----w C:\Documents and Settings\Main\Application Data\Sony
2007-12-27 17:21 --------- d-----w C:\Program Files\Sony
2007-12-27 17:19 --------- d-----w C:\Program Files\Sony Setup
2007-12-27 17:14 80,880,248 ----a-w C:\dvdarchitectpro45a-trial_enu.exe
2007-12-26 19:55 --------- d-----w C:\Program Files\Plato Video Converter
2007-12-26 04:22 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-12-25 23:46 --------- d-----w C:\Documents and Settings\Main\Application Data\UseNeXT
2007-12-21 19:11 --------- d-----w C:\Program Files\TextAloud
2007-12-20 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 15:32 --------- d-----w C:\Program Files\Monte Cristo
2007-12-20 15:13 --------- d-----w C:\Program Files\Mafia
2007-12-20 06:01 --------- d-----w C:\Documents and Settings\Main\Application Data\Ventrilo
2007-12-20 05:58 --------- d-----w C:\Program Files\Ventrilo
2007-12-20 03:17 --------- d-----w C:\Program Files\UseNeXT
2007-12-20 02:54 --------- d-----w C:\Program Files\Rapidown
2007-12-18 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-15 03:52 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-14 21:52 --------- d-----w C:\Program Files\Jitbit
2007-12-14 21:52 --------- d-----w C:\Documents and Settings\Main\Application Data\AutoText
2007-12-13 19:03 --------- d-----w C:\Documents and Settings\Main\Application Data\Media Player Classic
2007-12-13 19:02 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-12 00:26 --------- d-----w C:\Program Files\MP3 Recorder Studio
2007-12-11 01:13 --------- d-----w C:\Program Files\Titan Backup
2007-12-08 18:05 --------- d-----w C:\Program Files\SopCast
2007-12-08 05:05 --------- d-----w C:\Program Files\Electronic Arts
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-11-07 13:03 97,296 ----a-w C:\install.res.1036.dll
2007-11-07 13:03 96,272 ----a-w C:\install.res.3082.dll
2007-11-07 13:03 96,272 ----a-w C:\install.res.1031.dll
2007-11-07 13:03 95,248 ----a-w C:\install.res.1040.dll
2007-11-07 13:03 91,152 ----a-w C:\install.res.1033.dll
2007-11-07 13:03 81,424 ----a-w C:\install.res.1041.dll
2007-11-07 13:03 79,888 ----a-w C:\install.res.1042.dll
2007-11-07 13:03 76,304 ----a-w C:\install.res.1028.dll
2007-11-07 13:03 75,792 ----a-w C:\install.res.2052.dll
2007-09-10 17:33 496 ----a-w C:\Program Files\Shortcut (2) to Mafia.lnk
.
----a-w		 2,334,040 2008-01-30 23:44:24  C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard  .exe
----a-w		 5,674,352 2008-02-05 05:38:13  C:\Program Files\MSN Messenger\msnmsgr  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-31 12:24 171464]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2008-02-01 14:52 53248]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr .exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-02 19:54 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-02-02 19:54 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-02 19:54 155648]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2008-02-02 19:54 74672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-02-01 14:52 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 12:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 20:04:22 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
"2008-02-05 22:00:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-05 16:19:49 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 01:15:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 1:21:21
ComboFix-quarantined-files.txt 2008-02-06 06:21:19
ComboFix2.txt 2008-02-05 17:51:11
ComboFix3.txt 2008-02-05 16:37:55
.
2007-12-12 16:39:49 --- E O F ---


===
Thanks :)
  • 0

#10
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Drag that log into RenV.exe and post the resulting log

  • 0

#11
inklink (New Member)
  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi :) !

I downloaded it and ran the program; the first log I got was:

Ran on 06/02/2008 - 21:33:53.53

----a-w		 2,334,040 2008-01-30 23:44:24  C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard  .exe
----a-w		 5,674,352 2008-02-05 05:38:13  C:\Program Files\MSN Messenger\msnmsgr  .exe

 Entries:				2  (2)
 Directories:			0  Files:			 2
 Bytes:		  8,008,392  Blocks:	   15,642


Then I dragged that log file into the .exe. It said in the command prompt window something like it couldn't find those files. It then gave me this log:

Ran on 06/02/2008 - 21:42:33.39

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0



Thanks!
  • 0
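The RenV output above lists two executables whose names carry spaces before ".exe" (`AntiSpyWare2Guard  .exe`, `msnmsgr  .exe`). The thread does not show how RenV itself works, so the following is an added example of my own, not RenV and not a Geeks to Go tool: it walks a directory tree, reports any padded ".exe" name in the same attribute/size/timestamp/path column order the RenV log uses, and, when a normally named twin sits in the same folder, records it alongside so the two can be compared by size and modification time. The sample tree, the file names and the `scan_tree` and `format_report` helpers are my own constructions.

```python
"""Added example (not RenV): find executables whose file name has
whitespace between the stem and '.exe', and report any normally
named twin in the same folder for side-by-side comparison."""
import os
import tempfile
from datetime import datetime
from typing import List, Optional


def is_padded_exe(name: str) -> bool:
    """True for names like 'msnmsgr  .exe'; False for 'msnmsgr.exe'."""
    stem, dot, ext = name.rpartition(".")
    return dot == "." and ext.lower() == "exe" and stem != stem.rstrip()


def scan_tree(root: str) -> List[dict]:
    """Walk `root` and return one record per padded executable found."""
    hits: List[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        # Case-insensitive lookup, since Windows file names are.
        by_lower = {f.lower(): f for f in files}
        for f in files:
            if not is_padded_exe(f):
                continue
            stem, _, ext = f.rpartition(".")
            twin_name = stem.rstrip() + "." + ext
            twin: Optional[str] = by_lower.get(twin_name.lower())
            full = os.path.join(dirpath, f)
            st = os.stat(full)
            hits.append({
                "path": full,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M:%S"),
                "twin": os.path.join(dirpath, twin) if twin else None,
            })
    return hits


def format_report(hits: List[dict]) -> str:
    """Render hits in the column order of the RenV log quoted above
    (attributes, size, timestamp, path); the attribute string is fixed
    here because this example does not read NTFS attributes."""
    lines = [f"----a-w  {h['size']:>12,} {h['mtime']}  {h['path']}" for h in hits]
    for h in hits:
        if h["twin"]:
            lines.append(f"  twin in same folder: {h['twin']}")
    lines.append(f" Entries: {len(hits)}")
    return "\n".join(lines)


def _write_stub(path: str, size: int) -> None:
    # Dummy 'MZ' header padded to `size` bytes; not a real executable.
    with open(path, "wb") as fh:
        fh.write(b"MZ" + b"\0" * (size - 2))


def build_sample_tree() -> str:
    """Constructed sample: a temporary tree with a padded 'msnmsgr  .exe'
    next to a plain 'msnmsgr.exe', plus an untouched program folder."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    msn = os.path.join(root, "MSN Messenger")
    clean = os.path.join(root, "Clean App")
    os.makedirs(msn)
    os.makedirs(clean)
    _write_stub(os.path.join(msn, "msnmsgr  .exe"), 64)
    _write_stub(os.path.join(msn, "msnmsgr.exe"), 32)
    _write_stub(os.path.join(clean, "app.exe"), 32)
    return root


if __name__ == "__main__":
    print(format_report(scan_tree(build_sample_tree())))
```

Run against a real drive root, the walk is slow and will touch every file, so in practice it is pointed at `Program Files` and the Windows directory first; the report deliberately leaves the decision of which twin is the original to the person reading it, since the example cannot know that from the names alone.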

#12
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Perfect, nearly done now

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log and tell me how your PC is running
  • 0

#13
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
