Virtumonde [RESOLVED]



#1 Rog53 (Member, 10 posts)

Hi,

I have been hit badly with Virtumonde, and my SpyBot cannot remove it. Can you please help? My Norton Security keeps blocking Matajuan, and my whole Desktop keeps going totally blue, so I can only restart through the Windows Task Manager.
I have posted my VBG TXT and HijackThis log. On the desktop it permanently says: ''Windows XP Home Edition''.

Can you help?


Rog53


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:18, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PNP\AUDIO\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\drivers\RMC.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...t...earch&meta=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:81;gopher=127.0.0.1:81;http=localhost:2323;https=127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Audio] C:\PNP\AUDIO\SOUNDMAN.EXE
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RMC] C:\WINDOWS\system32\drivers\RMC.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [a435e821] rundll32.exe "C:\WINDOWS\system32\sbmyhbge.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02999FD7-E09B-4E84-8F1D-722A74F19683}: NameServer = 192.168.10.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5946 bytes


VBG TXT:

[02/08/2008, 13:16:30] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Roger Douek\Desktop\VirtumundoBeGone.exe" )
[02/08/2008, 13:16:38] - Detected System Information:
[02/08/2008, 13:16:38] - Windows Version: 5.1.2600, Service Pack 2
[02/08/2008, 13:16:38] - Current Username: Roger Douek (Admin)
[02/08/2008, 13:16:38] - Windows is in NORMAL mode.
[02/08/2008, 13:16:38] - Searching for Browser Helper Objects:
[02/08/2008, 13:16:38] - BHO 1: {07CECA9C-D8FA-43E2-A3BA-1582C42C7717} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:38] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:38] - BHO 2: {09FBEEEB-7A59-482B-8F13-284A837BDE5C} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[02/08/2008, 13:16:38] - Key not found: HKLM\...\Winlogon\Notify\ddcyv, continuing.
[02/08/2008, 13:16:38] - BHO 3: {20f3740b-f949-4c3f-8f16-524ad9f1b287} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\ltotulmk
[02/08/2008, 13:16:38] - Key not found: HKLM\...\Winlogon\Notify\ltotulmk, continuing.
[02/08/2008, 13:16:38] - BHO 4: {2CD8AFCA-891D-4E30-BB57-C43F8B5804E8} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:38] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:38] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/08/2008, 13:16:38] - BHO 6: {555DC70A-74F5-4688-B8B2-64234232A4D5} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\fcyax
[02/08/2008, 13:16:38] - Key not found: HKLM\...\Winlogon\Notify\fcyax, continuing.
[02/08/2008, 13:16:38] - BHO 7: {9DB30F1E-538B-4395-9E49-37C1429AB459} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\jkkjige
[02/08/2008, 13:16:38] - Found: HKLM\...\Winlogon\Notify\jkkjige - This is probably Virtumundo.
[02/08/2008, 13:16:38] - Assigning {9DB30F1E-538B-4395-9E49-37C1429AB459} MSEvents Object
[02/08/2008, 13:16:38] - BHO list has been changed! Starting over...
[02/08/2008, 13:16:38] - BHO 1: {07CECA9C-D8FA-43E2-A3BA-1582C42C7717} ()
[02/08/2008, 13:16:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:38] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:38] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:38] - BHO 2: {09FBEEEB-7A59-482B-8F13-284A837BDE5C} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\ddcyv, continuing.
[02/08/2008, 13:16:39] - BHO 3: {20f3740b-f949-4c3f-8f16-524ad9f1b287} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\ltotulmk
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\ltotulmk, continuing.
[02/08/2008, 13:16:39] - BHO 4: {2CD8AFCA-891D-4E30-BB57-C43F8B5804E8} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:39] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/08/2008, 13:16:39] - BHO 6: {555DC70A-74F5-4688-B8B2-64234232A4D5} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\fcyax
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\fcyax, continuing.
[02/08/2008, 13:16:39] - BHO 7: {9DB30F1E-538B-4395-9E49-37C1429AB459} (MSEvents Object)
[02/08/2008, 13:16:39] - ALERT: Found MSEvents Object!
[02/08/2008, 13:16:39] - BHO 8: {C42693C2-580E-4B87-8DA8-A13F8024A7B5} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\pmkjg
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\pmkjg, continuing.
[02/08/2008, 13:16:39] - BHO 9: {C9CBB51E-D0E6-44FD-9C66-4040FABE948A} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\sstss
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\sstss, continuing.
[02/08/2008, 13:16:39] - BHO 10: {CBDFA3F0-2DAD-452B-BA1F-57F10E151D8B} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\vtsrr
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\vtsrr, continuing.
[02/08/2008, 13:16:39] - BHO 11: {DC234301-325C-4E6A-8FD1-321C64C92EC2} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\ljjhf
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\ljjhf, continuing.
[02/08/2008, 13:16:39] - BHO 12: {DE0F2322-A9ED-4588-AA0A-538CD18DEA0B} ()
[02/08/2008, 13:16:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:39] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:39] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:39] - Finished Searching Browser Helper Objects
[02/08/2008, 13:16:39] - *** Detected MSEvents Object
[02/08/2008, 13:16:39] - Trying to remove MSEvents Object...
[02/08/2008, 13:16:40] - Terminating Process: IEXPLORE.EXE
[02/08/2008, 13:16:40] - Terminating Process: RUNDLL32.EXE
[02/08/2008, 13:16:40] - Disabling Automatic Shell Restart
[02/08/2008, 13:16:41] - Terminating Process: EXPLORER.EXE
[02/08/2008, 13:16:41] - Suspending the NT Session Manager System Service
[02/08/2008, 13:16:41] - Terminating Windows NT Logon/Logoff Manager
[02/08/2008, 13:16:41] - Re-enabling Automatic Shell Restart
[02/08/2008, 13:16:41] - File to disable: C:\WINDOWS\system32\jkkjige.dll
[02/08/2008, 13:16:41] - Renaming C:\WINDOWS\system32\jkkjige.dll -> C:\WINDOWS\system32\jkkjige.dll.vir
[02/08/2008, 13:16:42] - File successfully renamed!
[02/08/2008, 13:16:42] - Removing HKLM\...\Browser Helper Objects\{9DB30F1E-538B-4395-9E49-37C1429AB459}
[02/08/2008, 13:16:42] - Removing HKCR\CLSID\{9DB30F1E-538B-4395-9E49-37C1429AB459}
[02/08/2008, 13:16:42] - Adding Kill Bit for ActiveX for GUID: {9DB30F1E-538B-4395-9E49-37C1429AB459}
[02/08/2008, 13:16:42] - Deleting ATLEvents/MSEvents Registry entries
[02/08/2008, 13:16:42] - Removing HKLM\...\Winlogon\Notify\jkkjige
[02/08/2008, 13:16:42] - Searching for Browser Helper Objects:
[02/08/2008, 13:16:42] - BHO 1: {07CECA9C-D8FA-43E2-A3BA-1582C42C7717} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:42] - BHO 2: {09FBEEEB-7A59-482B-8F13-284A837BDE5C} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\ddcyv, continuing.
[02/08/2008, 13:16:42] - BHO 3: {20f3740b-f949-4c3f-8f16-524ad9f1b287} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\ltotulmk
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\ltotulmk, continuing.
[02/08/2008, 13:16:42] - BHO 4: {2CD8AFCA-891D-4E30-BB57-C43F8B5804E8} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:42] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/08/2008, 13:16:42] - BHO 6: {555DC70A-74F5-4688-B8B2-64234232A4D5} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\fcyax
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\fcyax, continuing.
[02/08/2008, 13:16:42] - BHO 7: {C42693C2-580E-4B87-8DA8-A13F8024A7B5} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\pmkjg
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\pmkjg, continuing.
[02/08/2008, 13:16:42] - BHO 8: {C9CBB51E-D0E6-44FD-9C66-4040FABE948A} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\sstss
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\sstss, continuing.
[02/08/2008, 13:16:42] - BHO 9: {CBDFA3F0-2DAD-452B-BA1F-57F10E151D8B} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\vtsrr
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\vtsrr, continuing.
[02/08/2008, 13:16:42] - BHO 10: {DC234301-325C-4E6A-8FD1-321C64C92EC2} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\ljjhf
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\ljjhf, continuing.
[02/08/2008, 13:16:42] - BHO 11: {DE0F2322-A9ED-4588-AA0A-538CD18DEA0B} ()
[02/08/2008, 13:16:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/08/2008, 13:16:42] - Checking for HKLM\...\Winlogon\Notify\vtsts
[02/08/2008, 13:16:42] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[02/08/2008, 13:16:42] - Finished Searching Browser Helper Objects
[02/08/2008, 13:16:42] - Finishing up...
[02/08/2008, 13:16:42] - A restart is needed.
[02/08/2008, 13:16:42] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[02/08/2008, 13:17:12] - Attempting to Restart via STOP error (Blue Screen!)

Edited by Rog53, 08 February 2008 - 08:07 AM.

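Added example, not code from this thread or from HijackThis: a small Python triage script for HJT log lines, run over constructed lines copied in shape from the log posted above. It flags the R1 ProxyServer pointing at a loopback listener, the O4 rundll32 entry loading a random-looking DLL from system32, and any F2 Shell value other than explorer.exe; the heuristics, regexes and names are assumptions.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis code and the heuristics
below are assumptions. It flags an R1 ProxyServer pointing at a loopback
listener, an O4 Run entry that loads a random-looking DLL from system32 via
rundll32, and an F2 Shell value other than the stock explorer.exe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape of the HJT log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:81;gopher=127.0.0.1:81;http=localhost:2323;https=127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a435e821] rundll32.exe "C:\WINDOWS\system32\sbmyhbge.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
RUNDLL_RE = re.compile(r"rundll32(\.exe)?", re.IGNORECASE)
# Vundo-style droppers use short all-letter names dropped straight into system32.
RANDOM_DLL_RE = re.compile(r"[\\/]system32[\\/]([a-z]{5,8})\.dll", re.IGNORECASE)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_proxy(body: str) -> Optional[str]:
    """R1: flag any protocol whose proxy is a listener on this machine."""
    key, _, value = body.partition(" = ")
    if not key.endswith("ProxyServer"):
        return None
    local = []
    for entry in value.split(";"):
        proto, _, hostport = entry.partition("=")
        if not hostport:            # bare "host:port" form with no protocol prefix
            proto, hostport = "all", proto
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host in LOOPBACK_HOSTS:
            local.append(f"{proto}={hostport}")
    if local:
        return "proxy forced through local listener(s): " + ", ".join(local)
    return None


def check_run_entry(body: str) -> Optional[str]:
    """O4: flag rundll32 loading a random-looking DLL out of system32."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd")
    dll = RANDOM_DLL_RE.search(cmd)
    if RUNDLL_RE.search(cmd) and dll:
        return (f"rundll32 loads random-looking {dll.group(1)}.dll from system32 "
                f"(Run value '{m.group('name')}')")
    return None


def check_shell(body: str) -> Optional[str]:
    """F2: the system.ini Shell value should be exactly explorer.exe."""
    _, _, value = body.partition("Shell=")
    if value and value.strip().lower() != "explorer.exe":
        return f"non-standard shell: {value.strip()}"
    return None


CHECKS = {"R1": check_proxy, "O4": check_run_entry, "F2": check_shell}


def triage(log_text: str) -> List[Finding]:
    """Run the per-section checks over every parsable HJT line."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                # header, process list, blank line, etc.
        check = CHECKS.get(m.group("sec"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Benign lines such as the NvCplDaemon rundll32 entry and ctfmon.exe are left alone, so the output for the sample is only the proxy hijack and the a435e821 Run value.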



#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello


Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3 Rog53 (Topic Starter, Member, 10 posts)

Hi,

Thanks for replying so fast. This is much appreciated.

ComboFix and HijackThis logs as requested. Any suggestions on getting rid of ''Windows XP Home Edition'' off my desktop?

ComboFix 08-02.05.3 - Roger Douek 2008-02-08 15:36:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT 0:00]
Running from: C:\Documents and Settings\Roger Douek\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ljjhf.dll
C:\WINDOWS\system32\_003561_.tmp.dll
C:\WINDOWS\system32\_003718_.tmp.dll
C:\WINDOWS\system32\_003720_.tmp.dll
C:\WINDOWS\system32\_003728_.tmp.dll
C:\WINDOWS\system32\_003729_.tmp.dll
C:\WINDOWS\system32\_003730_.tmp.dll
C:\WINDOWS\system32\_003732_.tmp.dll
C:\WINDOWS\system32\_003733_.tmp.dll
C:\WINDOWS\system32\_003736_.tmp.dll
C:\WINDOWS\system32\_003737_.tmp.dll
C:\WINDOWS\system32\_003739_.tmp.dll
C:\WINDOWS\system32\_003740_.tmp.dll
C:\WINDOWS\system32\_003741_.tmp.dll
C:\WINDOWS\system32\_003742_.tmp.dll
C:\WINDOWS\system32\_003743_.tmp.dll
C:\WINDOWS\system32\_003744_.tmp.dll
C:\WINDOWS\system32\_003746_.tmp.dll
C:\WINDOWS\system32\_003750_.tmp.dll
C:\WINDOWS\system32\_003751_.tmp.dll
C:\WINDOWS\system32\_003753_.tmp.dll
C:\WINDOWS\system32\_003756_.tmp.dll
C:\WINDOWS\system32\_003758_.tmp.dll
C:\WINDOWS\system32\_003759_.tmp.dll
C:\WINDOWS\system32\_003760_.tmp.dll
C:\WINDOWS\system32\_003761_.tmp.dll
C:\WINDOWS\system32\_003762_.tmp.dll
C:\WINDOWS\system32\_003765_.tmp.dll
C:\WINDOWS\system32\_003767_.tmp.dll
C:\WINDOWS\system32\_003768_.tmp.dll
C:\WINDOWS\system32\_003769_.tmp.dll
C:\WINDOWS\system32\_003773_.tmp.dll
C:\WINDOWS\system32\_003990_.tmp.dll
C:\WINDOWS\system32\_003993_.tmp.dll
C:\WINDOWS\system32\_003996_.tmp.dll
C:\WINDOWS\system32\_004150_.tmp.dll
C:\WINDOWS\system32\_004152_.tmp.dll
C:\WINDOWS\system32\_004160_.tmp.dll
C:\WINDOWS\system32\_004161_.tmp.dll
C:\WINDOWS\system32\_004163_.tmp.dll
C:\WINDOWS\system32\_004164_.tmp.dll
C:\WINDOWS\system32\_004167_.tmp.dll
C:\WINDOWS\system32\_004168_.tmp.dll
C:\WINDOWS\system32\_004170_.tmp.dll
C:\WINDOWS\system32\_004171_.tmp.dll
C:\WINDOWS\system32\_004172_.tmp.dll
C:\WINDOWS\system32\_004174_.tmp.dll
C:\WINDOWS\system32\_004175_.tmp.dll
C:\WINDOWS\system32\_004177_.tmp.dll
C:\WINDOWS\system32\_004181_.tmp.dll
C:\WINDOWS\system32\_004182_.tmp.dll
C:\WINDOWS\system32\_004184_.tmp.dll
C:\WINDOWS\system32\_004187_.tmp.dll
C:\WINDOWS\system32\_004189_.tmp.dll
C:\WINDOWS\system32\_004190_.tmp.dll
C:\WINDOWS\system32\_004191_.tmp.dll
C:\WINDOWS\system32\_004192_.tmp.dll
C:\WINDOWS\system32\_004193_.tmp.dll
C:\WINDOWS\system32\_004196_.tmp.dll
C:\WINDOWS\system32\_004198_.tmp.dll
C:\WINDOWS\system32\_004199_.tmp.dll
C:\WINDOWS\system32\_004200_.tmp.dll
C:\WINDOWS\system32\_004204_.tmp.dll
C:\WINDOWS\system32\covqiayy.dll
C:\WINDOWS\system32\cyijlopj.ini
C:\WINDOWS\system32\ddfii.ini
C:\WINDOWS\system32\ddfii.ini2
C:\WINDOWS\system32\egbhymbs.ini
C:\WINDOWS\system32\emcdrqtp.dll
C:\WINDOWS\system32\epusubmw.dll
C:\WINDOWS\system32\evpsqwcm.dll
C:\WINDOWS\system32\ffqkylti.dll
C:\WINDOWS\system32\fhjjl.ini
C:\WINDOWS\system32\fhjjl.ini2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\glnphuev.dll
C:\WINDOWS\system32\joaujcmk.dll
C:\WINDOWS\system32\jpoljiyc.dll
C:\WINDOWS\system32\kmcjuaoj.ini
C:\WINDOWS\system32\ljjhf.dll
C:\WINDOWS\system32\lrkmkkmn.ini
C:\WINDOWS\system32\ltotulmk.dll
C:\WINDOWS\system32\lyemghit.dll
C:\WINDOWS\system32\nmkkmkrl.dll
C:\WINDOWS\system32\pmnmnom.dll
C:\WINDOWS\system32\rrstv.ini
C:\WINDOWS\system32\rrstv.ini2
C:\WINDOWS\system32\sbmyhbge.dll
C:\WINDOWS\system32\sstss.ini
C:\WINDOWS\system32\sstss.ini2
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ststv.ini2
C:\WINDOWS\system32\vqqalfxx.dll
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\winkoh32.dll
C:\WINDOWS\system32\xaycf.ini
C:\WINDOWS\system32\xaycf.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 09:44 . 2008-02-08 09:57 2,966 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-08 09:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-08 09:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-08 09:43 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-08 09:43 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-08 09:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-08 09:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-08 09:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\OLD4A6.tmp
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\OLD4A3.tmp
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\OLD4A0.tmp
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10021.nls
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10005.nls
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10004.nls
2008-02-07 22:11 . 2001-08-17 13:51 13,824 --a------ C:\WINDOWS\system32\dllcache\OLD49D.tmp
2008-02-07 22:11 . 2001-08-17 13:51 13,824 --a------ C:\WINDOWS\system32\dllcache\bulltlp3.sys
2008-02-07 22:09 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\OLD441.tmp
2008-02-07 22:08 . 2001-08-18 11:00 1,817,687 --a------ C:\WINDOWS\system32\dllcache\OLD42E.tmp
2008-02-07 22:07 . 2001-08-17 14:55 382,592 --a------ C:\WINDOWS\system32\dllcache\OLD3B8.tmp
2008-02-07 22:06 . 2004-08-04 00:56 331,264 --a------ C:\WINDOWS\system32\dllcache\OLD398.tmp
2008-02-07 22:05 . 2001-08-17 12:19 747,392 --a------ C:\WINDOWS\system32\dllcache\OLD34F.tmp
2008-02-07 22:04 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\OLD30B.tmp
2008-02-07 22:02 . 2004-08-04 00:56 32,827 --a------ C:\WINDOWS\system32\dllcache\tcptest.exe
2008-02-07 22:02 . 2004-08-04 00:56 32,827 --a--c--- C:\WINDOWS\system32\dllcache\OLD300.tmp
2008-02-07 22:02 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\dllcache\tcptsat.dll
2008-02-07 22:02 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\OLD303.tmp
2008-02-07 22:01 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-07 22:01 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\OLD2F7.tmp
2008-02-07 22:01 . 2004-08-04 00:56 20,536 --a------ C:\WINDOWS\system32\dllcache\shtml.dll
2008-02-07 22:01 . 2004-08-04 00:56 20,536 --a--c--- C:\WINDOWS\system32\dllcache\OLD2FA.tmp
2008-02-07 22:01 . 2004-08-04 00:56 16,437 --a------ C:\WINDOWS\system32\dllcache\shtml.exe
2008-02-07 22:01 . 2004-08-04 00:56 16,437 --a--c--- C:\WINDOWS\system32\dllcache\OLD2FD.tmp
2008-02-07 21:59 . 2004-08-04 00:56 188,480 --a--c--- C:\WINDOWS\system32\dllcache\OLD2C0.tmp
2008-02-07 16:29 . 2008-02-07 17:00 534 --ahs---- C:\WINDOWS\system32\tvgkqare.ini
2008-02-07 08:46 . 2008-02-07 15:18 414 --ahs---- C:\WINDOWS\system32\bpkxqpys.ini
2008-02-06 16:52 . 2008-02-06 16:52 26,624 --a------ C:\WINDOWS\system32\jkkjige.dll.vir
2008-02-06 13:38 . 2008-02-06 13:57 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\System Tweaker
2008-02-06 13:25 . 2008-02-06 13:25 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Uniblue
2008-02-06 13:24 . 2008-02-06 13:38 <DIR> d-------- C:\Program Files\Uniblue
2008-02-06 11:39 . 2008-02-06 12:27 <DIR> d-------- C:\VundoFix Backups
2008-02-06 11:33 . 2008-02-08 13:27 <DIR> d-------- C:\Program Files\HJT
2008-02-06 10:43 . 2004-05-20 09:46 929,792 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-02-06 10:43 . 2004-05-20 09:46 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-06 10:43 . 2004-05-20 09:46 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-02-06 10:24 . 2008-02-06 10:24 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-02-06 08:35 . 2008-02-06 16:58 1,254 --ahs---- C:\WINDOWS\system32\wybbqqxq.ini
2008-02-06 07:48 . 2008-02-08 08:04 3,179 --a------ C:\WINDOWS\wininit.ini
2008-02-06 04:19 . 2008-02-07 12:13 <DIR> d-------- C:\Program Files\Google
2008-02-06 03:45 . 2008-02-06 03:30 294 --ahs---- C:\WINDOWS\system32\iwcolnjs.ini
2008-02-06 02:54 . 2008-02-06 02:54 294 --ahs---- C:\WINDOWS\system32\iwcolnjs.tmp
2008-02-06 02:33 . 2008-02-06 02:33 39,424 --a------ C:\WINDOWS\system32\awttstu.dll.vir
2008-02-06 02:33 . 2008-02-06 02:34 38 --a------ C:\WINDOWS\system32\a.bat
2008-02-02 16:36 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-02 16:36 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-02 16:36 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-02 12:21 . 2008-02-02 12:21 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Yahoo!
2008-02-02 12:09 . 2008-02-02 16:36 <DIR> d-------- C:\Program Files\Symantec
2008-02-02 12:09 . 2008-02-02 12:25 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-02 12:09 . 2008-02-02 12:25 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-02 12:08 . 2008-02-02 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-02 12:07 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-02-02 12:07 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-02-02 12:02 . 2008-02-02 12:59 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-01 10:32 . 2008-02-01 10:32 <DIR> d-------- C:\Brother
2008-02-01 10:32 . 2006-01-16 15:52 163,840 --a------ C:\WINDOWS\system32\NSSearch.dll
2008-02-01 10:32 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-02-01 10:32 . 2002-11-26 13:43 106,496 --a------ C:\WINDOWS\system32\BrMuSNMP.dll
2008-02-01 10:32 . 2005-09-16 18:21 54,784 --a------ C:\WINDOWS\system32\BrNetSti.dll
2008-02-01 10:32 . 2005-08-09 18:59 53,248 --a------ C:\WINDOWS\system32\BrMfNt.dll
2008-02-01 10:32 . 2006-01-19 20:33 37,376 --a------ C:\WINDOWS\system32\Brnsplg.dll
2008-02-01 10:32 . 2006-01-19 20:18 34,816 --a------ C:\WINDOWS\system32\BrWiaNCp.dll
2008-02-01 10:32 . 2003-11-28 18:57 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-01-26 22:29 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-26 22:28 . 2008-01-26 22:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-26 22:27 . 2008-01-26 22:28 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-26 22:24 . 2008-01-26 22:24 <DIR> dr-h----- C:\MSOCache
2008-01-22 19:35 . 2008-01-22 19:35 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-01-11 08:52 . 2008-02-02 17:37 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-11 08:50 . 2005-04-20 11:32 2,916,352 --------- C:\WINDOWS\UNNeroVision.exe
2008-01-11 08:50 . 2004-07-09 09:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-01-11 08:50 . 2005-06-07 09:40 154,855 --------- C:\WINDOWS\UNNeroVision.cfg
2008-01-11 08:44 . 2008-01-11 08:44 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-11 08:42 . 2004-07-26 17:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-01-11 08:42 . 2004-07-26 17:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-01-11 08:42 . 2004-07-26 17:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-01-11 08:42 . 2004-07-26 17:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-01-11 08:42 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-11 08:42 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-11 08:28 . 2008-01-11 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-11 08:28 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-10 19:48 . 2008-01-11 01:46 38 --a------ C:\WINDOWS\avisplitter.INI
2008-01-09 16:10 . 2008-01-09 16:10 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Media Player Classic
2008-01-09 16:08 . 2008-01-09 16:08 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-01-08 17:21 . 2003-05-12 00:46 2,244,608 --a------ C:\Program Files\MyCDPro.exe
2008-01-08 16:58 . 2008-01-08 16:58 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Sonic
2008-01-08 16:47 . 2008-01-08 16:47 <DIR> d-------- C:\Program Files\Common Files\Sonic
2008-01-08 16:10 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-08 16:09 . 2008-02-06 04:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 14:09 . 2008-01-08 14:09 <DIR> dr------- C:\Documents and Settings\Roger Douek\Application Data\Brother
2008-01-08 14:00 . 2008-02-01 11:00 419 --a------ C:\WINDOWS\BRWMARK.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 15:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-08 15:31 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Spamihilator
2008-02-06 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 07:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-02 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-02 12:59 --------- d-----r C:\Program Files\Programs
2008-02-02 12:25 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-02 12:25 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-25 15:35 --------- d-----w C:\Program Files\CCleaner
2008-01-19 17:09 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Ahead
2008-01-18 21:10 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-11 08:50 --------- d-----w C:\Program Files\Ahead
2008-01-11 08:42 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-10 18:31 17,136 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-09 15:52 --------- d-----w C:\Program Files\DivX
2008-01-08 13:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-07 20:32 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\DivX
2008-01-07 19:10 --------- d-----w C:\Program Files\Shareaza
2008-01-07 16:36 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-06 22:38 --------- d-----w C:\Program Files\Spamihilator
2008-01-04 22:58 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Shareaza
2008-01-04 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2004-07-17 22:55 460,728 -c--a-w C:\WINDOWS\Fonts\SET585.tmp
2004-07-17 22:55 460,728 -c--a-w C:\WINDOWS\Fonts\SET4B8.tmp
2004-07-17 22:55 383,140 -c--a-w C:\WINDOWS\Fonts\SET584.tmp
2004-07-17 22:55 383,140 -c--a-w C:\WINDOWS\Fonts\SET4B7.tmp
2004-07-17 22:55 355,436 -c--a-w C:\WINDOWS\Fonts\SET583.tmp
2004-07-17 22:55 355,436 -c--a-w C:\WINDOWS\Fonts\SET4B6.tmp
2004-07-17 11:39 409,280 -c--a-w C:\WINDOWS\Fonts\SET582.tmp
2004-07-17 11:39 409,280 -c--a-r C:\WINDOWS\Fonts\SET4B5.tmp
2004-07-17 11:39 398,372 -c--a-w C:\WINDOWS\Fonts\SET581.tmp
2004-07-17 11:39 398,372 -c--a-w C:\WINDOWS\Fonts\SET4B4.tmp
2004-07-17 11:39 367,112 -c--a-w C:\WINDOWS\Fonts\SET588.tmp
2004-07-17 11:39 367,112 -c--a-w C:\WINDOWS\Fonts\SET4BC.tmp
2004-07-17 11:39 352,224 -c--a-w C:\WINDOWS\Fonts\SET587.tmp
2004-07-17 11:39 352,224 -c--a-w C:\WINDOWS\Fonts\SET4BB.tmp
2004-07-17 11:39 171,792 -c--a-w C:\WINDOWS\Fonts\SET4B3.tmp
2004-07-17 11:39 155,068 -c--a-w C:\WINDOWS\Fonts\SET4B9.tmp
2004-07-17 11:39 127,596 -c--a-w C:\WINDOWS\Fonts\SET586.tmp
2004-07-17 11:39 127,596 -c--a-w C:\WINDOWS\Fonts\SET4BA.tmp
2005-04-19 13:54 32 -csha-w C:\WINDOWS\{160F4D01-396B-427D-842E-99F16A58D5AD}.dat
2004-04-25 03:37 32 -csha-w C:\WINDOWS\{3163A6AC-9F2A-4C37-8CFF-5403623C8118}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\{47948CE7-A928-4672-B746-322B2E4F8357}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\{5A76103C-58A3-4999-B69E-57B407A81573}.dat
2005-04-19 13:56 32 -csha-w C:\WINDOWS\{8A69565C-7C77-490B-993E-57CAF680FBF2}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\{9FB4824F-BBF0-4C6A-9223-E6A4357B1CC4}.dat
2005-04-19 13:55 32 -csha-w C:\WINDOWS\{C6005F11-A3C9-4D41-A7A2-6872FFA889FC}.dat
2005-04-19 13:54 32 -csha-w C:\WINDOWS\system32\{048DF445-E432-44B9-8F63-552BF14FBBC0}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\system32\{86B0B412-59B8-4CC7-A613-1338C169ABB3}.dat
2005-04-19 13:55 32 -csha-w C:\WINDOWS\system32\{8E9A0E73-B30A-4891-ABB8-7838879C8FD7}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\system32\{927B028C-6109-42F7-8108-9260F3BC5700}.dat
2004-04-25 03:37 32 -csha-w C:\WINDOWS\system32\{BE4EE5D5-0912-419D-86D0-FC5A392DE7C8}.dat
2005-04-19 13:56 32 -csha-w C:\WINDOWS\system32\{C228CC31-C212-42EA-A73B-1C8B0CF8DA6A}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\system32\{FD8A37F8-2FE9-468B-888E-955CF5D0C76C}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07CECA9C-D8FA-43E2-A3BA-1582C42C7717}]
C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09FBEEEB-7A59-482B-8F13-284A837BDE5C}]
C:\WINDOWS\system32\ddcyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CD8AFCA-891D-4E30-BB57-C43F8B5804E8}]
C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{555DC70A-74F5-4688-B8B2-64234232A4D5}]
C:\WINDOWS\system32\fcyax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C42693C2-580E-4B87-8DA8-A13F8024A7B5}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9CBB51E-D0E6-44FD-9C66-4040FABE948A}]
C:\WINDOWS\system32\sstss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBDFA3F0-2DAD-452B-BA1F-57F10E151D8B}]
C:\WINDOWS\system32\vtsrr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE0F2322-A9ED-4588-AA0A-538CD18DEA0B}]
C:\WINDOWS\system32\vtsts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-09-10 20:32 167936 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 33280 C:\WINDOWS\system32\rundll32.exe]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 23:06 32768]
"Audio"="C:\PNP\AUDIO\SOUNDMAN.EXE" [2002-11-19 20:01 46592]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"RMC"="C:\WINDOWS\system32\drivers\RMC.exe" [2005-08-17 15:46 24576]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2008-01-06 11:20 1003520]
"QD FastAndSafe"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-04-25 02:21 26112]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 07:11 771704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMFUprogramsList"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ljjhf.dll
Notification Packages REG_MULTI_SZ scecli scecli scecli

R2 MTC0001_RMC;Remove Control Device;C:\WINDOWS\system32\drivers\RMC.sys [2005-04-22 14:24]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 akS56USB;AKAI S5000/S6000 Driver;C:\WINDOWS\system32\Drivers\akS56USB.sys [2000-08-23 13:14]
S3 MTC0001_ESB;ESB device driver;C:\WINDOWS\system32\ntESB.sys []
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2005-06-10 09:39]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 02:40:34 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Roger Douek.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe
"2008-01-29 23:22:38 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 15:48:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-02-08 15:53:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 15:52:29
.
2008-01-27 10:48:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:21, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PNP\AUDIO\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\drivers\RMC.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...t...earch&meta=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:81;gopher=127.0.0.1:81;http=localhost:2323;https=127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {07CECA9C-D8FA-43E2-A3BA-1582C42C7717} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {09FBEEEB-7A59-482B-8F13-284A837BDE5C} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {2CD8AFCA-891D-4E30-BB57-C43F8B5804E8} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {555DC70A-74F5-4688-B8B2-64234232A4D5} - C:\WINDOWS\system32\fcyax.dll (file missing)
O2 - BHO: (no name) - {C42693C2-580E-4B87-8DA8-A13F8024A7B5} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {C9CBB51E-D0E6-44FD-9C66-4040FABE948A} - C:\WINDOWS\system32\sstss.dll (file missing)
O2 - BHO: (no name) - {CBDFA3F0-2DAD-452B-BA1F-57F10E151D8B} - C:\WINDOWS\system32\vtsrr.dll (file missing)
O2 - BHO: (no name) - {DE0F2322-A9ED-4588-AA0A-538CD18DEA0B} - C:\WINDOWS\system32\vtsts.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Audio] C:\PNP\AUDIO\SOUNDMAN.EXE
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RMC] C:\WINDOWS\system32\drivers\RMC.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02999FD7-E09B-4E84-8F1D-722A74F19683}: NameServer = 192.168.10.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6759 bytes




THANKS AGAIN !!
Rog 53

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {07CECA9C-D8FA-43E2-A3BA-1582C42C7717} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {09FBEEEB-7A59-482B-8F13-284A837BDE5C} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {2CD8AFCA-891D-4E30-BB57-C43F8B5804E8} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {555DC70A-74F5-4688-B8B2-64234232A4D5} - C:\WINDOWS\system32\fcyax.dll (file missing)
O2 - BHO: (no name) - {C42693C2-580E-4B87-8DA8-A13F8024A7B5} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {C9CBB51E-D0E6-44FD-9C66-4040FABE948A} - C:\WINDOWS\system32\sstss.dll (file missing)
O2 - BHO: (no name) - {CBDFA3F0-2DAD-452B-BA1F-57F10E151D8B} - C:\WINDOWS\system32\vtsrr.dll (file missing)
O2 - BHO: (no name) - {DE0F2322-A9ED-4588-AA0A-538CD18DEA0B} - C:\WINDOWS\system32\vtsts.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\tvgkqare.ini
C:\WINDOWS\system32\bpkxqpys.ini
C:\WINDOWS\system32\jkkjige.dll.vir
C:\WINDOWS\system32\wybbqqxq.ini
C:\WINDOWS\system32\iwcolnjs.ini
C:\WINDOWS\system32\iwcolnjs.tmp
C:\WINDOWS\system32\awttstu.dll.vir
C:\WINDOWS\system32\a.bat


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.




Reboot and post a new HijackThis log
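The eight O2 entries selected above share one shape: a BHO registered with no name, a five-letter lowercase DLL in system32, and "(file missing)". As an added example that is not part of the original thread and not code from HijackThis or ComboFix, the Python script below encodes that pattern as triage heuristics and runs them over lines copied from the log posted above; the name-length rule and the local-proxy review check are my own assumptions, not rules the helper stated.

```python
# Heuristic triage of HijackThis v2 log lines (added example, not from the
# thread). Flags O2 BHO entries that look like Vundo/Virtumonde residue and
# marks a proxy pointing at the local machine for review. It only reports;
# deciding what to remove stays with the person reading the log.
import re
from dataclasses import dataclass, field

# O2 line shape: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# R1 line carrying the per-user ProxyServer setting
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
# Assumed rule: short all-lowercase base names (vtsts, ddcyv, fcyax, pmkjg ...)
RANDOM_DLL_RE = re.compile(r"[a-z]{5,8}\.dll")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def bho_reasons(m: re.Match) -> list:
    """Return why an O2 entry looks suspicious (empty list if it looks clean)."""
    reasons = []
    if m.group("name") == "(no name)":
        reasons.append("BHO registered without a name")
    path = m.group("path")
    base = path.rsplit("\\", 1)[-1]
    if path.lower().startswith(SYSTEM32) and RANDOM_DLL_RE.fullmatch(base):
        reasons.append("random-looking lowercase DLL name in system32")
    if m.group("missing"):
        reasons.append("registered DLL is missing (orphaned entry)")
    return reasons


def triage_line(line: str):
    """Classify one log line; return a Finding or None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        reasons = bho_reasons(m)
        return Finding(line, reasons) if reasons else None
    m = R1_PROXY_RE.match(line)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy")):
        return Finding(line, ["proxy points at the local machine; confirm which installed program owns it"])
    return None


def triage(log_text: str) -> list:
    """Return a Finding for every suspicious line, highest score first."""
    findings = [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:81;gopher=127.0.0.1:81;http=localhost:2323;https=127.0.0.1:81
O2 - BHO: (no name) - {07CECA9C-D8FA-43E2-A3BA-1582C42C7717} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {09FBEEEB-7A59-482B-8F13-284A837BDE5C} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {555DC70A-74F5-4688-B8B2-64234232A4D5} - C:\WINDOWS\system32\fcyax.dll (file missing)
O2 - BHO: (no name) - {C42693C2-580E-4B87-8DA8-A13F8024A7B5} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}\n      " + "; ".join(f.reasons))
```

The Spybot SDHelper BHO and the ccApp Run entry produce no finding, which is the point of requiring more than one signal before an entry is reported.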

#5
Rog53

    Member

  • Topic Starter
  • Member
  • 10 posts
Thanks again.

Log attached:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:07:13, on 09/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PNP\AUDIO\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\drivers\RMC.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=en&btnG=Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:81;gopher=127.0.0.1:81;http=localhost:2323;https=127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Audio] C:\PNP\AUDIO\SOUNDMAN.EXE
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RMC] C:\WINDOWS\system32\drivers\RMC.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02999FD7-E09B-4E84-8F1D-722A74F19683}: NameServer = 192.168.10.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5993 bytes

I noticed that my 'Effects' tab is missing on my Display Properties. All the other tabs are there. Any idea what I can do about this? ... and the Windows XP Home SP2 is still in the corner of my Desktop. Any suggestions would be appreciated.

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post the ComboFix log?

Then do this

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Then tell me how your PC is running.

#7
Rog53

    Member

  • Topic Starter
  • Member
  • 10 posts
ComboFix log as requested:

ComboFix 08-02.05.3 - Roger Douek 2008-02-09 19:00:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT 0:00]
Running from: C:\Program Files\ComboFix\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 02:53 . 2004-08-04 00:56 388,608 --a------ C:\kmd.exe
2008-02-09 02:48 . 2008-02-09 02:54 <DIR> d-------- C:\Program Files\ComboFix
2008-02-09 01:03 . 2008-02-09 01:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-08 09:44 . 2008-02-08 09:57 2,966 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-08 09:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-08 09:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-08 09:43 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-08 09:43 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-08 09:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-08 09:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-08 09:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\OLD4A6.tmp
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\OLD4A3.tmp
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\OLD4A0.tmp
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10021.nls
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10005.nls
2008-02-07 22:11 . 2001-08-18 11:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10004.nls
2008-02-07 22:11 . 2001-08-17 13:51 13,824 --a------ C:\WINDOWS\system32\dllcache\OLD49D.tmp
2008-02-07 22:11 . 2001-08-17 13:51 13,824 --a------ C:\WINDOWS\system32\dllcache\bulltlp3.sys
2008-02-07 22:09 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\OLD441.tmp
2008-02-07 22:08 . 2001-08-18 11:00 1,817,687 --a------ C:\WINDOWS\system32\dllcache\OLD42E.tmp
2008-02-07 22:07 . 2001-08-17 14:55 382,592 --a------ C:\WINDOWS\system32\dllcache\OLD3B8.tmp
2008-02-07 22:06 . 2004-08-04 00:56 331,264 --a------ C:\WINDOWS\system32\dllcache\OLD398.tmp
2008-02-07 22:05 . 2001-08-17 12:19 747,392 --a------ C:\WINDOWS\system32\dllcache\OLD34F.tmp
2008-02-07 22:04 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\OLD30B.tmp
2008-02-07 22:02 . 2004-08-04 00:56 32,827 --a------ C:\WINDOWS\system32\dllcache\tcptest.exe
2008-02-07 22:02 . 2004-08-04 00:56 32,827 --a--c--- C:\WINDOWS\system32\dllcache\OLD300.tmp
2008-02-07 22:02 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\dllcache\tcptsat.dll
2008-02-07 22:02 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\OLD303.tmp
2008-02-07 22:01 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-07 22:01 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\OLD2F7.tmp
2008-02-07 22:01 . 2004-08-04 00:56 20,536 --a------ C:\WINDOWS\system32\dllcache\shtml.dll
2008-02-07 22:01 . 2004-08-04 00:56 20,536 --a--c--- C:\WINDOWS\system32\dllcache\OLD2FA.tmp
2008-02-07 22:01 . 2004-08-04 00:56 16,437 --a------ C:\WINDOWS\system32\dllcache\shtml.exe
2008-02-07 22:01 . 2004-08-04 00:56 16,437 --a--c--- C:\WINDOWS\system32\dllcache\OLD2FD.tmp
2008-02-07 21:59 . 2004-08-04 00:56 188,480 --a--c--- C:\WINDOWS\system32\dllcache\OLD2C0.tmp
2008-02-06 13:38 . 2008-02-06 13:57 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\System Tweaker
2008-02-06 13:25 . 2008-02-06 13:25 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Uniblue
2008-02-06 13:24 . 2008-02-09 02:21 <DIR> d-------- C:\Program Files\Uniblue
2008-02-06 11:39 . 2008-02-06 12:27 <DIR> d-------- C:\VundoFix Backups
2008-02-06 11:33 . 2008-02-09 03:06 <DIR> d-------- C:\Program Files\HJT
2008-02-06 10:43 . 2004-05-20 09:46 929,792 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-02-06 10:43 . 2004-05-20 09:46 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-06 10:43 . 2004-05-20 09:46 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-02-06 10:24 . 2008-02-06 10:24 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-02-06 07:48 . 2008-02-08 08:04 3,179 --a------ C:\WINDOWS\wininit.ini
2008-02-06 04:19 . 2008-02-07 12:13 <DIR> d-------- C:\Program Files\Google
2008-02-02 16:36 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-02 16:36 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-02 16:36 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-02 12:21 . 2008-02-02 12:21 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Yahoo!
2008-02-02 12:09 . 2008-02-02 16:36 <DIR> d-------- C:\Program Files\Symantec
2008-02-02 12:09 . 2008-02-02 12:25 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-02 12:09 . 2008-02-02 12:25 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-02 12:08 . 2008-02-02 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-02 12:07 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-02-02 12:07 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-02-02 12:02 . 2008-02-02 12:59 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-01 10:32 . 2008-02-01 10:32 <DIR> d-------- C:\Brother
2008-02-01 10:32 . 2006-01-16 15:52 163,840 --a------ C:\WINDOWS\system32\NSSearch.dll
2008-02-01 10:32 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-02-01 10:32 . 2002-11-26 13:43 106,496 --a------ C:\WINDOWS\system32\BrMuSNMP.dll
2008-02-01 10:32 . 2005-09-16 18:21 54,784 --a------ C:\WINDOWS\system32\BrNetSti.dll
2008-02-01 10:32 . 2005-08-09 18:59 53,248 --a------ C:\WINDOWS\system32\BrMfNt.dll
2008-02-01 10:32 . 2006-01-19 20:33 37,376 --a------ C:\WINDOWS\system32\Brnsplg.dll
2008-02-01 10:32 . 2006-01-19 20:18 34,816 --a------ C:\WINDOWS\system32\BrWiaNCp.dll
2008-02-01 10:32 . 2003-11-28 18:57 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-01-26 22:29 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-26 22:28 . 2008-01-26 22:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-26 22:27 . 2008-01-26 22:28 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-26 22:24 . 2008-01-26 22:24 <DIR> dr-h----- C:\MSOCache
2008-01-22 19:35 . 2008-01-22 19:35 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-01-11 08:52 . 2008-02-02 17:37 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-11 08:50 . 2005-04-20 11:32 2,916,352 --------- C:\WINDOWS\UNNeroVision.exe
2008-01-11 08:50 . 2004-07-09 09:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-01-11 08:50 . 2005-06-07 09:40 154,855 --------- C:\WINDOWS\UNNeroVision.cfg
2008-01-11 08:44 . 2008-01-11 08:44 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-11 08:42 . 2004-07-26 17:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-01-11 08:42 . 2004-07-26 17:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-01-11 08:42 . 2004-07-26 17:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-01-11 08:42 . 2004-07-26 17:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-01-11 08:42 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-11 08:42 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-11 08:28 . 2008-01-11 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-11 08:28 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-10 19:48 . 2008-01-11 01:46 38 --a------ C:\WINDOWS\avisplitter.INI
2008-01-09 16:10 . 2008-01-09 16:10 <DIR> d-------- C:\Documents and Settings\Roger Douek\Application Data\Media Player Classic
2008-01-09 16:08 . 2008-01-09 16:08 <DIR> d-------- C:\Program Files\K-Lite Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 18:56 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Spamihilator
2008-02-09 01:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 07:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 04:42 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-02 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-02 12:59 --------- d-----r C:\Program Files\Programs
2008-02-02 12:25 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-02 12:25 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-25 15:35 --------- d-----w C:\Program Files\CCleaner
2008-01-19 17:09 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Ahead
2008-01-18 21:10 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-11 08:50 --------- d-----w C:\Program Files\Ahead
2008-01-11 08:42 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-10 18:31 17,136 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-09 15:52 --------- d-----w C:\Program Files\DivX
2008-01-08 16:58 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Sonic
2008-01-08 16:47 --------- d-----w C:\Program Files\Common Files\Sonic
2008-01-08 14:25 --------- d-----w C:\Program Files\ScanSoft
2008-01-08 14:09 --------- d-----r C:\Documents and Settings\Roger Douek\Application Data\Brother
2008-01-08 13:59 --------- d-----w C:\Program Files\Brother
2008-01-08 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-08 13:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-08 13:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Brother
2008-01-07 20:32 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\DivX
2008-01-07 19:10 --------- d-----w C:\Program Files\Shareaza
2008-01-07 16:36 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-06 22:38 --------- d-----w C:\Program Files\Spamihilator
2008-01-04 22:58 --------- d-----w C:\Documents and Settings\Roger Douek\Application Data\Shareaza
2008-01-04 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2004-07-17 22:55 460,728 -c--a-w C:\WINDOWS\Fonts\SET585.tmp
2004-07-17 22:55 460,728 -c--a-w C:\WINDOWS\Fonts\SET4B8.tmp
2004-07-17 22:55 383,140 -c--a-w C:\WINDOWS\Fonts\SET584.tmp
2004-07-17 22:55 383,140 -c--a-w C:\WINDOWS\Fonts\SET4B7.tmp
2004-07-17 22:55 355,436 -c--a-w C:\WINDOWS\Fonts\SET583.tmp
2004-07-17 22:55 355,436 -c--a-w C:\WINDOWS\Fonts\SET4B6.tmp
2004-07-17 11:39 409,280 -c--a-w C:\WINDOWS\Fonts\SET582.tmp
2004-07-17 11:39 409,280 -c--a-r C:\WINDOWS\Fonts\SET4B5.tmp
2004-07-17 11:39 398,372 -c--a-w C:\WINDOWS\Fonts\SET581.tmp
2004-07-17 11:39 398,372 -c--a-w C:\WINDOWS\Fonts\SET4B4.tmp
2004-07-17 11:39 367,112 -c--a-w C:\WINDOWS\Fonts\SET588.tmp
2004-07-17 11:39 367,112 -c--a-w C:\WINDOWS\Fonts\SET4BC.tmp
2004-07-17 11:39 352,224 -c--a-w C:\WINDOWS\Fonts\SET587.tmp
2004-07-17 11:39 352,224 -c--a-w C:\WINDOWS\Fonts\SET4BB.tmp
2004-07-17 11:39 171,792 -c--a-w C:\WINDOWS\Fonts\SET4B3.tmp
2004-07-17 11:39 155,068 -c--a-w C:\WINDOWS\Fonts\SET4B9.tmp
2004-07-17 11:39 127,596 -c--a-w C:\WINDOWS\Fonts\SET586.tmp
2004-07-17 11:39 127,596 -c--a-w C:\WINDOWS\Fonts\SET4BA.tmp
2003-05-12 00:46 2,244,608 ----a-w C:\Program Files\MyCDPro.exe
2005-04-19 13:54 32 -csha-w C:\WINDOWS\{160F4D01-396B-427D-842E-99F16A58D5AD}.dat
2004-04-25 03:37 32 -csha-w C:\WINDOWS\{3163A6AC-9F2A-4C37-8CFF-5403623C8118}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\{47948CE7-A928-4672-B746-322B2E4F8357}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\{5A76103C-58A3-4999-B69E-57B407A81573}.dat
2005-04-19 13:56 32 -csha-w C:\WINDOWS\{8A69565C-7C77-490B-993E-57CAF680FBF2}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\{9FB4824F-BBF0-4C6A-9223-E6A4357B1CC4}.dat
2005-04-19 13:55 32 -csha-w C:\WINDOWS\{C6005F11-A3C9-4D41-A7A2-6872FFA889FC}.dat
2005-04-19 13:54 32 -csha-w C:\WINDOWS\system32\{048DF445-E432-44B9-8F63-552BF14FBBC0}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\system32\{86B0B412-59B8-4CC7-A613-1338C169ABB3}.dat
2005-04-19 13:55 32 -csha-w C:\WINDOWS\system32\{8E9A0E73-B30A-4891-ABB8-7838879C8FD7}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\system32\{927B028C-6109-42F7-8108-9260F3BC5700}.dat
2004-04-25 03:37 32 -csha-w C:\WINDOWS\system32\{BE4EE5D5-0912-419D-86D0-FC5A392DE7C8}.dat
2005-04-19 13:56 32 -csha-w C:\WINDOWS\system32\{C228CC31-C212-42EA-A73B-1C8B0CF8DA6A}.dat
2004-04-25 03:39 32 -csha-w C:\WINDOWS\system32\{FD8A37F8-2FE9-468B-888E-955CF5D0C76C}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-09-10 20:32 167936 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 33280 C:\WINDOWS\system32\rundll32.exe]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 23:06 32768]
"Audio"="C:\PNP\AUDIO\SOUNDMAN.EXE" [2002-11-19 20:01 46592]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"RMC"="C:\WINDOWS\system32\drivers\RMC.exe" [2005-08-17 15:46 24576]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2008-01-06 11:20 1003520]
"QD FastAndSafe"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-04-25 02:21 26112]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 07:11 771704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMFUprogramsList"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

R2 MTC0001_RMC;Remove Control Device;C:\WINDOWS\system32\drivers\RMC.sys [2005-04-22 14:24]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 akS56USB;AKAI S5000/S6000 Driver;C:\WINDOWS\system32\Drivers\akS56USB.sys [2000-08-23 13:14]
S3 MTC0001_ESB;ESB device driver;C:\WINDOWS\system32\ntESB.sys []
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2005-06-10 09:39]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 02:40:34 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Roger Douek.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-01-29 23:22:38 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 19:06:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-02-09 19:08:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 19:07:56
ComboFix2.txt 2008-02-09 03:01:55
ComboFix3.txt 2008-02-08 15:53:25
.
2008-01-27 10:48:54 --- E O F ---
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok post the SUPERAntiSpyware log when it is done and tell me how your PC is running
  • 0

#9
Rog53

Rog53

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
AntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 08:34 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 01:09:45

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5257
Registry threats detected : 1
File items scanned : 45760
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][1].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][1].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][2].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][1].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][2].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][2].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][1].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][1].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][1].txt
C:\Documents and Settings\Roger Douek\Cookies\roger [email protected][2].txt

Unclassified.PC MightyMax
HKU\S-1-5-21-1177238915-813497703-1343024091-1004\Software\PC MightyMax
C:\DOWNLOAD\PCMIGHTYMAXSETUP.EXE

Trojan.Unclassifed/AffiliateBundle
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AWTTSTU.DLL.VIR.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PMNMNOM.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000083.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000072.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000073.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000074.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000075.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000076.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000077.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000078.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000079.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000080.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000081.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000082.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000084.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000085.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D2A9913B-953A-42AD-A001-A7F4C9E2F69D}\RP3\A0000102.DLL


_____________________________________

PC working well.

Still have no tab on Display (Display Properties) for 'Effects', and Windows XP Home Edition still on desktop.
Any ideas on this?
  • 0
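The log above still lists detections, yet the next reply calls the logs clean; the difference is where each item sits. As an added example (not code from the thread, from SUPERAntiSpyware or from ComboFix), the Python below parses a scan log in the same layout and sorts every detection by location: restore points and the ComboFix quarantine folder (C:\QOOBOX) hold inert copies that a System Restore reset or a quarantine purge removes, a tracking cookie is browser data, and only a live file or registry key still needs hands-on removal. SAMPLE_LOG is constructed to mirror the posted log; its restore-point GUID, SID and hostnames are placeholders.

```python
"""Triage detections in a SUPERAntiSpyware-style scan log by where each item lives.

Added example for this thread, not code from SUPERAntiSpyware or Geeks to Go.
SAMPLE_LOG is constructed to mirror the layout of the log posted above; the
restore-point GUID, the user SID and the cookie hostname are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 08:34 PM

Scan type : Complete Scan
Registry threats detected : 1
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@ads.example[1].txt

Unclassified.PC MightyMax
HKU\S-1-5-21-0-0-0-1004\Software\PC MightyMax
C:\DOWNLOAD\PCMIGHTYMAXSETUP.EXE

Trojan.Unclassifed/AffiliateBundle
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AWTTSTU.DLL.VIR

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP3\A0000072.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP3\A0000073.DLL
"""

# A detection item is a file path (drive letter) or a registry key (hive prefix).
ITEM_RE = re.compile(r'^(?:[A-Za-z]:\\|HK[A-Z_]*\\)')
# A family header looks like "Adware.Vundo-Variant/Small-A": category, dot, name,
# and no ':' (a colon marks one of the "Key : value" metadata lines instead).
FAMILY_RE = re.compile(r'^[A-Za-z]+\.[^:]+$')

# What each location means for clean-up (defender's view of the same log).
ACTION = {
    'registry': 'active registry remnant: remove it',
    'live-file': 'active file on disk: remove it',
    'restore-point': 'inert copy inside System Restore: reset System Restore to purge it',
    'quarantine': 'already neutralised by an earlier tool: clear the quarantine folder',
    'cookie': 'tracking cookie only: clear browser cookies',
}


def parse_detections(log_text):
    """Return (family, item) pairs from the detection section of the log."""
    family = None
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ITEM_RE.match(line):
            if family is not None:
                found.append((family, line))
        elif FAMILY_RE.match(line):
            family = line          # metadata lines match neither pattern and are skipped
    return found


def classify(item):
    """Bucket one detection by where it lives on the system."""
    p = item.upper()
    if p.startswith('HK'):
        return 'registry'
    if '\\SYSTEM VOLUME INFORMATION\\_RESTORE' in p:
        return 'restore-point'
    if '\\QOOBOX\\QUARANTINE\\' in p:
        return 'quarantine'
    if '\\COOKIES\\' in p:
        return 'cookie'
    return 'live-file'


def triage(log_text):
    """Map location -> list of (family, item) for every detection in the log."""
    buckets = defaultdict(list)
    for family, item in parse_detections(log_text):
        buckets[classify(item)].append((family, item))
    return dict(buckets)


def needs_action(log_text):
    """Only live files and registry keys are still active; everything else is residue."""
    t = triage(log_text)
    return [(f, i) for loc in ('registry', 'live-file') for f, i in t.get(loc, [])]


if __name__ == '__main__':
    for location, items in triage(SAMPLE_LOG).items():
        print(f'{location}: {len(items)} item(s) -> {ACTION[location]}')
        for family, item in items:
            print(f'    {family}: {item}')
```

Run against the constructed log, `needs_action` returns only the PC MightyMax registry key and its installer; the Vundo DLLs are all under `_RESTORE{...}` and the AffiliateBundle DLL is already in the ComboFix quarantine, which is why a reset of System Restore (part of the `Combofix /u` step in the next reply) is the right follow-up rather than another removal pass.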

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0
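The HOSTS-file recommendation above works because Windows consults that file before asking DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The same mechanism cuts both ways: an entry that sends a hostname to some other address is what a hijacked HOSTS file looks like, so it is worth checking the file rather than only installing one. As an added example (not the MVPS file or any tool of the MVPS project), the Python below parses a HOSTS file, lists the names it sinkholes, and flags any mapping to a non-local address. SAMPLE_HOSTS is a constructed fragment in the MVPS layout, and 192.0.2.10 is a documentation address used as a placeholder.

```python
"""Audit a Windows HOSTS file for sinkholed names and suspicious redirections.

Added example for this thread, not code from the MVPS project. SAMPLE_HOSTS is a
constructed fragment in the MVPS layout; 192.0.2.10 is a documentation address
standing in for "some address that is not this machine".
"""
import ipaddress

SAMPLE_HOSTS = """# constructed sample, not the real MVPS file
127.0.0.1 localhost
127.0.0.1 ads.example          # [Ad network]
127.0.0.1 tracker.example
0.0.0.0   malware-download.example
::1       localhost
192.0.2.10 www.update-vendor.example   # sends a legitimate-looking name elsewhere
"""

# Names that legitimately map to a local address and are not "blocks".
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost'}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every usable mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line; the resolver ignores it too
        for name in parts[1:]:                 # one address may carry several names
            entries.append((lineno, addr, name.lower()))
    return entries


def is_sinkhole(addr):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make a name resolve to nowhere useful."""
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Split mappings into blocked names and names sent to a real address.

    A non-local name that is not sinkholed is the hijack pattern to look for:
    malware sometimes points vendor update hostnames at its own server so that
    updates and removal tools cannot be fetched.
    """
    blocked, suspicious = [], []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if is_sinkhole(addr):
            blocked.append(name)
        else:
            suspicious.append((lineno, str(addr), name))
    return blocked, suspicious


def is_blocked(text, hostname):
    """True if this HOSTS file would keep the hostname from reaching the network."""
    return hostname.lower() in set(audit_hosts(text)[0])


if __name__ == '__main__':
    blocked, suspicious = audit_hosts(SAMPLE_HOSTS)
    print(f'{len(blocked)} name(s) sinkholed: {", ".join(blocked)}')
    for lineno, addr, name in suspicious:
        print(f'line {lineno}: {name} -> {addr}  (not local: check this entry)')
```

On a real machine the file is `%SystemRoot%\System32\drivers\etc\hosts`; pointing `audit_hosts` at its contents after installing the MVPS file should yield a long blocked list and an empty suspicious list, and anything that turns up in the suspicious list deserves a look before the next hardening step.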

#11
Rog53

Rog53

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I can't thank you enough.

I will take up all your suggestions.

P.S. There is no Effects tab on Display on XP.

Have a great day!!!
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





