Please help - computer doing strange things

#1 rikc (Member, 16 posts)

Hi
Please can someone help. My PC has been doing very strange things recently. First it started with pop-ups all over the place, mainly free scan ones. When I closed them they tried to download. Now I get all sorts popping up. When I close them all my desktop icons disappear. Sometimes I can't even get Task Manager up to shut down. Shutting down is the only thing that gets my icons back. I have recently run CCleaner, Ad-Aware and also AVG but it is still happening.

Should I follow the malware removal guide first, and if so, do I need to do any backups before I carry out this procedure?

I also get buffer overrun messages appearing a lot.

This is happening several times a day. In fact this is the 3rd time I have tried to type this message. Page keeps closing down. I am now using laptop.

Advice would be very much appreciated. By the way I don't know much about the technical side of computers!

Thanks

#2 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi :)

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

#3 rikc (Topic Starter, Member, 16 posts)

Hi Loophole, thanks for helping me. :)

Should I be backing anything up before I start any of these procedures? Like I have said, I am not very technical, well not at all really!

I have run HijackThis and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:57:10, on 19/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\system32\spoolsv.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOW\VM_STI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOW\system32\HPZipm12.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOW\wanmpsvc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOW\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOW\VM_STI.EXE VIMICRO USB PC Camera L
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOW\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [6ccc7fb7] rundll32.exe "C:\WINDOW\System32\segwrpdd.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-c3.orang...va/cfs31248.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponrep...123/csauie1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://tiscaliuk.obe...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOW\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOW\wanmpsvc.exe

--
End of file - 7584 bytes
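
A triage pass over the kind of HijackThis log posted above, as an added example that is not part of the original thread and not code from HijackThis or the helper. The sample lines are a subset copied from the log; the heuristics (a hex-only autorun value name, an unqualified path, rundll32 loading an eight-letter DLL from System32, a service with an unknown owner, and "(no file)" orphans) are assumptions of mine for a first read of a log, not HijackThis rules or proof of infection.

```python
"""Flag HijackThis log lines that deserve a second look (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log in the
# thread, mixed with benign entries so the heuristics have something to ignore.
SAMPLE_LOG = """\
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [adiras] adiras.exe
O4 - HKLM\\..\\Run: [6ccc7fb7] rundll32.exe "C:\\WINDOW\\System32\\segwrpdd.dll",b
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOW\\System32\\ctfmon.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exe
"""

# "O4 - <hive>: [<value name>] <command line>"  (registry Run entries)
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First quoted or bare path ending in .dll inside a command line
DLL_RE = re.compile(r'"?([^",]+\.dll)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    line: str


def _o4_rules(name: str, cmd: str) -> list:
    """Heuristics for one O4 autorun entry; returns the rule names that fired."""
    rules = []
    # Vendors name their Run values; a bare 8-hex-digit name ([6ccc7fb7]) is
    # the sort of generated label seen on the infected machine in this thread.
    if re.fullmatch(r'[0-9a-f]{8}', name):
        rules.append('hex-only autorun name')
    # A bare file name (adiras.exe) has no directory, so the log alone cannot
    # say which binary Windows will actually start.
    if '\\' not in cmd and '/' not in cmd:
        rules.append('unqualified path')
    # rundll32 loading a DLL whose stem is eight lowercase letters matches the
    # randomly named System32 DLLs that ComboFix later removed in this thread.
    # ntpath parses the Windows-style path correctly on any host OS.
    if cmd.lower().startswith('rundll32'):
        m = DLL_RE.search(cmd)
        if m:
            stem = ntpath.splitext(ntpath.basename(m.group(1)))[0]
            if re.fullmatch(r'[a-z]{8}', stem):
                rules.append('rundll32 loads randomly named dll')
    return rules


def triage(log_text: str) -> list:
    """Return Findings for every line that trips at least one heuristic."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # HijackThis marks entries whose target is missing with "(no file)";
        # harmless, but they are leftovers worth cleaning up.
        if line.endswith('(no file)'):
            findings.append(Finding(line_no, 'orphaned entry', line))
        m = O4_RE.match(line)
        if m:
            for rule in _o4_rules(m.group('name'), m.group('cmd')):
                findings.append(Finding(line_no, rule, line))
        # Services with no recognised publisher need manual verification.
        if line.startswith('O23 - ') and ' - Unknown owner - ' in line:
            findings.append(Finding(line_no, 'service with unknown owner', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'line {f.line_no}: {f.rule}\n    {f.line}')
```

The flagged lines are candidates for a human to check, not a verdict; the helper in this thread still reads the whole log before deciding what to remove.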

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi rikc

Backing up is always a good idea, but let's hold off and see what malware we find.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#5 rikc (Topic Starter, Member, 16 posts)

Hi Loophole

I have disabled AVG, didn't know how to disable Ad-Aware 2007 so uninstalled it, and disabled McAfee, but when I run ComboFix I get a message from McAfee saying it has found a suspicious script. I clicked to allow the entire script. Don't know if this will interfere with the results of the log. I will post the logs shortly. Oh, also my computer restarted itself during the running of ComboFix!

#6 rikc (Topic Starter, Member, 16 posts)

Hi Loophole

Here is the ComboFix log

ComboFix 08-01-20.1 - rik 2008-01-20 8:20:20.2 - NTFSx86
Running from: C:\Documents and Settings\rik\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\iiiii.ini2
C:\WINDOW\system32\umfxipqr.ini
.
---- Previous Run -------
.
C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Rik.TRUDI.000\Application Data\MessengerSkinner
C:\Documents and Settings\Rik.TRUDI.000\Application Data\MessengerSkinner\Userdata\languages.xml
C:\Documents and Settings\Rik.TRUDI.000\Application Data\MessengerSkinner\Userdata\pack1.cab
C:\WINDOW\cookies.ini
C:\WINDOW\system32\aamwosff.dll
C:\WINDOW\system32\agnimtac.dll
C:\WINDOW\system32\alog.txt
C:\WINDOW\system32\conf.dat
C:\WINDOW\system32\ddprwges.ini
C:\WINDOW\system32\dovhwspl.ini
C:\WINDOW\system32\hrjeselj.dll
C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\iiiii.ini2
C:\WINDOW\system32\jbalcbbk.ini
C:\WINDOW\system32\jdkppves.dll
C:\WINDOW\system32\jlesejrh.ini
C:\WINDOW\system32\kbbclabj.dll
C:\WINDOW\system32\knpoq.ini
C:\WINDOW\system32\knpoq.ini2
C:\WINDOW\system32\limevmhv.dll
C:\WINDOW\system32\lpswhvod.dll
C:\WINDOW\system32\mcrh.tmp
C:\WINDOW\system32\mpjsegsv.dll
C:\WINDOW\system32\njjtjdsu.dll
C:\WINDOW\system32\nnsaimvr.dll
C:\WINDOW\system32\ojjutxsw.dll
C:\WINDOW\system32\segwrpdd.dll
C:\WINDOW\system32\spbnhqpu.ini
C:\WINDOW\system32\upqhnbps.dll
C:\WINDOW\system32\vpwnnuek.dll
C:\WINDOW\system32\vsgesjpm.ini
C:\WINDOW\system32\wsxtujjo.ini
C:\WINDOW\system32\wvshiyoq.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOW\NirCmd.exe
2008-01-18 10:35 . 2008-01-18 10:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 19:09 . 2008-01-16 19:09 1 --a------ C:\WINDOW\system32\rc.dat
2008-01-16 19:09 . 2008-01-16 19:09 1 --a------ C:\WINDOW\system32\ps1.dat
2008-01-16 19:08 . 2008-01-16 19:08 52,224 --a------ C:\WINDOW\system32\halifax2.dll
2008-01-16 19:07 . 2008-01-16 19:07 5,499 --a------ C:\Documents and Settings\rik\957123845.exe
2008-01-16 19:07 . 2008-01-16 19:07 5,499 --a------ C:\Documents and Settings\rik\462.exe
2008-01-16 19:07 . 2008-01-16 19:07 5,499 --a------ C:\Documents and Settings\rik\440.exe
2008-01-12 10:51 . 2008-01-12 10:51 <DIR> d-------- C:\WINDOW\LastGood
2008-01-11 20:49 . 2008-01-11 20:49 51,712 --a------ C:\WINDOW\system32\halifax1.dll
2008-01-03 07:54 . 2002-08-29 03:41 286,720 --a------ C:\WINDOW\system32\msh263.drv
2008-01-03 07:54 . 2002-08-29 03:41 49,664 --a------ C:\WINDOW\system32\vfwwdm32.dll
2008-01-03 07:54 . 2001-08-17 22:36 45,568 --a------ C:\WINDOW\system32\iyuv_32.dll
2008-01-03 07:54 . 2001-08-17 22:36 8,192 --a------ C:\WINDOW\system32\tsbyuv.dll
2008-01-03 07:53 . 2004-11-24 11:29 647,333 --a------ C:\WINDOW\system32\drivers\Capt905c.sys
2008-01-03 07:53 . 2004-05-07 15:31 24,382 --a------ C:\WINDOW\system32\drivers\Camd905c.sys
2007-12-31 16:45 . 2007-12-31 16:45 93 --a------ C:\WINDOW\wininit.ini
2007-12-31 14:42 . 2008-01-15 13:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\Spybot - Search & Destroy
2007-12-31 09:51 . 2007-12-31 09:51 <DIR> d-------- C:\Documents and Settings\rik\Application Data\Grisoft
2007-12-31 09:50 . 2007-12-31 09:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\Grisoft
2007-12-31 09:50 . 2007-05-30 12:10 10,872 --a------ C:\WINDOW\system32\drivers\AvgAsCln.sys
2007-12-31 09:00 . 2007-12-31 09:07 <DIR> d-------- C:\WINDOW\LastGood.Tmp
2007-12-27 15:42 . 2007-12-27 15:42 314,752 --a------ C:\WINDOW\system32\iiiii.dll
2007-12-23 21:34 . 2007-12-23 21:34 314,624 --a------ C:\WINDOW\system32\qopnk.dll
2007-12-21 15:37 . 2007-12-21 15:37 526,848 --a------ C:\RIGHT TO BUY DOC.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 07:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 17:21 --------- d-----w C:\Documents and Settings\rik\Application Data\DataLayer
2008-01-12 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-12 13:33 --------- d-----w C:\Documents and Settings\rik\Application Data\McAfee.com Personal Firewall
2008-01-12 13:29 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\McAfee.com Personal Firewall
2008-01-02 21:11 --------- d-----w C:\Program Files\Oberon Media
2007-12-31 14:17 --------- d-----w C:\Program Files\Lavasoft
2007-12-09 00:58 23,728 ----a-w C:\WINDOW\system32\vtuvwuu.dll
2007-11-26 16:52 --------- d-----w C:\Program Files\QuickTime
2007-07-27 18:08 150,672 ----a-w C:\Documents and Settings\Sandra\printclearly.zip
2007-05-28 11:55 576 ----a-w C:\Program Files\userdata.dat
2007-05-28 11:55 176 ----a-w C:\Program Files\log.txt
2007-02-05 20:00 88 --sh--r C:\WINDOW\system32\D36C1C2D64.sys
2007-02-05 20:00 2,516 --sha-w C:\WINDOW\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13E6025E-AA55-4694-9ADE-4C6F25E69F81}]
2007-12-27 15:42 314752 --a------ C:\WINDOW\System32\iiiii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28C703D0-B4A9-4b2f-9123-CE8294761861}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOW\System32\ctfmon.exe" [2002-08-30 04:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-02-22 16:18 1302528]
"PowerBar"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MPFEXE"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00 1005096]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 13:31 296488]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 15:16 1121792]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"BigDogPath"="C:\WINDOW\VM_STI.exe" [2004-12-15 18:01 40960]
"NeroFilterCheck"="C:\WINDOW\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-26 16:52 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"adiras"="adiras.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOW\System32\CTFMON.EXE" [2002-08-30 04:00 13312]

C:\Documents and Settings\Rik.TRUDI.000\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 23:00:00 111376]

C:\Documents and Settings\rik\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 23:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-20 23:00:00 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuvu]
vtuvuvu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOW\System32\iiiii.dll

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 08:33:03 C:\WINDOW\Tasks\RegCure Program Check.job"
- C:\Documents and Settings\rik\Desktop\RegCure\RegCure.exe
"2008-01-03 03:00:00 C:\WINDOW\Tasks\RegCure.job"
- C:\Documents and Settings\rik\Desktop\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 08:35:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOW\system32\lsass.exe [5.01.2600.1106]
-> C:\WINDOW\System32\iiiii.dll

PROCESS: C:\WINDOW\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOW\System32\iiiii.dll
.
Completion time: 2008-01-20 8:43:04 - machine was rebooted [rik]
ComboFix-quarantined-files.txt 2008-01-20 08:42:56

#7 rikc (Topic Starter, Member, 16 posts)

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:50:50, on 20/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOW\system32\HPZipm12.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\wanmpsvc.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOW\System32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOW\VM_STI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOW\VM_STI.EXE VIMICRO USB PC Camera L
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOW\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-c3.orang...va/cfs31248.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponrep...123/csauie1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://tiscaliuk.obe...aploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOW\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOW\wanmpsvc.exe

--
End of file - 7376 bytes

#8 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi rik

I'm sorry for the delay. Please delete your current ComboFix and download a new copy from Here, rerun it according to the previous instructions and post the log.

Thanks

#9 rikc (Topic Starter, Member, 16 posts)

Hi Loophole

I would do as you have asked but my computer will not load any of my desktop icons. All I get is my screensaver. Can't do anything. I have restarted several times and it still happens. I used it yesterday and did get a lot of script error messages. Don't know if this has anything to do with it. Any suggestions on how to get my icons back?

Thanks

#10 rikc (Topic Starter, Member, 16 posts)

Also

I have tried to open a Word document through Task Manager and nothing happens!!!

Task Manager is all I can get up. I am using the laptop at the moment.

Edited by rikc, 22 January 2008 - 08:56 AM.

#11 rikc (Topic Starter, Member, 16 posts)

Hi

Sorry to keep bombarding you with messages. Just restarted the computer and all the icons are back! How weird. Will now do as you have suggested and post the log.

#12 rikc (Topic Starter, Member, 16 posts)

Hi Loophole

I can't seem to get a log from ComboFix. I have run it, but after it goes through the stages some more writing comes up which is too fast for me to read, and then all my icons disappear and the ComboFix box disappears and I am just left with the wallpaper again and have to restart my computer. By the way, I do disable my McAfee antivirus, but when ComboFix runs I get a box pop up saying it has found a suspicious script.

#13 loophole (Malware Expert, Retired Staff, 9,798 posts)

Sorry for the delay in your time of crisis.

If you open Task Manager and click File >> New Task (Run) and type explorer, will the desktop load?

#14 rikc (Topic Starter, Member, 16 posts)

Hi Loophole

Thanks for getting back to me.

My computer seems to be a bit temperamental at the moment. Sometimes it loads, sometimes it doesn't. Next time it happens I will try running explorer from Task Manager.

It has been loading OK the last few times, but as mentioned I can't seem to get ComboFix to complete and produce a log for me to post.
Any suggestions would be appreciated.

Thanks

#15 rikc (Topic Starter, Member, 16 posts)

Hi Loophole

Managed to run combofix. Here is the log


ComboFix 08-01-23.2 - rik 2008-01-24 10:20:58.10 - NTFSx86
Running from: C:\Documents and Settings\rik\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\iiiii.ini2
.
---- Previous Run -------
.
C:\WINDOW\cookies.ini
C:\WINDOW\system32\avniljlb.ini
C:\WINDOW\system32\bljlinva.dll
C:\WINDOW\system32\dnvcexfx.ini
C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\iiiii.ini2
C:\WINDOW\system32\lajkuoin.dll
C:\WINDOW\system32\txlwudpd.dll
C:\WINDOW\system32\xfxecvnd.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 11:48 . 2008-01-24 11:51 320 --ahs---- C:\WINDOW\system32\iiiii.ini
2008-01-20 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOW\NirCmd.exe
2008-01-18 10:35 . 2008-01-18 10:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 19:09 . 2008-01-16 19:09 1 --a------ C:\WINDOW\system32\rc.dat
2008-01-16 19:09 . 2008-01-16 19:09 1 --a------ C:\WINDOW\system32\ps1.dat
2008-01-16 19:08 . 2008-01-16 19:08 52,224 --a------ C:\WINDOW\system32\halifax2.dll
2008-01-12 10:51 . 2008-01-12 10:51 <DIR> d-------- C:\WINDOW\LastGood
2008-01-11 20:49 . 2008-01-11 20:49 51,712 --a------ C:\WINDOW\system32\halifax1.dll
2008-01-03 07:54 . 2002-08-29 03:41 286,720 --a------ C:\WINDOW\system32\msh263.drv
2008-01-03 07:54 . 2002-08-29 03:41 49,664 --a------ C:\WINDOW\system32\vfwwdm32.dll
2008-01-03 07:54 . 2001-08-17 22:36 45,568 --a------ C:\WINDOW\system32\iyuv_32.dll
2008-01-03 07:54 . 2001-08-17 22:36 8,192 --a------ C:\WINDOW\system32\tsbyuv.dll
2008-01-03 07:53 . 2004-11-24 11:29 647,333 --a------ C:\WINDOW\system32\drivers\Capt905c.sys
2008-01-03 07:53 . 2004-05-07 15:31 24,382 --a------ C:\WINDOW\system32\drivers\Camd905c.sys
2007-12-31 16:45 . 2007-12-31 16:45 93 --a------ C:\WINDOW\wininit.ini
2007-12-31 09:50 . 2007-05-30 12:10 10,872 --a------ C:\WINDOW\system32\drivers\AvgAsCln.sys
2007-12-31 09:00 . 2007-12-31 09:07 <DIR> d-------- C:\WINDOW\LastGood.Tmp
2007-12-27 15:42 . 2007-12-27 15:42 314,752 --a------ C:\WINDOW\system32\iiiii.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 07:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 21:11 --------- d-----w C:\Program Files\Oberon Media
2007-12-31 14:17 --------- d-----w C:\Program Files\Lavasoft
2007-12-23 21:34 314,624 ----a-w C:\WINDOW\system32\qopnk.dll
2007-12-09 00:58 23,728 ----a-w C:\WINDOW\system32\vtuvwuu.dll
2007-11-26 16:52 --------- d-----w C:\Program Files\QuickTime
2007-05-28 11:55 576 ----a-w C:\Program Files\userdata.dat
2007-05-28 11:55 176 ----a-w C:\Program Files\log.txt
2007-02-05 20:00 88 --sh--r C:\WINDOW\system32\D36C1C2D64.sys
2007-02-05 20:00 2,516 --sha-w C:\WINDOW\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_ 8.40.16.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 08:02:40 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 10:01:17 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 08:02:40 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 10:01:17 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 08:02:40 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 10:01:18 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 08:02:40 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 10:01:18 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 08:02:40 3,207,168 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 10:01:19 3,207,168 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 08:02:41 110,592 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 10:01:19 110,592 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-20 06:46:22 16,384 -c--a-w C:\WINDOW\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-23 21:06:51 16,384 -c--a-w C:\WINDOW\system32\config\systemprofile\Cookies\index.dat
- 2008-01-20 06:46:22 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-23 21:06:51 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-20 06:46:22 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-23 21:06:51 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-20 08:03:16 262,144 ----a-w C:\WINDOW\system32\config\systemprofile\ntuser.dat
+ 2008-01-24 10:02:00 262,144 ----a-w C:\WINDOW\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28C703D0-B4A9-4b2f-9123-CE8294761861}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2BD1E58-5C0D-47B4-9485-906C10256702}]
2007-12-27 15:42 314752 --a------ C:\WINDOW\System32\iiiii.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOW\System32\ctfmon.exe" [2002-08-30 04:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-02-22 16:18 1302528]
"PowerBar"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MPFEXE"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00 1005096]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 13:31 296488]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 15:16 1121792]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"BigDogPath"="C:\WINDOW\VM_STI.exe" [2004-12-15 18:01 40960]
"NeroFilterCheck"="C:\WINDOW\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-26 16:52 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"adiras"="adiras.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOW\System32\CTFMON.EXE" [2002-08-30 04:00 13312]

C:\Documents and Settings\Rik.TRUDI.000\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 23:00:00 111376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuvu]
vtuvuvu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOW\System32\iiiii.dll

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 11:48:15 C:\WINDOW\Tasks\RegCure Program Check.job"
- C:\Documents and Settings\rik\Desktop\RegCure\RegCure.exe
"2008-01-03 03:00:00 C:\WINDOW\Tasks\RegCure.job"
- C:\Documents and Settings\rik\Desktop\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 11:51:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOW\system32\lsass.exe [5.01.2600.1106]
-> C:\WINDOW\System32\iiiii.dll

PROCESS: C:\WINDOW\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOW\System32\iiiii.dll
.
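As an added triage example (not code from the thread or from ComboFix), this Python script reads the entries quoted from the log above, flags the non-default LSA authentication package and the Winlogon Notify DLL, and correlates them with the DLLs ComboFix reports loaded inside lsass.exe and Explorer.EXE. The category names and the msv1_0-only baseline are the script's own assumptions.

```python
# Added example, not part of the thread. LOG_EXCERPT is copied from the
# ComboFix log posted above (Reg Loading Points and loaded-DLL sections).
LOG_EXCERPT = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\vtuvuvu]
vtuvuvu.dll

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOW\\System32\\iiiii.dll

PROCESS: C:\\WINDOW\\system32\\lsass.exe [5.01.2600.1106]
-> C:\\WINDOW\\System32\\iiiii.dll

PROCESS: C:\\WINDOW\\Explorer.EXE [6.00.2800.1106]
-> C:\\WINDOW\\System32\\iiiii.dll
"""

# Assumed baseline: msv1_0 is the only authentication package on a stock XP box.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
PERSISTENCE = {"lsa_auth_package", "winlogon_notify"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (category, detail) findings in the order they appear in the log."""
    findings, current_key, process = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()          # registry key header
        elif line.startswith("PROCESS:"):
            process = basename(line.split()[1])        # e.g. lsass.exe
        elif line.startswith("->"):
            # A DLL loaded in a process that also matches a persistence finding.
            dll = basename(line[2:].strip())
            if any(basename(v) == dll for c, v in findings if c in PERSISTENCE):
                findings.append(("loaded_in", f"{dll} -> {process}"))
        elif current_key.endswith("\\control\\lsa") and line.startswith("Authentication Packages"):
            # Tokens after the value type are the package list (paths with spaces
            # would need smarter splitting than this).
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        elif "\\winlogon\\notify\\" in current_key:
            # ComboFix hides legitimate defaults, so any DLL listed here is non-default.
            findings.append(("winlogon_notify", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(LOG_EXCERPT):
        print(f"{category:17} {detail}")
```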