Continuous pop-ups and being prompted out of active window


Bastage (Thread Starter; joined Oct 27, 2007; 8 messages):
Logfile of HijackThis v1.99.1
Scan saved at 11:55:12 AM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\blaeapcn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ryda\My Documents\Scanners\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mtgwxmnq.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\ohgnkwdj.dll",b
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\blaeapcn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

.........................................

This is my log file... I'm pretty sure it's
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mtgwxmnq.dll
that is causing my problem, but I'm lost as to how to correct it... I have shut down all running processes, even Explorer, checked the problem and selected Fix, but it still remains.

Any help with this would be greatly appreciated.
 
Reply from a forum helper (joined Oct 3, 2007; 1,164 messages):
Howdy Bastage,

Welcome to TSG. Infection is here, and the system also has SpyNoMore, which has been listed here in the past, so it is perhaps not considered a keeper as far as protective software goes. You can uninstall this through Add/Remove Programs at this time.


Then Disable Spyware Doctor, as it may interfere with repairs.

1. Open Spyware Doctor
2. Click on the 'Settings' button on the left hand panel
3. Then click on the 'Startup Settings' under 'Pick a Category'
4. Uncheck the box on the right that says 'Run at Windows Startup'

Be sure to temporarily disable all other protective software when doing these next steps.

Download a new copy from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-------------------------------

Also Download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.


Then post back a new HijackThis log, along with the combofix.txt and rapport.txt logs please.
 

Bastage (Thread Starter):
Can't seem to get ComboFix to do a full analysis... after the prompt that a new window will appear to complete the disinfection, I get an error in the second command window stating *sed is not a batch file, etc. etc. ...

This is the rapport:
SmitFraudFix v2.242

Scan done at 11:46:58.56, 2007-10-29
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

This is my current HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:51, on 2007-10-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ryda\My Documents\Scanners\scanner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7E0C533C-7E7F-4AE2-AE2C-36DEEF56A833} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\tuvusqo.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\xgyfgbdd.dll",b
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: mtgwxmnq - mtgwxmnq.dll (file missing)
O20 - Winlogon Notify: tuvusqo - C:\WINDOWS\SYSTEM32\tuvusqo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Any further help would be greatly appreciated.
 

Bastage (Thread Starter):
Here is the exact message from the 2nd command window:
'sed' is not recognized as an internal or external command, operable program or batch file.
 

Bastage (Thread Starter):
OK, apologies for the mix-up, but after running it a few times I got it, I think.

ComboFix 07-10-29.1 - Ryda 2007-10-29 11:56:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1548 [GMT -5:00]
Running from: C:\Documents and Settings\Ryda\My Documents\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\sfsync02.sys
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Ryda\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Ryda\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Ryda\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Ryda\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Ryda\err.log
C:\Documents and Settings\Ryda\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Ryda\My Documents\FNTS~1
C:\Documents and Settings\Ryda\My Documents\MBOLS~1
C:\Program Files\Common Files\{1420B~1
C:\Program Files\Common Files\{3420B~1
C:\Program Files\Common Files\{3420B~1\UnInstall.exe
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive5.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\Online Services\potef83122.dll
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\poolsv
C:\Program Files\racle~1
C:\Program Files\svhost
C:\Program Files\winpop
C:\RECYCLER\svchost.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\mcroso~1
C:\WINDOWS\retadpu.exe.bin
C:\WINDOWS\system32\aiotgbct.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cbeeg.tmp
C:\WINDOWS\system32\d3
C:\WINDOWS\system32\ddbgfygx.ini
C:\WINDOWS\system32\ddbgfygx.ini2
C:\WINDOWS\system32\f22
C:\WINDOWS\system32\f22\bc1224wv.exe
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\jdwkngho.ini
C:\WINDOWS\system32\jdwkngho.tmp
C:\WINDOWS\system32\mtgwxmnq.dllbox
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\ohgnkwdj.dll
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\oTt02e\oTt02e1065.exe
C:\WINDOWS\system32\oulxsrxv.dll
C:\WINDOWS\system32\p8
C:\WINDOWS\system32\p8\stallbb1.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pegwgksx.ini
C:\WINDOWS\system32\s2
C:\WINDOWS\system32\s2\EMDT83122.exe
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\uyvvtnqe.exe
C:\WINDOWS\system32\v1
C:\WINDOWS\system32\v1\bcb49ene.exe
C:\WINDOWS\system32\W1
C:\WINDOWS\system32\W2
C:\WINDOWS\system32\W3
C:\WINDOWS\system32\W4
C:\WINDOWS\system32\W5
C:\WINDOWS\system32\whlcqxby.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\xbmgudfh.exe
C:\WINDOWS\system32\xgyfgbdd.dll
C:\WINDOWS\system32\xskgwgep.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp
C:\WINDOWS\system32\ybxqclhw.ini
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\LEGACY_PRW76SKS
-------\LEGACY_SFSYNC02
-------\DomainService
-------\sfsync02


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\LEGACY_PRW76SKS
-------\LEGACY_SFSYNC02
-------\DomainService
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-29 11:47 842 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-29 11:46 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-29 11:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-29 11:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-29 11:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-29 11:46 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-29 11:21 589 --a------ C:\WINDOWS\system32\wpvworbo.dll
2007-10-29 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 02:09 34,816 --a------ C:\WINDOWS\system32\vtuttut.dll
2007-10-28 18:24 13,824 --a------ C:\WINDOWS\plite731.exe
2007-10-28 18:23 294,668 --a------ C:\WINDOWS\frexup2.exe
2007-10-27 12:10 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-27 11:45 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-10-27 11:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-26 19:25 34,816 --------- C:\WINDOWS\system32\tuvusqo.dll
2007-10-26 19:25 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-19 20:43 <DIR> d-------- C:\Program Files\SpeedFan
2007-10-19 17:20 <DIR> d-------- C:\Program Files\sunplus
2007-10-19 17:14 <DIR> d-------- C:\Program Files\Multimedia Transcoding Tool
2007-10-19 17:13 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-10-19 17:11 <DIR> d-------- C:\Program Files\Ringz Studio
2007-10-16 01:20 <DIR> d-------- C:\Program Files\support.com
2007-10-16 01:20 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-10-07 13:26 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\Ryda\My Games
2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Microsoft
2007-09-30 23:43 <DIR> d-------- C:\WINDOWS\system32\3Planesoft
2007-09-30 23:43 <DIR> d-------- C:\Program Files\3Planesoft Screensaver Manager
2007-09-30 23:43 6,708,736 --a------ C:\WINDOWS\system32\Ice Clock 3D Screensaver.exe
2007-09-30 23:43 883,712 --a------ C:\WINDOWS\system32\Ice_Clock_3D_Screensaver.scr
2007-09-30 23:43 385,024 --a------ C:\WINDOWS\system32\3Planesoft_Screensaver_Manager.scr
2007-09-30 23:37 3,698,688 --a------ C:\WINDOWS\system32\Sun 3D Screensaver.scr
2007-09-30 23:35 7,077,888 --a------ C:\WINDOWS\system32\Star Wars 3D Screensaver.scr
2007-09-30 23:33 7,078,912 --a------ C:\WINDOWS\system32\Space Tunnels 3D Screensaver.scr
2007-09-30 23:31 14,667,776 --a------ C:\WINDOWS\system32\Solar System 3D Screensaver.scr
2007-09-30 23:30 7,942,144 --a------ C:\WINDOWS\system32\Planet Earth 3D Screensaver.scr
2007-09-30 23:03 12,439,552 --a------ C:\WINDOWS\system32\Night City 3D Screensaver.scr
2007-09-30 23:01 10,301,440 --a------ C:\WINDOWS\system32\Winter 3D Screensaver.scr
2007-09-30 22:58 20,545,536 --a------ C:\WINDOWS\system32\3D Wild Dolphin Screensaver.scr
2007-09-30 22:57 10,366,976 --a------ C:\WINDOWS\system32\3D Waterfall Screensaver.scr
2007-09-30 22:54 722,944 --a------ C:\WINDOWS\system32\Sea Storm 3D Screensaver.scr
2007-09-30 22:51 8,724,480 --a------ C:\WINDOWS\system32\Sea Voyage 3D Screensaver.scr
2007-09-30 22:45 10,403,840 --a------ C:\WINDOWS\system32\Mountain Lake 3D Screensaver.scr
2007-09-30 22:43 <DIR> d-------- C:\Documents and Settings\Ryda\Application Data\TERMINAL Studio
2007-09-30 22:43 16,277,504 --a------ C:\WINDOWS\system32\Marine Life 3D Screensaver.scr
2007-09-30 22:43 92,216 --a------ C:\WINDOWS\system32\bass.dll
2007-09-30 22:41 5,222,400 --a------ C:\WINDOWS\system32\Lighthouse 3D Screensaver.scr
2007-09-30 22:39 8,773,632 --a------ C:\WINDOWS\system32\Japanese Garden 3D Screensaver.scr
2007-09-30 22:36 9,261,056 --a------ C:\WINDOWS\system32\Green Valley 3D Screensaver.scr
2007-09-30 22:30 4,751,360 --a------ C:\WINDOWS\system32\Forest Life 3D Screensaver.scr
2007-09-30 22:29 8,622,080 --a------ C:\WINDOWS\system32\Flower Clock 3D Screensaver.scr
2007-09-30 22:26 8,663,040 --a------ C:\WINDOWS\system32\Fish Aquarium 3D Screensaver.scr
2007-09-30 22:21 7,331,840 --a------ C:\WINDOWS\system32\3D Bungalow Aquarium Screensaver.scr
2007-09-30 22:19 21,061,632 --a------ C:\WINDOWS\system32\Golden Autumn 3D Screensaver.scr
2007-09-30 22:15 <DIR> d-------- C:\Program Files\screensavers
2007-09-30 22:15 <DIR> d-------- C:\Program Files\Astro Gemini Software
2007-09-30 22:15 15,486,976 --a------ C:\WINDOWS\system32\Atlantis 3D Screensaver.scr
2007-09-30 22:15 528,384 --a------ C:\WINDOWS\system32\Astro Gemini Screensaver Manager.scr
2007-09-30 16:02 6,986 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-09-30 16:01 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-09-30 15:53 <DIR> d-------- C:\Program Files\EA SPORTS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 17:06 81,186,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-29 17:06 129,920 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-29 17:06 1,373,728 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-29 17:06 1,079,444 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-29 03:26 --------- d-----w C:\Documents and Settings\Ryda\Application Data\uTorrent
2007-10-28 23:56 --------- d-----w C:\Program Files\Spyware Doctor
2007-10-27 11:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-21 21:49 --------- d-----w C:\Program Files\PhoTags Express
2007-10-19 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 22:13 --------- d-----w C:\Program Files\Media Player Classic
2007-10-19 22:13 --------- d-----w C:\Documents and Settings\Ryda\Application Data\Apple Computer
2007-10-19 22:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 22:11 --------- d-----w C:\Program Files\Common Files\Real
2007-10-15 23:44 --------- d-----w C:\Program Files\WoW
2007-09-30 22:57 --------- d-----w C:\Program Files\Viewpoint
2007-09-30 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-30 21:02 --------- d-----w C:\Program Files\Electronic Arts
2007-09-26 00:54 --------- d-----w C:\Program Files\MSN Messenger
2007-09-21 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2003-08-16 18:56:00 579,584 --sha-r C:\WINDOWS\system32\cd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
2007-10-26 19:25 34816 --------- C:\WINDOWS\system32\tuvusqo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 02:17]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"plite731"="C:\WINDOWS\plite731.exe" [2007-10-29 02:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-14 15:38:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2007-04-08 18:03 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 11:58 77824]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\tuvusqo.dll [2007-10-26 19:25 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-02-27 11:24 159744 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-29 03:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mtgwxmnq]
mtgwxmnq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusqo]
tuvusqo.dll 2007-10-26 19:25 34816 C:\WINDOWS\system32\tuvusqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134124099\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P and now I post my Hijack log]
C:\WINDOWS\system32\warez.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
C:\Program Files\MediaGateway\MediaGateway.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntdp]
C:\WINDOWS\system32\ntdp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Folder Hider Pro]
C:\Program Files\RS Secure Folder Hider Pro Full\sfhpf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skmsg]
C:\WINDOWS\system32\skmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\DOCUME~1\Ryda\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTray]
C:\Program Files\paytime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wisk]
C:\WINDOWS\system32\wisk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"EA Core"=C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SAClient"="C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe" /admincheck
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

R1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
S1 SABDIFSV;SABDIFSV;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS
S3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
S3 CA500AI;Chameleon XP Digital Camera;C:\WINDOWS\system32\Drivers\LG_BULK.sys
S3 CA500AV;Chameleon XP Video Camera;C:\WINDOWS\system32\DRIVERS\CA500AV.SYS
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys
S4 EvenSystems;EvenSystems;c:\Recycler\svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\Autorun\UbiAutorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 22:26:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 12:09:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-29 12:13:25 - machine was rebooted
.
--- E O F ---
 
Joined
Oct 3, 2007
Messages
1,164
Good you got that ComboFix going, and the logs are showing both a good bit removed and the seriousness of the infection remaining. There is a unique startup here that is being obscured by that Kaspersky setting - do you still have Kaspersky Internet Security 6.0 installed here? If so, we will need to get a way to surgically remove what right now is a hidden registry entry.
 

Bastage

Thread Starter
Joined
Oct 27, 2007
Messages
8
Yes, I have Kaspersky still installed but it is only active when I prompt it... I have been running it a lot so the analysis may have been produced after a reboot with Kaspersky... I'm still getting the occasional pop up and for some reason now my toolbar totally defaults every time I reboot now.
 
Joined
Oct 3, 2007
Messages
1,164
The system still is fairly infected. The question on Kaspersky is more an issue of how to swap out a registry key where infection appears to be "hiding next to" Kaspersky. If the change causes any issues we'll make a registry backup you can click/merge if needed to undo changes there. You have many startups disabled by different means there, especially msconfig. One item disabled is known to not only suggest attempts to download pirate software but is known to be installed when folks download illegal software (odd sense of humor by the bad guys). Suggests some of these problems are self-inflicted.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P and now I post my Hijack log]
C:\WINDOWS\system32\warez.exe



Make very sure all protective software is disabled while doing these steps - very high chance it will interfere with repairs there.


As you are about to make registry changes, you will need to backup the registry to have if needed. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup (not to a temp folder). Close the Registry Editor. Backup is just a sound precaution when making any registry changes.


Code:
Regedit4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it aifixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.
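The AppInit_DLLs surgery described above, as an added example that is not the helper's tool or any code from this thread: a Python script that reads the AppInit_DLLs line exactly as ComboFix printed it, flags the entry the log rendered as empty, and generates the same delete-then-recreate .reg from an allowlist of trusted DLLs (the sample log lines, the allowlist, and all function names are assumptions made for this example).

```python
r"""Rebuild a suspicious AppInit_DLLs value from a ComboFix 'Reg Loading Points' line.

Added example, not the helper's tool.  ComboFix printed the value as

    "AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

The separator in front of the Kaspersky DLL means a first entry exists that the
log rendered as empty; that is the "hidden" entry the helper refers to.  The fix
mirrors the helper's aifixer.reg: delete the value, then recreate it with only
the DLLs on an allowlist, so every other loader slot disappears.
"""
from typing import List, Optional, Tuple

# Constructed sample: the two lines quoted from the ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
'''

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"

# Allowlist assumption for this example: only the Kaspersky hook DLL may load here.
KNOWN_GOOD = [r"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"]


def extract_appinit(log_text: str) -> Optional[str]:
    """Return the raw AppInit_DLLs value exactly as the log printed it, or None."""
    for line in log_text.splitlines():
        if line.startswith('"AppInit_DLLs"='):
            return line.split("=", 1)[1].strip()
    return None


def split_entries(raw: str) -> List[str]:
    """Split the value into entries.

    Windows separates AppInit_DLLs entries with spaces or commas; a quoted path
    keeps its spaces.  Runs of separators count once, but a separator at the very
    start yields an empty first entry so a blank (unrenderable) slot stays visible.
    """
    if raw == "":
        return []
    entries: List[str] = []
    buf, quoted, prev_sep = "", False, False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch in ", " and not quoted:
            if not prev_sep:
                entries.append(buf)
                buf = ""
            prev_sep = True
            continue
        else:
            buf += ch
        prev_sep = False
    if buf or not prev_sep:
        entries.append(buf)
    return entries


def triage(entries: List[str], allowlist: List[str]) -> Tuple[List[str], List[str]]:
    """Partition entries into allowlisted paths and everything else.

    Comparison is case-insensitive because NTFS paths and 8.3 short names are.
    An empty entry is reported explicitly rather than silently dropped.
    """
    allowed = {p.lower() for p in allowlist}
    good: List[str] = []
    suspect: List[str] = []
    for entry in entries:
        if entry == "":
            suspect.append("<empty entry>")
        elif entry.lower() in allowed:
            good.append(entry)
        else:
            suspect.append(entry)
    return good, suspect


def reg_escape(value: str) -> str:
    """Escape a string for a REGEDIT4 string value (backslashes and quotes)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_fixer_reg(key: str, keep: List[str]) -> str:
    """Produce the helper's two-step .reg: delete the value, then recreate it."""
    lines = [
        "REGEDIT4",
        "",
        f"[{key}]",
        '"AppInit_DLLs"=-',
        "",
        f"[{key}]",
        '"AppInit_DLLs"="' + ",".join(reg_escape(p) for p in keep) + '"',
        "",
    ]
    # .reg files are CRLF-terminated text
    return "\r\n".join(lines)


def main() -> None:
    raw = extract_appinit(SAMPLE_LOG)
    entries = split_entries(raw or "")
    good, suspect = triage(entries, KNOWN_GOOD)
    print("kept   :", good)
    print("flagged:", suspect)
    print(build_fixer_reg(APPINIT_KEY, good))


if __name__ == "__main__":
    main()
```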

-----------------------------

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KILLALL::
Driver::
EvenSystems
File::
C:\Program Files\paytime.exe
C:\winstall.exe
C:\WINDOWS\system32\wisk.exe
C:\WINDOWS\system32\ntdp.exe
C:\WINDOWS\system32\warez.exe
C:\WINDOWS\system32\wpvworbo.dll
C:\WINDOWS\system32\vtuttut.dll
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\windrv.sys
Folder::
c:\Recycler
C:\Program Files\Ringz Studio
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
"StormCodec_Helper"=-
"SNM"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMPack6"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mtgwxmnq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusqo] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skmsg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wisk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntdp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P and now I post my Hijack log]
Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.


Post back a new HijackThis log and the ComboFix.txt log please.
 

Bastage

Thread Starter
Joined
Oct 27, 2007
Messages
8
Sorry for the delay, appreciate your time and assistance with help... had some RL matters to attend to... here are my ComboFix & HijackThis logs

ComboFix 07-10-29.1 - Ryda 2007-11-03 16:12:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1532 [GMT -5:00]
Running from: C:\Documents and Settings\Ryda\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryda\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\paytime.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\ntdp.exe
C:\WINDOWS\system32\vtuttut.dll
C:\WINDOWS\system32\warez.exe
C:\WINDOWS\system32\windrv.sys
C:\WINDOWS\system32\wisk.exe
C:\WINDOWS\system32\wpvworbo.dll
C:\winstall.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Ryda\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Ryda\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Ryda\Favorites\Online Security Guide.lnk
C:\Program Files\Ringz Studio
C:\Program Files\Ringz Studio\Storm Codec\AviC.exe
C:\Program Files\Ringz Studio\Storm Codec\Codecs\aac_ps.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\atidvdv.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\CFLAC.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\CoreAVC.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\DmoDec.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\DVDNavExt.exe
C:\Program Files\Ringz Studio\Storm Codec\Codecs\dxr.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\empgdmx.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\FCZip.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_kerneldeint.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_liba52.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_libdts.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_realaac.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_samplerate.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_tremor.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\h264dec.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\languages\ffdshow.1033.en
C:\Program Files\Ringz Studio\Storm Codec\Codecs\languages\ffdshow.2052.sc
C:\Program Files\Ringz Studio\Storm Codec\Codecs\libavcodec.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\libmplayer.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\MACDec.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\MASource.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\mkunicode.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\mkx.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\mkzlib.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\mlcom.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\mp4.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\nvviddec.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\ogm.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\RLMPCDec.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\RMSplt.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\splitter.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\tomsmocomp_ff.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\TRLDRP6.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\TTASplt.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\TTL2Dec.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\VgmAudio.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\vgmbgr.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\VgmSplt.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\vgmv2k2.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\Vid1Dec.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\VSFilter.dll
C:\Program Files\Ringz Studio\Storm Codec\Codecs\xebdec.ax
C:\Program Files\Ringz Studio\Storm Codec\Codecs\xebnav.ax
C:\Program Files\Ringz Studio\Storm Codec\ebaylink.ico
C:\Program Files\Ringz Studio\Storm Codec\GSpot.exe
C:\Program Files\Ringz Studio\Storm Codec\GSpot25.dat
C:\Program Files\Ringz Studio\Storm Codec\keys.dat
C:\Program Files\Ringz Studio\Storm Codec\mplayerc.exe
C:\Program Files\Ringz Studio\Storm Codec\Plugins\nppl3260.dll
C:\Program Files\Ringz Studio\Storm Codec\Plugins\nppl3260.xpt
C:\Program Files\Ringz Studio\Storm Codec\Plugins\npqtplugin.dll
C:\Program Files\Ringz Studio\Storm Codec\Plugins\nprpjplug.dll
C:\Program Files\Ringz Studio\Storm Codec\Plugins\nsIQTScriptablePlugin.xpt
C:\Program Files\Ringz Studio\Storm Codec\Plugins\nsJSRealPlayerPlugin.xpt
C:\Program Files\Ringz Studio\Storm Codec\Plugins\QuickTimePlugin.class
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CFCharacterSetBitmaps.bitmap
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.Resources\CoreVideo.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.Resources\en.lproj\CoreVideoLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.Resources\zh_CN.lproj\CoreVideoLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QTCheck.ocx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QTPlugi0.ocx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.cpl
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.qts
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.Resources\QuickTime.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.Resources\zh_CN.lproj\QuickTimeLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.Resources\QuickTime3GPP.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.Resources\zh_CN.lproj\QuickTime3GPPLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.Resources\QuickTimeAudioSupport.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.Resources\zh_CN.lproj\QuickTimeAudioSupportLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.Resources\en.lproj\QuickTimeEssentialsLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.Resources\zh_CN.lproj\QuickTimeEssentialsLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.Resources\en.lproj\QuickTimeH264Localized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.Resources\QuickTimeH264.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.Resources\zh_CN.lproj\QuickTimeH264Localized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.Resources\en.lproj\QuickTimeInternetExtrasLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.Resources\QuickTimeInternetExtras.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.Resources\zh_CN.lproj\QuickTimeInternetExtrasLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.Resources\en.lproj\QuickTimeMPEG4Localized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.Resources\QuickTimeMPEG4.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.Resources\zh_CN.lproj\QuickTimeMPEG4Localized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.Resources\QuickTimeStreaming.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.Resources\zh_CN.lproj\QuickTimeStreamingLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.Resources\en.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.Resources\QuickTimeStreamingExtras.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.Resources\zh_CN.lproj\QuickTimeStreamingExtrasLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.Resources\en.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.Resources\QuickTimeVR.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.Resources\zh_CN.lproj\QuickTimeVRLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.qtx
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.Resources\en.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.qtr
C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.Resources\zh_CN.lproj\QuickTimeWebHelperLocalized.qtr
C:\Program Files\Ringz Studio\Storm Codec\stormicl.dll
C:\Program Files\Ringz Studio\Storm Codec\stormicl.txt
C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe
C:\Program Files\Ringz Studio\Storm Codec\uninst6.04.08.exe
c:\Recycler
c:\Recycler\S-1-5-18\desktop.ini
c:\Recycler\S-1-5-18\INFO2
c:\Recycler\S-1-5-21-735536637-386832627-3918677628-1006\desktop.ini
c:\Recycler\S-1-5-21-735536637-386832627-3918677628-1006\INFO2
c:\Recycler\S-1-5-21-735536637-386832627-3918677628-501\desktop.ini
c:\Recycler\S-1-5-21-735536637-386832627-3918677628-501\INFO2
C:\WINDOWS\cookies.ini
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\blyhanhs.ini
C:\WINDOWS\system32\blyhanhs.ini2
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\hjjlm.tmp
C:\WINDOWS\system32\iratuxpm.ini
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\mpkvsahj.ini
C:\WINDOWS\system32\mpkvsahj.ini2
C:\WINDOWS\system32\mpxutari.dll
C:\WINDOWS\system32\ounyjmph.exe
C:\WINDOWS\system32\qbmyreme.exe
C:\WINDOWS\system32\rickadnx.exe
C:\WINDOWS\system32\rxdvdctn.exe
C:\WINDOWS\system32\trkuqvei.dllbox
C:\WINDOWS\system32\windrv.sys
C:\WINDOWS\system32\wlbosshc.dll
C:\WINDOWS\system32\wpvworbo.dll
C:\WINDOWS\system32\yrwbilfo.ini
C:\WINDOWS\system32\yrwbilfo.ini2
C:\WINDOWS\system32\yrwbilfo.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_EVENSYSTEMS
-------\DomainService
-------\EvenSystems


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 16:11 81,472 --a------ C:\WINDOWS\system32\rnpqyfjb.dll
2007-11-03 16:08 87,616 --a------ C:\WINDOWS\system32\shnahylb.dll
2007-11-03 12:37 87,616 --a------ C:\WINDOWS\system32\gxakyqqh.dll
2007-11-03 12:28 87,616 --a------ C:\WINDOWS\system32\jhasvkpm.dll
2007-11-03 00:30 87,616 --a------ C:\WINDOWS\system32\oflibwry.dll
2007-11-03 00:24 87,616 --a------ C:\WINDOWS\system32\clktdbir.dll
2007-11-03 00:19 <DIR> d-------- C:\Documents and Settings\Ryda\Application Data\DAEMON Tools Pro
2007-11-03 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-03 00:17 340,032 --a------ C:\WINDOWS\system32\slwgsoxj.dll
2007-11-02 23:55 87,616 --------- C:\WINDOWS\system32\rlxqysnh.dll
2007-11-02 23:44 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2007-11-02 23:43 340,032 --a------ C:\WINDOWS\system32\knmuvssc.dll
2007-11-02 04:30 589 --a------ C:\WINDOWS\system32\uimsgoup.dll
2007-10-31 21:10 340,032 --a------ C:\WINDOWS\system32\nksyutmp.dll
2007-10-31 17:37 340,032 --a------ C:\WINDOWS\system32\wvbphgus.dll
2007-10-29 15:54 589 --a------ C:\WINDOWS\system32\xtfuajif.dll
2007-10-29 11:47 842 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-29 11:46 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-29 11:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-29 11:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-29 11:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-29 11:46 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-29 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 18:23 294,668 --a------ C:\WINDOWS\frexup2.exe
2007-10-27 12:10 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-27 11:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-19 20:43 <DIR> d-------- C:\Program Files\SpeedFan
2007-10-19 17:20 <DIR> d-------- C:\Program Files\sunplus
2007-10-19 17:14 <DIR> d-------- C:\Program Files\Multimedia Transcoding Tool
2007-10-19 17:13 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-10-16 01:20 <DIR> d-------- C:\Program Files\support.com
2007-10-16 01:20 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-10-07 13:26 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\Ryda\My Games
2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 21:22 83,593,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-03 21:21 1,407,520 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-03 21:19 134,048 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-03 21:19 1,120,580 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-03 20:58 --------- d-----w C:\Documents and Settings\Ryda\Application Data\uTorrent
2007-11-03 04:34 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-03 04:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 04:31 --------- d-----w C:\Program Files\TrojanHunter 4.7
2007-10-28 23:56 --------- d-----w C:\Program Files\Spyware Doctor
2007-10-27 11:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-21 21:49 --------- d-----w C:\Program Files\PhoTags Express
2007-10-19 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 22:13 --------- d-----w C:\Program Files\Media Player Classic
2007-10-19 22:13 --------- d-----w C:\Documents and Settings\Ryda\Application Data\Apple Computer
2007-10-19 22:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 22:11 --------- d-----w C:\Program Files\Common Files\Real
2007-10-15 23:44 --------- d-----w C:\Program Files\WoW
2007-10-01 05:08 --------- d-----w C:\Program Files\screensavers
2007-10-01 04:43 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2007-10-01 04:03 --------- d-----w C:\Program Files\Astro Gemini Software
2007-10-01 03:43 --------- d-----w C:\Documents and Settings\Ryda\Application Data\TERMINAL Studio
2007-09-30 22:57 --------- d-----w C:\Program Files\Viewpoint
2007-09-30 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-30 21:02 --------- d-----w C:\Program Files\Electronic Arts
2007-09-30 20:53 --------- d-----w C:\Program Files\EA SPORTS
2007-09-26 00:54 --------- d-----w C:\Program Files\MSN Messenger
2007-09-21 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2003-08-16 18:56:00 579,584 --sha-r C:\WINDOWS\system32\cd.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-29_12.11.36.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-12-12 05:15:08 34,308 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-11-03 05:18:58 9,728 ----a-w C:\WINDOWS\system32\BASSMOD.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9dc02a5d-c7db-44cf-8576-b1f70900adee}]
2007-11-03 16:11 81472 --a------ C:\WINDOWS\system32\rnpqyfjb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"1420bae1"="C:\WINDOWS\system32\shnahylb.dll" [2007-11-03 16:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 08:08]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-14 15:38:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2007-04-08 18:03 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 11:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-02-27 11:24 159744 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-29 03:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\trkuqvei]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134124099\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
C:\Program Files\MediaGateway\MediaGateway.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Folder Hider Pro]
C:\Program Files\RS Secure Folder Hider Pro Full\sfhpf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\DOCUME~1\Ryda\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTray]
C:\Program Files\paytime.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"EA Core"=C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SAClient"="C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe" /admincheck
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

R1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
S1 SABDIFSV;SABDIFSV;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS
S3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
S3 CA500AI;Chameleon XP Digital Camera;C:\WINDOWS\system32\Drivers\LG_BULK.sys
S3 CA500AV;Chameleon XP Video Camera;C:\WINDOWS\system32\DRIVERS\CA500AV.SYS
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\Autorun\UbiAutorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 22:17:29 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 16:21:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 16:23:44 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-31 18:13
C:\ComboFix3.txt ... 2007-10-29 12:13
.
--- E O F ---
 

Bastage

Thread Starter
Joined
Oct 27, 2007
Messages
8
Wouldn't let me post both logs in 1 reply...

Logfile of HijackThis v1.99.1
Scan saved at 4:26:46 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ryda\My Documents\Scanners\scanner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: {eeda0090-7f1b-6758-fc44-bd7cd5a20cd9} - {9dc02a5d-c7db-44cf-8576-b1f70900adee} - C:\WINDOWS\system32\rnpqyfjb.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\shnahylb.dll",b
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: trkuqvei - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 
Joined
Oct 3, 2007
Messages
1,164
More hidden infection activity now showing, but still quite a bit to go. Looks like we are working against installed software there, and plenty of the recent infection activity centers around that DAEMON Tools Pro software. This sells for 35 Eu ($50 USD). Daemon's free version is known for bringing the WhenU adware/search hijacker install but not more than that. Is this a paid-for version?
 

Bastage

Thread Starter
Joined
Oct 27, 2007
Messages
8
It's the Pro Advanced version... don't think it is the demo or free version.
 
Joined
Oct 3, 2007
Messages
1,164
It has a startup key value, so be sure to open it and disable it, and if the option is there disable the startup for it as well. Also make sure to disable SpywareDoctor and SuperAntiSpyware for any steps we do here now.

Had been informed of that Anti-Blaxx software, showing here, in the past, and its use to bypass legit security settings to make unauthorized game/CD copies. I did a quick check on that - it uses a unique tool called SubInACL to literally change the ACEs (Access Control Entries - your registry security system) on any key it wants, and appears to create a temp user as well to perform its deeds, with the astute warning:

2. The use of Anti-Blaxx on own danger.

Now there is something I am sure to trust and install. This system also has many startups disabled through msconfig, and it appears perhaps SpyBot as well. To do a complete cleaning here at some point these will need to be re-enabled at least once, but not just yet.


Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it twofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry. You already created a registry backup to use if ever needed.

----------------------------------

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KILLALL::
File::
C:\WINDOWS\system32\rnpqyfjb.dll
C:\WINDOWS\system32\shnahylb.dll
C:\WINDOWS\system32\gxakyqqh.dll
C:\WINDOWS\system32\jhasvkpm.dll
C:\WINDOWS\system32\oflibwry.dll
C:\WINDOWS\system32\clktdbir.dll
C:\WINDOWS\system32\slwgsoxj.dll
C:\WINDOWS\system32\rlxqysnh.dll
C:\WINDOWS\system32\knmuvssc.dll
C:\WINDOWS\system32\uimsgoup.dll
C:\WINDOWS\system32\nksyutmp.dll
C:\WINDOWS\system32\wvbphgus.dll
C:\WINDOWS\system32\xtfuajif.dll
C:\WINDOWS\system32\mljjh.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9dc02a5d-c7db-44cf-8576-b1f70900adee}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1420bae1"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\trkuqvei]
Save this as "CFScript"

(include the "quotation marks" with the name)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------------------------

Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


Then post back a new HijackThis log, the ComboFix.txt log along with the Kaspersky log please.
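As an added example (not part of this thread, of HijackThis or of ComboFix), a small Python triage script that parses HijackThis 1.99.1 log lines like the ones posted above and flags the entry types the fix targets: Trusted Zone additions (O15), a BHO with no readable name (O2), a rundll32 autostart of a randomly named DLL (O4), a Winlogon Notify package with a random name or no file (O20), AppInit_DLLs, and services whose binary is missing (O23). The sample log is constructed from the posted entries, and the eight-lowercase-letter name test is a review heuristic, not a verdict.

```python
import re

# Constructed sample in HijackThis 1.99.1 format; the entries are taken from
# the log quoted in this thread, with one clean line per section for contrast.
SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: {eeda0090-7f1b-6758-fc44-bd7cd5a20cd9} - {9dc02a5d-c7db-44cf-8576-b1f70900adee} - C:\WINDOWS\system32\rnpqyfjb.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\shnahylb.dll",b
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: trkuqvei - C:\WINDOWS\
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
"""

# Heuristic only: eight random lowercase letters is the naming pattern of the
# DLLs in this thread (rnpqyfjb, shnahylb, trkuqvei). It is a review cue, not a verdict.
RANDOM_DLL = re.compile(r"[\\/]([a-z]{8})\.dll\b")
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
LINE = re.compile(r"^([ORFN]\d+) - (.*)$")  # e.g. "O4 - HKLM\..\Run: [...] ..."

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def flag_entries(entries):
    """Return (section, reason, body) for entries an analyst should look at first."""
    flags = []
    for sec, body in entries:
        reason = None
        if sec == "O15":
            reason = "site added to the IE Trusted Zone (relaxed security for that domain)"
        elif sec == "O2" and (body.startswith("BHO: {") or RANDOM_DLL.search(body)):
            reason = "BHO with no readable name or a randomly named DLL"
        elif sec == "O4" and "rundll32" in body.lower() and RANDOM_DLL.search(body):
            reason = "autostart via rundll32 of a randomly named DLL"
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
            if RANDOM_NAME.match(name.strip()) or path.strip().endswith("\\"):
                reason = "Winlogon Notify package with a random name or no file path"
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs set: every listed DLL loads into every GUI process"
        elif sec == "O23" and "(file missing)" in body:
            reason = "service whose binary is missing (leftover or tampered entry)"
        if reason:
            flags.append((sec, reason, body))
    return flags
```

Running `flag_entries(parse_hjt(SAMPLE_LOG))` on the sample leaves the PCTools BHO, the Logitech autostart and the Kaspersky klogon package unflagged and reports the other six lines.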
 