COMBOFIX LOG
ComboFix 08-03-20.5 - Administrator 2008-03-28 2:21:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\STEM32~1
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\mcroso~1\M?crosoft\
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM871a7e58.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\c2
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\drivers\wanarpp.sys
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pjhaijtm.ini
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\s7\gbsu011.exe
C:\WINDOWS\system32\uynpihuk.ini
C:\WINDOWS\system32\x3
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TNIDRIVER
-------\Legacy_WANARPP
-------\Service_TnIDriver
-------\Service_wanarpp
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.
2008-03-27 18:59 . 2004-08-04 02:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-27 18:59 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-27 18:59 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-27 18:59 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-21 12:40 . 2008-03-21 12:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-21 00:42 . 2008-03-21 00:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 00:40 . 2008-03-21 00:40 <DIR> d-------- C:\Deckard
2008-03-20 22:53 . 2008-03-20 23:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 22:53 . 2008-03-20 22:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-20 22:53 . 2008-03-20 22:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-20 22:53 . 2008-03-20 22:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-19 15:05 . 2008-03-19 15:05 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-18 17:15 . 2008-03-18 17:15 <DIR> d-------- C:\Program Files\NCH Software
2008-03-18 17:15 . 2008-03-18 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-03-18 17:14 . 2008-03-18 17:15 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-03-18 16:10 . 2008-03-18 16:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-03-18 16:10 . 2008-03-18 16:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-03-18 16:10 . 2008-03-25 22:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-18 16:10 . 2008-03-18 16:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-18 16:09 . 2008-03-18 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Research In Motion
2008-03-18 16:09 . 2008-03-25 22:02 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-18 16:03 . 2008-03-18 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-18 16:03 . 2008-03-18 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-18 16:00 . 2008-03-18 16:02 <DIR> d-------- C:\Program Files\Roxio
2008-03-18 16:00 . 2008-03-18 16:03 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-18 16:00 . 2008-03-18 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-18 15:59 . 2008-03-18 16:01 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-18 15:52 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-03-18 15:51 . 2008-03-18 15:51 <DIR> d-------- C:\Program Files\Research In Motion
2008-03-18 15:51 . 2008-03-18 15:51 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-03-13 18:07 . 2008-03-13 18:14 1,430,048 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-03-13 18:07 . 2008-03-13 18:15 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-03-13 18:02 . 2008-03-13 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-13 17:58 . 2008-03-13 17:58 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-03-13 17:58 . 2008-03-13 17:58 120,992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-03-13 17:58 . 2008-03-13 17:58 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-03-13 17:56 . 2008-03-13 17:56 <DIR> d-------- C:\Program Files\Seagate
2008-03-13 17:56 . 2008-03-13 17:57 <DIR> d-------- C:\Program Files\Common Files\Seagate
2008-03-13 17:27 . 2006-03-16 02:22 76,288 -ra------ C:\WINDOWS\system32\SilSupp.cpl
2008-03-13 17:27 . 2006-06-20 02:44 62,336 -ra------ C:\WINDOWS\system32\drivers\SI3112.sys
2008-03-13 17:27 . 2004-10-31 23:21 10,368 -ra------ C:\WINDOWS\system32\drivers\SiWinAcc.sys
2008-03-13 17:27 . 2006-04-17 22:49 5,504 -ra------ C:\WINDOWS\system32\drivers\SiRemFil.sys
2008-03-08 00:57 . 2008-03-08 00:57 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-08 00:57 . 2008-03-08 00:57 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-08 00:56 . 2008-03-08 00:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-08 00:56 . 2008-03-28 02:25 5,696,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-08 00:56 . 2008-03-28 02:25 109,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-08 00:56 . 2008-03-28 02:24 81,500 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-08 00:56 . 2008-03-28 02:24 13,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-08 00:19 . 2008-03-08 00:19 <DIR> d-------- C:\kav
2008-03-08 00:06 . 2008-03-28 02:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 23:59 . 2008-03-08 00:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-07 10:02 . 2008-03-07 22:34 474 --ahs---- C:\WINDOWS\system32\dkthaakb.ini
2008-03-06 09:50 . 2008-03-07 09:50 354 --ahs---- C:\WINDOWS\system32\jdyesqtp.ini
2008-03-05 09:47 . 2008-03-06 09:47 294 --ahs---- C:\WINDOWS\system32\mykenjrl.ini
2008-03-04 23:47 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-04 09:44 . 2008-03-04 20:25 414 --ahs---- C:\WINDOWS\system32\budrsdfn.ini
2008-02-29 20:34 . 2008-03-04 23:42 <DIR> d-------- C:\Program Files\FileASSASSIN
2008-02-29 19:00 . 2008-02-29 20:09 <DIR> d--hs---- C:\WINDOWS\TGV3aXMgVGFubmVy
2008-02-29 14:14 . 2008-03-01 22:34 <DIR> d-------- C:\WINDOWS\system32\DRIVERS2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 06:47 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-28 01:08 --------- d-----w C:\Program Files\SmartFTP
2008-03-27 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-21 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 05:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 03:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-18 21:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-08 19:54 --------- d-----w C:\Program Files\Pinnacle
2008-03-01 02:59 --------- d-----w C:\Program Files\SpamBayes
2008-03-01 02:59 --------- d-----w C:\Program Files\Real Alternative
2008-03-01 02:59 --------- d-----w C:\Program Files\Oriens Solution
2008-02-09 00:35 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-02-06 15:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 01:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-06 01:50 --------- d-----w C:\Program Files\Java Web Start
2008-02-06 01:50 --------- d-----w C:\Program Files\ICQ
2008-02-06 01:50 --------- d-----w C:\Program Files\FinePixViewer
2008-02-06 01:50 --------- d-----w C:\Program Files\AIM
2007-12-30 23:12 155 ----a-w C:\DelUS.bat
2004-01-30 23:23 60,816 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BB40A17-ABF6-46A3-9302-5DB7FCBF91E8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E339FBE-2E28-5CF9-0211-5200B7CEDABB}]
C:\WINDOWS\system32\mmknujsh.dll__SpybotSDDisabled
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556BA68-FA9F-40BF-9C2E-CE957DAF731C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69F08224-5FEC-446C-8FFE-15390F54C36A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E04D2EF7-7FC0-4902-94D6-512B6522DED1}]
C:\WINDOWS\system32\jkhfc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 17:50 921600 C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 19:36 227856]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24 1169744]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29 149024]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 17:50 4620288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec Network Driver Update Warning"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE" [2004-04-30 18:02 91256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcyyv]
gebcyyv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"84294dc4"=rundll32.exe "C:\WINDOWS\system32\kuhipnyu.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"84294dc4"=rundll32.exe "C:\WINDOWS\system32\kuhipnyu.dll",b
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"TraySantaCruz"=C:\WINDOWS\system32\tbctray.exe
"SNPSTD2"=C:\WINDOWS\vsnpstd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\ICQ\\Icq.exe"=
"C:\\Program Files\\Java\\j2re1.4.1_02\\bin\\javaw.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\iexplore.exe"=
"C:\\kav\\kav7\\setup.exe"=
R0 SI3112;SiI-3512 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys [2006-06-20 02:44]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 14:28]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-17 15:51]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2002-04-17 15:51]
R3 USBFVNETR;NETGEAR MA101 USB Adapter;C:\WINDOWS\system32\DRIVERS\ma101rndxp.sys [2002-02-28 07:12]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 iMSPQMn;iMSPQMn;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iMSPQMn.sys []
S3 RivaTuner;RivaTuner;C:\Program Files\RivaTuner\RivaTuner.sys []
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-03-22 22:31]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2002-03-21 20:44]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d30d56-b753-11dc-8817-00095b2880ef}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 07:25:15 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-03-28 02:25:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-28 2:27:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 07:27:33
.
2008-03-19 20:05:50 --- E O F ---
HijackThis log (via Deckard's System Scanner)
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-28 21:01:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:08 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss(3).exe
C:\DOCUME~1\ADMINI~1\Desktop\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://corner-carvers.com/forums/index.php?s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BB40A17-ABF6-46A3-9302-5DB7FCBF91E8} - (no file)
O2 - BHO: (no name) - {3E339FBE-2E28-5CF9-0211-5200B7CEDABB} - C:\WINDOWS\system32\mmknujsh.dll__SpybotSDDisabled (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6556BA68-FA9F-40BF-9C2E-CE957DAF731C} - (no file)
O2 - BHO: (no name) - {69F08224-5FEC-446C-8FFE-15390F54C36A} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {E04D2EF7-7FC0-4902-94D6-512B6522DED1} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone:
http://usa.kaspersky.com
O15 - Trusted Zone:
http://www.kaspersky.com
O15 - Trusted Zone:
http://*.kasperskyusa.com
O15 - Trusted Zone:
http://www.pandasecurity.com
O15 - Trusted Zone:
http://housecall65.trendmicro.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsu...?1130982446750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/micr...?1199056992937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: gebcyyv - gebcyyv.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 6836 bytes
-- Files created between 2008-02-28 and 2008-03-28 -----------------------------
2008-03-28 02:14:12 0 d-------- C:\cmdcons
2008-03-28 02:13:16 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-28 02:13:16 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-28 02:13:16 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-28 02:13:16 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-21 00:42:48 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 00:28:59 0 d-------- C:\WINDOWS\pss
2008-03-20 22:53:14 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-19 15:05:43 0 d-------- C:\Program Files\MSXML 6.0
2008-03-18 17:15:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-03-18 17:15:24 0 d-------- C:\Program Files\NCH Software
2008-03-18 17:14:48 0 d-------- C:\Program Files\NCH Swift Sound
2008-03-18 16:10:35 0 d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-03-18 16:10:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-03-18 16:09:47 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-18 16:09:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Research In Motion
2008-03-18 16:03:37 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-18 16:03:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-18 16:00:08 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-18 16:00:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-18 16:00:07 0 d-------- C:\Program Files\Roxio
2008-03-18 15:59:42 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-18 15:51:04 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-03-18 15:51:03 0 d-------- C:\Program Files\Research In Motion
2008-03-13 18:02:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-13 17:58:31 392320 --a------ C:\WINDOWS\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
2008-03-13 17:58:31 32768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
2008-03-13 17:56:52 0 d-------- C:\Program Files\Common Files\Seagate
2008-03-13 17:56:51 0 d-------- C:\Program Files\Seagate
2008-03-08 00:57:58 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-08 00:57:58 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-08 00:56:05 111136 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-08 00:56:05 5709344 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-08 00:56:03 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-08 00:19:55 0 d-------- C:\kav
2008-03-08 00:06:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 23:59:49 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-04 23:47:49 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-29 20:34:20 0 d-------- C:\Program Files\FileASSASSIN
2008-02-29 19:00:54 0 d--hs---- C:\WINDOWS\TGV3aXMgVGFubmVy
2008-02-29 14:14:47 0 d-------- C:\WINDOWS\system32\DRIVERS2
-- Find3M Report ---------------------------------------------------------------
2008-03-28 02:21:30 0 d-------- C:\Program Files\Common Files
2008-03-28 01:47:57 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-03-27 20:08:27 0 d-------- C:\Program Files\SmartFTP
2008-03-20 22:39:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-18 16:00:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 14:54:08 0 d-------- C:\Program Files\Pinnacle
2008-02-29 21:59:34 0 d-------- C:\Program Files\Real Alternative
2008-02-29 21:59:32 0 d-------- C:\Program Files\SpamBayes
2008-02-29 21:59:31 0 d-------- C:\Program Files\Oriens Solution
2008-02-06 10:14:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-05 20:50:32 0 d-------- C:\Program Files\Movie Maker
2008-02-05 20:50:31 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-05 20:50:30 0 d-------- C:\Program Files\messenger
2008-02-05 20:50:29 0 d-------- C:\Program Files\Java Web Start
2008-02-05 20:50:28 0 d-------- C:\Program Files\ICQ
2008-02-05 20:50:28 0 d-------- C:\Program Files\AIM
2008-02-05 20:50:27 0 d-------- C:\Program Files\FinePixViewer
2007-12-30 18:12:09 155 --a------ C:\DelUS.bat
2007-12-30 16:26:20 4 --a------ C:\WINDOWS\vx86036.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BB40A17-ABF6-46A3-9302-5DB7FCBF91E8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E339FBE-2E28-5CF9-0211-5200B7CEDABB}]
C:\WINDOWS\system32\mmknujsh.dll__SpybotSDDisabled
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556BA68-FA9F-40BF-9C2E-CE957DAF731C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69F08224-5FEC-446C-8FFE-15390F54C36A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E04D2EF7-7FC0-4902-94D6-512B6522DED1}]
C:\WINDOWS\system32\jkhfc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [10/29/2004 05:50 PM C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 07:36 PM]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [04/19/2007 09:24 PM]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [04/19/2007 09:38 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [04/19/2007 09:29 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/29/2004 05:50 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec Network Driver Update Warning"=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcyyv]
gebcyyv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"84294dc4"=rundll32.exe "C:\WINDOWS\system32\kuhipnyu.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"84294dc4"=rundll32.exe "C:\WINDOWS\system32\kuhipnyu.dll",b
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"TraySantaCruz"=C:\WINDOWS\system32\tbctray.exe
"SNPSTD2"=C:\WINDOWS\vsnpstd2.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d30d56-b753-11dc-8817-00095b2880ef}]
AutoRun\command- E:\setupSNK.exe
-- End of Deckard's System Scanner: finished at 2008-03-28 21:02:40 ------------
After running ComboFix, I haven't had any more pop-ups, but my C: drive still shows a red X next to it in Windows Explorer, and I got an error while running DSS ("invalid procedure call"). It appeared to complete and produce its log anyway, though.
Thanks for your help with this! Sorry if I'm slow to respond — my wife just had our first child on Monday, so I'm not always able to check back in on this problem.