Kicks

I had problems for a while, then got help here and everything was working fairly well. Every once in a while, there'd be a popup or two. Then my comp started slowing down tons randomly--like for 30 seconds i couldn't do anything then for 5-10 seconds i could do stuff, then it'd start back to 30 not being able to do anything. Then like a day later I started up my computer and my desktop was blank. So now I don't have a desktop literally just the wallpaper, no start menu or status bar or anything. Now I have to start programs, and access files, etc through task manager. I did most of the steps in the tutorial on this site, but couldnt do some of it because some programs won't start.
Here's my log with the extra log as an attachment...

Deckard's System Scanner v20070426.43
Run by Ocha on 2007-05-08 at 20:53:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
48: 2007-05-09 02:53:32 UTC - RP1432 - Deckard's System Scanner Restore Point
47: 2007-05-05 06:49:40 UTC - RP1431 - Spybot-S&D Spyware removal
46: 2007-05-04 22:33:58 UTC - RP1430 - Installed AVG 7.5
45: 2007-05-04 20:34:38 UTC - RP1429 - Installed AVG 7.5
44: 2007-05-04 20:33:48 UTC - RP1428 - Removed AVG 7.5


-- First Restore Point --
1: 2007-03-21 05:33:15 UTC - RP1385 - Spybot-S&D Spyware removal


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Ocha.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:01:29 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ocha\Desktop\dss.exe
C:\DOCUME~1\Ocha\Desktop\Ocha.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20C18254-E44C-468D-B564-C0C80AABF138} - C:\WINDOWS\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {B2BCD0D0-480D-4ADE-B1D4-2E64DE0AB339} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\opadrygv.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163648224296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O20 - Winlogon Notify: hggghhi - C:\WINDOWS\SYSTEM32\hggghhi.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: rqrqnkh - C:\WINDOWS\SYSTEM32\rqrqnkh.dll
O20 - Winlogon Notify: rqrqrsp - C:\WINDOWS\SYSTEM32\rqrqrsp.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\lt0027dmg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S2 poof - c:\windows\system32\poof (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 kprof - c:\windows\system32\kprof (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-08 21:02:00 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (D6FYH341-Ocha).job
2007-05-03 02:01:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-04-08 and 2007-05-08 -----------------------------

2007-05-08 20:46:39 0 d-------- C:\WINDOWS\LastGood
2007-05-04 16:35:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\AVG7
2007-05-04 16:34:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-04 16:34:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-04 14:34:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-05-04 02:07:44 1397965 ---hs---- C:\WINDOWS\system32\ihkmp.bak1
2007-05-04 02:07:31 284244 ---hs---- C:\WINDOWS\system32\pmkhi.dll
2007-05-04 00:19:40 1404852 --ahs---- C:\WINDOWS\system32\accdd.ini2
2007-05-04 00:00:11 132660 --a------ C:\WINDOWS\system32\wgqqfxwu.dll
2007-05-03 23:59:40 49204 --a------ C:\WINDOWS\system32\yaahaabj.dll
2007-05-03 23:58:33 48708 --a------ C:\WINDOWS\system32\mykeicfv.dll
2007-05-03 23:58:24 123972 --a------ C:\WINDOWS\system32\lhreegfk.dll
2007-05-03 23:24:41 132660 --a------ C:\WINDOWS\system32\yvtamght.dll
2007-05-03 23:24:35 49204 --a------ C:\WINDOWS\system32\tbtpbhwg.dll
2007-05-02 23:24:24 49204 --a------ C:\WINDOWS\system32\xrpnujna.dll
2007-05-02 23:24:04 123972 --a------ C:\WINDOWS\system32\rddaupcq.dll
2007-05-02 00:39:19 132660 --a------ C:\WINDOWS\system32\qjteiteg.dll
2007-05-01 19:01:36 49204 --a------ C:\WINDOWS\system32\ybbdmdyh.dll
2007-05-01 15:17:16 132660 --a------ C:\WINDOWS\system32\uwncsdug.dll
2007-05-01 15:13:33 64000 --a------ C:\WINDOWS\system32\tzwtfke.dll
2007-05-01 15:13:33 86528 --a------ C:\WINDOWS\system32\rifakdn.dll
2007-05-01 15:13:23 26678 --a------ C:\WINDOWS\system32\mljiigg.dll
2007-05-01 13:18:15 49204 --a------ C:\WINDOWS\system32\uwcvlbvk.dll
2007-05-01 12:01:14 26678 --a------ C:\WINDOWS\system32\jkkklmk.dll
2007-05-01 03:06:41 49204 --a------ C:\WINDOWS\system32\uapxpolu.dll
2007-04-30 20:26:23 132660 --a------ C:\WINDOWS\system32\ndkpqqdm.dll
2007-04-30 03:06:02 49204 --a------ C:\WINDOWS\system32\kjomwogi.dll
2007-04-30 00:20:59 132660 --a------ C:\WINDOWS\system32\wdtglthu.dll
2007-04-29 14:38:02 49204 --a------ C:\WINDOWS\system32\qxctnxpm.dll
2007-04-28 15:48:18 132660 --a------ C:\WINDOWS\system32\rxxlucql.dll
2007-04-28 15:16:40 49204 --a------ C:\WINDOWS\system32\ydefqvoy.dll
2007-04-28 13:49:04 49204 --a------ C:\WINDOWS\system32\blhayobg.dll
2007-04-28 13:32:31 49204 --a------ C:\WINDOWS\system32\tpqnriqt.dll
2007-04-28 13:32:24 132660 --a------ C:\WINDOWS\system32\intpbbjn.dll
2007-04-27 13:32:11 49204 --a------ C:\WINDOWS\system32\degbqpbb.dll
2007-04-26 13:31:47 49204 --a------ C:\WINDOWS\system32\bgialedu.dll
2007-04-26 13:30:45 132660 --a------ C:\WINDOWS\system32\reitfvrx.dll
2007-04-25 13:18:16 53248 --a------ C:\WINDOWS\system32\bbdacadfbcebcd.dll
2007-04-25 13:17:59 26678 --a------ C:\WINDOWS\system32\ljjijji.dll
2007-04-25 13:17:55 86528 --a------ C:\WINDOWS\system32\zpcxcyc.dll
2007-04-25 13:17:55 63488 --a------ C:\WINDOWS\system32\cpiicbc.dll
2007-04-25 13:08:41 132660 --a------ C:\WINDOWS\system32\wshvhhdn.dll
2007-04-24 13:08:21 123972 --a------ C:\WINDOWS\system32\yxtfddyi.dll
2007-04-23 13:08:01 123972 --a------ C:\WINDOWS\system32\kgasnsap.dll
2007-04-22 13:08:01 123972 --a------ C:\WINDOWS\system32\gedvaeuy.dll
2007-04-21 13:07:52 123972 --a------ C:\WINDOWS\system32\eemhwsft.dll
2007-04-20 12:01:11 123972 --a------ C:\WINDOWS\system32\earecjiy.dll
2007-04-19 13:10:53 123972 --a------ C:\WINDOWS\system32\kfuvyklj.dll
2007-04-18 10:41:49 123972 --a------ C:\WINDOWS\system32\wqwckotc.dll
2007-04-18 10:41:43 48708 --a------ C:\WINDOWS\system32\hhmedaaa.dll
2007-04-17 16:32:56 123972 --a------ C:\WINDOWS\system32\tpoijgkk.dll
2007-04-17 16:32:49 48708 --a------ C:\WINDOWS\system32\ncpgaiet.dll
2007-04-17 13:46:53 123972 --a------ C:\WINDOWS\system32\jnmagthi.dll
2007-04-17 13:46:45 48708 --a------ C:\WINDOWS\system32\sixaqihu.dll
2007-04-16 12:55:24 48708 --a------ C:\WINDOWS\system32\wwvbnrpm.dll
2007-04-16 12:55:17 123972 --a------ C:\WINDOWS\system32\mtcwufve.dll
2007-04-15 12:55:20 48708 --a------ C:\WINDOWS\system32\lqlhgjse.dll
2007-04-15 12:55:10 123972 --a------ C:\WINDOWS\system32\kgsrqhvx.dll
2007-04-14 12:55:03 123972 --a------ C:\WINDOWS\system32\icyakemp.dll
2007-04-14 12:54:56 48708 --a------ C:\WINDOWS\system32\yjfdfpuc.dll
2007-04-14 03:58:25 0 d-------- C:\Program Files\GUILTY GEAR XX #RELOAD
2007-04-13 12:54:53 123972 --a------ C:\WINDOWS\system32\aerusvyq.dll
2007-04-13 12:54:48 48708 --a------ C:\WINDOWS\system32\gifjtttp.dll
2007-04-12 12:54:32 48708 --a------ C:\WINDOWS\system32\htluklhh.dll
2007-04-12 12:54:22 123972 --a------ C:\WINDOWS\system32\sjoveprq.dll
2007-04-11 12:54:17 123972 --a------ C:\WINDOWS\system32\nxuhjguy.dll
2007-04-11 12:54:14 48708 --a------ C:\WINDOWS\system32\kcnwgirq.dll
2007-04-10 12:54:45 48708 --a------ C:\WINDOWS\system32\wlglbagg.dll


-- Find3M Report ---------------------------------------------------------------

2007-05-03 23:59:38 1407118 --ahs---- C:\WINDOWS\system32\accdd.bak2
2007-05-03 23:24:29 1406912 --ahs---- C:\WINDOWS\system32\accdd.bak1
2007-05-03 13:01:21 0 d-------- C:\Documents and Settings\Ocha\Application Data\WeatherBug
2007-05-03 11:41:30 13358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-03 11:37:35 0 d-------- C:\Program Files\WAV to MP3 Encoder
2007-05-01 15:13:44 32179 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-04-26 19:44:01 0 d-------- C:\Program Files\mIRC
2007-04-25 13:12:37 0 d-------- C:\Documents and Settings\Ocha\Application Data\uTorrent
2007-04-05 01:52:52 123972 --a------ C:\WINDOWS\system32\mhorooet.dll
2007-04-03 23:50:12 123972 --a------ C:\WINDOWS\system32\wjsqitew.dll
2007-04-02 23:50:00 123972 --a------ C:\WINDOWS\system32\wlhjlhkf.dll
2007-03-31 23:50:04 123972 --a------ C:\WINDOWS\system32\ptrdwkfn.dll
2007-03-30 18:20:32 123972 --a------ C:\WINDOWS\system32\dkfwuaaq.dll
2007-03-29 18:20:20 123972 --a------ C:\WINDOWS\system32\olhgvblf.dll
2007-03-29 15:23:46 26730 --a------ C:\WINDOWS\system32\hggghhi.dll
2007-03-28 21:53:39 26694 --a------ C:\WINDOWS\system32\rqrqrsp.dll
2007-03-28 21:53:36 86016 --a------ C:\WINDOWS\system32\ywdlat.dll
2007-03-28 21:53:36 63488 --a------ C:\WINDOWS\system32\xgokgxl.dll
2007-03-28 21:00:21 26730 --a------ C:\WINDOWS\system32\opnollk.dll
2007-03-28 18:20:27 123972 --a------ C:\WINDOWS\system32\wfuefcro.dll
2007-03-28 15:51:51 88340 --a------ C:\WINDOWS\system32\crhbthsg.exe
2007-03-28 12:08:32 26730 --a------ C:\WINDOWS\system32\ddcddee.dll
2007-03-27 18:25:04 26730 --a------ C:\WINDOWS\system32\iifdbby.dll
2007-03-27 18:24:55 26730 --a------ C:\WINDOWS\system32\hggeedc.dll
2007-03-27 18:19:56 123972 --a------ C:\WINDOWS\system32\pkqsgdhv.dll
2007-03-25 13:37:48 123972 --a------ C:\WINDOWS\system32\ktjbojyx.dll
2007-03-24 13:37:15 123972 --a------ C:\WINDOWS\system32\ihcktuhl.dll
2007-03-23 11:48:49 0 d-------- C:\Program Files\Windows Media Connect 2
2007-03-23 11:38:08 123972 --a------ C:\WINDOWS\system32\bwsospkg.dll
2007-03-21 20:42:38 123412 --a------ C:\WINDOWS\system32\kssvunku.dll
2007-03-21 01:41:55 81408 --a------ C:\WINDOWS\system32\qvcjvfj.dll
2007-03-21 01:41:43 26697 --a------ C:\WINDOWS\system32\wvuroml.dll
2007-03-21 00:08:42 123412 --a------ C:\WINDOWS\system32\upbjulrs.dll
2007-03-20 23:49:53 88340 --a------ C:\WINDOWS\system32\cblnaujn.exe
2007-03-19 17:08:20 123412 --a------ C:\WINDOWS\system32\kvcubxfj.dll
2007-03-19 09:43:19 81920 --a------ C:\WINDOWS\system32\clhrzsb.dll
2007-03-19 02:56:24 123412 --a------ C:\WINDOWS\system32\itavxogk.dll
2007-03-18 13:39:32 88340 --a------ C:\WINDOWS\system32\tbhiovre.exe
2007-03-17 22:27:53 123412 --a------ C:\WINDOWS\system32\dxrnigeu.dll
2007-03-17 20:15:28 123412 --a------ C:\WINDOWS\system32\tytkvwbo.dll
2007-03-16 04:55:24 123412 --a------ C:\WINDOWS\system32\mtsuaxsi.dll
2007-03-14 14:56:20 123412 --a------ C:\WINDOWS\system32\mbcepkum.dll
2007-03-14 14:38:19 81408 --a------ C:\WINDOWS\system32\dntopsd.dll
2007-03-14 14:36:34 88340 --a------ C:\WINDOWS\system32\xxfmnjel.exe
2007-03-13 20:11:43 80896 --a------ C:\WINDOWS\system32\phyeppn.dll
2007-03-13 18:45:35 123412 --a------ C:\WINDOWS\system32\pojaqrhe.dll
2007-03-12 18:44:58 88340 --a------ C:\WINDOWS\system32\llspecey.exe
2007-03-12 14:39:02 81408 --a------ C:\WINDOWS\system32\nwqajmf.dll
2007-03-12 14:36:58 88340 --a------ C:\WINDOWS\system32\jpuiilem.exe
2007-03-12 03:11:47 81408 --a------ C:\WINDOWS\system32\qeeddch.dll
2007-03-12 01:51:18 123412 --a------ C:\WINDOWS\system32\mjgajopn.dll
2007-03-12 01:20:30 0 d-------- C:\Program Files\Enigma Software Group
2007-03-12 01:12:43 88340 --a------ C:\WINDOWS\system32\tflieeyh.exe
2007-03-12 01:12:32 118804 --a------ C:\WINDOWS\system32\ihiurmnv.dll
2007-03-11 22:54:29 0 d-------- C:\Program Files\Ultimate Cleaner
2007-03-11 22:24:46 57344 --a------ C:\WINDOWS\system32\jgnxjbj.dll
2007-03-11 22:24:44 81408 --a------ C:\WINDOWS\system32\trdqsad.dll
2007-03-11 21:59:48 123412 --a------ C:\WINDOWS\system32\nnllxerx.dll
2007-03-11 21:46:22 123412 --a------ C:\WINDOWS\system32\yfoehcva.dll
2007-03-11 21:34:09 118804 --a------ C:\WINDOWS\system32\onpiilhh.dll
2007-03-11 20:45:23 123412 --a------ C:\WINDOWS\system32\pugltxxx.dll
2007-03-11 19:45:16 123412 --a------ C:\WINDOWS\system32\prmongnd.dll
2007-03-11 17:58:13 123412 --a------ C:\WINDOWS\system32\lnctgwjo.dll
2007-03-10 17:32:08 123412 --a------ C:\WINDOWS\system32\kdtrappr.dll
2007-03-08 16:36:17 123412 --a------ C:\WINDOWS\system32\djoyyajx.dll
2007-03-07 14:34:26 123412 --a------ C:\WINDOWS\system32\xeqtdwuj.dll
2007-03-06 18:20:45 123412 --a------ C:\WINDOWS\system32\ljrqvomj.dll
2007-03-06 17:49:08 118804 --a------ C:\WINDOWS\system32\apmkkqjo.dll
2007-03-05 17:48:57 118804 --a------ C:\WINDOWS\system32\ubjneqqv.dll
2007-03-04 22:22:53 0 --a------ C:\WINDOWS\winuk.dll
2007-03-04 22:22:37 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-03-04 22:22:33 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-03-04 22:22:05 0 --a------ C:\WINDOWS\test
2007-03-04 22:22:04 0 --a------ C:\WINDOWS\sysxr32.dll
2007-03-04 22:21:41 7473 --a------ C:\WINDOWS\plqca.dat
2007-03-04 22:21:38 3547 --a------ C:\WINDOWS\oncsc.dat
2007-03-04 22:21:38 0 --a----c- C:\WINDOWS\ofqd.exe
2007-03-04 22:21:34 0 --a----c- C:\WINDOWS\n_xdrfqf.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aqcvyu.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aakuom.dat
2007-03-04 22:21:33 0 --a----c- C:\WINDOWS\ntiy.dll
2007-03-04 22:21:32 335 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 22:21:32 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-03-04 22:21:31 0 --a----c- C:\WINDOWS\mstasks4.exe
2007-03-04 22:21:25 0 --a----c- C:\WINDOWS\mfqwx.dll
2007-03-04 22:21:24 0 --a----c- C:\WINDOWS\mfcca.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\javamf.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\javago32.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\ieli.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\hsyua.dll
2007-03-04 22:20:55 8192 --a------ C:\WINDOWS\d3dx.dat
2007-03-04 22:20:55 0 --a----c- C:\WINDOWS\crsk32.dll
2007-03-04 22:20:54 0 --a----c- C:\WINDOWS\crge32.dll
2007-03-04 22:19:32 0 --a----c- C:\WINDOWS\b2_t_%22NEKKETSU+KOUHA+KUNIO-KUN
2007-03-04 22:18:59 0 --a----c- C:\WINDOWS\apidx.dll
2007-03-04 17:48:50 118804 --a------ C:\WINDOWS\system32\cqphiukm.dll
2007-03-03 17:30:46 88340 --a------ C:\WINDOWS\system32\yirlujiu.exe
2007-03-03 17:30:40 118804 --a------ C:\WINDOWS\system32\dqtqfixt.dll
2007-03-03 17:13:41 26637 --ahs---- C:\WINDOWS\system32\rqrqnkh.dll
2007-03-03 17:13:25 81408 --a------ C:\WINDOWS\system32\ungpwhe.dll
2007-03-03 17:13:25 57344 --a------ C:\WINDOWS\system32\rqaatzc.dll
2007-03-03 17:13:17 20992 --a------ C:\WINDOWS\system32\winrvc32.dll
2007-03-03 17:13:06 2 --a------ C:\1145084210
2007-02-19 15:45:33 155648 --a------ C:\WINDOWS\system32\PoporuAgent.exe <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
2007-02-19 15:45:33 106496 --a------ C:\WINDOWS\system32\PoporuAgent.dll <Not Verified; (?) ?? ??????; ??? ?? ?? ????>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{20C18254-E44C-468D-B564-C0C80AABF138} C:\WINDOWS\system32\ddcca.dll [x]
{B2BCD0D0-480D-4ADE-B1D4-2E64DE0AB339} C:\WINDOWS\system32\pmkhi.dll
{E44527F6-1296-4A84-B67D-A6CEA6ED4B69} C:\WINDOWS\system32\hggghhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"VaCtrls"="v7"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\opadrygv.dll\",realset"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Sonic RecordNow!"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05}"=""
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqrsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Shell Extensions
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Shell Extentions
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bridge"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-08 at 21:03:41 ---------

Any help would be much appreciated. Thanks!
-K

Attached Files

extra.txt (11.5 KB, 1 views)

Kicks

My desktop is sorta working now... My comp got worse for a while, wouldn't start, and would shut down by itself, etc...
Is a little better since the beginning, but I'd like to make sure I can get rid of all my problems, then format my harddrive.
Please help if you can!
-K

tetonbob

If you format, all your problems should be resolved, assuming you save all data you want and have all drivers you need ahead of time. There would be no need to fix anything, as format, killdisk, and clean install means all is wiped from the disk.

This does, seem like a fixable situation, should you want to try to clean the machine and not format. However, there is sign of some backdoor infections, so you may want to format instead of cleaning. If you choose format, cleaning is really unneccessary.

If you decide you want to try to clean...here's what to do:

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------



Download combofix.exe to your desktop.


* IMPORTANT !!! Place it on your Desktop. We'll use this shortly.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.
• See this link for a tutorial

Run ComboFix

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe" /v winrvc32

When finished, it shall produce a log for you. Post that log in your next reply, at the end of this fix.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {20C18254-E44C-468D-B564-C0C80AABF138} - C:\WINDOWS\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - Startup: .protected
O4 - Global Startup: .protected
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\lt0027dmg.dll (file missing)

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Run HijackThis again, and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please post logs from:

ComboFix(C:\ComboFix.txt)
SmitfraudFix(C:\rapport.txt)
HJT

__________________

** PC Safety and Security--What Do I Need? **

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Kicks

Thanks for the help! I really appreciate this!! I couldn't delete
O4 - Startup: .protected
or
O4 - Global Startup: .protected
for both, HJT asked me to shut them down via task manager, then redo HJT, but I couldn't really get that to work. There was also a bunch of stuff that didn't show up when I ran HJT, but here're my logs...


COMBOFIX

"Ocha" - 2007-05-10 23:03:04 Service Pack 2
ComboFix 07-05.11.3V - Running from: "C:\Documents and Settings\Ocha\Desktop\"
Command switches used :: "/v winrvc32"


((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}]
@=""

[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting SeDebugPrivilege to Administrators ... successful



(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\wvuroml.dll
C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\pmnoomm.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\{44409~1\system.dll
C:\DOCUME~1\Ocha\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{44409~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\WINDOWS\SYSTEM32\FNTS~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\cmdService
-------\kprof
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))


2007-05-09 22:56 <DIR> d-------- C:\DOCUME~1\Ocha\APPLIC~1\Symantec
2007-05-09 21:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-05-09 18:49 <DIR> d-------- C:\Program Files\Norton 360
2007-05-09 18:44 <DIR> d-------- C:\Program Files\Symantec
2007-05-09 18:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-09 18:41 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 03:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-08 21:33 1,493,869 ---hs---- C:\WINDOWS\SYSTEM32\ihkmp.bak2
2007-05-08 21:32 1,493,984 ---hs---- C:\WINDOWS\SYSTEM32\ihkmp.ini2
2007-05-08 20:52 <DIR> d-------- C:\Deckard
2007-05-04 02:07 1,397,965 --ahs---- C:\WINDOWS\SYSTEM32\ihkmp.bak1
2007-05-04 00:19 1,404,852 --ahs---- C:\WINDOWS\SYSTEM32\accdd.ini2
2007-05-01 15:13 86,528 --a------ C:\WINDOWS\SYSTEM32\rifakdn.dll
2007-05-01 15:13 64,000 --a------ C:\WINDOWS\SYSTEM32\tzwtfke.dll
2007-04-25 13:18 53,248 --a------ C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
2007-04-25 13:17 86,528 --a------ C:\WINDOWS\SYSTEM32\zpcxcyc.dll
2007-04-25 13:17 63,488 --a------ C:\WINDOWS\SYSTEM32\cpiicbc.dll
2007-04-14 03:58 <DIR> d-------- C:\Program Files\GUILTY GEAR XX #RELOAD


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-10 02:07:13 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8781.sys
2007-05-10 02:05:00 -------- d-----w C:\DOCUME~1\Ocha\APPLIC~1\WeatherBug
2007-05-04 05:59:38 1,407,118 --sha-w C:\WINDOWS\system32\accdd.bak2
2007-05-04 05:24:29 1,406,912 --sha-w C:\WINDOWS\system32\accdd.bak1
2007-05-03 17:41:30 13,358 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-03 17:37:35 -------- d-----w C:\Program Files\WAV to MP3 Encoder
2007-04-27 01:44:01 -------- d-----w C:\Program Files\mIRC
2007-04-25 19:12:37 -------- d-----w C:\DOCUME~1\Ocha\APPLIC~1\uTorrent
2007-03-29 03:53:36 86,016 ----a-w C:\WINDOWS\system32\ywdlat.dll
2007-03-29 03:53:36 63,488 ----a-w C:\WINDOWS\system32\xgokgxl.dll
2007-03-23 17:48:49 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-21 07:41:55 81,408 ----a-w C:\WINDOWS\system32\qvcjvfj.dll
2007-03-19 15:43:19 81,920 ----a-w C:\WINDOWS\system32\clhrzsb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 20:38:19 81,408 ----a-w C:\WINDOWS\system32\dntopsd.dll
2007-03-14 02:11:43 80,896 ----a-w C:\WINDOWS\system32\phyeppn.dll
2007-03-12 20:39:02 81,408 ----a-w C:\WINDOWS\system32\nwqajmf.dll
2007-03-12 09:11:47 81,408 ----a-w C:\WINDOWS\system32\qeeddch.dll
2007-03-12 07:20:30 -------- d-----w C:\Program Files\Enigma Software Group
2007-03-12 04:54:29 -------- d-----w C:\Program Files\Ultimate Cleaner
2007-03-12 04:24:46 57,344 ----a-w C:\WINDOWS\system32\jgnxjbj.dll
2007-03-12 04:24:44 81,408 ----a-w C:\WINDOWS\system32\trdqsad.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 22:30:36 -------- d-----w C:\Program Files\SpywareBlaster
2007-03-05 04:22:57 707 ----a-w C:\WINDOWS\_DEFAULT.PIF
2007-03-05 04:22:53 0 ----a-w C:\WINDOWS\winuk.dll
2007-03-05 04:22:48 256,192 ----a-w C:\WINDOWS\WINHELP.EXE
2007-03-05 04:22:44 18,944 ----a-w C:\WINDOWS\VMMREG32.DLL
2007-03-05 04:22:37 149,504 ----a-w C:\WINDOWS\UNWISE.EXE
2007-03-05 04:22:33 90,112 ----a-w C:\WINDOWS\unvise32.exe
2007-03-05 04:22:27 25,600 ----a-w C:\WINDOWS\TWUNK_32.EXE
2007-03-05 04:22:25 25,600 ----a-w C:\WINDOWS\TWUNK_32(2).EXE
2007-03-05 04:22:24 49,680 ----a-w C:\WINDOWS\TWUNK_16.EXE
2007-03-05 04:22:24 49,680 ----a-w C:\WINDOWS\TWUNK_16(9).EXE
2007-03-05 04:22:23 49,680 ----a-w C:\WINDOWS\TWUNK_16(8).EXE
2007-03-05 04:22:21 49,680 ----a-w C:\WINDOWS\TWUNK_16(8)(2).EXE
2007-03-05 04:22:19 49,680 ----a-w C:\WINDOWS\TWUNK_16(7).EXE
2007-03-05 04:22:19 49,680 ----a-w C:\WINDOWS\TWUNK_16(6).EXE
2007-03-05 04:22:18 49,680 ----a-w C:\WINDOWS\TWUNK_16(5).EXE
2007-03-05 04:22:17 49,680 ----a-w C:\WINDOWS\TWUNK_16(4).EXE
2007-03-05 04:22:15 49,680 ----a-w C:\WINDOWS\TWUNK_16(4)(2).EXE
2007-03-05 04:22:14 49,680 ----a-w C:\WINDOWS\TWUNK_16(3).EXE
2007-03-05 04:22:13 49,680 ----a-w C:\WINDOWS\TWUNK_16(3)(2).EXE
2007-03-05 04:22:12 49,680 ----a-w C:\WINDOWS\TWUNK_16(2).EXE
2007-03-05 04:22:11 49,680 ----a-w C:\WINDOWS\TWUNK_16(12).EXE
2007-03-05 04:22:10 49,680 ----a-w C:\WINDOWS\TWUNK_16(11).EXE
2007-03-05 04:22:08 49,680 ----a-w C:\WINDOWS\TWUNK_16(10).EXE
2007-03-05 04:22:04 0 ----a-w C:\WINDOWS\sysxr32.dll
2007-03-05 04:21:48 33,792 ----a-w C:\WINDOWS\Q330994.exe
2007-03-05 04:21:41 7,473 ----a-w C:\WINDOWS\plqca.dat
2007-03-05 04:21:38 3,547 ----a-w C:\WINDOWS\oncsc.dat
2007-03-05 04:21:38 0 -c--a-w C:\WINDOWS\ofqd.exe
2007-03-05 04:21:37 33,792 ----a-w C:\WINDOWS\oeuninst.exe
2007-03-05 04:21:34 29,256 ----a-w C:\WINDOWS\n_aqcvyu.dat
2007-03-05 04:21:34 29,256 ----a-w C:\WINDOWS\n_aakuom.dat
2007-03-05 04:21:34 0 -c--a-w C:\WINDOWS\n_xdrfqf.dat
2007-03-05 04:21:33 0 -c--a-w C:\WINDOWS\ntiy.dll
2007-03-05 04:21:32 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2007-03-05 04:21:32 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-05 04:21:31 33,280 ----a-w C:\WINDOWS\muninst.exe
2007-03-05 04:21:31 0 -c--a-w C:\WINDOWS\mstasks4.exe
2007-03-05 04:21:25 0 -c--a-w C:\WINDOWS\mfqwx.dll
2007-03-05 04:21:24 0 -c--a-w C:\WINDOWS\mfcca.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\javamf.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\javago32.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\ieli.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\hsyua.dll
2007-03-05 04:21:01 98,352 ----a-w C:\WINDOWS\dla.exe
2007-03-05 04:20:55 8,192 ----a-w C:\WINDOWS\d3dx.dat
2007-03-05 04:20:55 0 -c--a-w C:\WINDOWS\crsk32.dll
2007-03-05 04:20:54 0 -c--a-w C:\WINDOWS\crge32.dll
2007-03-05 04:18:59 0 -c--a-w C:\WINDOWS\apidx.dll
2007-03-05 00:15:18 -------- d-----w C:\Program Files\Common Files\qrwf
2007-03-03 23:13:25 81,408 ----a-w C:\WINDOWS\system32\ungpwhe.dll
2007-03-03 23:13:25 57,344 ----a-w C:\WINDOWS\system32\rqaatzc.dll
2007-02-19 21:45:33 155,648 ----a-w C:\WINDOWS\system32\PoporuAgent.exe
2007-02-19 21:45:33 106,496 ----a-w C:\WINDOWS\system32\PoporuAgent.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}=C:\WINDOWS\system32\hggghhi.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-30 08:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-03-17 15:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-04 16:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-09-09 17:35]
"AIM"="C:\Program Files\AIM95\aim.exe" [2002-05-22 11:57]
"Sonic RecordNow!"="" [])

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"="C:\WINDOWS\system32\hggghhi.dll" [x]
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"="C:\WINDOWS\system32\pmnoomm.dll" [x]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqrsp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages \0scecli\0scecli\0scecli\0scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rundll
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
Usnsvc usnsvc\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (D6FYH341-Ocha).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-10 23:18:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-10 23:22:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-10 23:22



SMITFRAUD RAPPORT

SmitFraudFix v2.179

Scan done at 23:38:12.09, Thu 05/10/2007
Run from C:\Documents and Settings\Ocha\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\d3??.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ocha


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ocha\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Ocha\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ocha\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csvde.exe"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.10.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:59:58 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Ocha\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163648224296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tetonbob

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

This will take some time.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  
  C:\WINDOWS\SYSTEM32\ihkmp.bak2
  C:\WINDOWS\SYSTEM32\ihkmp.ini2
  C:\WINDOWS\SYSTEM32\ihkmp.bak1
  C:\WINDOWS\SYSTEM32\accdd.ini2
  C:\WINDOWS\SYSTEM32\rifakdn.dll
  C:\WINDOWS\SYSTEM32\tzwtfke.dll
  C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
  C:\WINDOWS\SYSTEM32\zpcxcyc.dll
  C:\WINDOWS\SYSTEM32\cpiicbc.dll
  C:\WINDOWS\system32\accdd.bak2
  C:\WINDOWS\system32\accdd.bak1
  C:\WINDOWS\system32\ywdlat.dll
  C:\WINDOWS\system32\xgokgxl.dll
  C:\WINDOWS\system32\qvcjvfj.dll
  C:\WINDOWS\system32\clhrzsb.dll
  C:\WINDOWS\system32\dntopsd.dll
  C:\WINDOWS\system32\phyeppn.dll
  C:\WINDOWS\system32\nwqajmf.dll
  C:\WINDOWS\system32\qeeddch.dll
  C:\Program Files\Enigma Software Group
  C:\Program Files\Ultimate Cleaner
  C:\WINDOWS\system32\jgnxjbj.dll
  C:\WINDOWS\system32\trdqsad.dll
  C:\WINDOWS\winuk.dll
  C:\WINDOWS\mstasks4.exe
  C:\WINDOWS\mfqwx.dll
  C:\WINDOWS\mfcca.dll
  C:\WINDOWS\javamf.dll
  C:\WINDOWS\javago32.dll
  C:\WINDOWS\ieli.dll
  C:\WINDOWS\hsyua.dll
  C:\WINDOWS\crsk32.dll
  C:\WINDOWS\crge32.dll
  C:\WINDOWS\apidx.dll
  C:\Program Files\Common Files\qrwf
  C:\WINDOWS\system32\ungpwhe.dll
  C:\WINDOWS\system32\rqaatzc.dll
  
  
• Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
• Click the red Moveit! button.
• Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------------

Next, please do this:

Download AVG Anti Spyware

Please note, this is a different tool from your AVG Anti-Virus, and will help us further clean your system.

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

• Install AVG Anti Spyware
• Double-click the icon on Desktop to launch AVG
• On the top of the main screen click Shield
• Click the word active to change it to inactive
• On the top of the main screen click Update.
• Then click on Start Update. The update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

• We'll use this later.
  
  ---------------------------------------------------------------------------------------------
  
  Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
  
  ---------------------------------------------------------------------------------------------
  
  Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked
  
  O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
  O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
  O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
  O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
  O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
  O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
  O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)
  
  Close HijackThis now.
  
  ---------------------------------------------------------------------------------------------
  
  Double-click smitfraudfix.exe to start the tool.
  Select option #2 - Clean by typing 2 and press Enter.
  Wait for the tool to complete and disk cleanup to finish.
  You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
  The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.
  
  A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into in Safe Mode.
  
  The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  
  ---------------------------------------------------------------------------------------------
  
  Clean out your Temporary Internet files.
  
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------


Run Deckard's System Scanner (DSS) once again, and post it's log, main.txt

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

OTMoveIt
C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
DSS (main.txt)

__________________

** PC Safety and Security--What Do I Need? **

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006