Resolved HJT Threads Resolved spyware and popup issues.
Old 05-08-2007, 09:22 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Crazy Popups and Spyware now no Desktop

I had problems for a while, then got help here and everything was working fairly well. Every once in a while, there'd be a popup or two. Then my comp started slowing down tons randomly--like for 30 seconds I couldn't do anything, then for 5-10 seconds I could do stuff, then it'd go back to 30 seconds of not being able to do anything. Then, like a day later, I started up my computer and my desktop was blank. So now I don't have a desktop, literally just the wallpaper, no start menu or status bar or anything. Now I have to start programs, access files, etc. through Task Manager. I did most of the steps in the tutorial on this site, but couldn't do some of it because some programs won't start.
Here's my log with the extra log as an attachment...

Deckard's System Scanner v20070426.43
Run by Ocha on 2007-05-08 at 20:53:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
48: 2007-05-09 02:53:32 UTC - RP1432 - Deckard's System Scanner Restore Point
47: 2007-05-05 06:49:40 UTC - RP1431 - Spybot-S&D Spyware removal
46: 2007-05-04 22:33:58 UTC - RP1430 - Installed AVG 7.5
45: 2007-05-04 20:34:38 UTC - RP1429 - Installed AVG 7.5
44: 2007-05-04 20:33:48 UTC - RP1428 - Removed AVG 7.5


-- First Restore Point --
1: 2007-03-21 05:33:15 UTC - RP1385 - Spybot-S&D Spyware removal


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Ocha.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:01:29 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ocha\Desktop\dss.exe
C:\DOCUME~1\Ocha\Desktop\Ocha.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20C18254-E44C-468D-B564-C0C80AABF138} - C:\WINDOWS\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {B2BCD0D0-480D-4ADE-B1D4-2E64DE0AB339} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\opadrygv.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163648224296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O20 - Winlogon Notify: hggghhi - C:\WINDOWS\SYSTEM32\hggghhi.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: rqrqnkh - C:\WINDOWS\SYSTEM32\rqrqnkh.dll
O20 - Winlogon Notify: rqrqrsp - C:\WINDOWS\SYSTEM32\rqrqrsp.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\lt0027dmg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S2 poof - c:\windows\system32\poof (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 kprof - c:\windows\system32\kprof (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-08 21:02:00 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (D6FYH341-Ocha).job
2007-05-03 02:01:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-04-08 and 2007-05-08 -----------------------------

2007-05-08 20:46:39 0 d-------- C:\WINDOWS\LastGood
2007-05-04 16:35:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\AVG7
2007-05-04 16:34:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-04 16:34:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-04 14:34:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-05-04 02:07:44 1397965 ---hs---- C:\WINDOWS\system32\ihkmp.bak1
2007-05-04 02:07:31 284244 ---hs---- C:\WINDOWS\system32\pmkhi.dll
2007-05-04 00:19:40 1404852 --ahs---- C:\WINDOWS\system32\accdd.ini2
2007-05-04 00:00:11 132660 --a------ C:\WINDOWS\system32\wgqqfxwu.dll
2007-05-03 23:59:40 49204 --a------ C:\WINDOWS\system32\yaahaabj.dll
2007-05-03 23:58:33 48708 --a------ C:\WINDOWS\system32\mykeicfv.dll
2007-05-03 23:58:24 123972 --a------ C:\WINDOWS\system32\lhreegfk.dll
2007-05-03 23:24:41 132660 --a------ C:\WINDOWS\system32\yvtamght.dll
2007-05-03 23:24:35 49204 --a------ C:\WINDOWS\system32\tbtpbhwg.dll
2007-05-02 23:24:24 49204 --a------ C:\WINDOWS\system32\xrpnujna.dll
2007-05-02 23:24:04 123972 --a------ C:\WINDOWS\system32\rddaupcq.dll
2007-05-02 00:39:19 132660 --a------ C:\WINDOWS\system32\qjteiteg.dll
2007-05-01 19:01:36 49204 --a------ C:\WINDOWS\system32\ybbdmdyh.dll
2007-05-01 15:17:16 132660 --a------ C:\WINDOWS\system32\uwncsdug.dll
2007-05-01 15:13:33 64000 --a------ C:\WINDOWS\system32\tz***ke.dll
2007-05-01 15:13:33 86528 --a------ C:\WINDOWS\system32\rifakdn.dll
2007-05-01 15:13:23 26678 --a------ C:\WINDOWS\system32\mljiigg.dll
2007-05-01 13:18:15 49204 --a------ C:\WINDOWS\system32\uwcvlbvk.dll
2007-05-01 12:01:14 26678 --a------ C:\WINDOWS\system32\jkkklmk.dll
2007-05-01 03:06:41 49204 --a------ C:\WINDOWS\system32\uapxpolu.dll
2007-04-30 20:26:23 132660 --a------ C:\WINDOWS\system32\ndkpqqdm.dll
2007-04-30 03:06:02 49204 --a------ C:\WINDOWS\system32\kjomwogi.dll
2007-04-30 00:20:59 132660 --a------ C:\WINDOWS\system32\wdtglthu.dll
2007-04-29 14:38:02 49204 --a------ C:\WINDOWS\system32\qxctnxpm.dll
2007-04-28 15:48:18 132660 --a------ C:\WINDOWS\system32\rxxlucql.dll
2007-04-28 15:16:40 49204 --a------ C:\WINDOWS\system32\ydefqvoy.dll
2007-04-28 13:49:04 49204 --a------ C:\WINDOWS\system32\blhayobg.dll
2007-04-28 13:32:31 49204 --a------ C:\WINDOWS\system32\tpqnriqt.dll
2007-04-28 13:32:24 132660 --a------ C:\WINDOWS\system32\intpbbjn.dll
2007-04-27 13:32:11 49204 --a------ C:\WINDOWS\system32\degbqpbb.dll
2007-04-26 13:31:47 49204 --a------ C:\WINDOWS\system32\bgialedu.dll
2007-04-26 13:30:45 132660 --a------ C:\WINDOWS\system32\reitfvrx.dll
2007-04-25 13:18:16 53248 --a------ C:\WINDOWS\system32\bbdacadfbcebcd.dll
2007-04-25 13:17:59 26678 --a------ C:\WINDOWS\system32\ljjijji.dll
2007-04-25 13:17:55 86528 --a------ C:\WINDOWS\system32\zpcxcyc.dll
2007-04-25 13:17:55 63488 --a------ C:\WINDOWS\system32\cpiicbc.dll
2007-04-25 13:08:41 132660 --a------ C:\WINDOWS\system32\wshvhhdn.dll
2007-04-24 13:08:21 123972 --a------ C:\WINDOWS\system32\yxtfddyi.dll
2007-04-23 13:08:01 123972 --a------ C:\WINDOWS\system32\kgasnsap.dll
2007-04-22 13:08:01 123972 --a------ C:\WINDOWS\system32\gedvaeuy.dll
2007-04-21 13:07:52 123972 --a------ C:\WINDOWS\system32\eemhwsft.dll
2007-04-20 12:01:11 123972 --a------ C:\WINDOWS\system32\earecjiy.dll
2007-04-19 13:10:53 123972 --a------ C:\WINDOWS\system32\kfuvyklj.dll
2007-04-18 10:41:49 123972 --a------ C:\WINDOWS\system32\wqwckotc.dll
2007-04-18 10:41:43 48708 --a------ C:\WINDOWS\system32\hhmedaaa.dll
2007-04-17 16:32:56 123972 --a------ C:\WINDOWS\system32\tpoijgkk.dll
2007-04-17 16:32:49 48708 --a------ C:\WINDOWS\system32\ncpgaiet.dll
2007-04-17 13:46:53 123972 --a------ C:\WINDOWS\system32\jnmagthi.dll
2007-04-17 13:46:45 48708 --a------ C:\WINDOWS\system32\sixaqihu.dll
2007-04-16 12:55:24 48708 --a------ C:\WINDOWS\system32\wwvbnrpm.dll
2007-04-16 12:55:17 123972 --a------ C:\WINDOWS\system32\mtcwufve.dll
2007-04-15 12:55:20 48708 --a------ C:\WINDOWS\system32\lqlhgjse.dll
2007-04-15 12:55:10 123972 --a------ C:\WINDOWS\system32\kgsrqhvx.dll
2007-04-14 12:55:03 123972 --a------ C:\WINDOWS\system32\icyakemp.dll
2007-04-14 12:54:56 48708 --a------ C:\WINDOWS\system32\yjfdfpuc.dll
2007-04-14 03:58:25 0 d-------- C:\Program Files\GUILTY GEAR XX #RELOAD
2007-04-13 12:54:53 123972 --a------ C:\WINDOWS\system32\aerusvyq.dll
2007-04-13 12:54:48 48708 --a------ C:\WINDOWS\system32\gifjtttp.dll
2007-04-12 12:54:32 48708 --a------ C:\WINDOWS\system32\htluklhh.dll
2007-04-12 12:54:22 123972 --a------ C:\WINDOWS\system32\sjoveprq.dll
2007-04-11 12:54:17 123972 --a------ C:\WINDOWS\system32\nxuhjguy.dll
2007-04-11 12:54:14 48708 --a------ C:\WINDOWS\system32\kcnwgirq.dll
2007-04-10 12:54:45 48708 --a------ C:\WINDOWS\system32\wlglbagg.dll


-- Find3M Report ---------------------------------------------------------------

2007-05-03 23:59:38 1407118 --ahs---- C:\WINDOWS\system32\accdd.bak2
2007-05-03 23:24:29 1406912 --ahs---- C:\WINDOWS\system32\accdd.bak1
2007-05-03 13:01:21 0 d-------- C:\Documents and Settings\Ocha\Application Data\WeatherBug
2007-05-03 11:41:30 13358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-03 11:37:35 0 d-------- C:\Program Files\WAV to MP3 Encoder
2007-05-01 15:13:44 32179 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-04-26 19:44:01 0 d-------- C:\Program Files\mIRC
2007-04-25 13:12:37 0 d-------- C:\Documents and Settings\Ocha\Application Data\uTorrent
2007-04-05 01:52:52 123972 --a------ C:\WINDOWS\system32\mhorooet.dll
2007-04-03 23:50:12 123972 --a------ C:\WINDOWS\system32\wjsqitew.dll
2007-04-02 23:50:00 123972 --a------ C:\WINDOWS\system32\wlhjlhkf.dll
2007-03-31 23:50:04 123972 --a------ C:\WINDOWS\system32\ptrdwkfn.dll
2007-03-30 18:20:32 123972 --a------ C:\WINDOWS\system32\dkfwuaaq.dll
2007-03-29 18:20:20 123972 --a------ C:\WINDOWS\system32\olhgvblf.dll
2007-03-29 15:23:46 26730 --a------ C:\WINDOWS\system32\hggghhi.dll
2007-03-28 21:53:39 26694 --a------ C:\WINDOWS\system32\rqrqrsp.dll
2007-03-28 21:53:36 86016 --a------ C:\WINDOWS\system32\ywdlat.dll
2007-03-28 21:53:36 63488 --a------ C:\WINDOWS\system32\xgokgxl.dll
2007-03-28 21:00:21 26730 --a------ C:\WINDOWS\system32\opnollk.dll
2007-03-28 18:20:27 123972 --a------ C:\WINDOWS\system32\wfuefcro.dll
2007-03-28 15:51:51 88340 --a------ C:\WINDOWS\system32\crhbthsg.exe
2007-03-28 12:08:32 26730 --a------ C:\WINDOWS\system32\ddcddee.dll
2007-03-27 18:25:04 26730 --a------ C:\WINDOWS\system32\iifdbby.dll
2007-03-27 18:24:55 26730 --a------ C:\WINDOWS\system32\hggeedc.dll
2007-03-27 18:19:56 123972 --a------ C:\WINDOWS\system32\pkqsgdhv.dll
2007-03-25 13:37:48 123972 --a------ C:\WINDOWS\system32\ktjbojyx.dll
2007-03-24 13:37:15 123972 --a------ C:\WINDOWS\system32\ihcktuhl.dll
2007-03-23 11:48:49 0 d-------- C:\Program Files\Windows Media Connect 2
2007-03-23 11:38:08 123972 --a------ C:\WINDOWS\system32\bwsospkg.dll
2007-03-21 20:42:38 123412 --a------ C:\WINDOWS\system32\kssvunku.dll
2007-03-21 01:41:55 81408 --a------ C:\WINDOWS\system32\qvcjvfj.dll
2007-03-21 01:41:43 26697 --a------ C:\WINDOWS\system32\wvuroml.dll
2007-03-21 00:08:42 123412 --a------ C:\WINDOWS\system32\upbjulrs.dll
2007-03-20 23:49:53 88340 --a------ C:\WINDOWS\system32\cblnaujn.exe
2007-03-19 17:08:20 123412 --a------ C:\WINDOWS\system32\kvcubxfj.dll
2007-03-19 09:43:19 81920 --a------ C:\WINDOWS\system32\clhrzsb.dll
2007-03-19 02:56:24 123412 --a------ C:\WINDOWS\system32\itavxogk.dll
2007-03-18 13:39:32 88340 --a------ C:\WINDOWS\system32\tbhiovre.exe
2007-03-17 22:27:53 123412 --a------ C:\WINDOWS\system32\dxrnigeu.dll
2007-03-17 20:15:28 123412 --a------ C:\WINDOWS\system32\tytkvwbo.dll
2007-03-16 04:55:24 123412 --a------ C:\WINDOWS\system32\mtsuaxsi.dll
2007-03-14 14:56:20 123412 --a------ C:\WINDOWS\system32\mbcepkum.dll
2007-03-14 14:38:19 81408 --a------ C:\WINDOWS\system32\dntopsd.dll
2007-03-14 14:36:34 88340 --a------ C:\WINDOWS\system32\xxfmnjel.exe
2007-03-13 20:11:43 80896 --a------ C:\WINDOWS\system32\phyeppn.dll
2007-03-13 18:45:35 123412 --a------ C:\WINDOWS\system32\pojaqrhe.dll
2007-03-12 18:44:58 88340 --a------ C:\WINDOWS\system32\llspecey.exe
2007-03-12 14:39:02 81408 --a------ C:\WINDOWS\system32\nwqajmf.dll
2007-03-12 14:36:58 88340 --a------ C:\WINDOWS\system32\jpuiilem.exe
2007-03-12 03:11:47 81408 --a------ C:\WINDOWS\system32\qeeddch.dll
2007-03-12 01:51:18 123412 --a------ C:\WINDOWS\system32\mjgajopn.dll
2007-03-12 01:20:30 0 d-------- C:\Program Files\Enigma Software Group
2007-03-12 01:12:43 88340 --a------ C:\WINDOWS\system32\tflieeyh.exe
2007-03-12 01:12:32 118804 --a------ C:\WINDOWS\system32\ihiurmnv.dll
2007-03-11 22:54:29 0 d-------- C:\Program Files\Ultimate Cleaner
2007-03-11 22:24:46 57344 --a------ C:\WINDOWS\system32\jgnxjbj.dll
2007-03-11 22:24:44 81408 --a------ C:\WINDOWS\system32\trdqsad.dll
2007-03-11 21:59:48 123412 --a------ C:\WINDOWS\system32\nnllxerx.dll
2007-03-11 21:46:22 123412 --a------ C:\WINDOWS\system32\yfoehcva.dll
2007-03-11 21:34:09 118804 --a------ C:\WINDOWS\system32\onpiilhh.dll
2007-03-11 20:45:23 123412 --a------ C:\WINDOWS\system32\pugltxxx.dll
2007-03-11 19:45:16 123412 --a------ C:\WINDOWS\system32\prmongnd.dll
2007-03-11 17:58:13 123412 --a------ C:\WINDOWS\system32\lnctgwjo.dll
2007-03-10 17:32:08 123412 --a------ C:\WINDOWS\system32\kdtrappr.dll
2007-03-08 16:36:17 123412 --a------ C:\WINDOWS\system32\djoyyajx.dll
2007-03-07 14:34:26 123412 --a------ C:\WINDOWS\system32\xeqtdwuj.dll
2007-03-06 18:20:45 123412 --a------ C:\WINDOWS\system32\ljrqvomj.dll
2007-03-06 17:49:08 118804 --a------ C:\WINDOWS\system32\apmkkqjo.dll
2007-03-05 17:48:57 118804 --a------ C:\WINDOWS\system32\ubjneqqv.dll
2007-03-04 22:22:53 0 --a------ C:\WINDOWS\winuk.dll
2007-03-04 22:22:37 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-03-04 22:22:33 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-03-04 22:22:05 0 --a------ C:\WINDOWS\test
2007-03-04 22:22:04 0 --a------ C:\WINDOWS\sysxr32.dll
2007-03-04 22:21:41 7473 --a------ C:\WINDOWS\plqca.dat
2007-03-04 22:21:38 3547 --a------ C:\WINDOWS\oncsc.dat
2007-03-04 22:21:38 0 --a----c- C:\WINDOWS\ofqd.exe
2007-03-04 22:21:34 0 --a----c- C:\WINDOWS\n_xdrfqf.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aqcvyu.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aakuom.dat
2007-03-04 22:21:33 0 --a----c- C:\WINDOWS\ntiy.dll
2007-03-04 22:21:32 335 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 22:21:32 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-03-04 22:21:31 0 --a----c- C:\WINDOWS\mstasks4.exe
2007-03-04 22:21:25 0 --a----c- C:\WINDOWS\mfqwx.dll
2007-03-04 22:21:24 0 --a----c- C:\WINDOWS\mfcca.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\javamf.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\javago32.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\ieli.dll
2007-03-04 22:21:06 0 --a----c- C:\WINDOWS\hsyua.dll
2007-03-04 22:20:55 8192 --a------ C:\WINDOWS\d3dx.dat
2007-03-04 22:20:55 0 --a----c- C:\WINDOWS\crsk32.dll
2007-03-04 22:20:54 0 --a----c- C:\WINDOWS\crge32.dll
2007-03-04 22:19:32 0 --a----c- C:\WINDOWS\b2_t_%22NEKKETSU+KOUHA+KUNIO-KUN
2007-03-04 22:18:59 0 --a----c- C:\WINDOWS\apidx.dll
2007-03-04 17:48:50 118804 --a------ C:\WINDOWS\system32\cqphiukm.dll
2007-03-03 17:30:46 88340 --a------ C:\WINDOWS\system32\yirlujiu.exe
2007-03-03 17:30:40 118804 --a------ C:\WINDOWS\system32\dqtqfixt.dll
2007-03-03 17:13:41 26637 --ahs---- C:\WINDOWS\system32\rqrqnkh.dll
2007-03-03 17:13:25 81408 --a------ C:\WINDOWS\system32\ungpwhe.dll
2007-03-03 17:13:25 57344 --a------ C:\WINDOWS\system32\rqaatzc.dll
2007-03-03 17:13:17 20992 --a------ C:\WINDOWS\system32\winrvc32.dll
2007-03-03 17:13:06 2 --a------ C:\1145084210
2007-02-19 15:45:33 155648 --a------ C:\WINDOWS\system32\PoporuAgent.exe <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
2007-02-19 15:45:33 106496 --a------ C:\WINDOWS\system32\PoporuAgent.dll <Not Verified; (?) ?? ??????; ??? ?? ?? ????>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{20C18254-E44C-468D-B564-C0C80AABF138} C:\WINDOWS\system32\ddcca.dll [x]
{B2BCD0D0-480D-4ADE-B1D4-2E64DE0AB339} C:\WINDOWS\system32\pmkhi.dll
{E44527F6-1296-4A84-B67D-A6CEA6ED4B69} C:\WINDOWS\system32\hggghhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"VaCtrls"="v7"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\opadrygv.dll\",realset"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Sonic RecordNow!"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05}"=""
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqrsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Shell Extensions
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Shell Extentions
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bridge"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-08 at 21:03:41 ---------

Any help would be much appreciated. Thanks!
-K
Attached Files
File Type: txt extra.txt (11.5 KB, 1 views)
Kicks is offline  
Old 05-10-2007, 05:42 PM   #2 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

My desktop is sorta working now... My comp got worse for a while, wouldn't start, and would shut down by itself, etc...
Is a little better since the beginning, but I'd like to make sure I can get rid of all my problems, then format my harddrive.
Please help if you can!
-K
Kicks is offline  
Old 05-10-2007, 09:10 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop

Quote:
Is a little better since the beginning, but I'd like to make sure I can get rid of all my problems, then format my harddrive.
If you format, all your problems should be resolved, assuming you save all data you want and have all drivers you need ahead of time. There would be no need to fix anything, as format, killdisk, and clean install mean all is wiped from the disk.

This does seem like a fixable situation, should you want to try to clean the machine and not format. However, there are signs of some backdoor infections, so you may want to format instead of cleaning. If you choose to format, cleaning is really unnecessary.

If you decide you want to try to clean...here's what to do:

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------



Download combofix.exe to your desktop.


* IMPORTANT !!! Place it on your Desktop. We'll use this shortly.

Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial

Run ComboFix

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\combofix.exe" /v winrvc32
When finished, it shall produce a log for you. Post that log in your next reply, at the end of this fix.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {20C18254-E44C-468D-B564-C0C80AABF138} - C:\WINDOWS\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - Startup: .protected
O4 - Global Startup: .protected
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\lt0027dmg.dll (file missing)

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Run HijackThis again, and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please post logs from:

ComboFix(C:\ComboFix.txt)
SmitfraudFix(C:\rapport.txt)
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 05-10-2007 at 09:13 PM.
tetonbob is offline  
Old 05-11-2007, 12:03 AM   #4 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

Thanks for the help! I really appreciate this!! I couldn't delete
O4 - Startup: .protected
or
O4 - Global Startup: .protected
for both, HJT asked me to shut them down via task manager, then redo HJT, but I couldn't really get that to work. There was also a bunch of stuff that didn't show up when I ran HJT, but here're my logs...


COMBOFIX

"Ocha" - 2007-05-10 23:03:04 Service Pack 2
ComboFix 07-05.11.3V - Running from: "C:\Documents and Settings\Ocha\Desktop\"
Command switches used :: "/v winrvc32"


((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}]
@=""

[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting SeDebugPrivilege to Administrators ... successful



(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\wvuroml.dll
C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\pmnoomm.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\{44409~1\system.dll
C:\DOCUME~1\Ocha\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{44409~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\WINDOWS\SYSTEM32\FNTS~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\cmdService
-------\kprof
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))


2007-05-09 22:56 <DIR> d-------- C:\DOCUME~1\Ocha\APPLIC~1\Symantec
2007-05-09 21:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-05-09 18:49 <DIR> d-------- C:\Program Files\Norton 360
2007-05-09 18:44 <DIR> d-------- C:\Program Files\Symantec
2007-05-09 18:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-09 18:41 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 03:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-08 21:33 1,493,869 ---hs---- C:\WINDOWS\SYSTEM32\ihkmp.bak2
2007-05-08 21:32 1,493,984 ---hs---- C:\WINDOWS\SYSTEM32\ihkmp.ini2
2007-05-08 20:52 <DIR> d-------- C:\Deckard
2007-05-04 02:07 1,397,965 --ahs---- C:\WINDOWS\SYSTEM32\ihkmp.bak1
2007-05-04 00:19 1,404,852 --ahs---- C:\WINDOWS\SYSTEM32\accdd.ini2
2007-05-01 15:13 86,528 --a------ C:\WINDOWS\SYSTEM32\rifakdn.dll
2007-05-01 15:13 64,000 --a------ C:\WINDOWS\SYSTEM32\tz***ke.dll
2007-04-25 13:18 53,248 --a------ C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
2007-04-25 13:17 86,528 --a------ C:\WINDOWS\SYSTEM32\zpcxcyc.dll
2007-04-25 13:17 63,488 --a------ C:\WINDOWS\SYSTEM32\cpiicbc.dll
2007-04-14 03:58 <DIR> d-------- C:\Program Files\GUILTY GEAR XX #RELOAD


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-10 02:07:13 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8781.sys
2007-05-10 02:05:00 -------- d-----w C:\DOCUME~1\Ocha\APPLIC~1\WeatherBug
2007-05-04 05:59:38 1,407,118 --sha-w C:\WINDOWS\system32\accdd.bak2
2007-05-04 05:24:29 1,406,912 --sha-w C:\WINDOWS\system32\accdd.bak1
2007-05-03 17:41:30 13,358 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-03 17:37:35 -------- d-----w C:\Program Files\WAV to MP3 Encoder
2007-04-27 01:44:01 -------- d-----w C:\Program Files\mIRC
2007-04-25 19:12:37 -------- d-----w C:\DOCUME~1\Ocha\APPLIC~1\uTorrent
2007-03-29 03:53:36 86,016 ----a-w C:\WINDOWS\system32\ywdlat.dll
2007-03-29 03:53:36 63,488 ----a-w C:\WINDOWS\system32\xgokgxl.dll
2007-03-23 17:48:49 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-21 07:41:55 81,408 ----a-w C:\WINDOWS\system32\qvcjvfj.dll
2007-03-19 15:43:19 81,920 ----a-w C:\WINDOWS\system32\clhrzsb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 20:38:19 81,408 ----a-w C:\WINDOWS\system32\dntopsd.dll
2007-03-14 02:11:43 80,896 ----a-w C:\WINDOWS\system32\phyeppn.dll
2007-03-12 20:39:02 81,408 ----a-w C:\WINDOWS\system32\nwqajmf.dll
2007-03-12 09:11:47 81,408 ----a-w C:\WINDOWS\system32\qeeddch.dll
2007-03-12 07:20:30 -------- d-----w C:\Program Files\Enigma Software Group
2007-03-12 04:54:29 -------- d-----w C:\Program Files\Ultimate Cleaner
2007-03-12 04:24:46 57,344 ----a-w C:\WINDOWS\system32\jgnxjbj.dll
2007-03-12 04:24:44 81,408 ----a-w C:\WINDOWS\system32\trdqsad.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 22:30:36 -------- d-----w C:\Program Files\SpywareBlaster
2007-03-05 04:22:57 707 ----a-w C:\WINDOWS\_DEFAULT.PIF
2007-03-05 04:22:53 0 ----a-w C:\WINDOWS\winuk.dll
2007-03-05 04:22:48 256,192 ----a-w C:\WINDOWS\WINHELP.EXE
2007-03-05 04:22:44 18,944 ----a-w C:\WINDOWS\VMMREG32.DLL
2007-03-05 04:22:37 149,504 ----a-w C:\WINDOWS\UNWISE.EXE
2007-03-05 04:22:33 90,112 ----a-w C:\WINDOWS\unvise32.exe
2007-03-05 04:22:27 25,600 ----a-w C:\WINDOWS\TWUNK_32.EXE
2007-03-05 04:22:25 25,600 ----a-w C:\WINDOWS\TWUNK_32(2).EXE
2007-03-05 04:22:24 49,680 ----a-w C:\WINDOWS\TWUNK_16.EXE
2007-03-05 04:22:24 49,680 ----a-w C:\WINDOWS\TWUNK_16(9).EXE
2007-03-05 04:22:23 49,680 ----a-w C:\WINDOWS\TWUNK_16(8).EXE
2007-03-05 04:22:21 49,680 ----a-w C:\WINDOWS\TWUNK_16(8)(2).EXE
2007-03-05 04:22:19 49,680 ----a-w C:\WINDOWS\TWUNK_16(7).EXE
2007-03-05 04:22:19 49,680 ----a-w C:\WINDOWS\TWUNK_16(6).EXE
2007-03-05 04:22:18 49,680 ----a-w C:\WINDOWS\TWUNK_16(5).EXE
2007-03-05 04:22:17 49,680 ----a-w C:\WINDOWS\TWUNK_16(4).EXE
2007-03-05 04:22:15 49,680 ----a-w C:\WINDOWS\TWUNK_16(4)(2).EXE
2007-03-05 04:22:14 49,680 ----a-w C:\WINDOWS\TWUNK_16(3).EXE
2007-03-05 04:22:13 49,680 ----a-w C:\WINDOWS\TWUNK_16(3)(2).EXE
2007-03-05 04:22:12 49,680 ----a-w C:\WINDOWS\TWUNK_16(2).EXE
2007-03-05 04:22:11 49,680 ----a-w C:\WINDOWS\TWUNK_16(12).EXE
2007-03-05 04:22:10 49,680 ----a-w C:\WINDOWS\TWUNK_16(11).EXE
2007-03-05 04:22:08 49,680 ----a-w C:\WINDOWS\TWUNK_16(10).EXE
2007-03-05 04:22:04 0 ----a-w C:\WINDOWS\sysxr32.dll
2007-03-05 04:21:48 33,792 ----a-w C:\WINDOWS\Q330994.exe
2007-03-05 04:21:41 7,473 ----a-w C:\WINDOWS\plqca.dat
2007-03-05 04:21:38 3,547 ----a-w C:\WINDOWS\oncsc.dat
2007-03-05 04:21:38 0 -c--a-w C:\WINDOWS\ofqd.exe
2007-03-05 04:21:37 33,792 ----a-w C:\WINDOWS\oeuninst.exe
2007-03-05 04:21:34 29,256 ----a-w C:\WINDOWS\n_aqcvyu.dat
2007-03-05 04:21:34 29,256 ----a-w C:\WINDOWS\n_aakuom.dat
2007-03-05 04:21:34 0 -c--a-w C:\WINDOWS\n_xdrfqf.dat
2007-03-05 04:21:33 0 -c--a-w C:\WINDOWS\ntiy.dll
2007-03-05 04:21:32 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2007-03-05 04:21:32 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-05 04:21:31 33,280 ----a-w C:\WINDOWS\muninst.exe
2007-03-05 04:21:31 0 -c--a-w C:\WINDOWS\mstasks4.exe
2007-03-05 04:21:25 0 -c--a-w C:\WINDOWS\mfqwx.dll
2007-03-05 04:21:24 0 -c--a-w C:\WINDOWS\mfcca.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\javamf.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\javago32.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\ieli.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\hsyua.dll
2007-03-05 04:21:01 98,352 ----a-w C:\WINDOWS\dla.exe
2007-03-05 04:20:55 8,192 ----a-w C:\WINDOWS\d3dx.dat
2007-03-05 04:20:55 0 -c--a-w C:\WINDOWS\crsk32.dll
2007-03-05 04:20:54 0 -c--a-w C:\WINDOWS\crge32.dll
2007-03-05 04:18:59 0 -c--a-w C:\WINDOWS\apidx.dll
2007-03-05 00:15:18 -------- d-----w C:\Program Files\Common Files\qrwf
2007-03-03 23:13:25 81,408 ----a-w C:\WINDOWS\system32\ungpwhe.dll
2007-03-03 23:13:25 57,344 ----a-w C:\WINDOWS\system32\rqaatzc.dll
2007-02-19 21:45:33 155,648 ----a-w C:\WINDOWS\system32\PoporuAgent.exe
2007-02-19 21:45:33 106,496 ----a-w C:\WINDOWS\system32\PoporuAgent.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}=C:\WINDOWS\system32\hggghhi.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-30 08:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-03-17 15:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-04 16:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-09-09 17:35]
"AIM"="C:\Program Files\AIM95\aim.exe" [2002-05-22 11:57]
"Sonic RecordNow!"="" [])

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"="C:\WINDOWS\system32\hggghhi.dll" [x]
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"="C:\WINDOWS\system32\pmnoomm.dll" [x]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqrsp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages \0scecli\0scecli\0scecli\0scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rundll
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
Usnsvc usnsvc\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (D6FYH341-Ocha).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-10 23:18:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-10 23:22:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-10 23:22



SMITFRAUD RAPPORT

SmitFraudFix v2.179

Scan done at 23:38:12.09, Thu 05/10/2007
Run from C:\Documents and Settings\Ocha\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\d3??.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ocha


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ocha\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Ocha\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ocha\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csvde.exe"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.10.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:59:58 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Ocha\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163648224296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Kicks is offline  
Old 05-11-2007, 09:23 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there are no open browsers while you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

This will take some time.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM32\ihkmp.bak2
    C:\WINDOWS\SYSTEM32\ihkmp.ini2
    C:\WINDOWS\SYSTEM32\ihkmp.bak1
    C:\WINDOWS\SYSTEM32\accdd.ini2
    C:\WINDOWS\SYSTEM32\rifakdn.dll
    C:\WINDOWS\SYSTEM32\tz***ke.dll
    C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
    C:\WINDOWS\SYSTEM32\zpcxcyc.dll
    C:\WINDOWS\SYSTEM32\cpiicbc.dll
    C:\WINDOWS\system32\accdd.bak2
    C:\WINDOWS\system32\accdd.bak1
    C:\WINDOWS\system32\ywdlat.dll
    C:\WINDOWS\system32\xgokgxl.dll
    C:\WINDOWS\system32\qvcjvfj.dll
    C:\WINDOWS\system32\clhrzsb.dll
    C:\WINDOWS\system32\dntopsd.dll
    C:\WINDOWS\system32\phyeppn.dll
    C:\WINDOWS\system32\nwqajmf.dll
    C:\WINDOWS\system32\qeeddch.dll
    C:\Program Files\Enigma Software Group
    C:\Program Files\Ultimate Cleaner
    C:\WINDOWS\system32\jgnxjbj.dll
    C:\WINDOWS\system32\trdqsad.dll
    C:\WINDOWS\winuk.dll
    C:\WINDOWS\mstasks4.exe
    C:\WINDOWS\mfqwx.dll
    C:\WINDOWS\mfcca.dll
    C:\WINDOWS\javamf.dll
    C:\WINDOWS\javago32.dll
    C:\WINDOWS\ieli.dll
    C:\WINDOWS\hsyua.dll
    C:\WINDOWS\crsk32.dll
    C:\WINDOWS\crge32.dll
    C:\WINDOWS\apidx.dll
    C:\Program Files\Common Files\qrwf
    C:\WINDOWS\system32\ungpwhe.dll
    C:\WINDOWS\system32\rqaatzc.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------------

Next, please do this:

Download AVG Anti Spyware

Please note, this is a different tool from your AVG Anti-Virus, and will help us further clean your system.

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • We'll use this later.

    ---------------------------------------------------------------------------------------------

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.

    ---------------------------------------------------------------------------------------------

    Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

    O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
    O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
    O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
    O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
    O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
    O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
    O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)


    Close HijackThis now.

    ---------------------------------------------------------------------------------------------

    Double-click smitfraudfix.exe to start the tool.
    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    ---------------------------------------------------------------------------------------------

    Clean out your Temporary Internet files.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



---------------------------------------------------------------------------------------------


Run Deckard's System Scanner (DSS) once again, and post its log, main.txt

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

OTMoveIt
C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
DSS (main.txt)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
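The seven HijackThis entries in the fix list above are all Browser Helper Objects or Winlogon Notify handlers whose DLL is no longer on disk. Winlogon Notify DLLs are loaded into winlogon.exe, which runs as SYSTEM, on every logon, logoff and lock event, so an orphaned registration with a random name is a leftover loader worth removing even though the file itself is gone. The block below is an added example for this thread, not code from the post or from HijackThis: it parses O2/O20 lines in the format quoted above and returns the ones a helper would tick for "Fix checked". The KNOWN_GOOD_NOTIFY list and the "unnamed BHO" heuristic are assumptions for this demo, and the sample log is constructed from lines in the thread.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example for this thread, not code from the post or from HijackThis.
KNOWN_GOOD_NOTIFY and the "unnamed BHO" heuristic are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines from the fix list above plus two benign entries
# (Adobe BHO, WgaLogon) copied from the later DSS log in the thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\\WINDOWS\\system32\\hggghhi.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\\WINDOWS\\system32\\pmkhi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

# Assumption: Winlogon Notify subkeys a stock Windows XP SP2 box (plus WGA)
# registers itself. Anything else gets a second look.
KNOWN_GOOD_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def _target_missing(target: str) -> bool:
    """HJT marks a dangling registration as '(no file)' or '... (file missing)'."""
    t = target.strip()
    return t == "(no file)" or t.endswith("(file missing)")


def triage(log_text: str) -> list:
    """Return the O2/O20 lines that deserve a 'Fix checked', with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if _target_missing(m["target"]):
                reasons.append("BHO DLL absent from disk (orphaned CLSID)")
        else:
            m = O20_RE.match(line)
            if m:
                if m["name"].lower() not in KNOWN_GOOD_NOTIFY:
                    reasons.append("Winlogon Notify handler not in known-good set")
                if _target_missing(m["target"]):
                    reasons.append("Notify DLL absent from disk (dangling loader in winlogon.exe)")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


def fix_list(log_text: str) -> list:
    """Just the lines, in log order, to tick in HijackThis."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the constructed sample it returns the four hostile entries and leaves the Adobe BHO and WgaLogon alone; on a real log, every O20 name outside the allowlist still deserves a manual look even when its DLL is present.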
Old 05-12-2007, 09:52 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

Thanks again! My pc is doing better and better! You guys are the best!
the logs...

OTMoveIt
C:\WINDOWS\SYSTEM32\ihkmp.bak2 moved successfully.
C:\WINDOWS\SYSTEM32\ihkmp.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\ihkmp.bak1 moved successfully.
C:\WINDOWS\SYSTEM32\accdd.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\rifakdn.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\rifakdn.dll moved successfully.
C:\WINDOWS\SYSTEM32\tz***ke.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\tz***ke.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll moved successfully.
C:\WINDOWS\SYSTEM32\zpcxcyc.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\zpcxcyc.dll moved successfully.
C:\WINDOWS\SYSTEM32\cpiicbc.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\cpiicbc.dll moved successfully.
C:\WINDOWS\system32\accdd.bak2 moved successfully.
C:\WINDOWS\system32\accdd.bak1 moved successfully.
C:\WINDOWS\system32\ywdlat.dll unregistered successfully.
C:\WINDOWS\system32\ywdlat.dll moved successfully.
C:\WINDOWS\system32\xgokgxl.dll unregistered successfully.
C:\WINDOWS\system32\xgokgxl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qvcjvfj.dll
C:\WINDOWS\system32\qvcjvfj.dll NOT unregistered.
C:\WINDOWS\system32\qvcjvfj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\clhrzsb.dll
C:\WINDOWS\system32\clhrzsb.dll NOT unregistered.
C:\WINDOWS\system32\clhrzsb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\dntopsd.dll
C:\WINDOWS\system32\dntopsd.dll NOT unregistered.
C:\WINDOWS\system32\dntopsd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\phyeppn.dll
C:\WINDOWS\system32\phyeppn.dll NOT unregistered.
C:\WINDOWS\system32\phyeppn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nwqajmf.dll
C:\WINDOWS\system32\nwqajmf.dll NOT unregistered.
C:\WINDOWS\system32\nwqajmf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qeeddch.dll
C:\WINDOWS\system32\qeeddch.dll NOT unregistered.
C:\WINDOWS\system32\qeeddch.dll moved successfully.
C:\Program Files\Enigma Software Group moved successfully.
C:\Program Files\Ultimate Cleaner moved successfully.
C:\WINDOWS\system32\jgnxjbj.dll unregistered successfully.
C:\WINDOWS\system32\jgnxjbj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\trdqsad.dll
C:\WINDOWS\system32\trdqsad.dll NOT unregistered.
C:\WINDOWS\system32\trdqsad.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\winuk.dll
C:\WINDOWS\winuk.dll NOT unregistered.
C:\WINDOWS\winuk.dll moved successfully.
C:\WINDOWS\mstasks4.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\mfqwx.dll
C:\WINDOWS\mfqwx.dll NOT unregistered.
C:\WINDOWS\mfqwx.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mfcca.dll
C:\WINDOWS\mfcca.dll NOT unregistered.
C:\WINDOWS\mfcca.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\javamf.dll
C:\WINDOWS\javamf.dll NOT unregistered.
C:\WINDOWS\javamf.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\javago32.dll
C:\WINDOWS\javago32.dll NOT unregistered.
C:\WINDOWS\javago32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ieli.dll
C:\WINDOWS\ieli.dll NOT unregistered.
C:\WINDOWS\ieli.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\hsyua.dll
C:\WINDOWS\hsyua.dll NOT unregistered.
C:\WINDOWS\hsyua.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\crsk32.dll
C:\WINDOWS\crsk32.dll NOT unregistered.
C:\WINDOWS\crsk32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\crge32.dll
C:\WINDOWS\crge32.dll NOT unregistered.
C:\WINDOWS\crge32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\apidx.dll
C:\WINDOWS\apidx.dll NOT unregistered.
C:\WINDOWS\apidx.dll moved successfully.
Folder move failed. C:\Program Files\Common Files\qrwf\qrwfh scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\qrwf\qrwfd\vocabulary scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\qrwf\qrwfd\class-barrel scheduled to be moved on reboot.
C:\Program Files\Common Files\qrwf\qrwfd moved successfully.
C:\Program Files\Common Files\qrwf moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ungpwhe.dll
C:\WINDOWS\system32\ungpwhe.dll NOT unregistered.
C:\WINDOWS\system32\ungpwhe.dll moved successfully.
C:\WINDOWS\system32\rqaatzc.dll unregistered successfully.
C:\WINDOWS\system32\rqaatzc.dll moved successfully.

Created on 05/12/2007 16:52:41

SMITFraud

SmitFraudFix v2.179

Scan done at 17:11:48.39, Sat 05/12/2007
Run from C:\Documents and Settings\Ocha\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\d3??.dll Deleted
C:\DOCUME~1\Ocha\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csvde.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


AVG
(umm... the file is like 1600 lines and the attachment option isn't working for me right now)



Incident Status Location

Adware:adware/ncase Not disinfected c:\temp\salm.log
Adware:adware/searchaid Not disinfected c:\windows\system32\sdknh32.exe
Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Ocha\Application Data\Lycos
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/favoriteman Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/ezula Not disinfected Windows Registry
Adware:Adware/DollarRevenue Not disinfected C:\contacts.pif
Virus:Trj/Agent.EKU Disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Ocha\LOCALS~1\Temp\mst62.tmp
Adware:Adware/WinAntivirus2006 Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Ocha\LOCALS~1\Temp\rtltyckk.dll
Potentially unwanted tool:Application/UltimateDefender Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Ocha\LOCALS~1\Temp\__uia__.exe
Adware:Adware/Yazzle Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\win80A1.tmp.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ocha\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ocha\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Ocha\Desktop\SmitfraudFix\restart.exe
Security Risk:HackTool/Gendel.A Not disinfected C:\gendel32.exe
Adware:Adware/NavHelper Not disinfected C:\Program Files\WAV to MP3 Encoder\NH20040517.4a.EE.exe
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
Virus:Trj/Agent.EKU Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\winrvc32.dll.vir
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22ACTRESS+FROM+OLD+NAVY+COMMERCIAL%22692.xml:xqmkp
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22DOS-J%2243.xml:fqifl
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22HANZO+FAQ%22758.xml:tzajj
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22I+AM+A+BUNNY%222.xml:whsja
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22LETTER+STENCIL%22357.xml:wrcdu
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22MY+LITTLE+FANTASY+MP3%22&422.xml:prjhy
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22SHOOTER+MAKER%22+HELP391.xml:voqiw
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%2788+M6930.xml:tuieu
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_+SITE%3AWWW.CLUB-HARDBALL.COM+AVA177.xml:iapdi
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_+SITE%3AWWW.CLUB-HARDBALL.COM+BLACK&157.xml:xawiy
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_SEVEN+REASONS+WHY+SCORELAND+IS+%231948.xml:aklnd
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_SEVEN+REASONS+WHY+SCORELAND+IS+%231948.xml:cukkd
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_THE+MAID%27S+STORY+DOWNLOAD+HENTAI871.xml:sdbry
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_TOPLOADER+%22TIME+OF+MY+LIFE%22&882.xml:uilcq
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\KB817778.log:katlu
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\KB822603.log:ftpnq
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\OEWABLog.txt:wuujz
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\TWUNK_16(9).EXE:tudxh


Deckard's System Scanner v20070426.43
Run by Ocha on 2007-05-12 at 21:42:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ocha.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:42:20 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ocha\Desktop\dss.exe
C:\DOCUME~1\Ocha\Desktop\Ocha.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 19:45:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 19:45:13 0 d-------- C:\WINDOWS\LastGood
2007-05-10 23:38:15 996 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-10 23:37:31 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-10 23:37:31 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-05-10 23:37:31 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-09 22:56:41 0 d-------- C:\Documents and Settings\Ocha\Application Data\Symantec
2007-05-09 21:06:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-05-09 21:05:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-05-09 21:05:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-05-09 18:49:43 0 d-------- C:\Program Files\Norton 360
2007-05-09 18:44:48 0 d-------- C:\Program Files\Symantec
2007-05-09 18:43:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-05-09 18:41:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 04:18:48 0 dr-h----- C:\$VAULT$.AVG
2007-05-09 03:03:07 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-04 16:35:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\AVG7
2007-05-04 16:34:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-04 16:34:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-04 14:34:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-04-14 03:58:25 0 d-------- C:\Program Files\GUILTY GEAR XX #RELOAD


-- Find3M Report ---------------------------------------------------------------

2007-05-12 20:48:48 0 d-------- C:\Program Files\AIM95
2007-05-11 03:11:09 13358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-09 20:05:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\WeatherBug
2007-05-03 11:37:35 0 d-------- C:\Program Files\WAV to MP3 Encoder
2007-04-26 19:44:01 0 d-------- C:\Program Files\mIRC
2007-04-25 13:12:37 0 d-------- C:\Documents and Settings\Ocha\Application Data\uTorrent
2007-03-23 11:48:49 0 d-------- C:\Program Files\Windows Media Connect 2
2007-03-04 22:22:37 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-03-04 22:22:33 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-03-04 22:22:05 0 --a------ C:\WINDOWS\test
2007-03-04 22:22:04 0 --a------ C:\WINDOWS\sysxr32.dll
2007-03-04 22:21:41 7473 --a------ C:\WINDOWS\plqca.dat
2007-03-04 22:21:38 3547 --a------ C:\WINDOWS\oncsc.dat
2007-03-04 22:21:38 0 --a----c- C:\WINDOWS\ofqd.exe
2007-03-04 22:21:34 0 --a----c- C:\WINDOWS\n_xdrfqf.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aqcvyu.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aakuom.dat
2007-03-04 22:21:33 0 --a----c- C:\WINDOWS\ntiy.dll
2007-03-04 22:21:32 335 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 22:21:32 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-03-04 22:20:55 8192 --a------ C:\WINDOWS\d3dx.dat
2007-03-04 22:19:32 0 --a----c- C:\WINDOWS\b2_t_%22NEKKETSU+KOUHA+KUNIO-KUN
2007-03-03 17:13:06 2 --a------ C:\1145084210
2007-02-19 15:45:33 155648 --a------ C:\WINDOWS\system32\PoporuAgent.exe <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
2007-02-19 15:45:33 106496 --a------ C:\WINDOWS\system32\PoporuAgent.dll <Not Verified; (?) ?? ??????; ??? ?? ?? ????>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bridge"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-12 at 21:43:10 ---------
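Two things in the logs above drive the next set of instructions. In the SmitFraudFix DNS section, control sets CS2 and CS3 carry a static NameServer of 85.255.113.90,85.255.112.5 on the same adapter whose DHCP lease supplies 192.168.10.1, so a hard-coded external resolver is overriding the one the LAN router hands out. In the Panda report, several SearchAid detections sit in NTFS alternate data streams attached to innocuous files (C:\WINDOWS\KB817778.log:katlu and the like); a normal directory listing never shows those streams, which is why ADS Spy is the next step. The block below is an added example for this thread, not code from the post, from SmitFraudFix or from Panda: it parses those two log formats and flags exactly those two conditions. The sample lines are constructed from the logs above; the public-address test and the TOOL_PATHS list are assumptions.

```python
"""Flag DNS overrides in a SmitFraudFix report and alternate-data-stream
hits in a Panda ActiveScan report.

Added example for this thread, not code from the post, SmitFraudFix or Panda.
The public-address test and TOOL_PATHS are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed samples, trimmed from the two logs in the thread.
SMITFRAUD_DNS = """\
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\\SYSTEM\\CS2\\Services\\Tcpip\\..\\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\\SYSTEM\\CS2\\Services\\Tcpip\\..\\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.10.1
"""

PANDA_INCIDENTS = """\
Adware:adware/searchaid Not disinfected c:\\windows\\system32\\sdknh32.exe
Adware:adware/elitebar Not disinfected Windows Registry
Virus:Trj/Agent.EKU Disinfected C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\winrvc32.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\\Documents and Settings\\Ocha\\Desktop\\SmitfraudFix\\Process.exe
Adware:Adware/SearchAid Not disinfected C:\\WINDOWS\\KB817778.log:katlu
Adware:Adware/SearchAid Not disinfected C:\\WINDOWS\\OEWABLog.txt:wuujz
Adware:Adware/SearchAid Not disinfected C:\\WINDOWS\\TWUNK_16(9).EXE:tudxh
"""

DNS_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<hive>\w+)\\Services\\Tcpip\\(?P<iface>[^:]+): "
    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>\S+)$")


def _is_public(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def dns_overrides(report: str) -> list:
    """Per (control set, interface): a static NameServer that differs from
    what DHCP handed out, plus which of those servers are public addresses."""
    seen = defaultdict(lambda: {"dhcp": set(), "static": set()})
    for line in report.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        bucket = "dhcp" if m["key"] == "DhcpNameServer" else "static"
        seen[(m["hive"], m["iface"])][bucket].update(m["servers"].split(","))
    findings = []
    for (hive, iface), s in sorted(seen.items()):
        if s["static"] and s["static"] != s["dhcp"]:
            findings.append({
                "hive": hive, "iface": iface,
                "dhcp": sorted(s["dhcp"]), "static": sorted(s["static"]),
                # Assumption: a home LAN's DHCP resolver is private, so a public
                # static override on the same adapter is the thing to explain.
                "public_override": sorted(x for x in s["static"] if _is_public(x)),
            })
    return findings


PANDA_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>\S+)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$")
# Alternate data stream: a drive-letter path with a second colon and a stream name.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^\\:]+)$")
# Assumption: hits inside these tools' own backup/quarantine areas are copies
# that were already neutralised, not live infections.
TOOL_PATHS = ("c:\\deckard\\", "c:\\qoobox\\", "\\smitfraudfix\\", "combofix.exe", "c:\\_otmoveit\\")


def classify_panda(report: str) -> dict:
    """Bucket each incident location: registry, tool_artifact, ads or file."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        m = PANDA_RE.match(line.strip())
        if not m:
            continue
        loc = m["location"].strip()
        low = loc.lower()
        if low == "windows registry":
            buckets["registry"].append(loc)
        elif any(p in low for p in TOOL_PATHS):
            buckets["tool_artifact"].append(loc)
        elif ADS_RE.match(loc):
            buckets["ads"].append(loc)
        else:
            buckets["file"].append(loc)
    return dict(buckets)


def ads_hosts(report: str) -> list:
    """Files carrying a hidden stream: the ones ADS Spy needs to look at."""
    return sorted({ADS_RE.match(loc)["host"] for loc in classify_panda(report).get("ads", [])})
```

On the constructed sample, dns_overrides reports one adapter in CS2 with both public servers as the override, and ads_hosts returns the three files in C:\WINDOWS that carry a stream. A static NameServer that differs from DHCP is not proof of compromise on its own (a user may have chosen a public resolver), so the function reports the DHCP value alongside it rather than deciding for you.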
Old 05-12-2007, 11:10 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop

Glad to hear it's getting better....You have more work to do.....so, stick with me until we're done, please.

I really would like to view the AVG log.

Make sure you saved it as a text file....if you did not save it separately as a text file, it should be located here:

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports

Attach it in your next reply, or split it into several posts, but I do want to see it.

-------------------------------------------------------------------------



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=-
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"=-


Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), at the end of this fix.

**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.

----------------------------------------------------------------------------------------------------------

Run OTMoveIt again
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\temp\salm.log
    c:\windows\system32\sdknh32.exe
    C:\WINDOWS\sysxr32.dll
    c:\windows\inf\biini.inf
    C:\contacts.pif
    C:\gendel32.exe
    C:\Program Files\WAV to MP3 Encoder\NH20040517.4a.EE.exe
    C:\QooBox


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

-------------------------------------------------------------------------

Next.....

Run ADS Spy
  • Open HijackThis
  • Click on the button " Open the Misc Tools section"
  • Click the button labelled "Open ADSSpy"
  • Make sure "Quick Scan (Windows based folders only)" is unchecked.
  • Make sure "Ignore Safe System Info Streams" is checked.
  • Click the "Scan" button.
  • When it has finished scanning, checkmark/tick all the entries that it found.
  • Click the "remove selected" button, then Click "Yes" at the following prompt.
  • Click the "Scan" button once again.
  • Click the "Save Log" button once this scan is complete. If nothing is found in this second run, no log will be produced.
Please post that log here for review.

-------------------------------------------------------------------------

Next......

Please do this:

Zip up c:\_OTMoveIt\MovedFiles (right click, send to>compressed (zipped) folder) and submit it here:

Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message. You should receive notice right away that the file was successfully submitted.

-------------------------------------------------------------------------

Next....

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

-------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version.
  • After the install is complete, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

---------------------------------------------------------------------------------------------

So, please return with logs from:

AVG AS (attached, or as many posts as it takes)
FixWareout (C:\Fixwareout\report.txt)
OTMoveIt
ADSSpy (if log was produced after second run)
DrWeb (DrWeb.csv)
DSS (main.txt and extra.txt)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 05-12-2007 at 11:13 PM.
Old 05-16-2007, 04:02 PM   #8 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

The attachment option is working again so here's the AVG report. I'd've posted this sooner, but I was away from my comp for a while. I really appreciate the help and I don't wanna appear like I don't appreciate it and am taking your help in stride ('cause it's quite the opposite ^_^). I'm working on the next steps right now so they'll be posted in a bit.
Thanks! You guys are heroes!
-K
Attached Files
File Type: txt Report-Scan-20070512-193134.txt (486.6 KB, 1 views)
Old 05-16-2007, 07:08 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

Upon submission to Bleeping Computer I had to split the file and rearrange some stuff because of that site's 3 MB limit.
ADSSpy produced no log.
I had to rename a few things to .txt so the uploader would allow them.
Thanks!
-k

Deckard's System Scanner v20070426.43
Run by Ocha on 2007-05-16 at 18:56:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
44: 2007-05-17 00:56:24 UTC - RP1440 - Deckard's System Scanner Restore Point
43: 2007-05-17 00:52:11 UTC - RP1439 - Installed Java(TM) SE Runtime Environment 6 Update 1
42: 2007-05-16 04:27:53 UTC - RP1438 - Installed DirectX
41: 2007-05-15 1133 UTC - RP1437 - System Checkpoint
40: 2007-05-12 22:05:45 UTC - RP1436 - System Checkpoint


-- First Restore Point --
1: 2007-04-02 05:23:52 UTC - RP1397 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Ocha.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:56:45 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Ocha\desktop\dss.exe
C:\DOCUME~1\Ocha\Desktop\Ocha.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Ocha\Desktop\backups\) ----------------

backup-20070510-233135-113 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-188 O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-434 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-448 O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
backup-20070510-233135-615 O4 - Startup: .protected
backup-20070510-233135-647 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-781 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-824 O4 - Global Startup: .protected
backup-20070510-233135-835 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070510-233135-914 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-925 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-980 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
backup-20070510-233431-247 O4 - Startup: .protected
backup-20070510-233431-489 O4 - Global Startup: .protected
backup-20070512-171040-388 O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
backup-20070512-171040-484 O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
backup-20070512-171040-783 O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
backup-20070512-171040-878 O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
backup-20070512-171041-114 O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
backup-20070512-171041-580 O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)
backup-20070512-171041-625 O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-05-16 18:52:00 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (D6FYH341-Ocha).job


-- Files created between 2007-04-16 and 2007-05-16 -----------------------------

2007-05-16 16:59:48 0 d-------- C:\Documents and Settings\Ocha\DoctorWeb
2007-05-16 1603 7147 --a------ C:\dnsbak.reg
2007-05-15 22:04:07 0 d-------- C:\Program Files\Illusion
2007-05-12 19:45:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-10 23:38:15 996 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-10 23:37:31 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-10 23:37:31 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-09 22:56:41 0 d-------- C:\Documents and Settings\Ocha\Application Data\Symantec
2007-05-09 2144 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-05-09 21:05:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-05-09 21:05:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-05-09 18:49:43 0 d-------- C:\Program Files\Norton 360
2007-05-09 18:44:48 0 d-------- C:\Program Files\Symantec
2007-05-09 18:43:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-05-09 18:41:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 04:18:48 0 dr-h----- C:\$VAULT$.AVG
2007-05-09 03:03:07 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-04 16:35:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\AVG7
2007-05-04 16:34:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-04 16:34:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-04 14:34:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7


-- Find3M Report ---------------------------------------------------------------

2007-05-16 18:53:09 0 d-------- C:\Program Files\Java
2007-05-16 16:30:10 0 d-------- C:\Program Files\WAV to MP3 Encoder
2007-05-16 02:13:11 13358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-15 21:05:52 0 d-------- C:\Documents and Settings\Ocha\Application Data\uTorrent
2007-05-12 20:48:48 0 d-------- C:\Program Files\AIM95
2007-05-10 18:34:20 0 d-------- C:\Program Files\GUILTY GEAR XX #RELOAD
2007-05-09 20:05:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\WeatherBug
2007-04-26 19:44:01 0 d-------- C:\Program Files\mIRC
2007-03-23 11:48:49 0 d-------- C:\Program Files\Windows Media Connect 2
2007-03-04 22:22:37 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-03-04 22:22:33 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-03-04 22:22:05 0 --a------ C:\WINDOWS\test
2007-03-04 22:21:41 7473 --a------ C:\WINDOWS\plqca.dat
2007-03-04 22:21:38 3547 --a------ C:\WINDOWS\oncsc.dat
2007-03-04 22:21:38 0 --a----c- C:\WINDOWS\ofqd.exe
2007-03-04 22:21:34 0 --a----c- C:\WINDOWS\n_xdrfqf.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aqcvyu.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aakuom.dat
2007-03-04 22:21:33 0 --a----c- C:\WINDOWS\ntiy.dll
2007-03-04 22:21:32 335 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 22:21:32 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-03-04 22:20:55 8192 --a------ C:\WINDOWS\d3dx.dat
2007-03-04 22:19:32 0 --a----c- C:\WINDOWS\b2_t_%22NEKKETSU+KOUHA+KUNIO-KUN
2007-03-03 17:13:06 2 --a------ C:\1145084210
2007-02-19 15:45:33 155648 --a------ C:\WINDOWS\system32\PoporuAgent.exe <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
2007-02-19 15:45:33 106496 --a------ C:\WINDOWS\system32\PoporuAgent.dll <Not Verified; (?) ?? ??????; ??? ?? ?? ????>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bridge"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-16 at 18:57:27 ---------
Attached Files
File Type: txt main.txt (16.6 KB, 1 views)
File Type: txt extra.txt (11.9 KB, 0 views)
File Type: txt DrWeb.txt (17.8 KB, 1 views)
File Type: txt report.txt (1.4 KB, 2 views)
File Type: txt 05162007_163011.txt (1.5 KB, 1 views)

Last edited by tetonbob; 05-16-2007 at 07:44 PM. Reason: posted logs, easier to read in the forum. Thanks.
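The HijackThis log and "Fixed Entries" list above show the two things a helper looks for first: O17 NameServer entries pointing at resolvers the machine should not be using (a DNS hijack) and Winlogon Notify, BHO and service entries whose files are gone. The following script, added here as an example and not part of the thread or of HijackThis, parses lines in that format and applies those rules; the trusted-resolver allowlist and the sample log are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis v1.99.1 log and the
# "Fixed Entries" backup list posted above; the entries are copied from the
# thread, with one clean O20 line kept so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

# Assumed allowlist: the resolvers this machine is expected to use (for a home
# PC, the router or the ISP's DNS). Anything else in an O17 entry is suspect.
TRUSTED_NAMESERVERS = {"192.168.1.1"}  # placeholder value, not from the thread

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")
# HijackThis appends these markers when the referenced file no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O17
    reason: str    # why the line deserves a second look
    line: str      # the raw log line


def parse_entries(text):
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def rogue_nameservers(body, trusted):
    """Return the resolvers in an O17 body that are not on the allowlist."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    return [s for s in m.group("servers").split() if s not in trusted]


def triage(text, trusted=TRUSTED_NAMESERVERS):
    """Apply a few defender's rules to an HJT log and return the findings."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O17":
            rogue = rogue_nameservers(body, trusted)
            if rogue:
                findings.append(Finding(
                    section,
                    "DNS resolver changed to untrusted address(es): " + ", ".join(rogue),
                    line))
        elif section in ("O2", "O20", "O23") and any(mk in body for mk in ORPHAN_MARKERS):
            # Winlogon Notify DLLs, BHOs and services whose file is gone are
            # typical leftovers of a removed infection and should be cleaned up.
            findings.append(Finding(section, "orphaned entry: referenced file is missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```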
Old 05-16-2007, 08:04 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop

Prefer if you post the logs, rather than attach them, unless requested. Easier for me to read. Thanks.

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:


    C:\WINDOWS\NCUNINST.EXE


  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Then repeat as above for the following files in BOLD:

    C:\WINDOWS\plqca.dat
    C:\WINDOWS\oncsc.dat
    C:\WINDOWS\n_aqcvyu.dat
    C:\WINDOWS\n_aakuom.dat
    C:\WINDOWS\system32\PoporuAgent.exe
    C:\WINDOWS\system32\PoporuAgent.dll
  • Once scanned, copy and paste the results in your next reply.

Also, see if you can help identify those same files, by checking their properties.

Right click on those files and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.


---------------------------------------------------------------------------------------------

Any more popups?
Last edited by tetonbob; 05-16-2007 at 08:06 PM.
Old 05-17-2007, 01:29 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

Complete scanning result of "NCUNINST.EXE_", received in VirusTotal at 05.17.2007, 08:19:53 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.17.2007 no virus found
AntiVir 7.4.0.23 05.16.2007 no virus found
Authentium 4.93.8 05.16.2007 no virus found
Avast 4.7.997.0 05.16.2007 no virus found
AVG 7.5.0.467 05.16.2007 no virus found
BitDefender 7.2 05.17.2007 no virus found
CAT-QuickHeal 9.00 05.16.2007 no virus found
ClamAV devel-20070416 05.16.2007 no virus found
DrWeb 4.33 05.17.2007 no virus found
eSafe 7.0.15.0 05.16.2007 no virus found
eTrust-Vet 30.7.3638 05.17.2007 no virus found
Ewido 4.0 05.16.2007 no virus found
FileAdvisor 1 05.17.2007 Not analyzed yet
Fortinet 2.85.0.0 05.17.2007 no virus found
F-Prot 4.3.2.48 05.16.2007 no virus found
F-Secure 6.70.13030.0 05.17.2007 no virus found
Ikarus T3.1.1.7 05.17.2007 no virus found
Kaspersky 4.0.2.24 05.17.2007 no virus found
McAfee 5032 05.16.2007 no virus found
Microsoft 1.2503 05.17.2007 no virus found
NOD32v2 2272 05.17.2007 no virus found
Norman 5.80.02 05.16.2007 no virus found
Panda 9.0.0.4 05.17.2007 no virus found
Prevx1 V2 05.17.2007 no virus found
Sophos 4.17.0 05.16.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.17.2007 no virus found
TheHacker 6.1.6.115 05.15.2007 no virus found
VBA32 3.12.0 05.16.2007 no virus found
VirusBuster 4.3.7:9 05.16.2007 no virus found
Webwasher-Gateway 6.0.1 05.17.2007 no virus found

Aditional Information
File size: 45056 bytes
MD5: eb98cab122336ae48f0dcb464e6ac98c
SHA1: 9975917ab250f8f3e65908f7b2a986a472045988
Bit9 info: http://fileadvisor.bit9.com/services...0dcb464e6ac98c

File Version: 1.0.0.1591
Description: Northern Codeworks Uninstaller
Copyright © 2001
Comment: Visit our web site at www.northcode.com


C:\WINDOWS\plqca.dat
0 bytes size received / Se ha recibido un archivo vacio
(no info via properties)

C:\WINDOWS\oncsc.dat
0 bytes size received / Se ha recibido un archivo vacio
(no info via properties)

C:\WINDOWS\n_aqcvyu.dat
0 bytes size received / Se ha recibido un archivo vacio
(no info via properties)

Complete scanning result of "n_aakuom.dat", received in VirusTotal at 05.17.2007, 08:40:24 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.17.2007 no virus found
AntiVir 7.4.0.23 05.16.2007 TR/Dldr.Agent.BQ
Authentium 4.93.8 05.16.2007 no virus found
Avast 4.7.997.0 05.16.2007 Win32:Trojano-994
AVG 7.5.0.467 05.16.2007 Downloader.Agent.9.BF
BitDefender 7.2 05.17.2007 no virus found
CAT-QuickHeal 9.00 05.16.2007 no virus found
ClamAV devel-20070416 05.16.2007 Trojan.Downloader.Agent-96
DrWeb 4.33 05.17.2007 no virus found
eSafe 7.0.15.0 05.16.2007 no virus found
eTrust-Vet 30.7.3638 05.17.2007 no virus found
Ewido 4.0 05.16.2007 no virus found
FileAdvisor 1 05.17.2007 no virus found
Fortinet 2.85.0.0 05.17.2007 no virus found
F-Prot 4.3.2.48 05.16.2007 no virus found
F-Secure 6.70.13030.0 05.17.2007 no virus found
Ikarus T3.1.1.7 05.17.2007 no virus found
Kaspersky 4.0.2.24 05.17.2007 no virus found
McAfee 5032 05.16.2007 no virus found
Microsoft 1.2503 05.17.2007 no virus found
NOD32v2 2272 05.17.2007 no virus found
Norman 5.80.02 05.16.2007 no virus found
Panda 9.0.0.4 05.17.2007 no virus found
Prevx1 V2 05.17.2007 no virus found
Sophos 4.17.0 05.16.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.17.2007 no virus found
TheHacker 6.1.6.115 05.15.2007 no virus found
VBA32 3.12.0 05.16.2007 no virus found
VirusBuster 4.3.7:9 05.16.2007 no virus found
Webwasher-Gateway 6.0.1 05.17.2007 Trojan.Dldr.Agent.BQ

Aditional Information
File size: 29256 bytes
MD5: 90706b9b95c53a63e0bbc17d32f05ac2
SHA1: c366473baf4db55b34ef6617ebf2f045f61f22d7
(no info via properties)

Complete scanning result of "PoporuAgent.exe", received in VirusTotal at 05.17.2007, 09:02:11 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.17.2007 no virus found
AntiVir 7.4.0.23 05.17.2007 no virus found
Authentium 4.93.8 05.16.2007 no virus found
Avast 4.7.997.0 05.16.2007 no virus found
AVG 7.5.0.467 05.16.2007 no virus found
BitDefender 7.2 05.17.2007 no virus found
CAT-QuickHeal 9.00 05.16.2007 no virus found
ClamAV devel-20070416 05.16.2007 no virus found
DrWeb 4.33 05.17.2007 no virus found
eSafe 7.0.15.0 05.16.2007 no virus found
eTrust-Vet 30.7.3639 05.17.2007 no virus found
Ewido 4.0 05.16.2007 no virus found
FileAdvisor 1 05.17.2007 no virus found
Fortinet 2.85.0.0 05.17.2007 no virus found
F-Prot 4.3.2.48 05.16.2007 no virus found
F-Secure 6.70.13030.0 05.17.2007 no virus found
Ikarus T3.1.1.7 05.17.2007 no virus found
Kaspersky 4.0.2.24 05.17.2007 no virus found
McAfee 5032 05.16.2007 no virus found
Microsoft 1.2503 05.17.2007 no virus found
NOD32v2 2272 05.17.2007 no virus found
Norman 5.80.02 05.16.2007 no virus found
Panda 9.0.0.4 05.17.2007 no virus found
Prevx1 V2 05.17.2007 no virus found
Sophos 4.17.0 05.16.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.17.2007 no virus found
TheHacker 6.1.6.115 05.15.2007 no virus found
VBA32 3.12.0 05.16.2007 no virus found
VirusBuster 4.3.7:9 05.16.2007 no virus found
Webwasher-Gateway 6.0.1 05.17.2007 no virus found

Aditional Information
File size: 155648 bytes
MD5: 1e8e89f302b07dfbb6ebd76008864f16
SHA1: 9b99aa81fc8bfc2b79dea96dec94129c9f64388e

Version: 1.0.0.15
Description: 포포루 게임 설치 프로그램
Copyright: (주) 메가 엔터프라이즈
(Poporu is a Korean program for playing certain fighting arcade games against other players online)

Complete scanning result of "PoporuAgent.dll", received in VirusTotal at 05.17.2007, 09:12:14 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.17.2007 no virus found
AntiVir 7.4.0.23 05.17.2007 no virus found
Authentium 4.93.8 05.16.2007 no virus found
Avast 4.7.997.0 05.16.2007 no virus found
AVG 7.5.0.467 05.16.2007 no virus found
BitDefender 7.2 05.17.2007 no virus found
CAT-QuickHeal 9.00 05.16.2007 no virus found
ClamAV devel-20070416 05.16.2007 no virus found
DrWeb 4.33 05.17.2007 no virus found
eSafe 7.0.15.0 05.16.2007 no virus found
eTrust-Vet 30.7.3639 05.17.2007 no virus found
Ewido 4.0 05.16.2007 no virus found
FileAdvisor 1 05.17.2007 no virus found
Fortinet 2.85.0.0 05.17.2007 no virus found
F-Prot 4.3.2.48 05.16.2007 no virus found
F-Secure 6.70.13030.0 05.17.2007 no virus found
Ikarus T3.1.1.7 05.17.2007 no virus found
Kaspersky 4.0.2.24 05.17.2007 no virus found
McAfee 5032 05.16.2007 no virus found
Microsoft 1.2503 05.17.2007 no virus found
NOD32v2 2272 05.17.2007 no virus found
Norman 5.80.02 05.16.2007 no virus found
Panda 9.0.0.4 05.17.2007 Suspicious file
Prevx1 V2 05.17.2007 no virus found
Sophos 4.17.0 05.16.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.17.2007 no virus found
TheHacker 6.1.6.115 05.15.2007 no virus found
VBA32 3.12.0 05.16.2007 no virus found
VirusBuster 4.3.7:9 05.16.2007 no virus found
Webwasher-Gateway 6.0.1 05.17.2007 no virus found

Aditional Information
File size: 106496 bytes
MD5: cc82626cda6544d6b6d09285404e3e74
SHA1: 86c1bdcedc308353a2dfe51728b826668ac87f0c

Version: 1.0.0.15
Description: 포포루 게임 설치 프로그램
Copyright: (주) 메가 엔터프라이즈

Why... Yes, thank you! The popups stopped a few posts back.
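Reading the VirusTotal tables above means separating real detections from "no virus found", "Not analyzed yet" and "Suspicious file" rows and noting that only some engines name the file. This script, added here as an example and not part of the thread or of VirusTotal, parses a result in that pasted format into a summary; the sample is constructed from rows of the n_aakuom.dat result plus one "Suspicious file" row so every verdict kind is exercised.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the VirusTotal result tables posted above.
# Rows come from the n_aakuom.dat result; the Panda "Suspicious file" row is
# borrowed from the PoporuAgent.dll result so the heuristic case is covered.
SAMPLE_RESULT = """\
Complete scanning result of "n_aakuom.dat", received in VirusTotal at 05.17.2007, 08:40:24 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.17.2007 no virus found
AntiVir 7.4.0.23 05.16.2007 TR/Dldr.Agent.BQ
Avast 4.7.997.0 05.16.2007 Win32:Trojano-994
AVG 7.5.0.467 05.16.2007 Downloader.Agent.9.BF
ClamAV devel-20070416 05.16.2007 Trojan.Downloader.Agent-96
FileAdvisor 1 05.17.2007 Not analyzed yet
Panda 9.0.0.4 05.17.2007 Suspicious file
Webwasher-Gateway 6.0.1 05.17.2007 Trojan.Dldr.Agent.BQ

Aditional Information
File size: 29256 bytes
MD5: 90706b9b95c53a63e0bbc17d32f05ac2
SHA1: c366473baf4db55b34ef6617ebf2f045f61f22d7
"""

HEADER_RE = re.compile(r'Complete scanning result of "(?P<name>[^"]+)"')
# engine, version and update date carry no spaces in this format; the verdict
# is everything after the mm.dd.yyyy update date.
ROW_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<update>\d\d\.\d\d\.\d{4}) (?P<result>.+)$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1): (?P<digest>[0-9a-f]+)$")

CLEAN = "no virus found"
UNAVAILABLE = "Not analyzed yet"
HEURISTIC = "Suspicious file"


@dataclass
class Summary:
    filename: str = ""
    hashes: dict = field(default_factory=dict)      # "MD5"/"SHA1" -> digest
    detections: dict = field(default_factory=dict)  # engine -> family name
    heuristic: list = field(default_factory=list)   # generic "suspicious" verdicts
    unavailable: list = field(default_factory=list) # engines that gave no verdict
    clean: list = field(default_factory=list)

    @property
    def engines_with_verdict(self):
        return len(self.detections) + len(self.heuristic) + len(self.clean)

    def ratio(self):
        """Detection ratio as shown on the VirusTotal page, e.g. '5/7'."""
        return f"{len(self.detections)}/{self.engines_with_verdict}"


def parse_virustotal(text):
    """Parse one pasted VirusTotal result block into a Summary."""
    s = Summary()
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            s.filename = m.group("name")
            continue
        m = HASH_RE.match(line)
        if m:
            s.hashes[m.group("algo")] = m.group("digest")
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # column header, blank line, file size, etc.
        engine, result = m.group("engine"), m.group("result")
        if result == CLEAN:
            s.clean.append(engine)
        elif result == UNAVAILABLE:
            s.unavailable.append(engine)
        elif result == HEURISTIC:
            s.heuristic.append(engine)
        else:
            s.detections[engine] = result
    return s


def partial_detection(summary):
    """True when some, but not all, engines name the file: the case where
    the helper in this thread asks for a sample so the others can catch up."""
    return 0 < len(summary.detections) < summary.engines_with_verdict


if __name__ == "__main__":
    s = parse_virustotal(SAMPLE_RESULT)
    print(f"{s.filename}: {s.ratio()} detections, MD5 {s.hashes.get('MD5')}")
    for engine, family in s.detections.items():
        print(f"  {engine}: {family}")
    print("submit as sample:", partial_detection(s))
```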
Old 05-17-2007, 09:15 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop

Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
C:\WINDOWS\n_aakuom.dat
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 05-17-2007, 02:42 PM   #13 (permalink)
Registered User
Join Date: Mar 2007
Posts: 17
OS: XP


Re: Crazy Popups and Spyware now no Desktop

Sent .cab file!
-k
Old 05-17-2007, 07:06 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop

Hello, Kicks -

The cab file is empty.

Can you please boot into safe mode, and have SFP pack the file in there?

Let's grab another file while we're at it....

Run Suspicious File Packer

Paste the following list of bad files into the Suspicious File Packer window:
C:\WINDOWS\n_aqcvyu.dat
C:\WINDOWS\n_aakuom.dat
Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Restart in normal mode.

Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
and include a link to this topic in the message.
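The procedure in the two posts above (list the suspect paths, have Suspicious File Packer collect them into one archive, submit it) failed silently the first time: the archive came back empty, most likely because the file could not be read in normal mode. The following added example is not part of the thread and not SFP's own code; it reproduces the packing step with the standard library (zip instead of CAB, an assumption made so it runs anywhere) and adds the check a practitioner would want, namely a manifest that records each listed path as packed, missing or unreadable, together with the size, MD5 and SHA1 that the scan report above lists for the sample, so an empty archive is noticed before it is submitted. File names are taken from the thread; the file contents are constructed stand-ins, not the real sample.

```python
"""Pack a list of suspected files for malware submission and verify what
actually went into the archive.

Added example: not from the original thread and not Suspicious File Packer's
own code. It mimics what SFP does (collect the listed files into one archive)
and adds the check the thread shows is missing: every listed path is reported
as packed, missing, or unreadable, so an empty archive is noticed before it is
sent. Zip is used instead of CAB as an assumption, so the example runs offline.
"""
import hashlib
import os
import tempfile
import zipfile


def hash_file(path, chunk=65536):
    """Return (size, md5, sha1) for a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha1.hexdigest()


def pack_suspects(paths, archive_path):
    """Copy each readable path into archive_path and return a manifest.

    The manifest maps the original path to a dict whose 'status' is 'packed'
    (with size, md5, sha1) or 'missing' / 'unreadable' (with the error text).
    Nothing is skipped silently: a caller can refuse to submit an archive with
    no 'packed' entries, which is the "cab file is empty" case in the thread.
    """
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            try:
                size, md5, sha1 = hash_file(p)
            except FileNotFoundError as e:
                manifest[p] = {"status": "missing", "error": str(e)}
                continue
            except OSError as e:  # PermissionError and locked files land here
                manifest[p] = {"status": "unreadable", "error": str(e)}
                continue
            # Store under the basename so the archive does not leak the full path.
            zf.write(p, arcname=os.path.basename(p))
            manifest[p] = {"status": "packed", "size": size,
                           "md5": md5, "sha1": sha1}
    return manifest


def packed_count(manifest):
    """Number of files that really made it into the archive."""
    return sum(1 for v in manifest.values() if v["status"] == "packed")


def matches_report(entry, size, md5, sha1):
    """True if a packed manifest entry matches the size/MD5/SHA1 of a scan report."""
    return (entry.get("status") == "packed" and entry["size"] == size
            and entry["md5"] == md5 and entry["sha1"] == sha1)


def demo():
    """Constructed sample: one readable file and one path that does not exist.

    The names come from the thread; the content is a 1024-byte stand-in and
    the absent file simulates the locked or hidden file from the first attempt.
    """
    d = tempfile.mkdtemp()
    good = os.path.join(d, "n_aakuom.dat")
    with open(good, "wb") as f:
        f.write(b"MZ" + b"\x00" * 1022)  # constructed content, not the real sample
    missing = os.path.join(d, "n_aqcvyu.dat")  # never created on purpose
    archive = os.path.join(d, "submission.zip")
    manifest = pack_suspects([good, missing], archive)
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
    return manifest, names, good, missing


if __name__ == "__main__":
    manifest, names, good, missing = demo()
    for path, entry in manifest.items():
        print(path, entry)
    if packed_count(manifest) == 0:
        print("archive is empty, do not submit")
```

When a path comes back as unreadable, the fix is the one tetonbob gives: pack it from Safe Mode, where the process holding the file or the driver hiding it is not loaded. `matches_report` is there to confirm that what you packed is the same object the scan report describes before you send it.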
Copyright 2001 - 2009, Tech Support Forum