Smitfraud-C.CoreService/Virtumonde plus Pop-ups

Cheeseman82 · 06-08-2007, 10:45 PM

When I run Spybot it detects Smitfraud-C.CoreService and also Virtumonde but can never rid it self completely of either. Smithfraud has a registry key which I can not be rid of though I did get rid of two Smithfraud files in safe mode. Virtumonde keeps finding files such as efcyyaa.dll and jkkjh.dll but I can not delete them even in safe mode. This is all set off by the fact that after going at least a full year without dealing with pop-ups, they starting appearing very frequently. Not constantly, but enough "pop up" that it's incredibly annoying. I hope all this helps. Thanks in advance. I have followed the 5 advance steps and here is what I've come up with:

Deckard's System Scanner v20070603.47
Run by Al on 2007-06-09 at 00:28:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).

-- Last 3 Restore Point(s) --
3: 2007-03-02 09:40:49 UTC - RP4 - Spybot-S&D Spyware removal
2: 2007-03-02 08:08:33 UTC - RP3 - Removed Picture Package
1: 2007-03-02 08:06:06 UTC - RP2 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Al.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:29:26 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\csifcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Al\Desktop\dss.exe
C:\HIJACK~1\Al.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mpreg.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {298055D4-B816-4B31-B5BF-F172CB3F802F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\efcyyaa.dll
O2 - BHO: (no name) - {4047280F-8E46-48B9-9DCA-63386F83852E} - C:\WINDOWS\system32\vturp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: 0 - {63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA} - C:\Program Files\Online Services\labunufix.dll (file missing)
O2 - BHO: (no name) - {7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {8B464CFF-03C6-4269-B1B3-985BA8255D5A} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B7234532-3EAE-40FC-A636-616F71C6FBBE} - C:\Program Files\Internet Explorer\hopeted.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ktjaxvkq.dll
O2 - BHO: (no name) - {EC30F156-DA40-437F-B4D8-351B40FBA5A6} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\wjeokphq.dll",realset
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O20 - Winlogon Notify: efcdaab - efcdaab.dll (file missing)
O20 - Winlogon Notify: efcyyaa - C:\WINDOWS\SYSTEM32\efcyyaa.dll
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: hggfggf - hggfggf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: khffddd - khffddd.dll (file missing)
O20 - Winlogon Notify: mljihff - mljihff.dll (file missing)
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing)
O20 - Winlogon Notify: qomlmkh - qomlmkh.dll (file missing)
O20 - Winlogon Notify: qommlmj - qommlmj.dll (file missing)
O20 - Winlogon Notify: rqrqonn - rqrqonn.dll (file missing)
O20 - Winlogon Notify: ssqromn - ssqromn.dll (file missing)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)
O20 - Winlogon Notify: tuvtspq - tuvtspq.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINDOWS\system32\vturp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyyvwt - xxyyvwt.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Unknown owner - C:\WINDOWS\csifcsvc.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\cjnr4r4jdwqjhbvp.exe (file missing)

-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20070608-072044-141 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
backup-20070608-072044-276 R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
backup-20070608-072044-451 O3 - Toolbar: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - C:\Program Files\Myspace Toolbar\mspace.dll (file missing)
backup-20070608-072044-736 R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
backup-20070608-072047-929 O9 - Extra button: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - C:\Program Files\Myspace Toolbar\mspace.dll (file missing)
backup-20070608-072048-281 O9 - Extra 'Tools' menuitem: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - C:\Program Files\Myspace Toolbar\mspace.dll (file missing)
backup-20070608-072253-387 O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
backup-20070608-072253-593 O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
backup-20070608-072253-754 O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\cjnr4r4jdwqjhbvp.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>

S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 npkcrypt - c:\program files\gravity\ro2\npkcrypt.sys (file missing)
S3 PciTest (WinMTA PCI Service) - c:\windows\system32\drivers\pcitest.sys <Not Verified; Intel Corporation; Intel® Modular Test Architecture>
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>
S3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 WTime - c:\windows\system32\timedrv26.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 FCPrintService (FileCabinet Solution Print Service) - c:\windows\csifcsvc.exe

S2 HODSrv (HID Output Service) - "c:\windows\system32\hpsvc.exe" (file missing)
S2 Time (Time Service) - c:\windows\system32\cjnr4r4jdwqjhbvp.exe (file missing)
S4 Net Agent - c:\windows\dls0523pmw.exe (file missing)

-- Scheduled Tasks -------------------------------------------------------------

2007-06-08 21:02:00 358 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-06-06 22:07:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-05-09 and 2007-06-09 -----------------------------

2007-06-09 00:20:47 58420 --a------ C:\WINDOWS\system32\ktjaxvkq.dll
2007-06-08 23:57:07 1836427 ---hs---- C:\WINDOWS\system32\prutv.bak1
2007-06-08 23:56:45 263220 ---hs---- C:\WINDOWS\system32\vturp.dll
2007-06-08 23:36:54 0 d-------- C:\WINDOWS\network diagnostic
2007-06-08 07:33:45 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-08 07:24:25 0 d-------- C:\HijackThis
2007-06-08 06:38:46 131124 --a------ C:\WINDOWS\system32\wjeokphq.dll
2007-06-08 00:31:20 1840863 ---hs---- C:\WINDOWS\system32\hjkkj.bak2
2007-06-07 19:43:54 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-06-07 19:43:54 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-06-07 19:43:54 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-06-07 19:43:54 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-06-07 19:43:54 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-06-07 19:43:54 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-06-07 19:43:54 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-06-07 19:43:54 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-06-07 19:43:54 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-06-07 19:43:54 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-06-07 19:43:54 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-06-07 19:43:54 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-06-07 19:43:54 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-06-07 19:43:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-06-07 19:43:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-06-07 19:43:54 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-06-07 19:43:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-06-07 19:43:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-06-07 19:43:53 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-06-07 00:32:07 55316 --a------ C:\WINDOWS\system32\byrcfvcp.dll
2007-06-07 00:29:50 1836461 ---hs---- C:\WINDOWS\system32\hjkkj.bak1
2007-06-06 01:28:49 1612798 ---hs---- C:\WINDOWS\system32\jjjlm.bak1
2007-06-06 00:19:53 0 d-------- C:\Documents and Settings\Al\Application Data\Grisoft
2007-06-05 23:16:05 1612949 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-06-05 03:45:29 0 d-------- C:\Documents and Settings\Al\Application Data\AVG7
2007-06-05 03:44:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-06-05 03:44:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-06-05 03:44:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-06-04 23:24:30 131124 --a------ C:\WINDOWS\system32\vtxphlul.dll
2007-06-04 06:12:20 3264 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-04 00:51:09 0 d-------- C:\Documents and Settings\Sal Crocker\Application Data\Real
2007-06-03 23:44:31 131124 --a------ C:\WINDOWS\system32\futmviis.dll
2007-06-03 03:44:25 0 d-------- C:\ijji
2007-06-02 03:16:07 72192 --a------ C:\WINDOWS\system32\zlib.dll <Not Verified; ; ZLib.DLL>
2007-06-02 03:16:06 169017 --a------ C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
2007-06-02 03:14:09 34816 --a------ C:\WINDOWS\rau001978.exe
2007-06-02 03:13:07 0 d-------- C:\WINDOWS\system32\TQ0
2007-06-02 03:13:07 0 d-------- C:\WINDOWS\system32\T7
2007-06-02 03:13:07 0 d-------- C:\WINDOWS\system32\T6
2007-06-02 03:13:07 0 d-------- C:\WINDOWS\system32\T4
2007-06-02 03:13:07 0 d-------- C:\WINDOWS\system32\T3
2007-06-02 03:13:07 0 d-------- C:\WINDOWS\system32\pog
2007-06-02 03:12:45 0 d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-30 05:47:35 0 d-------- C:\Documents and Settings\Al\Application Data\DivX
2007-05-26 04:26:04 50745 --a------ C:\WINDOWS\system32\tifkatde.dll
2007-05-24 04:24:14 132660 --a------ C:\WINDOWS\system32\mvnfpwyv.dll
2007-05-11 00:37:15 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-05-11 00:37:15 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-11 00:37:15 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-11 00:37:15 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>

-- Find3M Report ---------------------------------------------------------------

2007-06-08 09:00:20 0 d-------- C:\Program Files\Winamp
2007-06-08 08:59:56 0 d-------- C:\Program Files\WinAce
2007-06-08 08:53:57 0 d-------- C:\Program Files\iTunes
2007-06-08 08:53:06 0 d-------- C:\Program Files\eMachines Bay Reader
2007-06-08 08:50:45 0 d-------- C:\Program Files\ALPlaybackPack
2007-06-08 08:50:45 0 d-------- C:\Program Files\AIM6
2007-06-08 08:49:05 0 d-------- C:\Program Files\AC3Filter
2007-06-08 02:18:46 0 d-------- C:\Program Files\mIRC
2007-06-08 01:30:11 0 d-------- C:\Program Files\SpywareBlaster
2007-06-06 23:58:48 0 d-------- C:\Program Files\World of Warcraft
2007-06-06 23:22:58 25306 --a------ C:\WINDOWS\mozver.dat
2007-06-04 23:24:27 1622736 --ahs---- C:\WINDOWS\system32\cbeeg.bak2
2007-06-03 23:23:38 1617756 --ahs---- C:\WINDOWS\system32\cbeeg.bak1
2007-06-02 03:22:48 0 d-------- C:\Program Files\StepMania
2007-06-02 03:22:41 0 d-------- C:\Program Files\QuickTime
2007-06-02 03:22:35 0 d-------- C:\Program Files\HP
2007-06-02 03:22:34 0 d-------- C:\Program Files\CompuServe 7.0
2007-06-02 03:22:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-02 03:22:32 0 d-------- C:\Program Files\Common Files\csshare
2007-06-02 03:22:30 0 d-------- C:\Program Files\Ares
2007-05-30 05:45:34 0 d-------- C:\Program Files\DivX
2007-05-09 15:25:41 0 d-------- C:\Program Files\Common Files\AOL
2007-05-07 00:50:16 0 d-------- C:\Documents and Settings\Al\Application Data\Real
2007-05-07 00:46:50 0 d-------- C:\Program Files\Common Files\xing shared
2007-05-07 00:46:19 0 d-------- C:\Program Files\Common Files\Real
2007-05-06 23:41:43 0 d-------- C:\Documents and Settings\Al\Application Data\AOL
2007-04-22 20:15:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-22 20:02:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-04-22 20:02:34 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-04-22 20:01:47 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-13 18:42:02 26714 -----n--- C:\WINDOWS\system32\efcyyaa.dll
2007-04-06 14:35:47 31844 --a------ C:\WINDOWS\system32\mljgg.exe
2007-03-30 22:06:34 11320 --a------ C:\WINDOWS\system32\awtsq.exe
2007-03-29 18:40:28 18580 --a------ C:\WINDOWS\system32\vtutq.exe

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{298055D4-B816-4B31-B5BF-F172CB3F802F} C:\WINDOWS\system32\sstqq.dll [x]
{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} C:\WINDOWS\system32\efcyyaa.dll
{4047280F-8E46-48B9-9DCA-63386F83852E} C:\WINDOWS\system32\vturp.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA} C:\Program Files\Online Services\labunufix.dll [x]
{7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23} C:\WINDOWS\system32\mljjj.dll [x]
{8B464CFF-03C6-4269-B1B3-985BA8255D5A} C:\WINDOWS\system32\geebc.dll [x]
{B7234532-3EAE-40FC-A636-616F71C6FBBE} C:\Program Files\Internet Explorer\hopeted.dll [x]
{E12BFF69-38A7-406e-A8EF-2738107A7831} C:\WINDOWS\system32\ktjaxvkq.dll
{EC30F156-DA40-437F-B4D8-351B40FBA5A6} C:\WINDOWS\system32\jkkjh.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunKistEM"="C:\\Program Files\\eMachines Bay Reader\\shwiconem.exe"
"CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"ApachInc"="rundll32.exe \"C:\\WINDOWS\\system32\\wjeokphq.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{E000E1C3-0A6A-1033-0603-041025200001}"="\"C:\\Program Files\\Common Files\\{E000E1C3-0A6A-1033-0603-041025200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaab
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyyaa
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfggf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffddd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihff
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommlmj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqonn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqromn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvwt

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

-- End of Deckard's System Scanner: finished at 2007-06-09 at 00:30:34 ---------

Also, here is what Panda Activescan found:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\efcyyaa.dll
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/portalscan Not disinfected c:\windows\bundles\bs5-vwqouc.exe
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Al\Application Data\tvmcwrd.dll
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Profiles\default\8i2bdhk7.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Profiles\default\8i2bdhk7.slt\cookies.txt[.maxserving.com/]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Al\Application Data\Mozilla\Profiles\default\8i2bdhk7.slt\cookies.txt[rightmedia.net/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Al\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-58539930.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Al\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-58539930.zip[Matrix.class]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Al\Cookies\al@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Al\Cookies\al@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Al\Cookies\al@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Al\Cookies\al@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Al\Cookies\al@btg.btgrab[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Al\Cookies\al@entrepreneur[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Al\Cookies\al@go[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Al\Cookies\al@offeroptimizer[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Al\Cookies\al@target[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Family\Cookies\family@64.62.232[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Family\Cookies\family@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Family\Cookies\family@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Family\Cookies\family@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Family\Cookies\family@dist.belnk[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Family\Cookies\family@go[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Family\Cookies\family@kount[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Family\Cookies\family@offeroptimizer[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Family\Cookies\family@rightmedia[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Guest\Cookies\guest@c3.gostats[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Guest\Cookies\guest@did-it[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Guest\Cookies\guest@go[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Guest\Cookies\guest@rightmedia[2].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Guest\Cookies\guest@spywarestormer[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Guest\Cookies\guest@www.affiliatefuel[1].txt
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\03V3ISLP\moves.nudepublics[1].htm
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\68AXNHCS\prompt[1].php
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\KLGPMVC9\prompt[1].php
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\UNYJMXUJ\big-****.tinytits4u[1].htm
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ZQN5X9ZV\prompt[1].php
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ZQN5X9ZV\unlvgodjlyrics[1].htm
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4QTAFQ07\drsmart7[1].zip
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sal Crocker\Application Data\Mozilla\Firefox\Profiles\43huyf91.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sal Crocker\Cookies\sal crocker@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Sal Crocker\Cookies\sal crocker@azjmp[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Sal Crocker\Cookies\sal crocker@ct.360i[1].txt
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
Adware:Adware/NewAds Not disinfected C:\WINDOWS\hostsmgr.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\rau001978.exe
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\auideiaa.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtsq.exe
Potentially unwanted tool:Application/WebRecorder Not disinfected C:\WINDOWS\system32\btv_1006.exe[btv.exe]
Adware:Adware/BroadcastPC Not disinfected C:\WINDOWS\system32\btv_1006.exe[btvclean.exe]
Adware:Adware/BroadcastPC Not disinfected C:\WINDOWS\system32\btv_1006.exe[breg_inst.exe]
Adware:Adware/BroadcastPC Not disinfected C:\WINDOWS\system32\btv_1006.exe[breg_inst.exe][breg.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcdbcc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\futmviis.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljgg.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mvnfpwyv.dll
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\oiqtfklq.exe
Virus:Trj/Deldir.A Disinfected C:\WINDOWS\system32\oobe\emachines\Preinstall.cmd
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tifkatde.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtutq.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll_tobedeleted

sUBs · 06-09-2007, 12:23 AM

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Cheeseman82 · 06-09-2007, 01:15 AM

Done and done. Here is the ComboFix log followed by the fresh HijackThis log.

ComboFix 07-06-09.1 - C:\Documents and Settings\Al\Desktop\ComboFix.exe
"Al" - 2007-06-09 2:45:51 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\futmviis.dll
C:\WINDOWS\system32\mvnfpwyv.dll
C:\WINDOWS\system32\tifkatde.dll
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\vtxphlul.dll
C:\WINDOWS\system32\wjeokphq.dll
C:\WINDOWS\system32\siivmtuf.ini
C:\WINDOWS\system32\vywpfnvm.ini
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\prutv.ini
C:\WINDOWS\system32\lulhpxtv.ini
C:\WINDOWS\system32\qhpkoejw.ini
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.tmp
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak2
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\prutv.ini
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\efcyyaa.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Al\APPLIC~1.\macromedia\Flash Player\#SharedObjects\CCUSPGT5\www.broadcaster.com
C:\DOCUME~1\Al\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Al\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\core
-------\Net Agent

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-09 02:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 00:27 <DIR> d-------- C:\Deckard
2007-06-09 00:20 58,420 --a------ C:\WINDOWS\system32\ktjaxvkq.dll
2007-06-08 23:36 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-08 07:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-08 07:24 <DIR> d-------- C:\HijackThis
2007-06-07 19:43 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-06-07 00:32 55,316 --a------ C:\WINDOWS\system32\byrcfvcp.dll
2007-06-06 01:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-06 00:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 06:12 3,264 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-04 00:51 <DIR> d-------- C:\DOCUME~1\SALCRO~1\APPLIC~1\Real
2007-06-03 03:44 <DIR> d-------- C:\ijji
2007-06-02 03:16 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-06-02 03:16 169,017 --a------ C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
2007-06-02 03:13 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-02 03:13 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-02 03:13 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-02 03:12 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-02 03:12 <DIR> d-------- C:\TEMP\x2b
2007-05-30 05:47 <DIR> d-------- C:\DOCUME~1\Al\APPLIC~1\DivX
2007-05-30 05:44 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-30 05:44 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-30 05:44 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-05-11 13:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 00:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 00:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 13:00:20 -------- d-----w C:\Program Files\Winamp
2007-06-08 12:59:56 -------- d-----w C:\Program Files\WinAce
2007-06-08 12:53:57 -------- d-----w C:\Program Files\iTunes
2007-06-08 12:53:06 -------- d-----w C:\Program Files\eMachines Bay Reader
2007-06-08 12:50:45 -------- d-----w C:\Program Files\ALPlaybackPack
2007-06-08 12:50:45 -------- d-----w C:\Program Files\AIM6
2007-06-08 12:49:05 -------- d-----w C:\Program Files\AC3Filter
2007-06-08 06:18:46 -------- d-----w C:\Program Files\mIRC
2007-06-08 05:30:11 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-07 03:58:48 -------- d-----w C:\Program Files\World of Warcraft
2007-06-07 03:22:58 25,306 ----a-w C:\WINDOWS\mozver.dat
2007-06-02 07:22:48 -------- d-----w C:\Program Files\StepMania
2007-06-02 07:22:41 -------- d-----w C:\Program Files\QuickTime
2007-06-02 07:22:35 -------- d-----w C:\Program Files\HP
2007-06-02 07:22:34 -------- d-----w C:\Program Files\CompuServe 7.0
2007-06-02 07:22:33 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-02 07:22:32 -------- d-----w C:\Program Files\Common Files\csshare
2007-06-02 07:22:30 -------- d-----w C:\Program Files\Ares
2007-05-30 09:45:34 -------- d-----w C:\Program Files\DivX
2007-05-09 19:25:41 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-07 04:50:16 -------- d-----w C:\DOCUME~1\Al\APPLIC~1\Real
2007-05-07 04:46:50 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-07 04:46:19 -------- d-----w C:\Program Files\Common Files\Real
2007-05-07 03:41:43 -------- d-----w C:\DOCUME~1\Al\APPLIC~1\AOL
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:24 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-06 18:35:47 31,844 ----a-w C:\WINDOWS\system32\mljgg.exe
2007-03-31 02:06:34 11,320 ----a-w C:\WINDOWS\system32\awtsq.exe
2007-03-29 22:40:28 18,580 ----a-w C:\WINDOWS\system32\vtutq.exe
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-02-15 18:50:00 22,682 --sha-w C:\WINDOWS\system32\ddcdbcc.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{298055D4-B816-4B31-B5BF-F172CB3F802F}=C:\WINDOWS\system32\sstqq.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA}=C:\Program Files\Online Services\labunufix.dll []
{7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23}=C:\WINDOWS\system32\mljjj.dll []
{8B464CFF-03C6-4269-B1B3-985BA8255D5A}=C:\WINDOWS\system32\geebc.dll []
{B7234532-3EAE-40FC-A636-616F71C6FBBE}=C:\Program Files\Internet Explorer\hopeted.dll []
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\ktjaxvkq.dll [2007-06-09 00:20]
{EC30F156-DA40-437F-B4D8-351B40FBA5A6}=C:\WINDOWS\system32\jkkjh.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-12 08:18]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-07 00:44]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 03:44]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 08:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 11:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaab]
efcdaab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfggf]
hggfggf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh]
C:\WINDOWS\system32\jkkjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffddd]
khffddd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihff]
mljihff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj]
C:\WINDOWS\system32\mljjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk]
opnmmlk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmkh]
qomlmkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommlmj]
qommlmj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqonn]
rqrqonn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqromn]
ssqromn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq]
C:\WINDOWS\system32\sstqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspq]
tuvtspq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvwt]
xxyyvwt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-07 02:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 05:02:04 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 03:05:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 3:08:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 03:07

--- E O F ---

-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:10:19 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\csifcsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {298055D4-B816-4B31-B5BF-F172CB3F802F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: 0 - {63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA} - C:\Program Files\Online Services\labunufix.dll (file missing)
O2 - BHO: (no name) - {7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {8B464CFF-03C6-4269-B1B3-985BA8255D5A} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B7234532-3EAE-40FC-A636-616F71C6FBBE} - C:\Program Files\Internet Explorer\hopeted.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ktjaxvkq.dll
O2 - BHO: (no name) - {EC30F156-DA40-437F-B4D8-351B40FBA5A6} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O20 - Winlogon Notify: efcdaab - efcdaab.dll (file missing)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: hggfggf - hggfggf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: khffddd - khffddd.dll (file missing)
O20 - Winlogon Notify: mljihff - mljihff.dll (file missing)
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing)
O20 - Winlogon Notify: qomlmkh - qomlmkh.dll (file missing)
O20 - Winlogon Notify: qommlmj - qommlmj.dll (file missing)
O20 - Winlogon Notify: rqrqonn - rqrqonn.dll (file missing)
O20 - Winlogon Notify: ssqromn - ssqromn.dll (file missing)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)
O20 - Winlogon Notify: tuvtspq - tuvtspq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyyvwt - xxyyvwt.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Unknown owner - C:\WINDOWS\csifcsvc.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\cjnr4r4jdwqjhbvp.exe (file missing)

sUBs · 06-09-2007, 01:23 AM

Go to Control Panel > Add/Remove Programs.
Check if you have this entry - MyCleanerPC
If it's there, uninstall it & then reboot

After you have done that let me know if this folder, C:\ijji was created by you.

Cheeseman82 · 06-09-2007, 01:29 AM

I checked and MyCleanerPC was not installed. Also, that folder is from an online game I play called Gunz. It's just the name of the website.

sUBs · 06-09-2007, 01:36 AM

Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\mljgg.exe
C:\WINDOWS\system32\vtutq.exe
C:\WINDOWS\system32\ddcdbcc.dll
C:\WINDOWS\system32\ktjaxvkq.dll
C:\WINDOWS\system32\byrcfvcp.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

-----------

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {298055D4-B816-4B31-B5BF-F172CB3F802F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: 0 - {63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA} - C:\Program Files\Online Services\labunufix.dll (file missing)
O2 - BHO: (no name) - {7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {8B464CFF-03C6-4269-B1B3-985BA8255D5A} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {B7234532-3EAE-40FC-A636-616F71C6FBBE} - C:\Program Files\Internet Explorer\hopeted.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ktjaxvkq.dll
O2 - BHO: (no name) - {EC30F156-DA40-437F-B4D8-351B40FBA5A6} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: efcdaab - efcdaab.dll (file missing)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: hggfggf - hggfggf.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: khffddd - khffddd.dll (file missing)
O20 - Winlogon Notify: mljihff - mljihff.dll (file missing)
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing)
O20 - Winlogon Notify: qomlmkh - qomlmkh.dll (file missing)
O20 - Winlogon Notify: qommlmj - qommlmj.dll (file missing)
O20 - Winlogon Notify: rqrqonn - rqrqonn.dll (file missing)
O20 - Winlogon Notify: ssqromn - ssqromn.dll (file missing)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)
O20 - Winlogon Notify: tuvtspq - tuvtspq.dll (file missing)
O20 - Winlogon Notify: xxyyvwt - xxyyvwt.dll (file missing)

---------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\mljgg.exe
C:\WINDOWS\system32\vtutq.exe
C:\WINDOWS\system32\ddcdbcc.dll
C:\WINDOWS\system32\ktjaxvkq.dll
C:\WINDOWS\system32\byrcfvcp.dll
C:\WINDOWS\system32\mcpcuninstaller1_25.EXE

Folder::
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T1QaSQ
C:\TEMP\x2b

Drivers::
HODSrv
Time

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaab]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfggf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffddd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihff]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmkh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommlmj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqonn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqromn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvwt]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time]

Save this as ComboFix-Do.txt

Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log

---------------

Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. We only require a report from it.
It does not provide an option to clean/disinfect.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------

In your next post, please include fresh logs from:

Fresh Hijackthis log taken just before replying

Online scan

ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

sUBs · 06-09-2007, 01:36 AM

This is to be performed after you have posted the required logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Cheeseman82 · 06-09-2007, 03:57 AM

My computer is doing better now (No more pop-ups). Thanks a ton fine sir. Below are the requested logs in the order you asked for them above.

Logfile of HijackThis v1.99.1
Scan saved at 5:56:18 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\csifcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Unknown owner - C:\WINDOWS\csifcsvc.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\cjnr4r4jdwqjhbvp.exe (file missing)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 09, 2007 5:51:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/06/2007
Kaspersky Anti-Virus database records: 341561
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 121628
Number of viruses found: 24
Number of infected objects: 49
Number of suspicious objects: 10
Duration of the scan process: 01:36:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\cert8.db Object is locked skipped
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\history.dat Object is locked skipped
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\key3.db Object is locked skipped
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\parent.lock Object is locked skipped
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Al\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-58539930.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Al\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-58539930.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Al\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\requested-files[2007-06-09_03_38].cab/C:/WINDOWS/system32/ddcdbcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\requested-files[2007-06-09_03_38].cab/C:/WINDOWS/system32/ktjaxvkq.dll Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\requested-files[2007-06-09_03_38].cab/C:/WINDOWS/system32/byrcfvcp.dll Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\requested-files[2007-06-09_03_38].cab CAB: infected - 3 skipped
C:\Documents and Settings\Al\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Al\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Al\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Al\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Al\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Al\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vegpc55.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Al\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Al\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Al\ntuser.dat Object is locked skipped
C:\Documents and Settings\Al\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip/install.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Guest\Local Settings\Temp\II3D.tmp/data0002 Infected: not-a-virus:AdWare.Win32.BetterInternet skipped
C:\Documents and Settings\Guest\Local Settings\Temp\II3D.tmp/data0003/data0001 Infected: not-a-virus:AdWare.Win32.MDH.a skipped
C:\Documents and Settings\Guest\Local Settings\Temp\II3D.tmp/data0003 Infected: not-a-virus:AdWare.Win32.MDH.a skipped
C:\Documents and Settings\Guest\Local Settings\Temp\II3D.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\HijackThis\backups\backup-20070609-034429-975.dll Infected: Trojan.Win32.BHO.bd skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\ProcManager.exe Infected: not-a-virus:RiskTool.Win32.PsKill.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byrcfvcp.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcdbcc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcyyaa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.it skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\futmviis.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ktjaxvkq.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljgg.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mvnfpwyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tifkatde.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vturp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtxphlul.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wjeokphq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\bundles\icDW1.exe/data0002 Infected: Trojan.Win32.QuickBrowser.a skipped
C:\WINDOWS\bundles\icDW1.exe/data0003 Infected: Trojan.Win32.QuickBrowser.c skipped
C:\WINDOWS\bundles\icDW1.exe NSIS: infected - 2 skipped
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe/data0003/data0001 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe/data0004 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe NSIS: infected - 5 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\hostsmgr.exe QuickBatch: infected - 1 skipped
C:\WINDOWS\hostsmgr.exe PECompact: infected - 1 skipped
C:\WINDOWS\hostsmgr.exe PecBundle: infected - 1 skipped
C:\WINDOWS\hostsmgr.exe PE_Patch.PECompact: infected - 1 skipped
C:\WINDOWS\manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\manager.exe QuickBatch: infected - 1 skipped
C:\WINDOWS\manager.exe PECompact: infected - 1 skipped
C:\WINDOWS\manager.exe PecBundle: infected - 1 skipped
C:\WINDOWS\manager.exe PE_Patch.PECompact: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\btv_1006.exe/data0002 Infected: Trojan-Downloader.Win32.RVP.e skipped
C:\WINDOWS\system32\btv_1006.exe/data0003/data0002 Infected: Trojan.Win32.Small.an skipped
C:\WINDOWS\system32\btv_1006.exe/data0003 Infected: Trojan.Win32.Small.an skipped
C:\WINDOWS\system32\btv_1006.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dior4f42961756.exe Infected: Backdoor.Win32.HacDef.fv skipped
C:\WINDOWS\system32\greg.exe Infected: Backdoor.Win32.HacDef.fv skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

ComboFix 07-06-09.1 - C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\ComboFix.exe
"Al" - 2007-06-09 3:48:14 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\TEMP\x2b
C:\TEMP\x2b\tmpZTF.log
C:\WINDOWS\system32\byrcfvcp.dll
C:\WINDOWS\system32\ddcdbcc.dll
C:\WINDOWS\system32\ktjaxvkq.dll
C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
C:\WINDOWS\system32\mljgg.exe
C:\WINDOWS\system32\T1QaSQ
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T7\icm.exe
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\vtutq.exe

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-09 02:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 00:27 <DIR> d-------- C:\Deckard
2007-06-08 23:36 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-08 07:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-08 07:24 <DIR> d-------- C:\HijackThis
2007-06-07 19:43 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-06-06 01:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-06 00:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 06:12 3,264 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-04 00:51 <DIR> d-------- C:\DOCUME~1\SALCRO~1\APPLIC~1\Real
2007-06-03 03:44 <DIR> d-------- C:\ijji
2007-06-02 03:16 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-05-30 05:47 <DIR> d-------- C:\DOCUME~1\Al\APPLIC~1\DivX
2007-05-30 05:44 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-30 05:44 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-30 05:44 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-05-11 13:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 00:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 00:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 13:00:20 -------- d-----w C:\Program Files\Winamp
2007-06-08 12:59:56 -------- d-----w C:\Program Files\WinAce
2007-06-08 12:53:57 -------- d-----w C:\Program Files\iTunes
2007-06-08 12:53:06 -------- d-----w C:\Program Files\eMachines Bay Reader
2007-06-08 12:50:45 -------- d-----w C:\Program Files\ALPlaybackPack
2007-06-08 12:50:45 -------- d-----w C:\Program Files\AIM6
2007-06-08 12:49:05 -------- d-----w C:\Program Files\AC3Filter
2007-06-08 06:18:46 -------- d-----w C:\Program Files\mIRC
2007-06-08 05:30:11 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-07 03:58:48 -------- d-----w C:\Program Files\World of Warcraft
2007-06-07 03:22:58 25,306 ----a-w C:\WINDOWS\mozver.dat
2007-06-02 07:22:48 -------- d-----w C:\Program Files\StepMania
2007-06-02 07:22:41 -------- d-----w C:\Program Files\QuickTime
2007-06-02 07:22:35 -------- d-----w C:\Program Files\HP
2007-06-02 07:22:34 -------- d-----w C:\Program Files\CompuServe 7.0
2007-06-02 07:22:33 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-02 07:22:32 -------- d-----w C:\Program Files\Common Files\csshare
2007-06-02 07:22:30 -------- d-----w C:\Program Files\Ares
2007-05-30 09:45:34 -------- d-----w C:\Program Files\DivX
2007-05-09 19:25:41 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-07 04:50:16 -------- d-----w C:\DOCUME~1\Al\APPLIC~1\Real
2007-05-07 04:46:50 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-07 04:46:19 -------- d-----w C:\Program Files\Common Files\Real
2007-05-07 03:41:43 -------- d-----w C:\DOCUME~1\Al\APPLIC~1\AOL
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:24 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-31 02:06:34 11,320 ----a-w C:\WINDOWS\system32\awtsq.exe
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-12 08:18]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-07 00:44]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 03:44]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 08:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 11:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-07 02:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 05:02:04 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 03:52:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-09 3:53:45
C:\ComboFix-quarantined-files.txt ... 2007-06-09 03:53
C:\ComboFix2.txt ... 2007-06-09 03:08

--- E O F ---

Cheeseman82 · 06-09-2007, 04:01 AM

Also, I used the SPF and submitted it as you asked.

sUBs · 06-09-2007, 03:21 PM

Looks good. Just some loose ends to take careof

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\requested-files[2007-06-09_03_38].cab
C:\WINDOWS\hostsmgr.exe
C:\WINDOWS\manager.exe
C:\WINDOWS\system32\btv_1006.exe
C:\WINDOWS\system32\dior4f42961756.exe
C:\WINDOWS\system32\greg.exe
C:\WINDOWS\system32\awtsq.exe

Folder::
C:\Documents and Settings\Guest\Local Settings\Temp
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\HijackThis\backups
C:\WINDOWS\bundles

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Time]

Save this as ComboFix-Do.txt

Drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log & a hijackthis log.

Cheeseman82 · 06-09-2007, 10:30 PM

The ComboFix log was too many characters to post so I added it as an attachment. Hopefully that is fine. Sorry for any inconvenience.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:38 AM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\csifcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Unknown owner - C:\WINDOWS\csifcsvc.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

sUBs · 06-09-2007, 10:48 PM

Of the stuff Kaspersky found,

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while

----------------------

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start → Run → type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

Cheeseman82 · 06-09-2007, 11:23 PM

All done and my computer is working very fine now. Thank you again.

06-09-2007, 12:23 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups 1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Question - what have you done for the community today?

06-09-2007, 01:15 AM	#3 (permalink)
Cheeseman82 Registered User Join Date: Jun 2007 Posts: 7 OS: XP	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups Done and done. Here is the ComboFix log followed by the fresh HijackThis log. ComboFix 07-06-09.1 - C:\Documents and Settings\Al\Desktop\ComboFix.exe "Al" - 2007-06-09 2:45:51 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\futmviis.dll C:\WINDOWS\system32\mvnfpwyv.dll C:\WINDOWS\system32\tifkatde.dll C:\WINDOWS\system32\vturp.dll C:\WINDOWS\system32\vtxphlul.dll C:\WINDOWS\system32\wjeokphq.dll C:\WINDOWS\system32\siivmtuf.ini C:\WINDOWS\system32\vywpfnvm.ini C:\WINDOWS\system32\prutv.bak1 C:\WINDOWS\system32\prutv.ini C:\WINDOWS\system32\lulhpxtv.ini C:\WINDOWS\system32\qhpkoejw.ini C:\WINDOWS\system32\cbeeg.bak1 C:\WINDOWS\system32\cbeeg.bak2 C:\WINDOWS\system32\cbeeg.ini C:\WINDOWS\system32\cbeeg.tmp C:\WINDOWS\system32\hjkkj.bak1 C:\WINDOWS\system32\hjkkj.bak2 C:\WINDOWS\system32\hjkkj.ini C:\WINDOWS\system32\jjjlm.bak1 C:\WINDOWS\system32\jjjlm.ini C:\WINDOWS\system32\prutv.bak1 C:\WINDOWS\system32\prutv.ini C:\WINDOWS\system32\qqtss.bak1 C:\WINDOWS\system32\qqtss.ini C:\WINDOWS\system32\efcyyaa.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\Al\APPLIC~1.\macromedia\Flash Player\#SharedObjects\CCUSPGT5\www.broadcaster.com C:\DOCUME~1\Al\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\DOCUME~1\Al\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Temp\0b9 C:\Temp\0b9\tmpTF.log C:\Temp\tn3 C:\WINDOWS\cs_cache.ini C:\WINDOWS\rau001978.exe C:\WINDOWS\system32\pog C:\WINDOWS\system32\T3 C:\WINDOWS\system32\T4 ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_CORE -------\LEGACY_NET_AGENT -------\core -------\Net Agent ((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 ))))))))))))))))))))))))))))))) 2007-06-09 02:42 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-09 00:27 <DIR> d-------- C:\Deckard 2007-06-09 00:20 58,420 --a------ C:\WINDOWS\system32\ktjaxvkq.dll 2007-06-08 23:36 <DIR> d-------- C:\WINDOWS\network diagnostic 2007-06-08 07:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-06-08 07:24 <DIR> d-------- C:\HijackThis 2007-06-07 19:43 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS 2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec 2007-06-07 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink 2007-06-07 00:32 55,316 --a------ C:\WINDOWS\system32\byrcfvcp.dll 2007-06-06 01:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2007-06-06 00:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-06-04 06:12 3,264 --a------ C:\WINDOWS\system32\tmp.reg 2007-06-04 00:51 <DIR> d-------- C:\DOCUME~1\SALCRO~1\APPLIC~1\Real 2007-06-03 03:44 <DIR> d-------- C:\ijji 2007-06-02 03:16 72,192 --a------ C:\WINDOWS\system32\zlib.dll 2007-06-02 03:16 169,017 --a------ C:\WINDOWS\system32\mcpcuninstaller1_25.EXE 2007-06-02 03:13 <DIR> d-------- C:\WINDOWS\system32\TQ0 2007-06-02 03:13 <DIR> d-------- C:\WINDOWS\system32\T7 2007-06-02 03:13 <DIR> d-------- C:\WINDOWS\system32\T6 2007-06-02 03:12 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ 2007-06-02 03:12 <DIR> d-------- C:\TEMP\x2b 2007-05-30 05:47 <DIR> d-------- C:\DOCUME~1\Al\APPLIC~1\DivX 2007-05-30 05:44 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys 2007-05-30 05:44 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys 2007-05-30 05:44 129,784 --a------ C:\WINDOWS\system32\pxafs.dll 2007-05-11 13:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe 2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll 2007-05-11 00:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll 2007-05-11 00:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-08 13:00:20 -------- d-----w C:\Program Files\Winamp 2007-06-08 12:59:56 -------- d-----w C:\Program Files\WinAce 2007-06-08 12:53:57 -------- d-----w C:\Program Files\iTunes 2007-06-08 12:53:06 -------- d-----w C:\Program Files\eMachines Bay Reader 2007-06-08 12:50:45 -------- d-----w C:\Program Files\ALPlaybackPack 2007-06-08 12:50:45 -------- d-----w C:\Program Files\AIM6 2007-06-08 12:49:05 -------- d-----w C:\Program Files\AC3Filter 2007-06-08 06:18:46 -------- d-----w C:\Program Files\mIRC 2007-06-08 05:30:11 -------- d-----w C:\Program Files\SpywareBlaster 2007-06-07 03:58:48 -------- d-----w C:\Program Files\World of Warcraft 2007-06-07 03:22:58 25,306 ----a-w C:\WINDOWS\mozver.dat 2007-06-02 07:22:48 -------- d-----w C:\Program Files\StepMania 2007-06-02 07:22:41 -------- d-----w C:\Program Files\QuickTime 2007-06-02 07:22:35 -------- d-----w C:\Program Files\HP 2007-06-02 07:22:34 -------- d-----w C:\Program Files\CompuServe 7.0 2007-06-02 07:22:33 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-06-02 07:22:32 -------- d-----w C:\Program Files\Common Files\csshare 2007-06-02 07:22:30 -------- d-----w C:\Program Files\Ares 2007-05-30 09:45:34 -------- d-----w C:\Program Files\DivX 2007-05-09 19:25:41 -------- d-----w C:\Program Files\Common Files\AOL 2007-05-07 04:50:16 -------- d-----w C:\DOCUME~1\Al\APPLIC~1\Real 2007-05-07 04:46:50 -------- d-----w C:\Program Files\Common Files\xing shared 2007-05-07 04:46:19 -------- d-----w C:\Program Files\Common Files\Real 2007-05-07 03:41:43 -------- d-----w C:\DOCUME~1\Al\APPLIC~1\AOL 2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-04-23 00:15:25 36,624 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys 2007-04-23 00:15:24 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe 2007-04-23 00:15:24 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe 2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll 2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll 2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll 2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll 2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll 2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll 2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll 2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll 2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-06 18:35:47 31,844 ----a-w C:\WINDOWS\system32\mljgg.exe 2007-03-31 02:06:34 11,320 ----a-w C:\WINDOWS\system32\awtsq.exe 2007-03-29 22:40:28 18,580 ----a-w C:\WINDOWS\system32\vtutq.exe 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-02-15 18:50:00 22,682 --sha-w C:\WINDOWS\system32\ddcdbcc.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39] {298055D4-B816-4B31-B5BF-F172CB3F802F}=C:\WINDOWS\system32\sstqq.dll [] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04] {63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA}=C:\Program Files\Online Services\labunufix.dll [] {7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23}=C:\WINDOWS\system32\mljjj.dll [] {8B464CFF-03C6-4269-B1B3-985BA8255D5A}=C:\WINDOWS\system32\geebc.dll [] {B7234532-3EAE-40FC-A636-616F71C6FBBE}=C:\Program Files\Internet Explorer\hopeted.dll [] {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\ktjaxvkq.dll [2007-06-09 00:20] {EC30F156-DA40-437F-B4D8-351B40FBA5A6}=C:\WINDOWS\system32\jkkjh.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-12 08:18] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-07 00:44] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 03:44] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 08:30] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 11:01] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaab] efcdaab.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc] C:\WINDOWS\system32\geebc.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfggf] hggfggf.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh] C:\WINDOWS\system32\jkkjh.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffddd] khffddd.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihff] mljihff.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj] C:\WINDOWS\system32\mljjj.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk] opnmmlk.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmkh] qomlmkh.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommlmj] qommlmj.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqonn] rqrqonn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqromn] ssqromn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq] C:\WINDOWS\system32\sstqq.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspq] tuvtspq.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvwt] xxyyvwt.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost netsvcs Contents of the 'Scheduled Tasks' folder 2007-06-07 02:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-06-09 05:02:04 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-09 03:05:15 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** Completion time: 2007-06-09 3:08:13 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-06-09 03:07 --- E O F --- -----------------------------------------------------------------------------------------------** Logfile of HijackThis v1.99.1 Scan saved at 3:10:19 AM, on 6/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\csifcsvc.exe C:\WINDOWS\system32\cmd.exe C:\Program Files\eMachines Bay Reader\shwiconem.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\cmd.exe C:\ComboFix\vfind.cfexe C:\Program Files\Mozilla Firefox\firefox.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch O2 - BHO: (no name) - SOFTWARE - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {298055D4-B816-4B31-B5BF-F172CB3F802F} - C:\WINDOWS\system32\sstqq.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: 0 - {63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA} - C:\Program Files\Online Services\labunufix.dll (file missing) O2 - BHO: (no name) - {7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23} - C:\WINDOWS\system32\mljjj.dll (file missing) O2 - BHO: (no name) - {8B464CFF-03C6-4269-B1B3-985BA8255D5A} - C:\WINDOWS\system32\geebc.dll (file missing) O2 - BHO: (no name) - {B7234532-3EAE-40FC-A636-616F71C6FBBE} - C:\Program Files\Internet Explorer\hopeted.dll (file missing) O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ktjaxvkq.dll O2 - BHO: (no name) - {EC30F156-DA40-437F-B4D8-351B40FBA5A6} - C:\WINDOWS\system32\jkkjh.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab O20 - Winlogon Notify: efcdaab - efcdaab.dll (file missing) O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing) O20 - Winlogon Notify: hggfggf - hggfggf.dll (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing) O20 - Winlogon Notify: khffddd - khffddd.dll (file missing) O20 - Winlogon Notify: mljihff - mljihff.dll (file missing) O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing) O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing) O20 - Winlogon Notify: qomlmkh - qomlmkh.dll (file missing) O20 - Winlogon Notify: qommlmj - qommlmj.dll (file missing) O20 - Winlogon Notify: rqrqonn - rqrqonn.dll (file missing) O20 - Winlogon Notify: ssqromn - ssqromn.dll (file missing) O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing) O20 - Winlogon Notify: tuvtspq - tuvtspq.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: xxyyvwt - xxyyvwt.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Unknown owner - C:\WINDOWS\csifcsvc.exe O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\cjnr4r4jdwqjhbvp.exe (file missing) Last edited by Cheeseman82; 06-09-2007 at 01:16 AM.

06-09-2007, 01:23 AM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups Go to Control Panel > Add/Remove Programs. Check if you have this entry - MyCleanerPC If it's there, uninstall it & then reboot After you have done that let me know if this folder, C:\ijji was created by you. __________________ Question - what have you done for the community today?

06-09-2007, 01:29 AM	#5 (permalink)
Cheeseman82 Registered User Join Date: Jun 2007 Posts: 7 OS: XP	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups I checked and MyCleanerPC was not installed. Also, that folder is from an online game I play called Gunz. It's just the name of the website.

06-09-2007, 01:36 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip Unzip it to the desktop and run it. Paste the following list of filepaths into the Suspicious File Packer window: C:\WINDOWS\system32\mljgg.exe C:\WINDOWS\system32\vtutq.exe C:\WINDOWS\system32\ddcdbcc.dll C:\WINDOWS\system32\ktjaxvkq.dll C:\WINDOWS\system32\byrcfvcp.dll Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4 Please include a link to this topic in the message. ----------- Do a HijackThis scan & place a check next to these items and select "Fix checked": R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank O2 - BHO: (no name) - SOFTWARE - (no file) O2 - BHO: (no name) - {298055D4-B816-4B31-B5BF-F172CB3F802F} - C:\WINDOWS\system32\sstqq.dll (file missing) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: 0 - {63BE3A2A-3B87-4FDF-8AAA-628EDD1A37CA} - C:\Program Files\Online Services\labunufix.dll (file missing) O2 - BHO: (no name) - {7D6E7DBB-2381-4CDB-B6ED-22E37D78CF23} - C:\WINDOWS\system32\mljjj.dll (file missing) O2 - BHO: (no name) - {8B464CFF-03C6-4269-B1B3-985BA8255D5A} - C:\WINDOWS\system32\geebc.dll (file missing) O2 - BHO: (no name) - {B7234532-3EAE-40FC-A636-616F71C6FBBE} - C:\Program Files\Internet Explorer\hopeted.dll (file missing) O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ktjaxvkq.dll O2 - BHO: (no name) - {EC30F156-DA40-437F-B4D8-351B40FBA5A6} - C:\WINDOWS\system32\jkkjh.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O20 - Winlogon Notify: efcdaab - efcdaab.dll (file missing) O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing) O20 - Winlogon Notify: hggfggf - hggfggf.dll (file missing) O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing) O20 - Winlogon Notify: khffddd - khffddd.dll (file missing) O20 - Winlogon Notify: mljihff - mljihff.dll (file missing) O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing) O20 - Winlogon Notify: opnmmlk - opnmmlk.dll (file missing) O20 - Winlogon Notify: qomlmkh - qomlmkh.dll (file missing) O20 - Winlogon Notify: qommlmj - qommlmj.dll (file missing) O20 - Winlogon Notify: rqrqonn - rqrqonn.dll (file missing) O20 - Winlogon Notify: ssqromn - ssqromn.dll (file missing) O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing) O20 - Winlogon Notify: tuvtspq - tuvtspq.dll (file missing) O20 - Winlogon Notify: xxyyvwt - xxyyvwt.dll (file missing) --------------- Open notepad and copy/paste the text in the quotebox below into it: Code: File:: C:\WINDOWS\system32\mljgg.exe C:\WINDOWS\system32\vtutq.exe C:\WINDOWS\system32\ddcdbcc.dll C:\WINDOWS\system32\ktjaxvkq.dll C:\WINDOWS\system32\byrcfvcp.dll C:\WINDOWS\system32\mcpcuninstaller1_25.EXE Folder:: C:\WINDOWS\system32\TQ0 C:\WINDOWS\system32\T7 C:\WINDOWS\system32\T6 C:\WINDOWS\system32\T1QaSQ C:\TEMP\x2b Drivers:: HODSrv Time Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaab] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfggf] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffddd] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihff] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmlk] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmkh] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommlmj] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqonn] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqromn] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspq] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvwt] [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time] Save this as ComboFix-Do.txt Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe Then post the resultant log --------------- Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. We only require a report from it. It does not provide an option to clean/disinfect. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------- In your next post, please include fresh logs from: Fresh Hijackthis log taken just before replying Online scan ComboFix's log Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?

06-09-2007, 01:36 AM	#7 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups This is to be performed after you have posted the required logs. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "*Accept* License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version. __________________ Question - what have you done for the community today?

06-09-2007, 04:01 AM	#9 (permalink)
Cheeseman82 Registered User Join Date: Jun 2007 Posts: 7 OS: XP	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups Also, I used the SPF and submitted it as you asked.

06-09-2007, 03:21 PM	#10 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups Looks good. Just some loose ends to take careof Open notepad and copy/paste the text in the quotebox below into it: Code: File:: C:\Documents and Settings\Al\Desktop\Unused Desktop Shortcuts\requested-files[2007-06-09_03_38].cab C:\WINDOWS\hostsmgr.exe C:\WINDOWS\manager.exe C:\WINDOWS\system32\btv_1006.exe C:\WINDOWS\system32\dior4f42961756.exe C:\WINDOWS\system32\greg.exe C:\WINDOWS\system32\awtsq.exe Folder:: C:\Documents and Settings\Guest\Local Settings\Temp C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery C:\HijackThis\backups C:\WINDOWS\bundles Registry:: [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Time] Save this as ComboFix-Do.txt Drag ComboFix-Do.txt into ComboFix.exe Then post the resultant log & a hijackthis log. __________________ Question - what have you done for the community today?

06-09-2007, 10:48 PM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while ---------------------- Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start → Run → type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html Microsoft Windows Update → http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows. http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: http://www.winpatrol.com/features.html To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

06-09-2007, 11:23 PM	#13 (permalink)
Cheeseman82 Registered User Join Date: Jun 2007 Posts: 7 OS: XP	Re: Smitfraud-C.CoreService/Virtumonde plus Pop-ups All done and my computer is working very fine now. Thank you again.