Old 10-11-2007, 10:51 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


System idle process high CPU usage, error protector popup,

Hi,
I have had this problem for some time... XP is running slower, and it shows high CPU usage by System Idle Process (over 70%)... I also have trouble with a popup which leads to the Error Protector home page... I had some problem with Trojan Virto, but I used Symantec FixVirto or something and it shows a clean report... Here's my log... and thanks in advance for your effort.

Deckard's System Scanner v20070905.67
Run by ManUtd on 2007-10-11 19:17:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
25: 2007-10-11 17:17:20 UTC - RP288 - Deckard's System Scanner Restore Point
24: 2007-10-11 12:01:39 UTC - RP287 - System Checkpoint
23: 2007-10-10 11:59:35 UTC - RP286 - System Checkpoint
22: 2007-10-08 21:19:39 UTC - RP285 - System Checkpoint
21: 2007-10-07 19:57:20 UTC - RP284 - System Checkpoint


-- First Restore Point --
1: 2007-09-29 15:53:15 UTC - RP264 - Removed Counter-Strike 1.6


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).
System Drive C: has 0.41 GiB (less than 15%) free.


-- HijackThis (run as ManUtd.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-11 19:22:41
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\SPOOLSV.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINNT\system32\wscntfy.exe
C:\Documents and Settings\ManUtd\Desktop\dss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.b92.net/sport/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\ntos.exe,
O2 - BHO: VirtualCamera IEMenu Class - {0246A1A7-820A-469A-85A7-7B7F01EB808C} - C:\Program Files\VirtualCamera\VirtualCameraMenu.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3CB70CC2-303F-4A6C-824D-013AE8CFDB6B} - (no file)
O2 - BHO: (no name) - {702ACB2E-336B-4FF9-82B6-FEECF7594160} - C:\WINNT\system32\jkklm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINNT\system32\stlxefkt.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\wmbobplx.dll",sitypnow
O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra 'Tools' menuitem: (no name) - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINNT\wc98pp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: Macromedia Licensing Service - Unknown owner - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - "C:\Program Files\Eset\nod32krn.exe"


-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 VCAM (Webcam Simulator) - c:\winnt\system32\drivers\vcam.sys <Not Verified; Webcam Simulator; Webcam Simulator>
R2 VirtualCam (VirtualCamera) - c:\winnt\system32\drivers\virtualcam.sys <Not Verified; MorningSound Co., Ltd.; MorningSound VirtualCamera>
R3 actser - c:\winnt\system32\drivers\actser.sys <Not Verified; Siemens AG; Actser Filter Driver>
R3 vsbus (Virtual Serial Bus Enumerator) - c:\winnt\system32\drivers\vsb.sys

S3 DSDrv4 - c:\program files\dscaler\dsdrv4.sys
S3 HWIONT - c:\documents and settings\manutd\my documents\kabl\hwiont.sys (file missing)
S3 susbser (Siemens Mobile Phone) - c:\winnt\system32\drivers\susbser.sys <Not Verified; Siemens AG; Siemens AG USB Modem/Serial Device Driver>
S3 TVICHW32 - c:\winnt\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 vserial (ELTIMA Virtual Serial Ports Driver) - c:\winnt\system32\drivers\vserial.sys
S4 Parallel (Parallel class driver) - c:\winnt\system32\drivers\parallel.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_101A147B&REV_10\4&1A671D0C&0&00F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_101A147B&REV_10\4&1A671D0C&0&00F0
Service: RTL8023xp


-- Files created between 2007-09-11 and 2007-10-11 -----------------------------

2007-10-11 18:10:58 84032 --a------ C:\WINNT\system32\wmbobplx.dll
2007-10-09 13:13:26 0 d--hs---- C:\FOUND.002
2007-10-08 14:03:04 0 d-------- C:\My Recordings
2007-10-08 13:56:49 0 d-------- C:\Program Files\FREE Hi-Q Recorder
2007-10-08 13:39:37 339968 --a------ C:\WINNT\system32\MP3EncX.dll <Not Verified; NUGROOVZ; MP3EncoderX Control>
2007-10-07 18:01:37 383866 ---hs---- C:\WINNT\system32\mlkkj.bak2
2007-10-05 20:35:23 76352 --a------ C:\WINNT\system32\stlxefkt.dll
2007-10-05 20:32:12 87104 --a------ C:\WINNT\system32\fkfdteuo.dll
2007-10-05 18:31:34 0 d--hs---- C:\FOUND.001
2007-10-05 10:33:38 393 ---hs---- C:\WINNT\system32\mlkkj.ini2
2007-10-02 19:09:00 0 d--hs---- C:\FOUND.000
2007-09-30 14:48:19 0 dr-h----- C:\Documents and Settings\ManUtd\Recent
2007-09-29 21:16:40 84032 --a------ C:\WINNT\system32\lcsttmwt.dll
2007-09-29 17:49:25 316000 --a------ C:\WINNT\system32\jkklm.dll
2007-09-23 13:30:32 0 d-------- C:\Program Files\DScaler
2007-09-23 12:23:07 69632 --a------ C:\WINNT\PCTV.dll <Not Verified; Pinnacle Systems; Pinnacle Systems UnInstall.DLL>
2007-09-23 12:23:05 1089536 --a------ C:\WINNT\system32\gear81sd.DLL <Not Verified; AccuSoft Corporation; AccuSoft ImageGear>
2007-09-23 12:22:53 81920 --a------ C:\WINNT\system32\vdrmux.dll <Not Verified; Pinnacle Systems; Pinnacle Systems vdrmux>
2007-09-23 12:22:53 46592 --a------ C:\WINNT\system32\vdrcodec.dll <Not Verified; Pinnacle Systems; Studio 600>
2007-09-23 12:22:53 62976 --a------ C:\WINNT\system32\pclepixl.dll <Not Verified; Pinnacle Systems; Microsoft Windows 95>
2007-09-23 12:22:53 32768 --a------ C:\WINNT\system32\PCLEGetGuid.dll <Not Verified; Pinnacle Systems; Guid_dll>
2007-09-23 12:22:53 138752 --a------ C:\WINNT\system32\MASE32.DLL
2007-09-23 12:22:53 57856 --a------ C:\WINNT\system32\MASD32.DLL
2007-09-23 12:22:53 136192 --a------ C:\WINNT\system32\MAMC32.DLL <Not Verified; ; MAMC32 Dynamic Link Library>
2007-09-23 12:22:53 196096 --a------ C:\WINNT\system32\MACD32.DLL <Not Verified; ; MACD32 Dynamic Link Library>
2007-09-23 12:22:53 27648 --a------ C:\WINNT\system32\MA32.DLL
2007-09-23 12:22:46 27648 --a------ C:\WINNT\system32\IR50_LCS.DLL <Not Verified; Intel Corporation.; Intel Indeo® video 5.0 LC>
2007-09-23 12:22:41 32768 --a------ C:\WINNT\system32\pctvuser.dll <Not Verified; Pinnacle Systems; Pinnacle Studio PCTV>
2007-09-23 12:22:41 45056 --a------ C:\WINNT\system32\pclepim1.dll <Not Verified; Pinnacle Systems; Microsoft Windows>
2007-09-23 12:22:41 66048 --a------ C:\WINNT\system32\MIROXL32.DLL <Not Verified; Pinnacle Systems; Microsoft Windows 95/98>
2007-09-23 12:22:41 39392 --a------ C:\WINNT\system32\drivers\pctvnt.sys <Not Verified; Pinnacle Systems; Pinnacle Studio PCTV>
2007-09-23 12:22:40 0 d-------- C:\WINNT\PCTV.DRV
2007-09-23 12:22:39 0 d-------- C:\Program Files\Pinnacle
2007-09-23 12:22:32 47313 --a------ C:\WINNT\system32\PCTVCAP.DLL <Not Verified; Pinnacle Systems; Pinnacle Studio PCTV>
2007-09-23 12:22:31 29408 --a------ C:\WINNT\system32\Mcipctv.dll
2007-09-23 12:22:31 36864 --a------ C:\WINNT\system32\io_pctv.dll <Not Verified; Pinnacle Systems GmbH; Pinnacle Studio PCTV>
2007-09-23 12:22:31 42384 --a------ C:\WINNT\system32\drivers\pctvw2k.sys <Not Verified; Pinnacle Systems; Pinnacle Studio PCTV>
2007-09-23 12:22:31 2145 --a------ C:\WINNT\system32\drivers\PCTVAud.sys <Not Verified; Pinnacle Systems; Pinnacle Studio PCTV>
2007-09-23 12:22:31 306688 --a------ C:\WINNT\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-09-19 12:36:58 0 d-------- C:\Programi
2007-09-15 23:38:01 0 d-------- C:\Program Files\Valve


-- Find3M Report ---------------------------------------------------------------

2007-09-10 19:51:22 1868 --a------ C:\WINNT\system32\tmp.reg
2007-09-10 18:57:18 0 d-------- C:\Program Files\CCleaner
2007-09-06 15:42:54 0 d-------- C:\Program Files\Guitar Calculator Pro
2007-09-06 15:42:44 73216 --a------ C:\WINNT\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-08-25 1500 0 d-------- C:\Program Files\VPHoldem
2007-08-22 19:59:28 0 d-------- C:\Program Files\PokerStars


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB70CC2-303F-4A6C-824D-013AE8CFDB6B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702ACB2E-336B-4FF9-82B6-FEECF7594160}]
09/29/2007 17:53 316000 --a------ C:\WINNT\system32\jkklm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
10/05/2007 20:35 76352 --a------ C:\WINNT\system32\stlxefkt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchIndexer"="C:\WINNT\system32\wmbobplx.dll" [10/11/2007 18:11]
"KernelFaultCheck"="C:\WINNT\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/03/2004 22:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/2007 13:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\ManUtd\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 19:16:50]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 04:44:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,C:\WINNT\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINNT\\system32\\jkklm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e62335f2-d480-11db-95a9-000f21d03a10}]
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7696906-8618-11db-9510-00508d4a5117}]
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- Recycled\ctfmon.exe




-- End of Deckard's System Scanner: finished at 2007-10-11 19:24:49 ------------
Attached Files
File Type: txt extra.txt (14.4 KB, 1 views)
leshma is offline  
Old 10-12-2007, 03:11 AM   #2 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


Re: System idle process high CPU usage, error protector popup,

Sorry... Vundo problem, not Virto... my fault... I used FixVundo by Symantec to resolve this problem...
leshma is offline  
Old 10-14-2007, 02:08 AM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: System idle process high CPU usage, error protector popup,

1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /killall
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
sUBs is offline
Old 10-16-2007, 10:01 AM   #4 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


Re: System idle process high CPU usage, error protector popup,

Thanks for your time, sUBs... I appreciate it

Logfile of HijackThis v1.99.1
Scan saved at 18:55:55, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.b92.net/sport/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: VirtualCamera IEMenu Class - {0246A1A7-820A-469A-85A7-7B7F01EB808C} - C:\Program Files\VirtualCamera\VirtualCameraMenu.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {102629F9-F9F2-428C-9E2E-F5E435EB8594} - (no file)
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://www.driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


ComboFix 07-10-16.1 - ManUtd 2007-10-16 18:41:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT 2:00]
Running from: C:\Documents and Settings\ManUtd\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\Common Files\{35784~1
C:\Program Files\Common Files\{45784~1
C:\WINNT\cookies.ini
C:\WINNT\rs.txt
C:\WINNT\system32\fkfdteuo.dll
C:\WINNT\system32\gquhrenp.dll
C:\WINNT\system32\jkklm.dll
C:\WINNT\system32\lbhbsxyv.dll
C:\WINNT\system32\lcsttmwt.dll
C:\WINNT\system32\mlkkj.bak2
C:\WINNT\system32\mlkkj.bak2
C:\WINNT\system32\mlkkj.ini
C:\WINNT\system32\mlkkj.ini
C:\WINNT\system32\mlkkj.ini2
C:\WINNT\system32\mlkkj.ini2
C:\WINNT\system32\ouetdfkf.ini
C:\WINNT\system32\pnerhuqg.ini
C:\WINNT\system32\stlxefkt.dll
C:\WINNT\system32\twmttscl.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 18:32 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-13 14:57 <DIR> d--hs---- C:\FOUND.003
2007-10-13 00:45 <DIR> d-------- C:\Documents and Settings\ManUtd\Application Data\mIRC
2007-10-13 00:44 <DIR> d-------- C:\Program Files\mIRC
2007-10-12 12:22 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2007-10-11 19:16 <DIR> d-------- C:\Deckard
2007-10-09 13:13 <DIR> d--hs---- C:\FOUND.002
2007-10-08 14:03 <DIR> d-------- C:\My Recordings
2007-10-08 13:56 <DIR> d-------- C:\Program Files\FREE Hi-Q Recorder
2007-10-08 13:39 339,968 --a------ C:\WINNT\system32\MP3EncX.dll
2007-10-05 18:31 <DIR> d--hs---- C:\FOUND.001
2007-10-02 19:09 <DIR> d--hs---- C:\FOUND.000
2007-09-23 13:30 <DIR> d-------- C:\Program Files\DScaler
2007-09-23 12:23 1,089,536 --a------ C:\WINNT\system32\gear81sd.DLL
2007-09-23 12:23 69,632 --a------ C:\WINNT\PCTV.dll
2007-09-23 12:22 <DIR> d-------- C:\Program Files\Pinnacle
2007-09-21 20:46 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-09-19 12:36 <DIR> d-------- C:\Programi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 21:38 --------- d-----w C:\Program Files\Valve
2007-09-10 16:57 --------- d-----w C:\Program Files\CCleaner
2007-09-06 13:42 73,216 ----a-w C:\WINNT\ST6UNST.EXE
2007-09-06 13:42 249,856 ------w C:\WINNT\Setup1.exe
2007-09-06 13:42 --------- d-----w C:\Program Files\Guitar Calculator Pro
2007-08-25 13:06 --------- d-----w C:\Program Files\VPHoldem
2007-08-22 17:59 --------- d-----w C:\Program Files\PokerStars
2006-12-07 15:47 271 --sh--w C:\Program Files\desktop.ini
2006-12-07 15:47 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{102629F9-F9F2-428C-9E2E-F5E435EB8594}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 22:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\ManUtd\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 ROB_A;Pinnacle WDM PCTV Audio Capture;C:\WINNT\system32\DRIVERS\rob_a.sys
R2 ROB_V;Pinnacle WDM PCTV Video Capture;C:\WINNT\system32\drivers\rob_v.sys
R2 VCAM;Webcam Simulator;C:\WINNT\system32\DRIVERS\vcam.sys
R3 actser;actser;C:\WINNT\system32\drivers\actser.sys
R3 vsbus;Virtual Serial Bus Enumerator;C:\WINNT\system32\DRIVERS\vsb.sys
S3 HWIONT;HWIONT;\??\C:\Documents and Settings\ManUtd\My Documents\kabl\HWIONT.sys
S3 susbser;Siemens Mobile Phone;C:\WINNT\system32\DRIVERS\susbser.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINNT\system32\DRIVERS\vserial.sys
S4 Wuafrtmg;Wuafrtmg;C:\WINNT\system32\drivers\tcpip6.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e62335f2-d480-11db-95a9-000f21d03a10}]
AutoRun\command - C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command - G:\Recycled\ctfmon.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 18:47:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 18:49:11 - machine was rebooted
.
--- E O F ---
Attached Files
File Type: txt log.txt (5.6 KB, 1 views)

Last edited by sUBs; 10-16-2007 at 10:17 AM.
leshma is offline  
Old 10-16-2007, 10:19 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: System idle process high CPU usage, error protector popup,

Is drive G a flash drive ?
sUBs is offline
Old 10-17-2007, 11:14 AM   #6 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


Re: System idle process high CPU usage, error protector popup,

Yes, G is a flash drive... C and D are hard drives, E is a CD drive, F is a DVD drive...
leshma is offline  
Old 10-17-2007, 02:54 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: System idle process high CPU usage, error protector popup,

Stick your flash drive into the machine when we do this .....


Please download Flash_Disinfector.exe and save to your desktop.

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.


------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
O2 - BHO: (no name) - {102629F9-F9F2-428C-9E2E-F5E435EB8594} - (no file)



------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________
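The entries selected for "Fix checked" in the post above follow HijackThis's fixed line format, and the O2 line is marked "(no file)". The sketch below is an added example, not part of the thread and not HijackThis's own code: it parses R-section and O2 lines and lists entries whose target file is absent. The R-section path check generalizes beyond what the post states; the function names, the `exists` parameter and the last sample line are assumptions made up for illustration.

```python
import os
import re

# First three lines are the entries from post #7; the last line is constructed.
SAMPLE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
O2 - BHO: (no name) - {102629F9-F9F2-428C-9E2E-F5E435EB8594} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll"""

R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+\\.+),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_line(line):
    """Split one HijackThis entry into named fields, or return None."""
    m = R_LINE.match(line.strip())
    if m:
        return {"section": m[1], "key": m[2], "value": m[3], "target": m[4]}
    m = O2_LINE.match(line.strip())
    if m:
        return {"section": "O2", "name": m[1], "clsid": m[2].upper(), "target": m[3]}
    return None


def dangling_entries(log_text, exists=os.path.exists):
    """Return (entry, reason) pairs whose target file is not present."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not an R-section or O2 line
        target = entry["target"]
        if target == "(no file)":
            findings.append((entry, "HijackThis found no file behind this CLSID"))
        elif LOCAL_PATH.match(target) and not exists(target):
            findings.append((entry, "registry value points at a missing local file"))
    return findings


if __name__ == "__main__":
    for entry, reason in dangling_entries(SAMPLE):
        print(entry["section"], entry["target"], "->", reason)
```

Passing a custom `exists` callable lets the check run against a saved log from another machine instead of the local file system.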

Old 10-18-2007, 06:36 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


Re: System idle process high CPU usage, error protector popup,

I also notice that sometimes I get a low disk space warning, but when I open the box there's nothing, so I click cancel and there's my free space again...

Here's the log file from Kaspersky.
Attached Files
File Type: txt kaspersy report.txt (16.8 KB, 1 views)
Old 10-18-2007, 06:51 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: System idle process high CPU usage, error protector popup,

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Program Files\ESET\infected\OWLXV0AA.NQF"
"C:\Program Files\ESET\infected\4MQTLJCA.NQF"
"C:\Program Files\ESET\infected\OYBMXCBA.NQF"
"C:\Program Files\ESET\infected\QC4PPODA.NQF"
"C:\Program Files\ESET\infected\HK0QB2DA.NQF"
"C:\Program Files\ESET\infected\0URJTDAA.NQF"
"C:\Program Files\ESET\infected\ZMDGP0CA.NQF"
"C:\Program Files\ESET\infected\4UISZ0DA.NQF"
"C:\Program Files\ESET\infected\BZVONTDA.NQF"
"C:\Program Files\ESET\infected\OSE4ACAA.NQF"
"C:\Program Files\ESET\infected\WNPQNWCA.NQF"
"C:\Program Files\ESET\infected\C5D40MDA.NQF"
"C:\Program Files\ESET\infected\HBDLZ0AA.NQF"
"C:\Program Files\ESET\infected\YJU2I5DA.NQF"
"C:\Program Files\ESET\infected\Q5VFK5DA.NQF"
"D:\stari\My Documents\My Webs\harky\images\ClickMe.zip"
"C:\Dounload\webmailhack\Setup.exe"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (
"C:\Program Files\FlashGet\SmitfraudFix"
"C:\Downloads\SmitfraudFix"
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

nircmd wait 7000
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________

Old 10-18-2007, 06:56 AM   #10 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


Re: System idle process high CPU usage, error protector popup,

It says:

Deleted successfully!
Old 10-18-2007, 07:00 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: System idle process high CPU usage, error protector popup,

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u

  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here: http://www.bleepingcomputer.com/forums/tutorial60.html


  4. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  5. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html


  6. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

Old 10-18-2007, 07:07 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win XP


Re: System idle process high CPU usage, error protector popup,

Ok, I will do my best to keep my PC clean...
Thank you for your time.
Cheers
 



All times are GMT -7. The time now is 01:19 AM.


