Old 03-17-2008, 02:09 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: xp


[SOLVED] virus- lop

hi

Over the past week or so I have been getting regular popups in Internet Explorer to various sites advertising vouchers and different anti-spyware software. Also grey boxes asking if my computer has been running slower lately and suggesting that I have viruses and spyware installed and trying to make me download different applications (which I haven't).

This all started when I uninstalled Virgin Media's PC Guard and switched back to AVG. AVG pops up fairly often saying that I have files infected and they are "virus found lop" under numerous files and names.

More recently, in the last day or so, I have had a new threat come up in the form of "trojan horse generic10.bfo", mostly in the file c:\windows\system32\ikkli.dll and sometimes in c:\windows\system32\uifdnhkj.dll.

And one more thing, not sure if connected: I get a Windows error box popup saying that "buffer overrun detected in c:\windows\explorer and needs to be terminated", then all my windows close temporarily then reopen again. This isn't as common as the other problems, maybe once or twice a day.

thanks for any help in advance

headhunter


--requested logs

panda active scan

Tried the scan twice and both times it closed the windows on a file directly in c: (not sure of the file, didn't get a chance to make a note), but it was about 30000 files into the disk. Also, this scan found 30 spyware problems before it closed.


Deckard's System Scanner v20071014.68
Run by leon on 2008-03-17 19:45:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-03-17 19:45:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-17 19:46:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\leon\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: {e91f60db-18ee-d3db-95e4-d4f94d7952a3} - {3a2597d4-9f4d-4e59-bd3d-ee81bd06f19e} - C:\WINDOWS\system32\jpqmcwcg.dll (file missing)
O2 - BHO: (no name) - {40E99D07-3FCC-4E44-880A-C9A15F504CEB} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {838591B7-3E5F-47AA-B21B-6A2AC2FFF373} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {B1EEF3DA-3CCC-4F9D-BA73-9019F6DFCE15} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {C02D673D-BB2A-4B6B-AB5E-8F61E12941E7} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {FBD29C3C-C642-4843-A627-6E54A947B511} - C:\WINDOWS\system32\khfcyvv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [BMc7bc9350] Rundll32.exe "C:\WINDOWS\system32\hlxbxltn.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/comm...eUploader4.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: khfcyvv - C:\WINDOWS\system32\khfcyvv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe


--
End of file - 5510 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-17 and 2008-03-17 -----------------------------

2008-03-17 19:39:44 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-03-17 19:39:44 0 d-------- C:\Program Files\SpywareBlaster
2008-03-17 16:38:58 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-17 16:38:55 0 d-------- C:\WINDOWS\LastGood
2008-03-16 20:33:07 212 --a------ C:\delete.bat
2008-03-16 20:15:28 211049 --ahs---- C:\WINDOWS\system32\ilkkj.ini2
2008-03-16 11:27:20 95296 --a------ C:\WINDOWS\system32\uifdnhkj.dll
2008-03-16 11:26:36 220572 --ahs---- C:\WINDOWS\system32\npqss.ini2
2008-03-15 14:33:38 98368 --a------ C:\WINDOWS\system32\bgvmtuvu.dll
2008-03-15 14:32:58 198134 --ahs---- C:\WINDOWS\system32\mpqss.ini2
2008-03-13 19:02:25 53248 --a------ C:\WINDOWS\amcap.exe <Not Verified; Microsoft Corporation; DirectX 8.0 Sample>
2008-03-13 19:01:11 40960 --a------ C:\WINDOWS\system32\rsnpstd2.dll <Not Verified; ; ResourceDLL>
2008-03-13 19:01:06 0 d-------- C:\Program Files\Common Files\snpstd2
2008-03-12 22:16:39 0 d-------- C:\Program Files\Lavasoft
2008-03-12 22:16:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 22:16:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 22:12:18 0 dr-h----- C:\Documents and Settings\leon\Recent
2008-03-12 17:29:25 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-12 17:29:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 17:24:16 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-03-12 17:20:12 0 dr-h----- C:\$VAULT$.AVG
2008-03-12 1716 0 d-------- C:\Documents and Settings\leon\Application Data\AVG7
2008-03-12 17:05:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-12 17:05:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-12 17:05:37 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-10 18:20:47 0 d-------- C:\Documents and Settings\leon\Application Data\vlc
2008-03-10 18:18:58 0 d-------- C:\Program Files\VideoLAN
2008-03-10 17:52:10 231040 --ahs---- C:\WINDOWS\system32\qtstv.ini2
2008-03-10 17:47:05 42496 --a------ C:\WINDOWS\system32\khfcyvv.dll
2008-03-06 17:13:25 0 d-------- C:\Documents and Settings\leon\Application Data\ATI
2008-03-06 17:08:15 520192 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-06 17:07:52 0 d-------- C:\Program Files\ATI Technologies
2008-03-05 21:13:00 0 d-------- C:\ATI
2008-03-05 20:07:53 0 d-------- C:\Program Files\Common Files\EasyInfo
2008-03-05 19:40:36 0 d-------- C:\Documents and Settings\leon\Application Data\My Battle for Middle-earth(tm) II Files
2008-03-05 18:11:10 0 d-------- C:\Program Files\Electronic Arts
2008-03-04 20:41:17 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-04 20:39:10 0 d-------- C:\WINDOWS\Profiles
2008-03-04 20:39:07 0 d-------- C:\WINDOWS\system32\Adobe
2008-03-04 20:39:07 0 d-------- C:\Documents and Settings\leon\Application Data\InterTrust
2008-03-04 20:38:53 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-03-04 20:20:26 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-03 17:14:42 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 13:32:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-01 13:32:19 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-01 11:33:00 0 d-------- C:\Program Files\Ares
2008-02-28 20:56:07 0 d-------- C:\Program Files\PowerISO
2008-02-28 20:43:26 0 d-------- C:\WINDOWS\Sun
2008-02-28 20:43:26 0 d-------- C:\Documents and Settings\leon\Application Data\Sun
2008-02-28 20:42:23 0 d-------- C:\Program Files\Java
2008-02-28 20:41:47 0 d-------- C:\Program Files\Common Files\Java
2008-02-28 20:33:02 0 d---s---- C:\Documents and Settings\leon\UserData
2008-02-28 20:16:42 0 d-------- C:\WINDOWS\RegisteredPackages
2008-02-28 20:15:45 0 d-------- C:\Program Files\Winamp
2008-02-28 20:15:45 0 d-------- C:\Documents and Settings\leon\Application Data\Winamp
2008-02-28 20:09:55 0 d-------- C:\WINDOWS\pss
2008-02-28 20:05:18 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-02-28 20:05:04 4127488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys <Not Verified; Realtek Semiconductor Corp.; Windows (R) WDM driver for Realtek AC'97 Audio(HRTF data Copyright 1994 by MIT Media Lab)>
2008-02-28 20:04:37 0 d-------- C:\Program Files\Realtek AC97
2008-02-28 20:04:36 10528768 --a------ C:\WINDOWS\system32\RTLCPL.exe <Not Verified; Realtek Semiconductor Corp.; Realtek Audio Sound Effect Manager>
2008-02-28 20:04:34 147456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll <Not Verified; ; RtlCPAPI Module>
2008-02-28 20:04:34 577536 --a------ C:\WINDOWS\soundman.exe <Not Verified; Realtek Semiconductor Corp.; Realtek Sound Manager>
2008-02-28 20:04:32 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-02-28 20:04:32 217088 --a------ C:\WINDOWS\Alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-02-28 18:38:58 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-28 18:17:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-28 17:54:54 0 d-------- C:\Program Files\Messenger Plus! Live
2008-02-28 17:49:27 0 d-------- C:\Documents and Settings\leon\Contacts
2008-02-28 17:49:04 0 d-------- C:\Program Files\MSXML 4.0
2008-02-28 17:47:51 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-02-28 17:43:05 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-28 17:42:47 0 d-------- C:\Program Files\Windows Live
2008-02-28 17:42:33 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-28 17:30:04 0 d-------- C:\WINDOWS\system32\PreInstall
2008-02-28 17:21:07 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-27 23:23:08 0 d-------- C:\Documents and Settings\leon\Application Data\Adobe
2008-02-27 23:12:36 0 d--h----- C:\WINDOWS\PIF
2008-02-27 23:10:20 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-02-27 23:04:50 0 d-------- C:\Documents and Settings\leon\Application Data\Virgin Broadband
2008-02-27 23:04:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-02-27 23:04:24 0 d-------- C:\Documents and Settings\leon\Application Data\Macromedia
2008-02-27 23:02:07 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-02-27 22:49:06 0 d-------- C:\Documents and Settings\leon\Application Data\Help
2008-02-27 22:47:26 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-02-27 22:41:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-27 22:40:13 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-27 22:37:51 865472 --a------ C:\WINDOWS\system32\ati3d1ag.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon DirectX Universal Driver>
2008-02-27 22:13:01 0 d-------- C:\Documents and Settings\leon\Application Data\Identities
2008-02-27 22:12:54 0 d--h----- C:\Documents and Settings\leon\Templates
2008-02-27 22:12:54 0 dr------- C:\Documents and Settings\leon\Start Menu
2008-02-27 22:12:54 0 dr-h----- C:\Documents and Settings\leon\SendTo
2008-02-27 22:12:54 0 d--h----- C:\Documents and Settings\leon\PrintHood
2008-02-27 22:12:54 3407872 --ah----- C:\Documents and Settings\leon\NTUSER.DAT
2008-02-27 22:12:54 0 d--h----- C:\Documents and Settings\leon\NetHood
2008-02-27 22:12:54 0 dr------- C:\Documents and Settings\leon\My Documents
2008-02-27 22:12:54 0 d--h----- C:\Documents and Settings\leon\Local Settings
2008-02-27 22:12:54 0 dr------- C:\Documents and Settings\leon\Favorites
2008-02-27 22:12:54 0 d-------- C:\Documents and Settings\leon\Desktop
2008-02-27 22:12:54 0 d---s---- C:\Documents and Settings\leon\Cookies
2008-02-27 22:12:54 0 dr-h----- C:\Documents and Settings\leon\Application Data
2008-02-27 22:05:44 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-02-27 22:05:43 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-02-27 22:05:43 0 d-------- C:\WINDOWS\Prefetch
2008-02-27 22:05:42 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-02-27 22:05:42 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-02-27 22:05:42 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-02-27 22:05:42 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-02-27 22:05:42 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-02-27 22:05:34 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-02-27 22:05:34 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-02-27 22:05:34 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-02-27 22:05:34 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-02-27 22:05:34 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-02-27 22:01:44 0 d-------- C:\WINDOWS\system32\xircom
2008-02-27 22:01:44 0 d-------- C:\Program Files\microsoft frontpage
2008-02-27 22:01:25 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-02-27 22:01:19 0 -rahs---- C:\MSDOS.SYS
2008-02-27 22:01:19 0 -rahs---- C:\IO.SYS
2008-02-27 22:01:19 0 --a------ C:\CONFIG.SYS
2008-02-27 22:01:19 0 --a------ C:\AUTOEXEC.BAT
2008-02-27 22:00:11 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-02-27 21:59:59 0 dr------- C:\WINDOWS\Offline Web Pages
2008-02-27 21:59:59 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-02-27 21:59:47 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-27 21:59:27 0 d-------- C:\WINDOWS\system32\DirectX
2008-02-27 21:58:57 0 d---s---- C:\WINDOWS\Tasks
2008-02-27 21:58:56 0 d-------- C:\Program Files\Common Files\MSSoap
2008-02-27 21:58:53 0 d-------- C:\WINDOWS\srchasst
2008-02-27 21:58:52 0 d-------- C:\WINDOWS\system32\Macromed
2008-02-27 21:58:44 0 d-------- C:\Program Files\Movie Maker
2008-02-27 21:58:36 0 d-------- C:\WINDOWS\system32\Restore
2008-02-27 21:57:47 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-27 21:57:32 0 d-------- C:\WINDOWS\Registration
2008-02-27 21:57:25 0 d-------- C:\Program Files\Online Services
2008-02-27 21:57:16 0 d-------- C:\Program Files\Messenger
2008-02-27 21:57:13 0 d-------- C:\Program Files\MSN Gaming Zone
2008-02-27 21:56:39 0 d-------- C:\Program Files\Windows NT
2008-02-27 21:56:37 0 d-------- C:\WINDOWS\system32\MsDtc
2008-02-27 21:56:35 0 d-------- C:\WINDOWS\system32\Com
2008-02-27 21:48:06 0 d--hs---- C:\WINDOWS\Installer
2008-02-27 21:48:06 0 d-------- C:\Program Files\Common Files\ODBC
2008-02-27 21:48:03 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-02-27 21:48:02 0 dr------- C:\Program Files
2008-02-27 21:48:02 0 d-------- C:\Program Files\Common Files
2008-02-27 21:47:37 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-02-27 21:47:37 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-02-27 21:47:37 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-02-27 21:47:37 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-02-27 21:47:37 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-02-27 21:47:37 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-02-27 21:47:37 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-02-27 21:47:37 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-02-27 21:47:37 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-02-27 21:47:37 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-02-27 21:47:37 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-02-27 21:47:37 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-02-27 21:47:37 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-02-27 21:47:37 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-02-27 21:47:37 0 dr------- C:\Documents and Settings\All Users\Documents
2008-02-27 21:47:37 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-02-27 21:47:23 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-02-27 21:47:23 0 d-------- C:\WINDOWS\system32\CatRoot
2008-02-27 21:47:18 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-02-27 21:47:18 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-02-27 21:47:17 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-02-27 21:47:17 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-02-27 21:46:56 0 d-------- C:\Documents and Settings
2008-02-27 21:46:55 0 d--hs---- C:\System Volume Information
2008-02-27 21:41:55 0 d-------- C:\WINDOWS
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\WinSxS
2008-02-27 21:41:55 0 dr------- C:\WINDOWS\Web
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\twain_32
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\wins
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\wbem
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\usmt
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\spool
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\ShellExt
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\Setup
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\ras
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\oobe
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\npp
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\mui
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\inetsrv
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\IME
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\icsxml
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\ias
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\export
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\drivers
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-02-27 21:41:55 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\dhcp
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\config
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\3076
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\2052
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1054
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1042
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1041
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1037
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1033
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1031
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1028
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system32\1025
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\system
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\security
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Resources
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\repair
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Provisioning
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\PeerNet
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\pchealth
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\mui
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\msapps
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\msagent
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Media
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\java
2008-02-27 21:41:55 0 d--h----- C:\WINDOWS\inf
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\ime
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Help
2008-02-27 21:41:55 0 dr--s---- C:\WINDOWS\Fonts
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\ehome
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Driver Cache
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Debug
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Cursors
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Connection Wizard
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\Config
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\AppPatch
2008-02-27 21:41:55 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-02-27 21:47:37 62 --ahs---- C:\Documents and Settings\leon\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a2597d4-9f4d-4e59-bd3d-ee81bd06f19e}]
C:\WINDOWS\system32\jpqmcwcg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40E99D07-3FCC-4E44-880A-C9A15F504CEB}]
C:\WINDOWS\system32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{838591B7-3E5F-47AA-B21B-6A2AC2FFF373}]
C:\WINDOWS\system32\ssqpn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1EEF3DA-3CCC-4F9D-BA73-9019F6DFCE15}]
C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C02D673D-BB2A-4B6B-AB5E-8F61E12941E7}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBD29C3C-C642-4843-A627-6E54A947B511}]
10/03/2008 17:47 42496 --a------ C:\WINDOWS\system32\khfcyvv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/03/2008 17:05]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [05/01/2004 18:34]
"BMc7bc9350"="C:\WINDOWS\system32\hlxbxltn.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [28/02/2008 20:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBD29C3C-C642-4843-A627-6E54A947B511}"= C:\WINDOWS\system32\khfcyvv.dll [10/03/2008 17:47 42496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcyvv]
khfcyvv.dll 10/03/2008 17:47 42496 C:\WINDOWS\system32\khfcyvv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Inicio rápido de Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Inicio rápido de Adobe Reader.lnk
backup=C:\WINDOWS\pss\Inicio rápido de Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\-FreedomNeedsReboot]
"C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7bc9350]
Rundll32.exe "C:\WINDOWS\system32\eikoummr.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
"C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c48fa0cc]
rundll32.exe "C:\WINDOWS\system32\gpmxishv.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"dvpapi"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"Brother XP spl Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"ATI Smart"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d617b7-e578-11dc-a30c-806d6172696f}]
AutoRun\command- E:\Autorun\Install.exe

*Newly Created Service* - RKPAVPROC



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8025 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-17 19:48:05 ------------
Attached Files
File Type: txt extra.txt (9.9 KB, 0 views)

Old 03-18-2008, 06:32 PM   #2 (permalink)
Analyst, Security Team
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: virus- lop

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Please visit the webpage HERE for instructions for downloading and running ComboFix.
Post the
  • log from ComboFix
  • C:\vundofix.txt
in a reply to this thread after you have done that.

Feel free to ask if you have any questions/concerns beforehand.
__________________


Please donate to the site to help us help you DONATE


PROUD member Since 2004

Last edited by jwbirdsong; 03-18-2008 at 06:34 PM.
jwbirdsong is offline  
Old 03-19-2008, 11:47 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: xp


Re: virus- lop

hey

First off, cheers for taking up the task of helping out.


log from combo fix.

---ComboFix 08-03-18.1 - leon 2008-03-19 17:32:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.899 [GMT 0:00]
Running from: C:\Documents and Settings\leon\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc7bc9350.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\accdd.ini
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\bgvmtuvu.dll
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\fviswtri.dll
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\khfcyvv.dll
C:\WINDOWS\system32\libomwhi.dll
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 16:56 . 2008-03-19 17:22 <DIR> d-------- C:\VundoFix Backups
2008-03-17 22:24 . 2008-03-17 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 19:44 . 2008-03-17 19:44 <DIR> d-------- C:\Deckard
2008-03-17 19:39 . 2008-03-17 19:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-17 19:39 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-03-17 19:39 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-17 19:31 . 2008-03-17 19:33 1,073,742,336 --a------ C:\480.tmp
2008-03-17 17:45 . 2008-03-17 17:47 1,073,742,336 --a------ C:\329.tmp
2008-03-17 17:06 . 2008-03-17 17:18 839,360,512 --a------ C:\1D4.tmp
2008-03-17 16:39 . 2008-03-17 19:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-17 16:39 . 2008-03-17 19:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-17 16:39 . 2008-03-17 19:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-17 16:38 . 2008-03-17 19:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-16 20:33 . 2008-03-16 20:39 212 --a------ C:\delete.bat
2008-03-16 20:31 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-03-15 18:56 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-13 19:02 . 2002-07-03 11:44 53,248 --a------ C:\WINDOWS\amcap.exe
2008-03-13 19:01 . 2008-03-13 19:01 <DIR> d-------- C:\Program Files\Common Files\snpstd2
2008-03-13 19:01 . 2004-03-22 21:31 302,720 --a------ C:\WINDOWS\system32\drivers\snpstd2.sys
2008-03-13 19:01 . 2004-02-16 13:59 61,440 --a------ C:\WINDOWS\system32\csnpstd2.dll
2008-03-13 19:01 . 2003-10-24 11:21 53,248 --a------ C:\WINDOWS\system32\dsnpstd2.dll
2008-03-13 19:01 . 2004-01-05 18:34 40,960 --a------ C:\WINDOWS\vsnpstd2.exe
2008-03-13 19:01 . 2004-02-24 20:56 40,960 --a------ C:\WINDOWS\system32\rsnpstd2.dll
2008-03-13 19:01 . 2004-02-17 10:56 36,864 --a------ C:\WINDOWS\system32\vsnpstd2.dll
2008-03-13 19:01 . 2004-02-17 10:56 36,864 --a------ C:\WINDOWS\system32\dsnpstd2.ax
2008-03-13 19:01 . 2004-02-23 15:17 20,480 --a------ C:\WINDOWS\usnpstd2.exe
2008-03-13 19:01 . 2003-01-17 17:34 15,541 --a------ C:\WINDOWS\snpstd2.ini
2008-03-13 19:01 . 2003-01-17 17:35 13,023 --a------ C:\WINDOWS\snpstd2.src
2008-03-12 22:16 . 2008-03-12 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-12 22:16 . 2008-03-12 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 22:16 . 2008-03-12 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 17:29 . 2008-03-17 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-12 17:29 . 2008-03-12 17:29 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-12 17:29 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 17:24 . 2008-03-12 18:31 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-12 17:06 . 2008-03-13 18:21 <DIR> d-------- C:\Documents and Settings\leon\Application Data\AVG7
2008-03-12 17:05 . 2008-03-12 17:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-12 17:05 . 2008-03-12 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-12 17:05 . 2008-03-19 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-12 17:05 . 2008-03-12 17:05 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-12 17:05 . 2008-03-12 17:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-12 16:53 . 2008-03-12 17:00 1,320,224 --ahs---- C:\WINDOWS\system32\vhsixmpg.ini
2008-03-11 16:46 . 2008-03-11 20:56 1,315,180 --ahs---- C:\WINDOWS\system32\nvqpshpi.ini
2008-03-10 18:20 . 2008-03-10 18:20 <DIR> d-------- C:\Documents and Settings\leon\Application Data\vlc
2008-03-10 18:18 . 2008-03-10 18:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-08 09:53 . 2008-03-08 09:53 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-08 09:53 . 2008-03-08 09:53 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-03-08 09:53 . 2008-03-08 09:53 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-03-08 09:53 . 2008-03-08 09:53 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-08 09:50 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-08 09:50 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-06 17:13 . 2008-03-06 17:13 <DIR> d-------- C:\Documents and Settings\leon\Application Data\ATI
2008-03-06 17:08 . 2006-05-03 11:57 520,192 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-03-06 17:07 . 2008-03-06 17:08 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-05 21:56 . 2008-03-16 15:08 143 --a------ C:\WINDOWS\WININIT.INI
2008-03-05 20:07 . 2008-03-06 17:11 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2008-03-05 19:40 . 2008-03-10 19:45 <DIR> d-------- C:\Documents and Settings\leon\Application Data\My Battle for Middle-earth(tm) II Files
2008-03-05 18:11 . 2008-03-05 18:11 <DIR> d-------- C:\Program Files\Electronic Arts
2008-03-04 20:39 . 2008-03-04 20:39 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-04 20:39 . 2008-03-04 20:39 <DIR> d-------- C:\WINDOWS\Profiles
2008-03-04 20:39 . 2008-03-04 20:39 <DIR> d-------- C:\Documents and Settings\leon\Application Data\InterTrust
2008-03-04 20:38 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-04 20:20 . 2008-03-04 20:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-03 17:14 . 2008-03-05 19:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 13:32 . 2008-03-04 20:40 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-01 11:33 . 2008-03-04 20:57 <DIR> d-------- C:\Program Files\Ares
2008-02-29 17:42 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-29 17:42 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-29 17:42 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-29 17:41 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-28 20:56 . 2008-03-19 17:23 <DIR> d-------- C:\Program Files\PowerISO
2008-02-28 20:43 . 2008-02-28 20:43 <DIR> d-------- C:\WINDOWS\Sun
2008-02-28 20:42 . 2008-02-28 20:42 <DIR> d-------- C:\Program Files\Java
2008-02-28 20:42 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-28 20:41 . 2008-02-28 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-28 20:33 . 2008-02-28 20:33 <DIR> d---s---- C:\Documents and Settings\leon\UserData
2008-02-28 20:15 . 2008-02-28 20:17 <DIR> d-------- C:\Program Files\Winamp
2008-02-28 20:15 . 2008-02-28 20:17 <DIR> d-------- C:\Documents and Settings\leon\Application Data\Winamp
2008-02-28 20:05 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-02-28 20:05 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-02-28 20:04 . 2008-02-28 20:04 <DIR> d-------- C:\Program Files\Realtek AC97
2008-02-28 20:04 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2008-02-28 20:04 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-02-28 20:04 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2008-02-28 20:04 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-02-28 20:04 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-02-28 20:04 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-02-28 20:04 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2008-02-28 18:38 . 2008-02-28 18:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-28 18:17 . 2008-02-28 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-28 17:54 . 2008-02-28 17:54 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-02-28 17:49 . 2008-02-28 17:49 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-28 17:49 . 2008-02-29 17:49 <DIR> d-------- C:\Documents and Settings\leon\Contacts
2008-02-28 17:47 . 2008-02-28 17:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-28 17:43 . 2008-02-28 17:46 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-28 17:42 . 2008-02-28 17:47 <DIR> d-------- C:\Program Files\Windows Live
2008-02-28 17:42 . 2008-02-28 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-28 17:30 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-28 17:21 . 2008-02-28 18:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-27 23:12 . 2008-02-27 23:12 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a2597d4-9f4d-4e59-bd3d-ee81bd06f19e}]
C:\WINDOWS\system32\jpqmcwcg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40E99D07-3FCC-4E44-880A-C9A15F504CEB}]
C:\WINDOWS\system32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{838591B7-3E5F-47AA-B21B-6A2AC2FFF373}]
C:\WINDOWS\system32\ssqpn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1EEF3DA-3CCC-4F9D-BA73-9019F6DFCE15}]
C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C02D673D-BB2A-4B6B-AB5E-8F61E12941E7}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-12 17:05 579072]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-01-05 18:34 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-12 17:05 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcyvv]
khfcyvv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Inicio rápido de Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Inicio rápido de Adobe Reader.lnk
backup=C:\WINDOWS\pss\Inicio rápido de Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\-FreedomNeedsReboot]
C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-02-20 14:33 963072 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7bc9350]
C:\WINDOWS\system32\eikoummr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c48fa0cc]
C:\WINDOWS\system32\gpmxishv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-02-28 20:04 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 07:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 22:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"dvpapi"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"Brother XP spl Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-03-22 21:31]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\AUTORUN.EXE

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 17:38:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-19 17:40:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-19 17:40:00
.
2008-03-12 21:07:55 --- E O F ---

C:\vundofix.txt

-----

VundoFix V7.0.3

Scan started at 16:56:26 19/03/2008

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL

Beginning removal...

Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

Performing Repairs to the registry.
Done!

Just to note, a few programs autostarted when ComboFix rebooted the comp; dunno if this affects anything.

cheers.
headhunter234 is offline  
Old 03-20-2008, 04:15 AM   #4 (permalink)
Analyst, Security Team
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: virus- lop

Open a new notepad 'page' and copy/paste the text in the codebox below to it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/231116-virus-lop.html

Suspect::[34]
C:\WINDOWS\system32\ChCfg.exe

File::
C:\480.tmp
C:\329.tmp
C:\1D4.tmp
C:\WINDOWS\system32\vhsixmpg.ini
C:\WINDOWS\system32\nvqpshpi.ini
Folder::
C:\VundoFix Backups
Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a2597d4-9f4d-4e59-bd3d-ee81bd06f19e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40E99D07-3FCC-4E44-880A-C9A15F504CEB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{838591B7-3E5F-47AA-B21B-6A2AC2FFF373}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1EEF3DA-3CCC-4F9D-BA73-9019F6DFCE15}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C02D673D-BB2A-4B6B-AB5E-8F61E12941E7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcyvv]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.

Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.
If CF-Submit.htm is detected, ComboFix will generate this message box:



Clicking OK will cause the machine's browser to load CF-Submit.htm



Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Post the following reports/logs into your next reply:
  • C:\Combofix.txt
  • FSecure scan from below (run after ComboFix has finished its work.)
Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on the Start Scanning button at bottom of page.
  • Accept the License Agreement and the ActiveX install.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.
jwbirdsong is offline  
Old 03-20-2008, 03:15 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: xp


Re: virus- lop

Just like to say thanks so far; already noticed a big improvement in the running of my system. Anyhow, here's the logs you requested.

combo.

---
ComboFix 08-03-18.1 - leon 2008-03-20 17:54:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.910 [GMT 0:00]
Running from: C:\Documents and Settings\leon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\leon\Desktop\CFScript
* Created a new restore point

FILE ::
C:\1D4.tmp
C:\329.tmp
C:\480.tmp
C:\WINDOWS\system32\nvqpshpi.ini
C:\WINDOWS\system32\vhsixmpg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1D4.tmp
C:\329.tmp
C:\480.tmp
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\PWRISOSH.DLL.bad
C:\WINDOWS\system32\nvqpshpi.ini
C:\WINDOWS\system32\vhsixmpg.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 22:02 . 2008-03-19 22:02 <DIR> d-------- C:\Documents and Settings\leon\Application Data\.BitTornado
2008-03-19 22:00 . 2008-03-19 22:00 <DIR> d-------- C:\Program Files\BitTornado
2008-03-17 22:24 . 2008-03-17 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 19:44 . 2008-03-17 19:44 <DIR> d-------- C:\Deckard
2008-03-17 19:39 . 2008-03-17 19:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-17 19:39 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-03-17 19:39 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-17 16:39 . 2008-03-17 19:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-17 16:39 . 2008-03-17 19:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-17 16:39 . 2008-03-17 19:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-17 16:38 . 2008-03-17 19:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-16 20:33 . 2008-03-16 20:39 212 --a------ C:\delete.bat
2008-03-16 20:31 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-03-15 18:56 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-13 19:02 . 2002-07-03 11:44 53,248 --a------ C:\WINDOWS\amcap.exe
2008-03-13 19:01 . 2008-03-13 19:01 <DIR> d-------- C:\Program Files\Common Files\snpstd2
2008-03-13 19:01 . 2004-03-22 21:31 302,720 --a------ C:\WINDOWS\system32\drivers\snpstd2.sys
2008-03-13 19:01 . 2004-02-16 13:59 61,440 --a------ C:\WINDOWS\system32\csnpstd2.dll
2008-03-13 19:01 . 2003-10-24 11:21 53,248 --a------ C:\WINDOWS\system32\dsnpstd2.dll
2008-03-13 19:01 . 2004-01-05 18:34 40,960 --a------ C:\WINDOWS\vsnpstd2.exe
2008-03-13 19:01 . 2004-02-24 20:56 40,960 --a------ C:\WINDOWS\system32\rsnpstd2.dll
2008-03-13 19:01 . 2004-02-17 10:56 36,864 --a------ C:\WINDOWS\system32\vsnpstd2.dll
2008-03-13 19:01 . 2004-02-17 10:56 36,864 --a------ C:\WINDOWS\system32\dsnpstd2.ax
2008-03-13 19:01 . 2004-02-23 15:17 20,480 --a------ C:\WINDOWS\usnpstd2.exe
2008-03-13 19:01 . 2003-01-17 17:34 15,541 --a------ C:\WINDOWS\snpstd2.ini
2008-03-13 19:01 . 2003-01-17 17:35 13,023 --a------ C:\WINDOWS\snpstd2.src
2008-03-12 22:16 . 2008-03-12 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-12 22:16 . 2008-03-12 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 22:16 . 2008-03-12 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 17:29 . 2008-03-17 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-12 17:29 . 2008-03-12 17:29 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-12 17:29 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 17:24 . 2008-03-12 18:31 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-12 17:06 . 2008-03-13 18:21 <DIR> d-------- C:\Documents and Settings\leon\Application Data\AVG7
2008-03-12 17:05 . 2008-03-12 17:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-12 17:05 . 2008-03-12 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-12 17:05 . 2008-03-19 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-12 17:05 . 2008-03-12 17:05 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-12 17:05 . 2008-03-12 17:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-10 18:20 . 2008-03-10 18:20 <DIR> d-------- C:\Documents and Settings\leon\Application Data\vlc
2008-03-10 18:18 . 2008-03-10 18:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-08 09:53 . 2008-03-08 09:53 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-08 09:53 . 2008-03-08 09:53 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-03-08 09:53 . 2008-03-08 09:53 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-03-08 09:53 . 2008-03-08 09:53 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-08 09:50 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-08 09:50 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-06 17:13 . 2008-03-06 17:13 <DIR> d-------- C:\Documents and Settings\leon\Application Data\ATI
2008-03-06 17:08 . 2006-05-03 11:57 520,192 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-03-06 17:07 . 2008-03-06 17:08 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-05 21:56 . 2008-03-16 15:08 143 --a------ C:\WINDOWS\WININIT.INI
2008-03-05 20:07 . 2008-03-06 17:11 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2008-03-05 19:40 . 2008-03-10 19:45 <DIR> d-------- C:\Documents and Settings\leon\Application Data\My Battle for Middle-earth(tm) II Files
2008-03-05 18:11 . 2008-03-05 18:11 <DIR> d-------- C:\Program Files\Electronic Arts
2008-03-04 20:39 . 2008-03-04 20:39 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-04 20:39 . 2008-03-04 20:39 <DIR> d-------- C:\WINDOWS\Profiles
2008-03-04 20:39 . 2008-03-04 20:39 <DIR> d-------- C:\Documents and Settings\leon\Application Data\InterTrust
2008-03-04 20:38 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-04 20:20 . 2008-03-04 20:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-03 17:14 . 2008-03-05 19:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 13:32 . 2008-03-04 20:40 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-01 11:33 . 2008-03-04 20:57 <DIR> d-------- C:\Program Files\Ares
2008-02-29 17:42 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-29 17:42 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-29 17:42 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-29 17:41 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-28 20:56 . 2008-03-19 17:23 <DIR> d-------- C:\Program Files\PowerISO
2008-02-28 20:43 . 2008-02-28 20:43 <DIR> d-------- C:\WINDOWS\Sun
2008-02-28 20:42 . 2008-02-28 20:42 <DIR> d-------- C:\Program Files\Java
2008-02-28 20:42 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-28 20:41 . 2008-02-28 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-28 20:33 . 2008-02-28 20:33 <DIR> d---s---- C:\Documents and Settings\leon\UserData
2008-02-28 20:15 . 2008-02-28 20:17 <DIR> d-------- C:\Program Files\Winamp
2008-02-28 20:15 . 2008-02-28 20:17 <DIR> d-------- C:\Documents and Settings\leon\Application Data\Winamp
2008-02-28 20:05 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-02-28 20:05 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-02-28 20:04 . 2008-02-28 20:04 <DIR> d-------- C:\Program Files\Realtek AC97
2008-02-28 20:04 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2008-02-28 20:04 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-02-28 20:04 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2008-02-28 20:04 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-02-28 20:04 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-02-28 20:04 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-02-28 20:04 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2008-02-28 18:38 . 2008-02-28 18:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-28 18:17 . 2008-02-28 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-28 17:54 . 2008-02-28 17:54 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-02-28 17:49 . 2008-02-28 17:49 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-28 17:49 . 2008-02-29 17:49 <DIR> d-------- C:\Documents and Settings\leon\Contacts
2008-02-28 17:47 . 2008-02-28 17:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-28 17:43 . 2008-02-28 17:46 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-28 17:42 . 2008-02-28 17:47 <DIR> d-------- C:\Program Files\Windows Live
2008-02-28 17:42 . 2008-02-28 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-28 17:30 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-28 17:21 . 2008-02-28 18:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-27 23:12 . 2008-02-27 23:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-27 23:04 . 2008-03-12 17:25 <DIR> d-------- C:\Documents and Settings\leon\Application Data\Virgin Broadband
2008-02-27 23:04 . 2008-03-12 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-02-27 23:01 . 2004-06-11 07:31 135,168 -ra------ C:\WINDOWS\UNDPX2A.exe
2008-02-27 23:01 . 2004-06-11 07:34 53,693 -ra------ C:\WINDOWS\UNDPX2A.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 22:02 --------- d-----w C:\Documents and Settings\leon\Application Data\.BitTornado
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-12 17:05 579072]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-01-05 18:34 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-12 17:05 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Inicio rápido de Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Inicio rápido de Adobe Reader.lnk
backup=C:\WINDOWS\pss\Inicio rápido de Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\-FreedomNeedsReboot]
C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-02-20 14:33 963072 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7bc9350]
C:\WINDOWS\system32\eikoummr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c48fa0cc]
C:\WINDOWS\system32\gpmxishv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-02-28 20:04 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 07:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 22:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"dvpapi"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"Brother XP spl Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=

R3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-03-22 21:31]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 17:56:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20 17:56:51
ComboFix-quarantined-files.txt 2008-03-20 17:56:37
ComboFix2.txt 2008-03-19 17:40:09
.
2008-03-12 21:07:55 --- E O F ---


and the f secure log

-----

Scanning Report
Thursday, March 20, 2008 18:29:09 - 21:10:12
Computer name: HOME-F4EF9F6DF3
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 1 malware found
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32269
System: 2729
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
D:\PAGEFILE.SYS

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-03-20
F-Secure AVP: 7.0.171, 2008-03-20
F-Secure Pegasus: 1.20.0, 2008-02-20
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

headhunter234 is offline  
Old 03-20-2008, 11:27 PM   #6 (permalink)
Analyst, Security Team
 
jwbirdsong
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: virus- lop

Everything looks GREAT.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??
__________________


Please donate to the site to help us help you DONATE


PROUD member Since 2004
Old 03-21-2008, 11:44 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: xp


Re: virus- lop

thanks for the help very much appreciated.
headhunter234 is offline  
Old 03-21-2008, 09:54 PM   #8 (permalink)
Analyst, Security Team
 
jwbirdsong
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: virus- lop

Quote:
thanks for the help very much appreciated.

It's why we're here.
All times are GMT -7.