
Discussion Starter · #1 ·
Hi,
I am getting popups nonstop. I have been in the registry editor and HKEY(S) and deleted those not needed, although I am still getting popups. Please help.
Thank you.
 


Discussion Starter · #3 ·
Deckard's System Scanner v20071014.68
Run by fady1 on 2008-05-28 21:58:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
57: 2008-05-28 11:58:34 UTC - RP899 - Deckard's System Scanner Restore Point
56: 2008-05-28 10:53:02 UTC - RP898 - Removed WinZip 11.2
55: 2008-05-28 00:26:35 UTC - RP897 - Installed WinZip 11.2
54: 2008-05-28 00:25:51 UTC - RP896 - Removed WinZip 11.1
53: 2008-05-27 17:02:05 UTC - RP895 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-10 17:01:16 UTC - RP843 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-28 22:02:51
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\WgaTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SYSTEM32\igfxtray.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\wbem\wmiprvse.exe
C:\Documents and Settings\fady1\Local Settings\Temporary Internet Files\Content.IE5\KNEDIZQH\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7885E057-9998-43D0-9957-713DDF285D90} - C:\WINDOWS\SYSTEM32\gebcd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F3918A5A-0BF3-44A0-9103-0D1C49D2313E} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Amencash] C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Risk\Images\stg_drm.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) - http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Risk\Images\armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\SYSTEM32\gebcd.dll
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll (file missing)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll (file missing)
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll (file missing)
O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\SYSTEM32\ssqpp.dll
O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll (file missing)
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll (file missing)
O20 - Winlogon Notify: yayxxyv - C:\WINDOWS\system32\yayxxyv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jxujupsj.exe /service
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--
End of file - 13347 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 nvport (NVIDIA PORT IO Control Driver) - c:\windows\system32\drivers\nvport.sys (file missing)
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 ldiskl - c:\docume~1\fady1\locals~1\temp\ldiskl.sys (file missing)
S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys (file missing)
S3 U81xbus (LGE U8XXX driver (WDM)) - c:\windows\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8XXX USB WMC Modem Filter) - c:\windows\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8XXX USB WMC Modem Driver) - c:\windows\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8XXX USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8XXX USB WMC OBEX Interface) - c:\windows\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 DomainService - c:\windows\system32\jxujupsj.exe /service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 22:00:06 260 --ah----- C:\WINDOWS\Tasks\83C9A78D847E5F05.job
2008-05-26 20:24:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 21:44:20 0 d------c- C:\ie-spyad_zo
2008-05-28 21:32:39 0 d-------- C:\Program Files\ExpressZIP
2008-05-28 04:53:17 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-28 04:53:01 0 d-------- C:\Program Files\SpywareBlaster
2008-05-27 23:40:34 0 d-------- C:\Program Files\meet proxy regs
2008-05-27 18:17:13 0 d-------- C:\Program Files\Panda Security
2008-05-23 21:25:56 0 d-------- C:\WINDOWS\LastGood
2008-05-12 20:06:30 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-12 20:06:30 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-12 20:02:52 6227232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-12 20:02:51 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-12 20:02:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 20:02:38 120608 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-12 19:21:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-12 19:19:48 0 d-------- C:\Documents and Settings\fady1\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2008-05-27 23:42:48 0 d-------- C:\Documents and Settings\fady1\Application Data\meet proxy regs
2008-05-13 11:19:30 0 d-------- C:\Program Files\Starware353
2008-05-13 11:19:19 0 d-------- C:\Program Files\SideFind
2008-05-13 11:19:17 0 d-------- C:\Program Files\Circle Developement
2008-05-12 20:44:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-12 20:30:37 0 d-------- C:\Program Files\Qvsd
2008-05-01 01:33:00 0 d-------- C:\Documents and Settings\fady1\Application Data\Adobe
2008-04-27 14:30:49 0 d-------- C:\Documents and Settings\fady1\Application Data\Real
2008-04-16 02:20:25 0 d-------- C:\Program Files\LimeWire
2008-04-07 22:46:40 0 d-------- C:\Program Files\iTunes
2008-04-07 22:46:22 0 d-------- C:\Program Files\iPod
2008-04-07 22:41:49 0 d-------- C:\Program Files\QuickTime
2008-04-06 11:54:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-02 23:33:27 0 d-------- C:\Documents and Settings\fady1\Application Data\GetRightToGo
2008-04-02 22:10:52 0 d-------- C:\Documents and Settings\fady1\Application Data\iWin
2008-04-02 22:07:31 0 d-------- C:\Documents and Settings\fady1\Application Data\SpinTop
2008-03-31 19:13:08 0 d-------- C:\Program Files\MSN Messenger
2008-03-31 19:13:02 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-12 18:26:46 520 --a----c- C:\Program Files\cmd.txt


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7885E057-9998-43D0-9957-713DDF285D90}]
07/01/2007 02:35 PM 233303 --a------ C:\WINDOWS\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3918A5A-0BF3-44A0-9103-0D1C49D2313E}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 09:06 AM C:\WINDOWS\AGRSMMSG.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/20/2004 03:55 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/20/2004 03:51 PM]
"SchedulingAgent"="mstinit.exe" [08/04/2004 12:56 AM C:\WINDOWS\SYSTEM32\mstinit.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/20/2006 08:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [09/15/2006 06:09 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [12/18/2007 12:43 AM]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe" [05/27/2008 11:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 10:34 AM]
"Amencash"="C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe" [05/27/2008 11:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqp]
C:\WINDOWS\system32\awtqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb]
C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
C:\WINDOWS\system32\gebcd.dll 07/01/2007 02:35 PM 233303 C:\WINDOWS\SYSTEM32\gebcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx]
C:\WINDOWS\system32\geebx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhg]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg]
C:\WINDOWS\system32\mljgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj]
C:\WINDOWS\system32\mljjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
C:\WINDOWS\system32\mllmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
C:\WINDOWS\system32\pmkhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhg]
C:\WINDOWS\system32\pmkhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
C:\WINDOWS\system32\ssqpp.dll 08/25/2007 08:11 PM 218703 C:\WINDOWS\SYSTEM32\ssqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttq]
C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu]
C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutu]
C:\WINDOWS\system32\vtutu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxyv]
yayxxyv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d908-2004-11dd-96b4-00110919351a}]
AutoRun\command- K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d909-2004-11dd-96b4-00110919351a}]
Auto\command- Cn911.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-05-28 22:04:57 ------------
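An added example, not from the thread or from any of the tools it names: a Python triage pass over a few lines copied from the HijackThis-style section of the log above, flagging the entry classes the helper's fix targets (unnamed BHOs, Run entries launching from a user profile, Winlogon Notify DLLs outside a known-good list, services with no vendor string). The Winlogon Notify allowlist and the profile-path heuristic are assumptions made for the example, not tool output.

```python
import re

# Constructed sample: a few lines copied from the HijackThis-style section of the
# DSS log above (raw string so the backslashes stay literal).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7885E057-9998-43D0-9957-713DDF285D90} - C:\WINDOWS\SYSTEM32\gebcd.dll
O2 - BHO: (no name) - {F3918A5A-0BF3-44A0-9103-0D1C49D2313E} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe
O4 - HKCU\..\Run: [Amencash] C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\SYSTEM32\gebcd.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jxujupsj.exe /service
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Every HijackThis line starts with a section tag (R0, R1, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Winlogon Notify packages normally present on a Windows XP build (assumed allowlist
# for this example; extend it for your own baseline). Anything else under O20 is
# worth a second look.
KNOWN_O20 = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui",
}

# Path fragments meaning a Run entry launches from a user profile rather than from
# Program Files or the Windows directory (8.3 short names included).
USER_PROFILE_DIRS = ("documents and settings", "docume~1", "application data", "applic~1")


def parse_hjt(text):
    """Return one dict per recognised log line: section tag, body, and whether the
    referenced file is reported missing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        entries.append({
            "section": m.group("section"),
            "body": body,
            "missing": "(file missing)" in body or "(no file)" in body,
        })
    return entries


def triage(entries):
    """Apply the checks a helper applies by eye to this kind of log.
    Returns (section, reason, body) tuples; an empty list means nothing was flagged."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        low = body.lower()
        if sec == "O2" and "(no name)" in low:
            # Legitimate BHOs almost always register a display name.
            findings.append((sec, "unnamed browser helper object", body))
        elif sec == "O4" and any(d in low for d in USER_PROFILE_DIRS):
            # Autostart from a profile directory, as the Amencash / Extra list.exe entries do.
            findings.append((sec, "Run entry launching from a user profile path", body))
        elif sec == "O20":
            # "Winlogon Notify: <name> - <path>": take the package name before " - ".
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name in KNOWN_O20:
                continue
            reason = ("orphaned Winlogon Notify entry (DLL already deleted)" if e["missing"]
                      else "Winlogon Notify DLL outside the known-good list")
            findings.append((sec, reason, body))
        elif sec == "O23" and "unknown owner" in low:
            # Services with no vendor string, such as DomainService above.
            findings.append((sec, "service with no vendor information", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {body}")
```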
 


Hello again

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.

=========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

==========

You are running DSS.exe (Deckard's System Scanner) from a temporary directory. It needs to be in a permanent folder. Please move dss[1].exe to your desktop.

===========

P2P

P2P - I see you have P2P software LimeWire 4.16.6 installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here,
Here and Here.

==========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Messenger Plus! Live & Sponsor <--- Known to install malware. You can re-install Messenger Plus! Live, but decline the Sponsors programme.

============

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with all the required logs.

=========

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

===========

Download fl.zip
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

=============

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=============
Logs Required
Report.txt
C:\Combofix.txt
C:\findlop.txt
Hijackthis Log
 

SDFix: Version 1.186
Run by fady1 on Thu 05/29/2008 at 07:47 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\PART0100.DAT - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 20:03:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:6a95017e
"s2"=dword:50033a95
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:e9,88,98,54,65,50,fc,44,6c,1c,4e,99,bc,ab,9f,83,2f,44,4a,a6,05,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b1,9d,c0,8c,e3,d5,66,78,5e,42,20,a8,63,99,b5,4c,08,39,16,bb,14,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f4,28,e6,f3,75,5b,3e,9e,14,67,61,c8,08,24,48,af,9a,..
"khjeh"=hex:9f,bc,c0,f2,7c,be,37,c0,77,7c,27,d6,56,95,da,19,cc,86,d6,2d,f1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:3a,13,a9,63,e9,7d,ca,a3,5d,68,ba,9b,da,f3,26,3d,76,03,a0,c4,38,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:e9,88,98,54,65,50,fc,44,6c,1c,4e,99,bc,ab,9f,83,2f,44,4a,a6,05,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b1,9d,c0,8c,e3,d5,66,78,5e,42,20,a8,63,99,b5,4c,08,39,16,bb,14,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f4,28,e6,f3,75,5b,3e,9e,14,67,61,c8,08,24,48,af,9a,..
"khjeh"=hex:9f,bc,c0,f2,7c,be,37,c0,77,7c,27,d6,56,95,da,19,cc,86,d6,2d,f1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:3a,13,a9,63,e9,7d,ca,a3,5d,68,ba,9b,da,f3,26,3d,76,03,a0,c4,38,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\jxujupsj.exe"="C:\\WINDOWS\\system32\\jxu"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 24 Apr 1999 93,890 ..SH. --- "C:\COMMAND.COM"
Sat 24 Apr 1999 53,248 A..H. --- "C:\Program Files\Accessories\mspcx32.dll"
Fri 6 Apr 2007 10,752 A..H. --- "C:\Program Files\MSN Messenger\WINHTTP.dll"
Sun 10 Jun 2007 906,293 A.SH. --- "C:\WINDOWS\SYSTEM32\aycdd.tmp"
Wed 9 May 2007 596,479 A.SH. --- "C:\WINDOWS\SYSTEM32\aycdd.bak1"
Tue 26 Jun 2007 1,178,054 A.SH. --- "C:\WINDOWS\SYSTEM32\aycdd.bak2"
Sat 21 Jul 2007 946,097 A.SH. --- "C:\WINDOWS\SYSTEM32\bccdd.bak1"
Mon 27 Aug 2007 701,481 A.SH. --- "C:\WINDOWS\SYSTEM32\cbeeg.bak1"
Wed 11 Jul 2007 992,523 A.SH. --- "C:\WINDOWS\SYSTEM32\cccdd.tmp"
Wed 11 Jul 2007 991,524 A.SH. --- "C:\WINDOWS\SYSTEM32\cccdd.bak1"
Thu 12 Apr 2007 488,183 A.SH. --- "C:\WINDOWS\SYSTEM32\dcbeg.bak1"
Fri 20 Apr 2007 518,542 A.SH. --- "C:\WINDOWS\SYSTEM32\dcbeg.bak2"
Tue 21 Aug 2007 692,077 A.SH. --- "C:\WINDOWS\SYSTEM32\fhkmp.bak1"
Mon 6 Aug 2007 773,768 A.SH. --- "C:\WINDOWS\SYSTEM32\ggjlm.bak1"
Thu 23 Aug 2007 692,274 A.SH. --- "C:\WINDOWS\SYSTEM32\ghhkj.bak1"
Tue 14 Aug 2007 681,076 A.SH. --- "C:\WINDOWS\SYSTEM32\ghkmp.bak1"
Sat 28 Apr 2007 579,668 A.SH. --- "C:\WINDOWS\SYSTEM32\hjkmp.bak1"
Tue 8 May 2007 627,591 A.SH. --- "C:\WINDOWS\SYSTEM32\hjkmp.bak2"
Mon 6 Aug 2007 178,286 A.SH. --- "C:\WINDOWS\SYSTEM32\iamrgtsk.tmp"
Fri 13 Jul 2007 1,085,326 A.SH. --- "C:\WINDOWS\SYSTEM32\jjjlm.bak1"
Thu 19 Jul 2007 945,180 A.SH. --- "C:\WINDOWS\SYSTEM32\jlnmp.bak1"
Tue 31 Jul 2007 777,611 A.SH. --- "C:\WINDOWS\SYSTEM32\kmllm.bak1"
Wed 15 Aug 2007 681,279 ..SH. --- "C:\WINDOWS\SYSTEM32\ppqss.bak1"
Fri 17 Aug 2007 681,279 ..SH. --- "C:\WINDOWS\SYSTEM32\pqtwa.bak1"
Sun 19 Aug 2007 689,809 ..SH. --- "C:\WINDOWS\SYSTEM32\qttss.bak1"
Wed 18 Jul 2007 947,091 ..SH. --- "C:\WINDOWS\SYSTEM32\utstv.bak1"
Sat 7 Jul 2007 990,488 ..SH. --- "C:\WINDOWS\SYSTEM32\ututv.bak1"
Mon 2 Jul 2007 946,634 ..SH. --- "C:\WINDOWS\SYSTEM32\utvwa.tmp"
Sun 15 Jul 2007 1,083,413 ..SH. --- "C:\WINDOWS\SYSTEM32\vybeg.bak1"
Wed 27 Jun 2007 1,144,317 ..SH. --- "C:\WINDOWS\SYSTEM32\xbeeg.bak1"
Thu 12 Jul 2007 1,028,608 A.SH. --- "C:\WINDOWS\SYSTEM32\yycdd.tmp"
Wed 11 Jul 2007 991,524 ..SH. --- "C:\WINDOWS\SYSTEM32\yycdd.bak2"
Mon 12 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 28 Aug 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Wed 11 Jul 2007 616,448 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\4wm31q14.TMP"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\fady1\Application Data\U3\temp\Launchpad Removal.exe"
Mon 12 Sep 2005 4,348 ...H. --- "C:\Documents and Settings\fady1\My Documents\My Music\License Backup\drmv1key.bak"
Wed 16 Aug 2006 20 A..H. --- "C:\Documents and Settings\fady1\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 18 Jul 2006 488 A.SH. --- "C:\Documents and Settings\fady1\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

======

ComboFix 08-05-28.4 - fady1 2008-05-29 23:33:14.1 - NTFSx86
Running from: C:\Documents and Settings\fady1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware353
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes_foreign_feed.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes_foreign_feed.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\starware_toolbar_icon.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware353\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware353\contexts\travel.xml
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\#SharedObjects\Z2K632EU\iforex.com
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\#SharedObjects\Z2K632EU\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\#SharedObjects\Z2K632EU\www.broadcaster.com
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\fady1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\fady1\Application Data\SystemDoctor 2006 Free
C:\Documents and Settings\fady1\Application Data\SystemDoctor 2006 Free\Logs\update.log
C:\Program Files\SideFind
C:\Program Files\Starware353
C:\Program Files\Starware353\brand.bmp
C:\Program Files\Starware353\icons\star_16.ico
C:\Program Files\Starware353\Starware353Config.xml
C:\Program Files\winupdates
C:\Program Files\winupdates\a.zip
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\amretedn.ini
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\SYSTEM32\aycdd.bak1
C:\WINDOWS\SYSTEM32\aycdd.bak2
C:\WINDOWS\SYSTEM32\aycdd.ini
C:\WINDOWS\SYSTEM32\aycdd.ini2
C:\WINDOWS\SYSTEM32\aycdd.tmp
C:\WINDOWS\SYSTEM32\bccdd.bak1
C:\WINDOWS\SYSTEM32\bccdd.ini
C:\WINDOWS\system32\bcktjccw.ini
C:\WINDOWS\system32\bxvbshej.ini
C:\WINDOWS\SYSTEM32\cbeeg.bak1
C:\WINDOWS\SYSTEM32\cbeeg.ini
C:\WINDOWS\SYSTEM32\cccdd.bak1
C:\WINDOWS\SYSTEM32\cccdd.tmp
C:\WINDOWS\system32\crunaacv.ini
C:\WINDOWS\SYSTEM32\dcbeg.bak1
C:\WINDOWS\SYSTEM32\dcbeg.bak2
C:\WINDOWS\SYSTEM32\dcbeg.ini
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\dlwbibkd.ini
C:\WINDOWS\SYSTEM32\fhkmp.bak1
C:\WINDOWS\SYSTEM32\fhkmp.ini
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\SYSTEM32\ggjlm.bak1
C:\WINDOWS\SYSTEM32\ggjlm.ini
C:\WINDOWS\SYSTEM32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\SYSTEM32\ghkmp.bak1
C:\WINDOWS\SYSTEM32\ghkmp.ini
C:\WINDOWS\system32\hdswhphi.ini
C:\WINDOWS\SYSTEM32\hjkmp.bak1
C:\WINDOWS\SYSTEM32\hjkmp.bak2
C:\WINDOWS\SYSTEM32\hjkmp.ini
C:\WINDOWS\system32\hxxxhgxu.ini
C:\WINDOWS\SYSTEM32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\kibvnqpv.ini
C:\WINDOWS\SYSTEM32\kmllm.bak1
C:\WINDOWS\SYSTEM32\kmllm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mssdphtk.ini
C:\WINDOWS\system32\ndqkplon.ini
C:\WINDOWS\system32\nigjoqvl.ini
C:\WINDOWS\system32\nkudjplt.ini
C:\WINDOWS\system32\npanpnpi.ini
C:\WINDOWS\system32\nskjghof.ini
C:\WINDOWS\system32\nsmvuktn.ini
C:\WINDOWS\system32\ocqclits.ini
C:\WINDOWS\system32\omdogfqk.ini
C:\WINDOWS\system32\oriwsheo.ini
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pnjmlrjp.ini
C:\WINDOWS\SYSTEM32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\SYSTEM32\pqtwa.bak1
C:\WINDOWS\SYSTEM32\pqtwa.ini
C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\system32\rsdhigkp.ini
C:\WINDOWS\system32\savdippx.ini
C:\WINDOWS\system32\slcdgueh.ini
C:\WINDOWS\SYSTEM32\svvwa.ini
C:\WINDOWS\system32\ugeagtby.ini
C:\WINDOWS\system32\uhnsgjoa.ini
C:\WINDOWS\system32\usxeafqe.ini
C:\WINDOWS\SYSTEM32\utstv.bak1
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\SYSTEM32\ututv.bak1
C:\WINDOWS\SYSTEM32\ututv.ini
C:\WINDOWS\system32\vjfjidcm.ini
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\SYSTEM32\vybeg.ini
C:\WINDOWS\SYSTEM32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\ymolmdrx.ini
C:\WINDOWS\system32\yowtuvqn.ini
C:\WINDOWS\system32\ytmfhomq.ini
C:\WINDOWS\SYSTEM32\yycdd.bak2
C:\WINDOWS\SYSTEM32\yycdd.ini2
C:\WINDOWS\SYSTEM32\yycdd.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Service_DomainService


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 19:39 . 2008-05-29 19:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-29 19:32 . 2008-05-29 20:20 <DIR> d----c--- C:\SDFix
2008-05-28 21:58 . 2008-05-28 21:58 <DIR> d----c--- C:\Deckard
2008-05-28 21:44 . 2008-05-28 21:44 <DIR> d----c--- C:\ie-spyad_zo
2008-05-28 21:35 . 2008-05-28 21:35 6,144 --ahs---- C:\WINDOWS\SYSTEM32\access.ctl
2008-05-28 21:32 . 2008-05-28 21:35 <DIR> d-------- C:\Program Files\ExpressZIP
2008-05-28 04:53 . 2008-05-28 21:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-28 04:53 . 2008-05-28 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 23:40 . 2008-05-27 23:40 <DIR> d-------- C:\Program Files\meet proxy regs
2008-05-27 18:17 . 2008-05-27 18:17 <DIR> d-------- C:\Program Files\Panda Security
2008-05-12 20:14 . 2008-05-29 23:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-12 20:14 . 2008-05-12 20:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 20:06 . 2008-05-29 19:03 96,966 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-05-12 20:06 . 2008-05-29 19:03 88,262 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-05-12 20:02 . 2008-05-12 20:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-12 20:02 . 2008-05-29 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 20:02 . 2008-05-29 23:47 6,449,440 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-05-12 20:02 . 2008-05-29 23:46 133,920 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-05-12 20:02 . 2008-05-29 23:45 87,404 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-05-12 20:02 . 2008-05-29 23:45 13,556 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-05-12 19:21 . 2008-05-12 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-12 19:19 . 2008-05-12 20:49 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 09:31 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-29 09:04 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-27 13:42 --------- d-----w C:\Documents and Settings\fady1\Application Data\meet proxy regs
2008-05-27 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\great coal love default
2008-05-12 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\knob glue cdrom jugs
2008-05-12 10:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-05-12 10:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-12 10:30 --------- d-----w C:\Program Files\Qvsd
2008-05-12 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-15 16:20 --------- d-----w C:\Program Files\LimeWire
2008-04-07 12:46 --------- d-----w C:\Program Files\iTunes
2008-04-07 12:46 --------- d-----w C:\Program Files\iPod
2008-04-07 12:41 --------- d-----w C:\Program Files\QuickTime
2008-04-02 13:33 --------- d-----w C:\Documents and Settings\fady1\Application Data\GetRightToGo
2008-04-02 12:10 --------- d-----w C:\Documents and Settings\fady1\Application Data\iWin
2008-04-02 12:07 --------- d-----w C:\Documents and Settings\fady1\Application Data\SpinTop
2008-03-31 09:13 --------- d-----w C:\Program Files\MSN Messenger
2008-03-12 08:26 520 -c--a-w C:\Program Files\cmd.txt
2007-01-02 05:00 338 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb1942.dat
2006-09-26 16:01 33,336 -c--a-w C:\Documents and Settings\fady1\Application Data\GDIPFONTCACHEV1.DAT
2006-08-25 03:45 13,046 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb5436.dat
2006-08-25 03:45 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb4604.dat
2006-08-24 05:02 177,152 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb4827.dat
2006-08-24 05:02 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb3902.dat
2006-08-18 15:12 15,617 -c--a-w C:\Program Files\debug.log
2006-08-05 03:16 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb1538.dat
2006-08-05 03:16 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb153.dat
2006-07-18 08:08 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb2391.dat
2006-05-23 11:49 627 -c--a-w C:\Program Files\My Sharing Folders.lnk
2006-04-11 13:38 198 -c--a-w C:\Program Files\SB_usb_log.txt
2005-08-12 22:41 266 --sh--w C:\Program Files\desktop.ini
2005-08-12 22:41 11,079 -c-ha-w C:\Program Files\folder.htt
2005-08-12 22:36 1,010 -c--a-w C:\Program Files\FRUNLOG.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7885E057-9998-43D0-9957-713DDF285D90}]
2007-07-01 14:35 233303 --a------ C:\WINDOWS\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3918A5A-0BF3-44A0-9103-0D1C49D2313E}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]
"Amencash"="C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe" [2008-05-27 23:40 432640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 12288 C:\WINDOWS\SYSTEM32\mstinit.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 20:22 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-15 06:09 157592]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe" [2008-05-29 23:47 1733632]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqp]
C:\WINDOWS\system32\awtqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb]
C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
C:\WINDOWS\system32\gebcd.dll 2007-07-01 14:35 233303 C:\WINDOWS\SYSTEM32\gebcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx]
C:\WINDOWS\system32\geebx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhg]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg]
C:\WINDOWS\system32\mljgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj]
C:\WINDOWS\system32\mljjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
C:\WINDOWS\system32\mllmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
C:\WINDOWS\system32\pmkhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhg]
C:\WINDOWS\system32\pmkhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
C:\WINDOWS\system32\ssqpp.dll 2007-08-25 20:11 218703 C:\WINDOWS\SYSTEM32\ssqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttq]
C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu]
C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutu]
C:\WINDOWS\system32\vtutu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxyv]
yayxxyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"VIDC.i263"= i263_32.drv
"VIDC.i420"= i263_32.drv
"msacm.imc"= imc32.acm
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 ldiskl;ldiskl;C:\DOCUME~1\fady1\LOCALS~1\Temp\ldiskl.sys []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d908-2004-11dd-96b4-00110919351a}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d909-2004-11dd-96b4-00110919351a}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 14:00:01 C:\WINDOWS\Tasks\83C9A78D847E5F05.job"
- c:\docume~1\fady1\applic~1\meetpr~1\Mathownsdefy.exe
"2008-05-26 10:24:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 23:46:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-30 0:05:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 14:05:07

Pre-Run: 14,347,505,664 bytes free
Post-Run: 15,994,265,600 bytes free

342 --- E O F --- 2008-05-28 19:22:36

========

Volume in drive C has no label.
Volume Serial Number is 34A5-1FE6

Directory of C:\Documents and Settings\All Users\Application Data

01/03/2007 03:21 PM <DIR> Adobe
03/12/2008 01:55 PM <DIR> Apple
03/12/2008 02:07 PM <DIR> Apple Computer
05/15/2006 06:58 PM <DIR> CyberLink
05/11/2007 10:17 PM <DIR> Google
05/27/2008 11:42 PM <DIR> great coal love default
08/19/2007 05:38 PM <DIR> Internet debug mess great
05/29/2008 11:18 PM <DIR> Kaspersky Lab
05/12/2008 07:21 PM <DIR> Kaspersky Lab Setup Files
05/12/2008 09:04 PM <DIR> knob glue cdrom jugs
05/12/2008 07:49 PM <DIR> McAfee.com
01/14/2008 10:54 PM <DIR> McAfee.com Personal Firewall
05/12/2008 08:46 PM <DIR> NVIDIA Corporation
03/29/2007 01:10 AM <DIR> PC Suite
11/29/2005 01:25 AM <DIR> pixelStorm
02/17/2008 03:27 PM 580 QTSBandwidthCache
04/22/2006 05:03 PM <DIR> QuickTime
11/05/2006 03:31 PM <DIR> Symantec
05/28/2008 09:42 PM <DIR> TEMP
08/13/2005 12:12 AM <DIR> Windows Genuine Advantage
05/28/2008 08:53 PM <DIR> WinZip
03/03/2008 03:55 AM <DIR> WLInstaller
1 File(s) 580 bytes
21 Dir(s) 16,002,215,936 bytes free
Volume in drive C has no label.
Volume Serial Number is 34A5-1FE6

Directory of C:\Documents and Settings\fady1\Application Data

05/01/2008 01:33 AM <DIR> Adobe
05/02/2006 07:41 PM <DIR> AdobeAUM
09/11/2006 02:09 PM <DIR> AdobeUM
11/22/2005 11:31 PM <DIR> Apple Computer
01/28/2006 04:18 PM <DIR> ArcSoft
07/13/2006 11:02 PM <DIR> BitTorrent
11/29/2006 07:43 PM <DIR> Canon
05/15/2006 06:58 PM <DIR> CyberLink
03/29/2007 01:15 AM <DIR> Datalayer
12/15/2007 01:43 PM <DIR> DivX
01/07/2006 12:09 AM <DIR> eAcceleration
09/27/2006 02:01 AM 33,336 GDIPFONTCACHEV1.DAT
04/02/2008 11:33 PM <DIR> GetRightToGo
05/12/2007 07:30 PM <DIR> Google
08/23/2005 05:01 PM <DIR> Help
09/04/2006 08:39 PM <DIR> ICAClient
08/12/2005 11:40 PM <DIR> Identities
07/18/2006 06:08 PM 23 inifile41.ini
08/05/2006 01:16 PM 0 internaldb153.dat
08/05/2006 01:16 PM 0 internaldb1538.dat
01/02/2007 03:00 PM 338 internaldb1942.dat
07/18/2006 06:08 PM 0 internaldb2391.dat
08/24/2006 03:02 PM 0 internaldb3902.dat
08/25/2006 01:45 PM 0 internaldb4604.dat
08/24/2006 03:02 PM 177,152 internaldb4827.dat
08/25/2006 01:45 PM 13,046 internaldb5436.dat
04/02/2008 10:10 PM <DIR> iWin
05/15/2006 05:53 PM <DIR> Leadertech
03/11/2006 04:08 PM <DIR> LG Electronics
08/13/2005 02:28 PM <DIR> Macromedia
11/07/2006 12:23 PM <DIR> McAfee.com Personal Firewall
05/27/2008 11:42 PM <DIR> meet proxy regs
02/26/2008 01:08 AM <DIR> mIRC
06/08/2006 11:12 PM <DIR> MSNInstaller
07/03/2007 06:14 PM 6,225 NMM-MetaData.db
03/29/2007 01:11 AM <DIR> Nokia
05/20/2007 08:10 PM <DIR> Nokia Multimedia Player
03/29/2007 01:12 AM <DIR> PC Suite
04/27/2008 02:30 PM <DIR> Real
10/16/2006 03:15 PM <DIR> Samsung
08/30/2007 11:43 PM <DIR> Screenshot Sender
04/02/2008 10:07 PM <DIR> SpinTop
10/26/2006 05:21 PM <DIR> Sports Interactive
08/22/2005 04:55 PM <DIR> Sun
05/12/2008 08:49 PM <DIR> U3
11 File(s) 230,120 bytes
34 Dir(s) 16,002,215,936 bytes free
Volume in drive C has no label.
Volume Serial Number is 34A5-1FE6

Directory of C:\Documents and Settings\Default User\Application Data

08/13/2005 09:23 AM <DIR> .
08/13/2005 09:23 AM <DIR> ..
08/13/2005 09:23 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 16,002,215,936 bytes free
Volume in drive C has no label.
Volume Serial Number is 34A5-1FE6

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 34A5-1FE6

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '83C9A78D847E5F05.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\fady1\applic~1\meetpr~1\Mathownsdefy.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'fady1'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/30/2008 0:00:00
NextRun: 05/30/2008 1:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/13/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/26/2008 20:24:00
NextRun: 06/02/2008 20:24:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 03/12/2008
EndDate: 00/00/0000
StartTime: 20:24
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


========

Logfile of HijackThis v1.99.1
Scan saved at 12:19:51 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7885E057-9998-43D0-9957-713DDF285D90} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F3918A5A-0BF3-44A0-9103-0D1C49D2313E} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Amencash] C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Risk\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Risk\Images\armhelper.ocx
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll (file missing)
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll (file missing)
O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll
O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll (file missing)
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayxxyv - yayxxyv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
 

· Registered · 5,277 Posts
Please do not attach logs unless you are advised to do so.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

=====
 

· Registered · 6 Posts
Discussion Starter · #7 ·
ComboFix 08-05-28.4 - fady1 2008-05-30 17:19:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT 10:00]
Running from: C:\Documents and Settings\fady1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\fady1\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-29 19:39 . 2008-05-29 19:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-29 19:32 . 2008-05-29 20:20 <DIR> d----c--- C:\SDFix
2008-05-28 21:58 . 2008-05-28 21:58 <DIR> d----c--- C:\Deckard
2008-05-28 21:44 . 2008-05-28 21:44 <DIR> d----c--- C:\ie-spyad_zo
2008-05-28 21:35 . 2008-05-28 21:35 6,144 --ahs---- C:\WINDOWS\SYSTEM32\access.ctl
2008-05-28 21:32 . 2008-05-28 21:35 <DIR> d-------- C:\Program Files\ExpressZIP
2008-05-28 04:53 . 2008-05-28 21:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-28 04:53 . 2008-05-28 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 23:40 . 2008-05-27 23:40 <DIR> d-------- C:\Program Files\meet proxy regs
2008-05-27 18:17 . 2008-05-27 18:17 <DIR> d-------- C:\Program Files\Panda Security
2008-05-12 20:14 . 2008-05-30 16:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-12 20:14 . 2008-05-12 20:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 20:06 . 2008-05-29 19:03 96,966 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-05-12 20:06 . 2008-05-30 15:22 88,774 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-05-12 20:02 . 2008-05-12 20:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-12 20:02 . 2008-05-29 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 20:02 . 2008-05-30 17:23 6,599,968 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-05-12 20:02 . 2008-05-30 17:25 143,392 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-05-12 20:02 . 2008-05-30 16:25 88,940 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-05-12 20:02 . 2008-05-30 16:25 14,204 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-05-12 19:21 . 2008-05-12 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-12 19:19 . 2008-05-12 20:49 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\U3
2008-04-16 20:35 . 2008-04-16 20:35 244 --ah-c--- C:\sqmnoopt08.sqm
2008-04-16 20:35 . 2008-04-16 20:35 232 --ah-c--- C:\sqmdata04.sqm
2008-04-07 22:46 . 2008-04-07 22:46 <DIR> d-------- C:\Program Files\iPod
2008-04-07 22:45 . 2008-04-07 22:46 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 11:53 . 2008-04-06 11:54 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-04-02 23:22 . 2008-04-02 23:33 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\GetRightToGo
2008-04-02 22:10 . 2008-04-02 22:10 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\iWin
2008-04-02 22:07 . 2008-04-02 22:07 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\SpinTop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 09:31 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-29 09:04 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-27 13:42 --------- d-----w C:\Documents and Settings\fady1\Application Data\meet proxy regs
2008-05-27 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\great coal love default
2008-05-12 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\knob glue cdrom jugs
2008-05-12 10:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-05-12 10:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-12 10:30 --------- d-----w C:\Program Files\Qvsd
2008-05-12 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-15 16:20 --------- d-----w C:\Program Files\LimeWire
2008-04-07 12:41 --------- d-----w C:\Program Files\QuickTime
2008-03-31 09:13 --------- d-----w C:\Program Files\MSN Messenger
2008-03-12 08:26 520 -c--a-w C:\Program Files\cmd.txt
2007-01-02 05:00 338 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb1942.dat
2006-09-26 16:01 33,336 -c--a-w C:\Documents and Settings\fady1\Application Data\GDIPFONTCACHEV1.DAT
2006-08-25 03:45 13,046 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb5436.dat
2006-08-25 03:45 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb4604.dat
2006-08-24 05:02 177,152 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb4827.dat
2006-08-24 05:02 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb3902.dat
2006-08-18 15:12 15,617 -c--a-w C:\Program Files\debug.log
2006-08-05 03:16 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb1538.dat
2006-08-05 03:16 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb153.dat
2006-07-18 08:08 0 -c--a-w C:\Documents and Settings\fady1\Application Data\internaldb2391.dat
2006-05-23 11:49 627 -c--a-w C:\Program Files\My Sharing Folders.lnk
2006-04-11 13:38 198 -c--a-w C:\Program Files\SB_usb_log.txt
2005-08-12 22:41 266 --sh--w C:\Program Files\desktop.ini
2005-08-12 22:41 11,079 -c-ha-w C:\Program Files\folder.htt
2005-08-12 22:36 1,010 -c--a-w C:\Program Files\FRUNLOG.TXT
.

((((((((((((((((((((((((((((( [email protected]_ 0.04.15.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 13:46:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 06:26:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-06-20 05:44:04 379,704 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-11-20 01:04:18 117,088 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-au.dll
+ 2006-06-20 05:44:02 117,560 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7885E057-9998-43D0-9957-713DDF285D90}]
2007-07-01 14:35 233303 --a------ C:\WINDOWS\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3918A5A-0BF3-44A0-9103-0D1C49D2313E}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]
"Amencash"="C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe" [2008-05-27 23:40 432640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 12288 C:\WINDOWS\SYSTEM32\mstinit.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 20:22 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-15 06:09 157592]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe" [2008-05-30 16:28 1738240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqp]
C:\WINDOWS\system32\awtqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb]
C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
C:\WINDOWS\system32\gebcd.dll 2007-07-01 14:35 233303 C:\WINDOWS\SYSTEM32\gebcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx]
C:\WINDOWS\system32\geebx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhg]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg]
C:\WINDOWS\system32\mljgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj]
C:\WINDOWS\system32\mljjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
C:\WINDOWS\system32\mllmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
C:\WINDOWS\system32\pmkhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhg]
C:\WINDOWS\system32\pmkhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
C:\WINDOWS\system32\ssqpp.dll 2007-08-25 20:11 218703 C:\WINDOWS\SYSTEM32\ssqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttq]
C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu]
C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutu]
C:\WINDOWS\system32\vtutu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxyv]
yayxxyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"VIDC.i263"= i263_32.drv
"VIDC.i420"= i263_32.drv
"msacm.imc"= imc32.acm
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 ldiskl;ldiskl;C:\DOCUME~1\fady1\LOCALS~1\Temp\ldiskl.sys []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d908-2004-11dd-96b4-00110919351a}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d909-2004-11dd-96b4-00110919351a}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 07:00:04 C:\WINDOWS\Tasks\83C9A78D847E5F05.job"
- c:\docume~1\fady1\applic~1\meetpr~1\Mathownsdefy.exe
"2008-05-26 10:24:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 17:25:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-30 17:31:27
ComboFix-quarantined-files.txt 2008-05-30 07:30:16
ComboFix2.txt 2008-05-29 14:05:59

Pre-Run: 15,810,371,584 bytes free
Post-Run: 15,920,001,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

211 --- E O F --- 2008-05-30 05:22:52
Logfile of HijackThis v1.99.1
Scan saved at 5:38:05 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7885E057-9998-43D0-9957-713DDF285D90} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F3918A5A-0BF3-44A0-9103-0D1C49D2313E} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Amencash] C:\DOCUME~1\fady1\APPLIC~1\MEETPR~1\Livedataonline.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Risk\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Risk\Images\armhelper.ocx
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll (file missing)
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll (file missing)
O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll
O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll (file missing)
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayxxyv - yayxxyv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

· Registered
Joined
·
5,277 Posts
Hello again

========

Download ATF-Cleaner by Atribune to your desktop. Do not run it just yet; we will shortly.

========
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\gebcd.dll
C:\sqmnoopt08.sqm
C:\sqmdata04.sqm
C:\Documents and Settings\fady1\Application Data\internaldb1942.dat
C:\Documents and Settings\fady1\Application Data\internaldb5436.dat
C:\Documents and Settings\fady1\Application Data\internaldb4604.dat
C:\Documents and Settings\fady1\Application Data\internaldb4827.dat
C:\Documents and Settings\fady1\Application Data\internaldb3902.dat
C:\Documents and Settings\fady1\Application Data\internaldb1538.dat
C:\Documents and Settings\fady1\Application Data\internaldb153.dat
C:\Documents and Settings\fady1\Application Data\internaldb2391.dat
C:\Documents and Settings\fady1\Application Data\internaldb5436.dat
C:\Documents and Settings\fady1\Application Data\inifile41.ini
C:\Documents and Settings\NetworkService\Application Data\83C9A78D847E5F05.job
Folder::
C:\Program Files\meet proxy regs
C:\Documents and Settings\fady1\Application Data\GetRightToGo
C:\Documents and Settings\fady1\Application Data\iWin
C:\Documents and Settings\fady1\Application Data\meet proxy regs
C:\Documents and Settings\All Users\Application Data\great coal love default
C:\Documents and Settings\All Users\Application Data\knob glue cdrom jugs
C:\Documents and Settings\All Users\Application Data\Internet debug mess great
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7885E057-9998-43D0-9957-713DDF285D90}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3918A5A-0BF3-44A0-9103-0D1C49D2313E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amencash"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Love default global mess"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxyv]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d909-2004-11dd-96b4-00110919351a}]
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

==========

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

=========

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=========

ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the %ProgramFiles%\EsetOnlineScanner\log.txt back here.

============

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============
Logs Required
C:\Combofix.txt
ESET Scan Report
Hijackthis Log


How is your system running now?
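
The CFScript above is a plain-text list of what ComboFix should delete, split into File::, Folder:: and Registry:: sections, and the post warns that it was written for one machine only. Before feeding such a script to ComboFix it is worth reading it back mechanically: what paths and keys it touches, whether every registry line is well-formed, and which Winlogon Notify entries from the HijackThis log it leaves alone. The script below is an added example for this thread (not the forum's code and not part of ComboFix) that does that dry run. Its interpretation of the registry syntax ("[-KEY]" deletes a key, "[KEY]" opens a block, and '"name"=-' deletes a value in that block) is an assumption made for the example; the sample inputs are a shortened excerpt of the posted script and four O20 lines from the log earlier in the thread, both embedded inline.

```python
"""Dry-run reader for a ComboFix CFScript (File:: / Folder:: / Registry:: sections).

Added example for this thread; not code from the forum or from ComboFix.
Assumptions not stated on the page: "[-KEY]" deletes a whole key, "[KEY]" opens
a key block, and '"name"=-' inside that block deletes one value.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the script posted above. The stray "l"
# after the first Registry:: line is kept on purpose so the checker flags it.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\gebcd.dll
C:\sqmnoopt08.sqm
Folder::
C:\Program Files\meet proxy regs
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7885E057-9998-43D0-9957-713DDF285D90}]l
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amencash"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
"""

# Constructed sample: four O20 lines copied from the HijackThis log in the thread.
SAMPLE_HJT_O20 = [
    r"O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)",
    r"O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll",
]

SECTION_RE = re.compile(r"^(File|Folder|Registry)\s*::\s*$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(-?)([^\[\]]+)\]$")        # [KEY] or [-KEY]
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')          # "name"=-
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - ")


@dataclass
class CfScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    problems: list = field(default_factory=list)        # (line no, text, reason)


def parse_cfscript(text):
    """Split a CFScript into the paths, keys and values it would remove."""
    script, section, current_key = CfScript(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section, current_key = sec.group(1).lower(), None
            continue
        if section == "file":
            script.files.append(line)
        elif section == "folder":
            script.folders.append(line)
        elif section == "registry":
            key, val = KEY_RE.match(line), VALUE_DEL_RE.match(line)
            if key and key.group(1) == "-":
                script.delete_keys.append(key.group(2))
                current_key = None
            elif key:
                current_key = key.group(2)
            elif val and current_key:
                script.delete_values.append((current_key, val.group(1)))
            elif val:
                script.problems.append((lineno, line, "value deletion outside a [KEY] block"))
            elif line.startswith("[") and "]" in line:
                script.problems.append((lineno, line, "stray text after closing bracket"))
            else:
                script.problems.append((lineno, line, "unrecognised registry directive"))
        else:
            script.problems.append((lineno, line, "text before any section header"))
    return script


def uncovered_notify_entries(hjt_lines, script):
    """Names from HijackThis O20 lines that the script leaves in place (for manual review)."""
    covered = {k.lower().rsplit("\\", 1)[-1]
               for k in script.delete_keys if "\\winlogon\\notify\\" in k.lower()}
    names = [m.group(1) for m in map(O20_RE.match, (ln.strip() for ln in hjt_lines)) if m]
    return [n for n in names if n.lower() not in covered]


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"files: {len(parsed.files)}, folders: {len(parsed.folders)}, "
          f"keys: {len(parsed.delete_keys)}, values: {len(parsed.delete_values)}")
    for lineno, text, reason in parsed.problems:
        print(f"line {lineno}: {reason}: {text}")
    print("O20 entries not touched by the script:",
          uncovered_notify_entries(SAMPLE_HJT_O20, parsed))
```

On the sample input the checker reports the malformed bracket line and lists igfxcui and ssqpp as Winlogon Notify entries the excerpt does not delete; the first is a legitimate Intel graphics component, so the list is a review queue rather than a verdict, which is the point of running the script on paper first.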
 

· Registered
Joined
·
6 Posts
Discussion Starter · #9 ·
ComboFix 08-05-28.4 - fady1 2008-05-31 2:06:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.252 [GMT 10:00]
Running from: C:\Documents and Settings\fady1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\fady1\Desktop\CFSCRIPT.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\fady1\Application Data\inifile41.ini
C:\Documents and Settings\fady1\Application Data\internaldb153.dat
C:\Documents and Settings\fady1\Application Data\internaldb1538.dat
C:\Documents and Settings\fady1\Application Data\internaldb1942.dat
C:\Documents and Settings\fady1\Application Data\internaldb2391.dat
C:\Documents and Settings\fady1\Application Data\internaldb3902.dat
C:\Documents and Settings\fady1\Application Data\internaldb4604.dat
C:\Documents and Settings\fady1\Application Data\internaldb4827.dat
C:\Documents and Settings\fady1\Application Data\internaldb5436.dat
C:\Documents and Settings\NetworkService\Application Data\83C9A78D847E5F05.job
C:\sqmdata04.sqm
C:\sqmnoopt08.sqm
C:\WINDOWS\system32\gebcd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\great coal love default
C:\Documents and Settings\All Users\Application Data\great coal love default\Extra list.exe
C:\Documents and Settings\All Users\Application Data\Internet debug mess great
C:\Documents and Settings\All Users\Application Data\knob glue cdrom jugs
C:\Documents and Settings\fady1\Application Data\GetRightToGo
C:\Documents and Settings\fady1\Application Data\GetRightToGo\Risk2[1].d000
C:\Documents and Settings\fady1\Application Data\GetRightToGo\Risk2[1].data
C:\Documents and Settings\fady1\Application Data\inifile41.ini
C:\Documents and Settings\fady1\Application Data\internaldb153.dat
C:\Documents and Settings\fady1\Application Data\internaldb1538.dat
C:\Documents and Settings\fady1\Application Data\internaldb1942.dat
C:\Documents and Settings\fady1\Application Data\internaldb2391.dat
C:\Documents and Settings\fady1\Application Data\internaldb3902.dat
C:\Documents and Settings\fady1\Application Data\internaldb4604.dat
C:\Documents and Settings\fady1\Application Data\internaldb4827.dat
C:\Documents and Settings\fady1\Application Data\internaldb5436.dat
C:\Documents and Settings\fady1\Application Data\iWin
C:\Documents and Settings\fady1\Application Data\meet proxy regs
C:\Documents and Settings\fady1\Application Data\meet proxy regs\0
C:\Documents and Settings\fady1\Application Data\meet proxy regs\eatctqge.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\erwnucst.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\jybwrjol.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\kxopuwfe.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\Livedataonline.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\Mathownsdefy.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\qsarzpih.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\reebtkgb.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\sojpseqi.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\tick jump inter army.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\ttwoednk.exe
C:\Documents and Settings\fady1\Application Data\meet proxy regs\yditarrc.exe
C:\Program Files\meet proxy regs
C:\WINDOWS\system32\gebcd.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 17:50 . 2008-05-30 17:52 <DIR> d-------- C:\Pop up ****
2008-05-29 19:39 . 2008-05-29 19:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 21:35 . 2008-05-28 21:35 6,144 --ahs---- C:\WINDOWS\SYSTEM32\access.ctl
2008-05-28 21:32 . 2008-05-28 21:35 <DIR> d-------- C:\Program Files\ExpressZIP
2008-05-28 04:53 . 2008-05-28 21:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-28 04:53 . 2008-05-30 18:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 18:17 . 2008-05-27 18:17 <DIR> d-------- C:\Program Files\Panda Security
2008-05-12 20:14 . 2008-05-30 16:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-12 20:14 . 2008-05-12 20:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 20:06 . 2008-05-29 19:03 96,966 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-05-12 20:06 . 2008-05-30 15:22 88,774 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-05-12 20:02 . 2008-05-12 20:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-12 20:02 . 2008-05-29 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 20:02 . 2008-05-31 02:13 6,691,360 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-05-12 20:02 . 2008-05-31 02:10 148,256 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-05-12 20:02 . 2008-05-30 16:25 88,940 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-05-12 20:02 . 2008-05-30 16:25 14,204 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-05-12 19:21 . 2008-05-12 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-12 19:19 . 2008-05-12 20:49 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\U3
2008-04-07 22:46 . 2008-04-07 22:46 <DIR> d-------- C:\Program Files\iPod
2008-04-07 22:45 . 2008-04-07 22:46 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 11:53 . 2008-04-06 11:54 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-04-02 22:07 . 2008-04-02 22:07 <DIR> d-------- C:\Documents and Settings\fady1\Application Data\SpinTop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 07:48 --------- d-----w C:\Program Files\LimeWire
2008-05-29 09:31 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-29 09:04 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-12 10:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-05-12 10:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-12 10:30 --------- d-----w C:\Program Files\Qvsd
2008-05-12 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-07 12:41 --------- d-----w C:\Program Files\QuickTime
2008-03-31 09:13 --------- d-----w C:\Program Files\MSN Messenger
2008-03-12 08:26 520 -c--a-w C:\Program Files\cmd.txt
2006-09-26 16:01 33,336 -c--a-w C:\Documents and Settings\fady1\Application Data\GDIPFONTCACHEV1.DAT
2006-08-18 15:12 15,617 -c--a-w C:\Program Files\debug.log
2006-05-23 11:49 627 -c--a-w C:\Program Files\My Sharing Folders.lnk
2006-04-11 13:38 198 -c--a-w C:\Program Files\SB_usb_log.txt
2005-08-12 22:41 266 --sh--w C:\Program Files\desktop.ini
2005-08-12 22:41 11,079 -c-ha-w C:\Program Files\folder.htt
2005-08-12 22:36 1,010 -c--a-w C:\Program Files\FRUNLOG.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 12288 C:\WINDOWS\SYSTEM32\mstinit.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 20:22 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-15 06:09 157592]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
C:\WINDOWS\system32\ssqpp.dll 2007-08-25 20:11 218703 C:\WINDOWS\SYSTEM32\ssqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"VIDC.i263"= i263_32.drv
"VIDC.i420"= i263_32.drv
"msacm.imc"= imc32.acm
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 ldiskl;ldiskl;C:\DOCUME~1\fady1\LOCALS~1\Temp\ldiskl.sys []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87e8d908-2004-11dd-96b4-00110919351a}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 16:00:06 C:\WINDOWS\Tasks\83C9A78D847E5F05.job"
- c:\docume~1\fady1\applic~1\meetpr~1\Mathownsdefy.exe
"2008-05-26 10:24:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 02:11:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 2:19:21
ComboFix-quarantined-files.txt 2008-05-30 16:19:11

Pre-Run: 15,912,583,168 bytes free
Post-Run: 15,914,684,416 bytes free

182 --- E O F --- 2008-05-30 05:22:52
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3148 (20080530)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=05704462cc076a4b9b6902ca4bacb71b
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-05-30 07:00:35
# local_time=2008-05-31 05:00:35 (+1000, AUS Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=246476
# found=9
# scan_time=6940
C:\Pop up ****\Deckard\System Scanner\backup\DOCUME~1\fady1\LOCALS~1\Temp\removalfile.bat Win32/Adware.Virtumonde application 9A7EF09167A6F4433681B94351509043
C:\Pop up ****\Deckard\System Scanner\backup\DOCUME~1\fady1\LOCALS~1\Temp\staAB.exe Win32/Etap virus 00000000000000000000000000000000
C:\Pop up ****\Deckard\System Scanner\backup\WINDOWS\temp\saA7.exe Win32/Adware.SpyAxe application 34EF769695B27ADB41ABA977C503E229
C:\Pop up ****\Deckard\System Scanner\backup\WINDOWS\temp\saA7.exe »NSIS »SpyAxe.exe Win32/Adware.SpyAxe application 00000000000000000000000000000000
C:\Pop up ****\Deckard\System Scanner\backup\WINDOWS\temp\saA7.exe »NSIS »uninst.exe Win32/Adware.SpyAxe application 00000000000000000000000000000000
C:\Pop up ****\Deckard\System Scanner\backup\WINDOWS\temp\saA9.exe Win32/Adware.SpyAxe application 34EF769695B27ADB41ABA977C503E229
C:\Pop up ****\Deckard\System Scanner\backup\WINDOWS\temp\saA9.exe »NSIS »SpyAxe.exe Win32/Adware.SpyAxe application 00000000000000000000000000000000
C:\Pop up ****\Deckard\System Scanner\backup\WINDOWS\temp\saA9.exe »NSIS »uninst.exe Win32/Adware.SpyAxe application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\fady1\Application Data\meet proxy regs\Livedataonline.exe.vir Win32/Etap virus 00000000000000000000000000000000

Logfile of HijackThis v1.99.1
Scan saved at 1:13:39 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe



R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Risk\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Risk\Images\armhelper.ocx
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

------------------------------------------------------------------------

Hello! Well, after deleting LimeWire the computer is running much better with fewer popups, although after running that ESET scan it said that there were 9 threats, and those threats were the files that you have told me to download, which I put into my own folder called "pop up ****" (excuse the language lol). Is this a bad thing?
 

· Registered
Joined
·
5,277 Posts
You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that it can be used to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
 

· Registered
Joined
·
6 Posts
Discussion Starter · #11 ·
Alright guys, sorry I haven't been replying for a while, but I have a bigger problem. Upon start-up, just before the Windows welcome screen, an error appears saying "The application failed to initialize properly (0xc000005) click OK to terminate". Once this happens no desktop or anything appears. On the top it said it was "Userinit.exe". I am now opening all my programs by Ctrl + Alt + Del. Are you able to help? Thanks.
 