viruses and spyware

kieranescourse · #1 (**permalink**) 04-06-2007, 09:43 PM

I think I have some viruses and spyware, I have Virgin PCGuard, and it keeps asking me to let random number files access the internet, and I say block and it will ask with another file with a different number for a name. eg. 2343928.exe So I found out where they were (C:\Documents and Settings\xxx\Local Settings\Temp) So I opened the file and deleted all the [number].exe and they always come back with more.

Also my CPU usage doesn't match. I think I understand how it works, System Idle Process always = 99 and when a program uses CPU it is taken away from the System Idle Process number, and then the CPU usage should match with that, I am only using 50 of the CPU and the CPU usage says 77% when it should onyl be about 49-51% if what I think is right, anyway here is my HiJackThis report could someone look over it for me please.

----

Logfile of HijackThis v1.99.1
Scan saved at 21:31:44, on 04/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
C:\WINDOWS\TEMP\1918203.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\12509093.ex e

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oymcjmgjuoie.net/WVvmkFLz...gBGbs1pMpO.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...aX3XpiRAwPV87S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntl Netguard] C:\Program Files\ntl\ntl Netguard\Rps.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ixojtpbu.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvbax.dll,startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\1918203.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Documents and Settings\Pauline.YOUR-HKI1ASH75M\Desktop\WinAntiSpyware2007FreeInstall.e xe" -nag
O4 - HKLM\..\Run: [InstallProvider] "C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\miniinst.e xe" -nag
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xedi] C:\WINDOWS\T?sks\regedit.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\SMBOLS~1\regsvr32.exe" -vt ndrv
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/s...-ob-assets.cab
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/ra...gameloader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwho...-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/fr...esLauncher.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tr...amesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://play09.pogo.com/game/deluxe/z...ploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup150.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

Neal · #2 (**permalink**) 05-06-2007, 05:40 PM

Welcome,

Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post all three logs.

kieranescourse · #3 (**permalink**) 06-06-2007, 03:37 AM

Hi, thanks alot for replying and helping me with this.

Here is new hijackthis log (foolyou) before using the two programs:

Logfile of HijackThis v1.99.1
Scan saved at 02:10:44, on 06/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\synlook.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC0 8.EXE
C:\Program Files\HijackThis\foolyou.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oymcjmgjuoie.net/WVvmkFLz...gBGbs1pMpO.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...aX3XpiRAwPV87S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: (no name) - {457047EB-58B5-48E5-8E2B-49CDD943644E} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {B71FA585-B351-4E48-8DA8-22F6F705EC73} - C:\WINDOWS\system32\qomjhfd.dll
O2 - BHO: (no name) - {C27C3D1C-828C-A351-DB78-8EADDB9224C4} - C:\WINDOWS\system32\oiizuv.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\apvhbppk.dll
O2 - BHO: (no name) - {F3CB1171-2564-4157-93C7-4FCA7C43CE13} - C:\WINDOWS\system32\lnhjsyci.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntl Netguard] C:\Program Files\ntl\ntl Netguard\Rps.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ixojtpbu.dll",realset
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [InstallProvider] "C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\miniinst.e xe" -nag
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rspuofln.dll",realset
O4 - HKLM\..\Run: [j9231531] rundll32 C:\WINDOWS\system32\j9231531.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xedi] C:\WINDOWS\T?sks\regedit.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\SMBOLS~1\regsvr32.exe" -vt ndrv
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/s...-ob-assets.cab
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/ra...gameloader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwho...-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/fr...esLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tr...amesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://play09.pogo.com/game/deluxe/z...ploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup150.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll
O20 - Winlogon Notify: qomjhfd - C:\WINDOWS\SYSTEM32\qomjhfd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

---------------------------------------------------------------------------------------------------

Here is the report from SDFix:

SDFix: Version 1.86

Run by Pauline - 06/06/2007 - 2

08.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\PAULIN~1.YOU\Desktop\SDFix

Safe Mode:
Checking Services:

Killing PID 232 'smss.exe'
Killing PID 304 'winlogon.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Temp\win444.tmp.exe - Deleted
C:\WINDOWS\Temp\win4DE.tmp.exe - Deleted
C:\WINDOWS\Temp\win4F2.tmp.exe - Deleted
C:\WINDOWS\Temp\win8F.tmp.exe - Deleted
C:\WINDOWS\Temp\win444.tmp.exe - Deleted
C:\WINDOWS\Temp\win4DE.tmp.exe - Deleted
C:\WINDOWS\Temp\win4F2.tmp.exe - Deleted
C:\WINDOWS\Temp\win8F.tmp.exe - Deleted
C:\WINDOWS\retadpu1000272.exe - Deleted
C:\WINDOWS\system32\mstsdsc.exe - Deleted
C:\WINDOWS\system32\wudb.dll - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\k host.exe:*

isabled:Secure Delivery Plug-In"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*

isabled:P2P Networking"
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"="C:\\Program Files\\Team17\\Worms World Party\\wwp.exe:*:Enabled:Worms World Party"
"C:\\Program Files\\Infogrames\\Risk\\RISK.EXE"="C:\\Program Files\\Infogrames\\Risk\\RISK.EXE:*:Enabled:RISK"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"="C:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe:*:Enabled:Medieval_TW"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"="C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe:*:Enabled:GhostRecon"
"C:\\Program Files\\ubi.com\\Core\\GS4.exe"="C:\\Program Files\\ubi.com\\Core\\GS4.exe:*:Enabled:ubi.com Game Service"
"C:\\Westwood\\RA2\\game.exe"="C:\\Westwood\\RA2\\ game.exe:*:Enabled:Main executable for Red Alert 2"
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Pauline.YOUR-HKI1ASH75M\\Desktop\\incredimail_install.exe"="C:\ \Documents and Settings\\Pauline.YOUR-HKI1ASH75M\\Desktop\\incredimail_install.exe:*:Ena bled:IncrediMail Installer"
"C:\\Documents and Settings\\Pauline.YOUR-HKI1ASH75M\\Local Settings\\Temp\\ImInstaller\\IncrediMail\\incredim ail_install.exe"="C:\\Documents and Settings\\Pauline.YOUR-HKI1ASH75M\\Local Settings\\Temp\\ImInstaller\\IncrediMail\\incredim ail_install.exe:*:Enabled:IncrediMail Installer"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\ImInstaller\\IncrediMail\\incredim ail_install.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\ImInstaller\\IncrediMail\\incredim ail_install.exe:*:Enabled:IncrediMail Installer"
"C:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"="C:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe:*:Enabled:jk2mp"
"%windir%\\system32\\ccapp.exe"="%windir%\\system3 2\\ccapp.exe:*:Enabled:System Process"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Google\\Google Earth\\GoogleEarth.exe"="C:\\Program Files\\Google\\Google Earth\\GoogleEarth.exe:*

isabled:Google Earth"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTor rent"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"="C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe:*:Enabled:Anapod Xtreamer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Westwood\\RA2\\patchget.dat"="C:\\Westwood\\R A2\\patchget.dat:*:Enabled

atchgrabber"
"C:\\Westwood\\RA2\\gamemd.exe"="C:\\Westwood\\RA2 \\gamemd.exe:*:Enabled:Main executable for Yuri's Revenge"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WIN DOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"c:\\windows\\system32\\mstsdsc.exe"="c:\\windows\ \system32\\mstsdsc.exe:*:Enabled:mstsdsc"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\PAULIN~1.YOU\Desktop\SDFix\backups\bac kups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Pauline.YOUR-HKI1ASH75M\Desktop\Kieran's Music\L.MAN - IMPATIENTLY WAITING\L.MAN - IMPATIENTLY WAITING - WWW.LDOTMAN.COM\desktop.ini
C:\Documents and Settings\Pauline.YOUR-HKI1ASH75M\Desktop\Kieran's Music\L.MAN - IMPATIENTLY WAITING\L.MAN - IMPATIENTLY WAITING - WWW.LDOTMAN.COM\Thumbs.db
C:\Program Files\Shockwave.com\Thumbs.db
C:\Program Files\Install Provider\InstallProvider.dlldat
C:\WINDOWS\system32\geebc.dll
C:\Documents and Settings\Pauline.YOUR-HKI1ASH75M\Desktop\Kieran s Document s\jamkt.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Simple Star\EZ-DJ Plus\data\EZ-DJ Plus.exe
C:\WINDOWS\T?sks\regedit.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Program Files\Common Files\PestPatrol\Quarantine\ZQ53C.tmp
C:\WINDOWS\system32\cbeeg.tmp

Listing User Accounts:

User accounts for \\YOUR-HKI1ASH75M

Administrator ASPNET Guest
HelpAssistant Pauline SUPPORT_388945a0

Finished

---------------------------------------------------------------------------------------------------

Heres report from VundoFix:

VundoFix V6.4.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 02:41:16 06/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\apvhbppk.dll
C:\WINDOWS\system32\bmekuxck.ini
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cbeeg.tmp
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\ixojtpbu.dll
C:\WINDOWS\system32\jeheouys.ini
C:\WINDOWS\system32\kcxukemb.dll
C:\WINDOWS\system32\nlfoupsr.ini
C:\WINDOWS\system32\oocpgxjj.dll
C:\WINDOWS\system32\pmnnopn.dll
C:\WINDOWS\system32\qomjhfd.dll
C:\WINDOWS\system32\rqrpqqr.dll
C:\WINDOWS\system32\rqrrspo.dll
C:\WINDOWS\system32\rspuofln.dll
C:\WINDOWS\system32\syuoehej.dll
C:\WINDOWS\system32\ubptjoxi.ini
C:\WINDOWS\system32\yaywwur.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\apvhbppk.dll
C:\WINDOWS\system32\apvhbppk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bmekuxck.ini
C:\WINDOWS\system32\bmekuxck.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\cbeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cbeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.tmp
C:\WINDOWS\system32\cbeeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\geebc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ixojtpbu.dll
C:\WINDOWS\system32\ixojtpbu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jeheouys.ini
C:\WINDOWS\system32\jeheouys.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kcxukemb.dll
C:\WINDOWS\system32\kcxukemb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nlfoupsr.ini
C:\WINDOWS\system32\nlfoupsr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oocpgxjj.dll
C:\WINDOWS\system32\oocpgxjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnopn.dll
C:\WINDOWS\system32\pmnnopn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomjhfd.dll
C:\WINDOWS\system32\qomjhfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpqqr.dll
C:\WINDOWS\system32\rqrpqqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrspo.dll
C:\WINDOWS\system32\rqrrspo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rspuofln.dll
C:\WINDOWS\system32\rspuofln.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\syuoehej.dll
C:\WINDOWS\system32\syuoehej.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ubptjoxi.ini
C:\WINDOWS\system32\ubptjoxi.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywwur.dll
C:\WINDOWS\system32\yaywwur.dll Has been deleted!

Performing Repairs to the registry.
Done!

---

After this I searched and then deleted all the files, when i pressed ok for it to reboot the computer vundofix crashed I left it for 15 minutes but it didnt change, so i had to shut it down by holding the power button on the computer. Just thought id tell you incae it changed things.

---------------------------------------------------------------------------------------------------

Here is a report of hijackthis (foolyou) after i used the two programs.

Logfile of HijackThis v1.99.1
Scan saved at 03:32:22, on 06/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\foolyou.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oymcjmgjuoie.net/WVvmkFLz...gBGbs1pMpO.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...aX3XpiRAwPV87S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {59ACB381-9910-477D-915D-ABBC4E54E4F8} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {C27C3D1C-828C-A351-DB78-8EADDB9224C4} - C:\WINDOWS\system32\oiizuv.dll
O2 - BHO: (no name) - {F3CB1171-2564-4157-93C7-4FCA7C43CE13} - C:\WINDOWS\system32\lnhjsyci.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntl Netguard] C:\Program Files\ntl\ntl Netguard\Rps.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [InstallProvider] "C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\miniinst.e xe" -nag
O4 - HKLM\..\Run: [j9231531] rundll32 C:\WINDOWS\system32\j9231531.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xedi] C:\WINDOWS\T?sks\regedit.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\SMBOLS~1\regsvr32.exe" -vt ndrv
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/s...-ob-assets.cab
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/ra...gameloader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwho...-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/fr...esLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tr...amesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://play09.pogo.com/game/deluxe/z...ploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup150.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

---------------------------------------------------------------------------------------------------

One of the adwares is win32/Clickspring.puritySCAN if you know what that is.

But it always comes back.

Thanks alot for the help agian.

Neal · #4 (**permalink**) 06-06-2007, 02:37 PM

Yea you are still heavily infected but nothing two old spyware killers like us can't handle.

1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

New HJT log aslso please,
Post a new hijackthis log also please.

kieranescourse · #5 (**permalink**) 07-06-2007, 02:51 PM

ComboFix log:

"Pauline" - 2007-06-07 14:23:49 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Program Files\Mozilla Firefox\"

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))) )))))

C:\WINDOWS\system32\lnhjsyci.dll
C:\WINDOWS\system32\wincqt32.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

-- Purity Folders:
C:\install.log
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\SMBOLS~1
C:\WINDOWS\system32\wnsapiisv32.exe
C:\WINDOWS\TSKS~1

((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))

2007-06-06 02:41 <DIR> d----c--- C:\VundoFix Backups
2007-06-06 02:04 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-06-06 02:04 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-06-06 02:04 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\SiteAdvisor
2007-06-06 01:53 14,868 --a------ C:\WINDOWS\system32\lahsvuwr.exe
2007-06-06 01:53 10,752 --a------ C:\WINDOWS\system32\j9231531.dll
2007-06-04 23:44 <DIR> d----c--- C:\!KillBox
2007-06-04 17:08 <DIR> d-------- C:\Program Files\Install Provider
2007-06-04 16:50 11,984 --a------ C:\WINDOWS\system32\stera.exe
2007-06-04 16:50 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-04 16:50 <DIR> d-------- C:\Program Files\WinAntiVirus Pro 2007
2007-06-04 16:50 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-04 16:40 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007
2007-06-04 16:40 <DIR> d-------- C:\Program Files\WinAntiSpyware 2007
2007-06-04 14:59 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-06-04 14:41 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Virgin Broadband
2007-06-04 14:39 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Virgin Broadband
2007-06-04 14:39 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-06-03 20:33 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-06-03 20:33 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-06-03 20:33 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-06-03 20:33 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-06-03 20:33 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-06-03 20:33 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-06-03 20:30 71,680 --a------ C:\WINDOWS\g1929781.exe
2007-06-03 20:20 71,680 --a------ C:\WINDOWS\g1310375.exe
2007-06-03 20:01 2,580 --a------ C:\WINDOWS\system32\krnwbvvy.exe
2007-06-03 16:32 2,580 --a------ C:\WINDOWS\system32\kyaiseyk.exe
2007-06-03 16:30 60,928 --a------ C:\WINDOWS\system32\oiizuv.dll
2007-06-03 16:29 71,680 --a------ C:\WINDOWS\g342828.exe
2007-06-03 12:32 71,680 --a------ C:\WINDOWS\g4559625.exe
2007-06-03 11:55 2,580 --a------ C:\WINDOWS\system32\lufedqpx.exe
2007-06-03 11:42 71,680 --a------ C:\WINDOWS\g1546750.exe
2007-06-03 11:22 71,680 --a------ C:\WINDOWS\g346093.exe
2007-06-03 11:19 2,580 --a------ C:\WINDOWS\system32\funsnydi.exe
2007-06-03 01:13 71,680 --a------ C:\WINDOWS\g14431375.exe
2007-06-03 00:53 71,680 --a------ C:\WINDOWS\g13228406.exe
2007-06-03 00:33 71,680 --a------ C:\WINDOWS\g12030875.exe
2007-06-03 00:12 71,680 --a------ C:\WINDOWS\g10709734.exe
2007-06-02 23:52 71,680 --a------ C:\WINDOWS\g9506984.exe
2007-06-02 22:24 71,680 --a------ C:\WINDOWS\g4223015.exe
2007-06-02 22:04 71,680 --a------ C:\WINDOWS\g3033265.exe
2007-06-02 21:19 2,580 --a------ C:\WINDOWS\system32\cfwrvoey.exe
2007-06-01 15:25 206 --a------ C:\WINDOWS\g19388390.exe
2007-06-01 12:50 <DIR> d-------- C:\Program Files\Ultimate Fixer
2007-06-01 12:38 206 --a------ C:\WINDOWS\g9279671.exe
2007-06-01 12:18 206 --a------ C:\WINDOWS\g8075921.exe
2007-06-01 11:58 206 --a------ C:\WINDOWS\g6862656.exe
2007-06-01 11:38 206 --a------ C:\WINDOWS\g5668328.exe
2007-06-01 11:18 206 --a------ C:\WINDOWS\g4457390.exe
2007-06-01 09:46 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-01 09:31 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-06-01 00:20 206 --a------ C:\WINDOWS\g7967375.exe
2007-06-01 00:20 <DIR> d-------- C:\Program Files\àdobe
2007-05-31 21:55 262,144 --a------ C:\DOCUME~1\user\NTUSER.DAT
2007-05-31 19:14 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Uniblue
2007-05-31 19:13 <DIR> d-------- C:\Program Files\Uniblue
2007-05-31 17:07 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\KeySafe
2007-05-25 16:57 21,120 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2007-05-25 16:57 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\NCH Swift Sound
2007-05-18 13:50 <DIR> d-------- C:\Program Files\WMR11
2007-05-11 03:41 22,528 --a------ C:\WINDOWS\chi.exe
2007-05-11 03:41 123,392 --a------ C:\WINDOWS\system32\tmwsock.dll
2007-05-09 14:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-09 14:44 <DIR> d-------- C:\Program Files\Apple Software Update

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))

2007-06-04 22:19:57 -------- d-----w C:\Program Files\Common Files\PestPatrol
2007-06-04 21:27:08 -------- d-----w C:\Program Files\winsys180
2007-06-04 13:53:03 230 ----a-w C:\WINDOWS\freedom.backup.dat
2007-06-03 11:36:36 -------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-06-03 11:25:31 -------- d-----w C:\Program Files\?dobe
2007-06-03 11:25:25 -------- d-----w C:\Program Files\DivX
2007-06-02 21:57:12 19,713 ----a-w C:\WINDOWS\mozver.dat
2007-05-30 23:08:49 -------- d-----w C:\Program Files\Championship Manager 2006
2007-05-30 23:05:49 -------- d-----w C:\Program Files\MSN Games
2007-05-30 23:01:14 -------- d-----w C:\Program Files\NCH Swift Sound
2007-05-30 22:59:58 -------- d-----w C:\Program Files\Common Files\Real
2007-05-30 22:59:11 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Real
2007-05-28 03:33:52 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Morpheus
2007-05-21 20:41:57 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\AdobeUM
2007-05-20 19:55:37 -------- d-----w C:\Program Files\MagicISO
2007-05-11 19:13:23 -------- d-----w C:\Program Files\JAM's Jedi Knight KT v2.0
2007-05-08 01:01:39 -------- d-----w C:\Program Files\Real
2007-05-03 12:50:05 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\DivX
2007-05-03 12:48:38 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\InterVideo
2007-05-02 19:23:52 -------- d-----w C:\Program Files\CUE Splitter
2007-04-27 18:07:48 79,384 ----a-r C:\WINDOWS\system32\avmontr.dll
2007-04-27 17:49:12 840,352 ----a-r C:\WINDOWS\system32\drivers\css-dvp.sys
2007-04-26 00:41:29 3,532 -c--a-w C:\drmHeader.bin
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-10 21:35:51 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 20:58:06 -------- d-----w C:\Program Files\FM Modifier 2.1
2007-04-07 18:15:39 -------- d-----w C:\Program Files\Mind Compression
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Virgin Broadband\PCguard\pkR.dll [2007-01-24 18:51]
{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Virgin Broadband\PCguard\FBHR.dll [2007-01-24 18:51]
{59ACB381-9910-477D-915D-ABBC4E54E4F8}=C:\WINDOWS\system32\geebc.dll []
{C27C3D1C-828C-A351-DB78-8EADDB9224C4}=C:\WINDOWS\system32\oiizuv.dll [2007-05-21 14:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"UserFaultCheck"="%systemroot%\system32\dumpre p 0 -u" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"ntl Netguard"="C:\Program Files\ntl\ntl Netguard\Rps.exe" []
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-07-21 13:50]
"ipqpwngj.exe"="C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
"InstallProvider"="C:\DOCUME~1\PAULIN~1.YOU\LOCALS ~1\Temp\miniinst.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Xedi"="C:\WINDOWS\T?sks\regedit.exe" []
"Atat"="C:\WINDOWS\system32\SMBOLS~1\regsvr32. exe" []

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe "C:\WINDOWS\system32\kcxukemb.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mstsdsc.exe]
c:\windows\system32\mstsdsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"dvpapi"=2 (0x2)
"Adobe LM Service"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe
readit\command- notepad readme.doc

Contents of the 'Scheduled Tasks' folder
2007-05-27 21:35:09 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-07 13:39:23 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-31 18:43:30 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
2007-05-31 18:43:24 C:\WINDOWS\tasks\Uniblue SpyEraser.job

************************************************** ************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 14:36:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

************************************************** ************************

Completion time: 2007-06-07 14:41:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 14:41

--- E O F ---

-----------------------------------------------------------------------------------------------

New HJT log (foolyou) after using combofix:

Logfile of HijackThis v1.99.1
Scan saved at 14:48:21, on 07/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\foolyou.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...aX3XpiRAwPV87S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {59ACB381-9910-477D-915D-ABBC4E54E4F8} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {C27C3D1C-828C-A351-DB78-8EADDB9224C4} - C:\WINDOWS\system32\oiizuv.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntl Netguard] C:\Program Files\ntl\ntl Netguard\Rps.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [InstallProvider] "C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\miniinst.e xe" -nag
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xedi] C:\WINDOWS\T?sks\regedit.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\SMBOLS~1\regsvr32.exe" -vt ndrv
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/s...-ob-assets.cab
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/ra...gameloader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwho...-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/fr...esLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tr...amesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://play09.pogo.com/game/deluxe/z...ploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup150.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

-----------------------------------------------------------------------------------------------------

Hehe, that (but nothing two old spyware killers like us can't handle.) makes you sound like the big coffin hunters from a book I read

Thanks alot again I have noticed improvements already.

Neal · #6 (**permalink**) 07-06-2007, 06:04 PM

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:[color=purpleOne at a time[/color

C:\WINDOWS\g1929781.exe
C:\WINDOWS\g1310375.exe
C:\WINDOWS\system32\kyaiseyk.exe
C:\WINDOWS\system32\oiizuv.dll
C:\WINDOWS\system32\lufedqpx.exe
C:\WINDOWS\system32\funsnydi.exe
C:\WINDOWS\system32\cfwrvoey.exe
C:\Program Files\?dobe
C:\WINDOWS\system32\oiizuv.dll
C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\chi.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

If that one is to busy here is another option:

http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html

Please download the OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\j9231531.dll
C:\WINDOWS\system32\stera.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Program Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007
C:\Program Files\WinAntiSpyware 2007
C:\Program Files\Ultimate Fixer
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\tmwsock.dll
C:\Program Files\winsys180
C:\WINDOWS\system32\geebc.dll
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the results of the above. Thanks.

kieranescourse · #7 (**permalink**) 07-06-2007, 07:09 PM

When I was doing the scanning on that website, I couldnt find:

C:\Program Files\?dobe

C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe

Here are the results from the ones I could find:
----------------------------------------------------------------------------

Complete scanning result of "g1929781.exe", received in VirusTotal at 06.07.2007, 19:33:59 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 no virus found
AntiVir 7.4.0.32 06.07.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 Win32:Agent-HQT
AVG 7.5.0.467 06.07.2007 no virus found
BitDefender 7.2 06.07.2007 Dropped:Trojan.Downloader.Agent.BFO
CAT-QuickHeal 9.00 06.07.2007 TrojanDownloader.Agent.bqw
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 no virus found
FileAdvisor 1 06.07.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan-Downloader.Win32.Agent.bqw
Ikarus T3.1.1.8 06.07.2007 no virus found
Kaspersky 4.0.2.24 06.07.2007 Trojan-Downloader.Win32.Agent.bqw
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 no virus found
Panda 9.0.0.4 06.07.2007 no virus found
Prevx1 V2 06.07.2007 Malicious
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.07.2007 no virus found
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 no virus found
VirusBuster 4.3.23:9 06.07.2007 no virus found
Webwasher-Gateway 6.0.1 06.07.2007 Worm.Win32.ModifiedUPX.gen!90 (suspicious)

Aditional Information
File size: 71680 bytes
MD5: 2db2d434db1161a0673155c528b39367
SHA1: d87990293274a46b56ca7abb8c12bbd7ace01bc5
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=8cc099870111

----------------------------------------------------------------------------

Complete scanning result of "g1310375.exe", received in VirusTotal at 06.07.2007, 19:22:03 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 no virus found
AntiVir 7.4.0.32 06.07.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 Win32:Agent-HQT
AVG 7.5.0.467 06.07.2007 no virus found
BitDefender 7.2 06.07.2007 Dropped:Trojan.Downloader.Agent.BFO
CAT-QuickHeal 9.00 06.07.2007 TrojanDownloader.Agent.bqw
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 no virus found
FileAdvisor 1 06.07.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan-Downloader.Win32.Agent.bqw
Ikarus T3.1.1.8 06.07.2007 no virus found
Kaspersky 4.0.2.24 06.07.2007 Trojan-Downloader.Win32.Agent.bqw
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 no virus found
Panda 9.0.0.4 06.07.2007 no virus found
Prevx1 V2 06.07.2007 Malicious
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.07.2007 no virus found
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 no virus found
VirusBuster 4.3.23:9 06.07.2007 no virus found
Webwasher-Gateway 6.0.1 06.07.2007 Worm.Win32.ModifiedUPX.gen!90 (suspicious)

Aditional Information
File size: 71680 bytes
MD5: 2db2d434db1161a0673155c528b39367
SHA1: d87990293274a46b56ca7abb8c12bbd7ace01bc5
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=8cc099870111

----------------------------------------------------------------------------

Complete scanning result of "kyaiseyk.exe", received in VirusTotal at 06.07.2007, 19:22:29 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.07.2007 TR/Agent.anr.1
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Generic4.SLZ
BitDefender 7.2 06.07.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.07.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Trojan.Agent.anr
FileAdvisor 1 06.07.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.07.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.07.2007 Trojan.Win32.Agent.anr
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.07.2007 no virus found
Prevx1 V2 06.07.2007 Covert.Sys.Exec
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.07.2007 Trojan.LowZones
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.07.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: 50d7df50e5f9ff236e280cddeae20ee7
SHA1: c416205f91351fb6e1780d2f78dcb0bdef30ca64
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500

----------------------------------------------------------------------------

Complete scanning result of "oiizuv.dll", received in VirusTotal at 06.07.2007, 19:22:55 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 no virus found
AntiVir 7.4.0.32 06.07.2007 ADSPY/PurityScan.AK.174
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 Win32:Agent-RY
AVG 7.5.0.467 06.07.2007 no virus found
BitDefender 7.2 06.07.2007 Adware.PurityScan.AK
CAT-QuickHeal 9.00 06.07.2007 no virus found
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 Spyware.Purityscan
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Adware.PurityScan
FileAdvisor 1 06.07.2007 No threat detected
Fortinet 2.85.0.0 06.07.2007 Adware/Purityscan
F-Prot 4.3.2.48 06.07.2007 W32/Adware.JOJ
F-Secure 6.70.13030.0 06.07.2007 no virus found
Ikarus T3.1.1.8 06.07.2007 not-a-virus:AdWare.Win32.PurityScan.ak
Kaspersky 4.0.2.24 06.07.2007 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 probably a variant of Win32/Adware.PurityScan
Norman 5.80.02 06.07.2007 W32/PurityScan.dam
Panda 9.0.0.4 06.07.2007 Adware/PurityScan
Prevx1 V2 06.07.2007 Trojan.NDrv
Sophos 4.18.0 06.01.2007 ClickSpring
Sunbelt 2.2.907.0 06.07.2007 ClickSpring.PuritySCAN
Symantec 10 06.07.2007 Adware.Purityscan
TheHacker 6.1.6.130 06.06.2007 Adware/PurityScan.ak
VBA32 3.12.0 06.06.2007 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.23:9 06.07.2007 no virus found
Webwasher-Gateway 6.0.1 06.07.2007 Ad-Spyware.PurityScan.AK.174

Aditional Information
File size: 60928 bytes
MD5: 58a29a9dce5d1abc28943567f080245a
SHA1: 0de465208dd61ace144b6d02a9866008dd6c9eb2
packers: PECompact
packers: PECOMPACT
Bit9 info: http://fileadvisor.bit9.com/services...943567f080245a
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=aa6597261699
Sunbelt info: PurityScan is an ad supported program that scans the user's Internet Explorer files, including browser cache, cookies and history for pornographic/adult related words and allows the user to delete them.

----------------------------------------------------------------------------

Complete scanning result of "lufedqpx.exe", received in VirusTotal at 06.07.2007, 19:23:08 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.07.2007 TR/Agent.anr.1
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Generic4.SLZ
BitDefender 7.2 06.07.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.07.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Trojan.Agent.anr
FileAdvisor 1 06.07.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.07.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.07.2007 Trojan.Win32.Agent.anr
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.07.2007 no virus found
Prevx1 V2 06.07.2007 Covert.Sys.Exec
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.07.2007 Trojan.LowZones
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.07.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: 50d7df50e5f9ff236e280cddeae20ee7
SHA1: c416205f91351fb6e1780d2f78dcb0bdef30ca64
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500

----------------------------------------------------------------------------

Complete scanning result of "funsnydi.exe", received in VirusTotal at 06.07.2007, 19:23:25 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.07.2007 TR/Agent.anr.1
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Generic4.SLZ
BitDefender 7.2 06.07.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.07.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Trojan.Agent.anr
FileAdvisor 1 06.07.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.07.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.07.2007 Trojan.Win32.Agent.anr
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.07.2007 no virus found
Prevx1 V2 06.07.2007 Covert.Sys.Exec
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.07.2007 Trojan.LowZones
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.07.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: 50d7df50e5f9ff236e280cddeae20ee7
SHA1: c416205f91351fb6e1780d2f78dcb0bdef30ca64
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500

----------------------------------------------------------------------------

Complete scanning result of "cfwrvoey.exe", received in VirusTotal at 06.07.2007, 19:23:40 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.07.2007 TR/Agent.anr.1
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Generic4.SLZ
BitDefender 7.2 06.07.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.07.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Trojan.Agent.anr
FileAdvisor 1 06.07.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.07.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.07.2007 Trojan.Win32.Agent.anr
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.07.2007 no virus found
Prevx1 V2 06.07.2007 Covert.Sys.Exec
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.07.2007 Trojan.LowZones
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.07.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: 50d7df50e5f9ff236e280cddeae20ee7
SHA1: c416205f91351fb6e1780d2f78dcb0bdef30ca64
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500

----------------------------------------------------------------------------

Complete scanning result of "sysmon32.exe", received in VirusTotal at 06.07.2007, 19:26:17 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 Win-Trojan/Alphabet.28160
AntiVir 7.4.0.32 06.07.2007 TR/AVKiller.18944
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Clicker.GAX
BitDefender 7.2 06.07.2007 Dropped:Trojan.Downloader.Agent.YCY
CAT-QuickHeal 9.00 06.07.2007 TrojanDownloader.Alphabet.c
ClamAV devel-20070416 06.07.2007 Trojan.Downloader-8298
DrWeb 4.33 06.07.2007 Trojan.DownLoader.23031
eSafe 7.0.15.0 06.06.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Downloader.Alphabet.c
FileAdvisor 1 06.07.2007 No threat detected
Fortinet 2.85.0.0 06.07.2007 W32/Alphabet.C!tr
F-Prot 4.3.2.48 06.07.2007 W32/Downloader!74ec
F-Secure 6.70.13030.0 06.07.2007 Trojan-Downloader.Win32.Alphabet.c
Ikarus T3.1.1.8 06.07.2007 Trojan-Downloader.Win32.Alphabet.c
Kaspersky 4.0.2.24 06.07.2007 Trojan-Downloader.Win32.Alphabet.c
McAfee 5048 06.07.2007 Generic Downloader
Microsoft 1.2503 06.07.2007 no virus found
NOD32v2 2316 06.07.2007 a variant of Win32/TrojanClicker.Agent.NBS
Norman 5.80.02 06.07.2007 W32/DLoader.CWCG
Panda 9.0.0.4 06.07.2007 Adware/DriveCleaner
Prevx1 V2 06.07.2007 Malicious
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 VIPRE.Suspicious
Symantec 10 06.07.2007 no virus found
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.06.2007 Trojan-Downloader.Win32.Alphabet.c
VirusBuster 4.3.23:9 06.07.2007 no virus found
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.AVKiller.18944

Aditional Information
File size: 28160 bytes
MD5: 046c36ebef94d4468a7c62ec33b16cd2
SHA1: 5e38411042df22a98e72ed3458cc69f70a68e7f2
packers: PECOMPACT
Bit9 info: http://fileadvisor.bit9.com/services...7c62ec33b16cd2
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=aec398717080
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

----------------------------------------------------------------------------

Complete scanning result of "chi.exe", received in VirusTotal at 06.07.2007, 19:26:31 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 no virus found
AntiVir 7.4.0.32 06.07.2007 TR/Proxy.Agent.LY.20
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Proxy.NTM
BitDefender 7.2 06.07.2007 Win32.Chiclen.A
CAT-QuickHeal 9.00 06.07.2007 TrojanProxy.Agent.ly
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.07.2007 Trojan.Chiwe
eSafe 7.0.15.0 06.06.2007 Win32.Agent.ly
eTrust-Vet 30.7.3699 06.07.2007 no virus found
Ewido 4.0 06.07.2007 Proxy.Agent.ly
FileAdvisor 1 06.07.2007 High threat detected
Fortinet 2.85.0.0 06.07.2007 W32/Agent.LY!tr
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.07.2007 Trojan-Proxy.Win32.Agent.ly
Ikarus T3.1.1.8 06.07.2007 Trojan-Proxy.Win32.Agent.ly
Kaspersky 4.0.2.24 06.07.2007 Trojan-Proxy.Win32.Agent.ly
McAfee 5048 06.07.2007 Proxy-Agent.o
Microsoft 1.2503 06.07.2007 TrojanProxy:Win32/Agent!FAE6
NOD32v2 2316 06.07.2007 no virus found
Norman 5.80.02 06.07.2007 no virus found
Panda 9.0.0.4 06.07.2007 Suspicious file
Prevx1 V2 06.07.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 Trojan-Proxy.Win32.Agent.ly
Symantec 10 06.07.2007 no virus found
TheHacker 6.1.6.130 06.06.2007 Trojan/Proxy.Agent.ly
VBA32 3.12.0 06.06.2007 Trojan.Chiwe
VirusBuster 4.3.23:9 06.07.2007 Trojan.PR.Agent.UGM
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.Proxy.Agent.LY.20

Aditional Information
File size: 22528 bytes
MD5: e6fa328c7fddb48aadd3f4bff30313c8
SHA1: d41b96cf4e6bc97439f4e90720afded887c00f03
packers: ASPACK
Bit9 info: http://fileadvisor.bit9.com/services...d3f4bff30313c8
packers: Aspack

----------------------------------------------------------------------------

I also noticed when I was looking for the first one I had more similar, they are:

----------------------------------------------------------------------------

Neal · #8 (**permalink**) 07-06-2007, 07:36 PM

Please download the OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\g342828.exe
C:\WINDOWS\g4559625.exe
C:\WINDOWS\g1546750.exe
C:\WINDOWS\g346093.exe
C:\WINDOWS\g14431375.exe
C:\WINDOWS\g13228406.exe
C:\WINDOWS\g12030875.exe
C:\WINDOWS\g10709734.exe
C:\WINDOWS\g9506984.exe
C:\WINDOWS\g4223015.exe
C:\WINDOWS\g3033265.exe
C:\WINDOWS\g19388390.exe
C:\WINDOWS\g9279671.exe
C:\WINDOWS\g8075921.exe
C:\WINDOWS\g6862656.exe
C:\WINDOWS\g5668328.exe
C:\WINDOWS\g4457390.exe
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\g7967375.exe
C:\WINDOWS\system32\kyaiseyk.exe
C:\WINDOWS\system32\oiizuv.dll
C:\WINDOWS\system32\lufedqpx.exe
C:\WINDOWS\system32\funsnydi.exe
C:\WINDOWS\system32\cfwrvoey.exe
C:\WINDOWS\chi.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

new combofix log please and a new hijackthis log

kieranescourse · #9 (**permalink**) 08-06-2007, 02:08 AM

OTMoveIt Report:

C:\WINDOWS\g342828.exe moved successfully.
C:\WINDOWS\g4559625.exe moved successfully.
C:\WINDOWS\g1546750.exe moved successfully.
C:\WINDOWS\g346093.exe moved successfully.
C:\WINDOWS\g14431375.exe moved successfully.
C:\WINDOWS\g13228406.exe moved successfully.
C:\WINDOWS\g12030875.exe moved successfully.
C:\WINDOWS\g10709734.exe moved successfully.
C:\WINDOWS\g9506984.exe moved successfully.
C:\WINDOWS\g4223015.exe moved successfully.
C:\WINDOWS\g3033265.exe moved successfully.
C:\WINDOWS\g19388390.exe moved successfully.
C:\WINDOWS\g9279671.exe moved successfully.
C:\WINDOWS\g8075921.exe moved successfully.
C:\WINDOWS\g6862656.exe moved successfully.
C:\WINDOWS\g5668328.exe moved successfully.
C:\WINDOWS\g4457390.exe moved successfully.
File/Folder C:\WINDOWS\system32\winsys64.exe not found.
C:\WINDOWS\g7967375.exe moved successfully.
C:\WINDOWS\system32\kyaiseyk.exe moved successfully.
C:\WINDOWS\system32\oiizuv.dll unregistered successfully.
C:\WINDOWS\system32\oiizuv.dll moved successfully.
C:\WINDOWS\system32\lufedqpx.exe moved successfully.
C:\WINDOWS\system32\funsnydi.exe moved successfully.
C:\WINDOWS\system32\cfwrvoey.exe moved successfully.
C:\WINDOWS\chi.exe moved successfully.

Created on 06/08/2007 02:07:29

--------------------------------------------------------------------------

Combo Fix Log:

"Pauline" - 2007-06-08 3:09:33 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Pauline.YOUR-HKI1ASH75M\Desktop\"

((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))

2007-06-07 14:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 02:41 <DIR> d----c--- C:\VundoFix Backups
2007-06-06 02:04 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-06-06 02:04 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-06-06 02:04 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\SiteAdvisor
2007-06-06 01:53 14,868 --a------ C:\WINDOWS\system32\lahsvuwr.exe
2007-06-04 23:44 <DIR> d----c--- C:\!KillBox
2007-06-04 17:08 <DIR> d-------- C:\Program Files\Install Provider
2007-06-04 14:59 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-06-04 14:41 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Virgin Broadband
2007-06-04 14:39 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Virgin Broadband
2007-06-04 14:39 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-06-03 20:33 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-06-03 20:33 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-06-03 20:33 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-06-03 20:33 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-06-03 20:33 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-06-03 20:33 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-06-03 20:30 71,680 --a------ C:\WINDOWS\g1929781.exe
2007-06-03 20:20 71,680 --a------ C:\WINDOWS\g1310375.exe
2007-06-03 20:01 2,580 --a------ C:\WINDOWS\system32\krnwbvvy.exe
2007-06-01 09:46 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-01 00:20 <DIR> d-------- C:\Program Files\àdobe
2007-05-31 21:55 262,144 --a------ C:\DOCUME~1\user\NTUSER.DAT
2007-05-31 19:14 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Uniblue
2007-05-31 19:13 <DIR> d-------- C:\Program Files\Uniblue
2007-05-31 17:07 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\KeySafe
2007-05-25 16:57 21,120 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2007-05-25 16:57 <DIR> d-------- C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\NCH Swift Sound
2007-05-18 13:50 <DIR> d-------- C:\Program Files\WMR11
2007-05-09 14:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-09 14:44 <DIR> d-------- C:\Program Files\Apple Software Update

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))

2007-06-07 13:59:47 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\U3
2007-06-04 22:19:57 -------- d-----w C:\Program Files\Common Files\PestPatrol
2007-06-04 13:53:03 230 ----a-w C:\WINDOWS\freedom.backup.dat
2007-06-03 11:36:36 -------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-06-03 11:25:31 -------- d-----w C:\Program Files\?dobe
2007-06-03 11:25:25 -------- d-----w C:\Program Files\DivX
2007-06-02 21:57:12 19,713 ----a-w C:\WINDOWS\mozver.dat
2007-05-30 23:08:49 -------- d-----w C:\Program Files\Championship Manager 2006
2007-05-30 23:05:49 -------- d-----w C:\Program Files\MSN Games
2007-05-30 23:01:14 -------- d-----w C:\Program Files\NCH Swift Sound
2007-05-30 22:59:58 -------- d-----w C:\Program Files\Common Files\Real
2007-05-30 22:59:11 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Real
2007-05-28 03:33:52 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\Morpheus
2007-05-21 20:41:57 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\AdobeUM
2007-05-20 19:55:37 -------- d-----w C:\Program Files\MagicISO
2007-05-11 19:13:23 -------- d-----w C:\Program Files\JAM's Jedi Knight KT v2.0
2007-05-08 01:01:39 -------- d-----w C:\Program Files\Real
2007-05-03 12:50:05 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\DivX
2007-05-03 12:48:38 -------- d-----w C:\DOCUME~1\PAULIN~1.YOU\APPLIC~1\InterVideo
2007-05-02 19:23:52 -------- d-----w C:\Program Files\CUE Splitter
2007-04-27 18:07:48 79,384 ----a-r C:\WINDOWS\system32\avmontr.dll
2007-04-27 17:49:12 840,352 ----a-r C:\WINDOWS\system32\drivers\css-dvp.sys
2007-04-26 00:41:29 3,532 -c--a-w C:\drmHeader.bin
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-10 21:35:51 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Virgin Broadband\PCguard\pkR.dll [2007-01-24 18:51]
{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Virgin Broadband\PCguard\FBHR.dll [2007-01-24 18:51]
{59ACB381-9910-477D-915D-ABBC4E54E4F8}=C:\WINDOWS\system32\geebc.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"UserFaultCheck"="%systemroot%\system32\dumpre p 0 -u" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"ntl Netguard"="C:\Program Files\ntl\ntl Netguard\Rps.exe" []
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-07-21 13:50]
"ipqpwngj.exe"="C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
"InstallProvider"="C:\DOCUME~1\PAULIN~1.YOU\LOCALS ~1\Temp\miniinst.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Xedi"="C:\WINDOWS\T?sks\regedit.exe" []
"Atat"="C:\WINDOWS\system32\SMBOLS~1\regsvr32. exe" []

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe "C:\WINDOWS\system32\kcxukemb.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mstsdsc.exe]
c:\windows\system32\mstsdsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"dvpapi"=2 (0x2)
"Adobe LM Service"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe
readit\command- notepad readme.doc

Contents of the 'Scheduled Tasks' folder
2007-05-27 21:35:09 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-08 01:16:27 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-31 18:43:30 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
2007-05-31 18:43:24 C:\WINDOWS\tasks\Uniblue SpyEraser.job

************************************************** ************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 03:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

************************************************** ************************

Completion time: 2007-06-08 3:18:54
C:\ComboFix-quarantined-files.txt ... 2007-06-08 03:18
C:\ComboFix2.txt ... 2007-06-07 14:41

--- E O F ---

----------------------------------------------------------------------------------------------------

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 03

57, on 08/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\foolyou.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...aX3XpiRAwPV87S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {59ACB381-9910-477D-915D-ABBC4E54E4F8} - C:\WINDOWS\system32\geebc.dll (file missing)
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntl Netguard] C:\Program Files\ntl\ntl Netguard\Rps.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [InstallProvider] "C:\DOCUME~1\PAULIN~1.YOU\LOCALS~1\Temp\miniinst.e xe" -nag
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xedi] C:\WINDOWS\T?sks\regedit.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\SMBOLS~1\regsvr32.exe" -vt ndrv
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/s...-ob-assets.cab
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/ra...gameloader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwho...-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/fr...esLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tr...amesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://play09.pogo.com/game/deluxe/z...ploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup150.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

Neal · #10 (**permalink**) 08-06-2007, 04:50 AM

[*] Please double-click OTMoveIt.exe to run it.[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\lahsvuwr.exe
:\WINDOWS\g1929781.exe
C:\WINDOWS\g1310375.exe
C:\WINDOWS\system32\krnwbvvy.exe

[*] Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.[*]Click the red Moveit! button.[*]Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.[*]Close OTMoveIt[/list]If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

New hijackthis log please