Computer creates random number.exe files

#1 (permalink)
12-12-2008, 06:11 AM
CYMREIG (Newbie; joined Dec 2008; 9 posts)
Computer creates random number.exe files

I caught something, so my computer creates and tries to execute some random number.exe files (for example 3375688.exe), and I also get pop-ups to fake anti-virus sites and the comp is running slow.

Update: my antivirus just picked up:
Trojan.win32.VB.hlm
Trojan.win32.Monderd.gen
Trojan.Win32.Agent.aulw

Here is my HIJACK THIS FILE:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:09:50, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Documents and Settings\Twiggy ^^\Desktop\RRT\RRT.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\Twiggy ^^\Application Data\IMVUClient\IMVUClient.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Twiggy ^^\Desktop\Twiggy's ****\Trillian\trillian.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Documents and Settings\Twiggy ^^\Application Data\IMVUClient\IMVUQualityAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Twiggy ^^\Desktop\RRT\RRT.exe auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [189a7ebe] rundll32.exe "C:\WINDOWS\system32\kwrkesog.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Documents and Settings\Twiggy ^^\Application Data\IMVUClient\IMVUClient.exe
O4 - Startup: Trillian.lnk = C:\Documents and Settings\Twiggy ^^\Desktop\Twiggy's ****\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Twiggy ^^\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1221866844328
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8604 bytes

Last edited by CYMREIG; 12-12-2008 at 10:23 PM. Reason: Antivirus picked up some stuff
#2 (permalink)
12-12-2008, 10:42 PM
Neal (Senior Member; joined Sep 2005; 5,520 posts)
Re: Computer creates random number.exe files

Welcome,



* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#3 (permalink)
13-12-2008, 04:48 PM
CYMREIG (Newbie; joined Dec 2008; 9 posts)
Re: Computer creates random number.exe files

Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1494
Windows 5.1.2600 Service Pack 3

13/12/2008 08:27:23
mbam-log-2008-12-13 (08-27-23).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 288931
Time elapsed: 2 hour(s), 30 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmnkIAsp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urqQKaxX.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqqkaxx (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b5ad1983-803f-49a5-945f-5db72b118d81} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b5ad1983-803f-49a5-945f-5db72b118d81} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4c03cc5-cb9d-4863-a535-d231edf6071a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f4c03cc5-cb9d-4863-a535-d231edf6071a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b5ad1983-803f-49a5-945f-5db72b118d81} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnkiasp -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnkiasp -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\urqQKaxX.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yddlqn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkIAsp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\psAIknmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psAIknmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sqokgoxu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uxogkoqs.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Twiggy ^^\Local Settings\Temporary Internet Files\Content.IE5\3K79TXSB\index[2] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Twiggy ^^\Local Settings\Temporary Internet Files\Content.IE5\3K79TXSB\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Twiggy ^^\Local Settings\Temporary Internet Files\Content.IE5\XZYDASXB\kb600179[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dehiqn.dll.vzr (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dirikxkf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dtlfmi.dll.vzr (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lrjhnhbr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qljzvj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\13a898b5.sys (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\drivers\2f55f63a.sys (Rootkit.Agent) -> Delete on reboot.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39:08, on 13/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Documents and Settings\Twiggy ^^\Desktop\RRT\RRT.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Twiggy ^^\Application Data\IMVUClient\IMVUClient.exe
C:\Documents and Settings\Twiggy ^^\Desktop\Twiggy's ****\Trillian\trillian.exe
C:\Program Files\Xfire\xfire.exe
C:\Documents and Settings\Twiggy ^^\Application Data\IMVUClient\IMVUQualityAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1f9f7980-706a-4633-9c31-cca2f9acd183} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {ede46b60-0055-4d4a-bcd1-dc32522b4386} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Twiggy ^^\Desktop\RRT\RRT.exe auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Documents and Settings\Twiggy ^^\Application Data\IMVUClient\IMVUClient.exe
O4 - Startup: Trillian.lnk = C:\Documents and Settings\Twiggy ^^\Desktop\Twiggy's ****\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Twiggy ^^\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1221866844328
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gebskaqn - geBSKAqN.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9419 bytes
#4 (permalink)
15-12-2008, 12:50 AM
Neal (Senior Member; joined Sep 2005; 5,520 posts)
Re: Computer creates random number.exe files

Run HijackThis, click on the "scan system only" button, and put checks next to these:


O2 - BHO: (no name) - {1f9f7980-706a-4633-9c31-cca2f9acd183} - (no file)
O2 - BHO: (no name) - {ede46b60-0055-4d4a-bcd1-dc32522b4386} - (no file)

O20 - Winlogon Notify: gebskaqn - geBSKAqN.dll (file missing)



Please close ALL browser windows (including this one).

With everything closed out but HijackThis, click on "fix checked".


Reboot your PC.

What is happening now?
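Post #4 picks out entries that HijackThis marks "(no file)" or "(file missing)", all of which first appear in the second log. The Python sketch below is an added example, not part of the thread or of HijackThis: it parses two logs, lists such orphaned entries, and diffs the entries between scans. The function names are this example's own, and the sample logs are short excerpts of lines posted above.

```python
import re
from dataclasses import dataclass

# Entry lines start with a section code: "O2 - BHO: ...", "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Suffixes HijackThis prints when the registered target is not on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str  # section code, e.g. "O2", "O20"
    body: str  # remainder of the line

    @property
    def orphaned(self) -> bool:
        # "(no name)" in the middle of a line must not match, hence the $ anchor.
        return bool(ORPHAN_RE.search(self.body))


def parse_entries(log_text):
    """Return the R*/O* entries of a log, skipping header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"].strip()))
    return entries


def orphaned(entries):
    """Entries whose registration survives but whose file is gone."""
    return [e for e in entries if e.orphaned]


def diff_logs(before, after):
    """Return (removed, added) entries between two scans, in log order."""
    b, a = set(before), set(after)
    removed = [e for e in before if e not in a]
    added = [e for e in after if e not in b]
    return removed, added


# Excerpt of the log from post #1 (lines copied from the thread).
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:09:50, on 12/12/2008
Running processes:
C:\WINDOWS\system32\svchost.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [189a7ebe] rundll32.exe "C:\WINDOWS\system32\kwrkesog.dll",b
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

# Excerpt of the log from post #3, taken after the Malwarebytes scan.
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39:08, on 13/12/2008
O2 - BHO: (no name) - {1f9f7980-706a-4633-9c31-cca2f9acd183} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {ede46b60-0055-4d4a-bcd1-dc32522b4386} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: gebskaqn - geBSKAqN.dll (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    removed, added = diff_logs(before, after)
    # A diff only shows change and an orphan is only a leftover registration;
    # both are prompts for review, not verdicts.
    for label, items in (("removed", removed), ("added", added),
                         ("orphaned", orphaned(after))):
        for e in items:
            print(f"{label:9}{e.code:4}{e.body}")
```

On these excerpts the orphaned list is exactly the three lines checked in post #4, and the only entry that disappears between scans is the rundll32 Run value.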
#5 (permalink)
16-12-2008, 02:07 AM
CYMREIG (Newbie; joined Dec 2008; 9 posts)
Re: Computer creates random number.exe files

Still getting new EXEs made. Can't really tell if there are still popups. Locked down a lot of EXEs that I didn't recognise; seemed to stop popups but not the new EXEs.
Want a new HijackThis log?
#6 (permalink)
17-12-2008, 10:37 PM
Neal (Senior Member; joined Sep 2005; 5,520 posts)
Re: Computer creates random number.exe files

Visit the page below to familiarize yourself with the tool, and download it from one of the links provided.

A guide and tutorial on using ComboFix




If you have previously downloaded ComboFix, please delete that version now.



It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now.


How To Disable



Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


ComboFix SHOULD NOT be used unless requested by a forum helper.
#7 (permalink)
20-12-2008, 01:06 AM
CYMREIG (Newbie; joined Dec 2008; 9 posts)
Re: Computer creates random number.exe files

Here's my combofix log

ComboFix 08-12-18.03 - Twiggy ^^ 2008-12-19 23:55:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.483 [GMT 0:00]
Running from: c:\documents and settings\Twiggy ^^\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bbmnevcv.dll
c:\windows\system32\cdlkcrbk.ini
c:\windows\system32\dfgksqet.dll
c:\windows\system32\emgsufpx.ini
c:\windows\system32\fNTtutwa.ini
c:\windows\system32\gbkqiktk.dll
c:\windows\system32\gosekrwk.ini
c:\windows\system32\hanayqru.dll
c:\windows\system32\hfyeienp.dll
c:\windows\system32\hnphtbmp.ini
c:\windows\system32\JjQsBJjl.ini
c:\windows\system32\JjQsBJjl.ini2
c:\windows\system32\yblhjtse.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-18 10:42 . 2008-12-18 10:58 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\EVEMon
2008-12-18 10:41 . 2008-12-18 10:41 <DIR> d-------- c:\program files\EVEMon
2008-12-18 10:03 . 2008-12-18 10:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2008-12-18 09:58 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-12-18 09:51 . 2008-12-18 09:51 <DIR> d-------- c:\program files\CCP
2008-12-17 01:08 . 2008-12-17 01:08 304,160 --a------ C:\StiImg.dat
2008-12-12 22:39 . 2008-12-12 22:39 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\Malwarebytes
2008-12-12 22:31 . 2008-12-12 22:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 22:31 . 2008-12-12 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 22:31 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 22:31 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 20:37 . 2008-12-11 20:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-06 20:22 . 2008-12-06 20:31 <DIR> d-------- c:\program files\PoxNora
2008-12-05 16:21 . 2008-12-05 17:37 <DIR> d-------- c:\program files\Granado Espada
2008-12-02 20:03 . 2008-12-03 17:09 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-02 20:03 . 2008-12-02 20:03 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\PC Tools
2008-12-02 20:03 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-02 20:03 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-02 20:03 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-02 20:03 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-01 19:46 . 2008-12-01 19:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 19:09 . 2008-12-01 19:09 <DIR> d-------- c:\program files\CCleaner
2008-12-01 18:44 . 2008-12-01 18:44 16,244 --a------ c:\windows\system32\rrt_is.wav
2008-12-01 18:44 . 2008-12-01 18:44 7,302 --a------ c:\windows\system32\rrt_vf.wav
2008-12-01 18:44 . 2008-12-01 18:44 7,148 --a------ c:\windows\system32\rrt_tv.wav
2008-12-01 18:44 . 2008-12-01 18:44 6,282 --a------ c:\windows\system32\rrt_tn.wav
2008-12-01 18:30 . 2008-12-01 18:30 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-24 19:58 . 2008-11-27 04:20 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\LimeWire
2008-11-24 19:52 . 2008-11-24 19:55 <DIR> d-------- c:\program files\LimeWire
2008-11-24 18:12 . 2008-11-24 18:42 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\Download Manager
2008-11-22 04:35 . 2008-11-22 04:35 <DIR> d-------- c:\program files\Windows Journal Viewer
2008-11-22 02:53 . 2008-11-22 02:53 <DIR> d-------- c:\documents and settings\Twiggy ^^\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 23:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-19 23:41 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\Skype
2008-12-19 22:43 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\IMVU
2008-12-19 16:06 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\skypePM
2008-12-18 18:17 --------- d-----w c:\program files\FlashGet
2008-12-18 18:05 --------- d-----w c:\program files\Steam
2008-12-18 18:04 119,296 ----a-w c:\windows\system32\zlib.dll
2008-12-18 18:03 --------- d-----w c:\program files\Xfire
2008-12-18 18:00 109,620,256 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-16 18:52 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\uTorrent
2008-12-15 23:16 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\Xfire
2008-12-15 02:38 1,198,760 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-14 05:02 162,161 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_05_01_49_small.dmp.zip
2008-12-12 04:44 2,799,616 ----a-w c:\windows\Internet Logs\xDB10.tmp
2008-12-11 15:39 --------- d-----w c:\program files\PaintTool SAI English Pack
2008-12-11 00:27 166,706 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_11_00_26_08_small.dmp.zip
2008-12-11 00:26 2,742,272 ----a-w c:\windows\Internet Logs\xDB5D5.tmp
2008-12-07 22:35 1,038,848 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-12-07 17:25 2,816,000 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-12-03 02:03 3,226,624 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-12-02 19:43 3,150,336 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-02 19:43 2,782,720 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-02 19:23 2,809,856 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-12-02 18:45 4,427,064 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2008-11-29 13:20 52,882 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_11_29_13_19_09_small.dmp.zip
2008-11-29 04:52 2,760,192 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-11-26 17:37 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 15:45 2,774,528 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-11-19 09:36 308,334 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_19_09_36_06_small.dmp.zip
2008-11-18 15:21 158,365 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_18_15_20_55_small.dmp.zip
2008-11-16 08:54 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-16 08:39 --------- d-----w c:\program files\Adobe Media Player
2008-11-16 08:37 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-16 08:30 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-15 21:26 --------- d-----w c:\program files\Cheat Engine
2008-11-14 15:42 --------- d-----w c:\program files\Gravity
2008-11-12 17:42 --------- d-----w c:\program files\RebirthRO
2008-11-11 19:32 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\IMVUClient
2008-11-11 14:41 --------- d-----w c:\program files\SevenfoldRO
2008-11-11 03:46 2,483,200 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-11-11 03:14 253,440 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-11-10 17:15 4,072,448 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-11-09 21:46 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-11-07 21:03 --------- d-----w c:\program files\VUGames
2008-11-04 22:13 --------- d-----w c:\program files\House of Tales
2008-11-03 21:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 20:54 --------- d-----w c:\program files\Activision
2008-10-31 00:01 --------- d-----w c:\program files\TRABULANCE
2008-10-27 22:56 --------- d-----w c:\program files\EA GAMES
2008-10-24 22:33 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:21 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-10-22 23:16 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\SYSTEMAX Software Development
2008-10-22 23:16 --------- d-----w c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
2008-10-22 22:47 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-22 22:27 2,883,584 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-10-21 23:57 2,337,792 ----a-w c:\windows\Internet Logs\xDBBD.tmp
2008-10-21 23:24 2,773,504 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-10-21 18:14 4,640,768 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-10-21 18:14 2,329,600 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-10-09 14:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-09 14:25 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-10-01 15:23 151,442 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_01_16_23_12_small.dmp.zip
2008-09-30 21:20 206 ----a-w C:\rohan_temp_execute.bat
2008-09-30 21:20 0 ----a-w c:\documents and settings\Twiggy ^^\running.dat
2008-09-30 00:19 152,265 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_09_30_01_19_42_small.dmp.zip
2008-09-19 20:06 81,920 ------r c:\windows\bwUnin-6.1.4.36-8876480L.exe
2008-09-19 20:02 14,656 ----a-w c:\windows\gdrv.sys
2008-09-19 19:59 315,392 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-16 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"RRT-Auto"="c:\documents and settings\Twiggy ^^\Desktop\RRT\RRT.exe" [2008-09-07 140288]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]
"atwtusb"="atwtusb.exe" [2005-03-09 c:\windows\system32\atwtusb.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Twiggy ^^\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\Twiggy ^^\Application Data\IMVUClient\IMVUClient.exe [2008-12-04 49408]
Trillian.lnk - c:\documents and settings\Twiggy ^^\Desktop\Twiggy's ****\Trillian\trillian.exe [2008-10-01 1873280]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-12-11 2990416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-09-19 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\messenger (yahoo!)]
--a------ 2008-09-19 16:34 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pinnacle game profiler]
--a------ 2008-10-14 01:42 2473984 c:\program files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Save to disk\\Save to disk\\BearShare\\BearShare.exe"=
"c:\\Documents and Settings\\Twiggy ^^\\Desktop\\Twiggy's ****\\Trillian\\trillian.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"e:\\Program Files\\MC2\\Sniper Elite\\SniperElite.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\WINDOWS\\system32\\mcoinstall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys [2005-02-24 162176]
S1 13a898b5;13a898b5;c:\windows\system32\drivers\13a898b5.sys []
S1 2f55f63a;2f55f63a;c:\windows\system32\drivers\2f55f63a.sys []
S1 aiptektp;HyperPen;c:\windows\system32\DRIVERS\aiptektp.sys [2008-11-22 22272]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\TWIGGY~1\LOCALS~1\Temp\cel90xbe.sys []
S3 Revolution1;Revolution1;\??\c:\documents and settings\Twiggy ^^\Desktop\Twiggy's ****\Hacking and hexing\Revolution_Engine_8.3_By_ShaK3\SHAK3.sys [2008-09-22 20864]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-02 356920]
S3 xdva220;XDva220;\??\c:\windows\system32\XDva220.sys []

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{1F9F7980-706A-4633-9C31-CCA2F9ACD183} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Twiggy ^^\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Twiggy ^^\Start Menu\Programs\IMVU\Run IMVU.lnk -
FF - ProfilePath - c:\documents and settings\Twiggy ^^\Application Data\Mozilla\Firefox\Profiles\70q6xskm.Defalt\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 23:57:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2008-12-19 23:59:11
ComboFix-quarantined-files.txt 2008-12-19 23:59:02

Pre-Run: 53,307,727,872 bytes free
Post-Run: 53,481,533,440 bytes free

243 --- E O F --- 2008-11-13 0342
  #8 (permalink)  
Old 22-12-2008, 12:05 AM
Neal
Senior Member

Join Date: Sep 2005
Posts: 5,520
Neal is a D-A-L Rockstar!
Re: Computer creates random number.exe files

Very good, how are things now?

Have you run CCleaner lately?
  #9 (permalink)  
Old 24-12-2008, 01:18 AM
Newbie
D-A-L Newbie
 
Join Date: Dec 2008
Posts: 9
CYMREIG Is a beginner here at D-A-L
Re: Computer creates random number.exe files

I ran CCleaner just after doing that scan and I'm still getting exes made.
  #10 (permalink)  
Old 25-12-2008, 07:35 PM
Neal
Senior Member

Join Date: Sep 2005
Posts: 5,520
Neal is a D-A-L Rockstar!
Re: Computer creates random number.exe files

Do an online scan (scan only tool) with Kaspersky WebScanner
[Internet Explorer required]


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      - Extended (if available otherwise Standard)
    • Scan Options:
      - Scan Archives
      - Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

Please post the results of the scan back here, along with a new HijackThis log.
All times are GMT +1.