Help me remove Trojan horse WIN32:BHO-KD[Trj]

Part-II Extra.txt

-- User Profiles ---------------------------------------------------------------

Administrator

-- Add/Remove Programs ---------------------------------------------------------

→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4100 USB Scanner → C:\WINDOWS\RunUnDrv.exe C:\WINDOWS\Twain_32\4100\PmxScan.INF DefaultUnInstall.USB.NTX86
ABBYY FineReader 5.0 Sprint → MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Bridge 1.0 → MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer → MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX → C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Help Center 1.0 → MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 → msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.9 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 → MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
ArcSoft Panorama Maker 3 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
C-Media Audio → C:\WINDOWS\CMIUnInstall.exe
Gadwin PrintScreen → C:\Program Files\Gadwin Systems\PrintScreen\Uninstall.exe
HijackThis 2.0.2 → "C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe" /uninstall
hp LaserJet 1010 Series → MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Intel(R) 845G Chipset Graphics Driver Software → RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562-inteluninstall
K-Lite Mega Codec Pack 1.15 → "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft Office 2000 Professional → MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Neat Image v5 Demo (with plug-in) → "C:\Program Files\Neat Image\unins000.exe"
Nero - Burning Rom → MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Nikon Message Center → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
OrderReminder hp LaserJet 101x → "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_101x\installerhelper.exe" "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_101x\installerhelper.properties" -from-addremove
PictureProject → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
QuickTime → C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Rediff Bol → C:\Program Files\Rediff Bol\uninstall.exe
Ulead Photo Express 4.0 My Custom Edition → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\Setup.exe"
Winamp (remove only) → "C:\Program Files\Winamp\UninstWA.exe"
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
WinZip → "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services → C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager → C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail → C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger → C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

-- Application Event Log -------------------------------------------------------

Event Record #/Type652 / Error
Event Submitted/Written: 12/31/2007 03:29:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dm7.exe, version 0.0.0.0, faulting module dm7.exe, version 0.0.0.0, fault address 0x0000b000.
Processing media-specific event for [dm7.exe!ws!]

Event Record #/Type651 / Error
Event Submitted/Written: 12/30/2007 06:59:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application start.exe, version 8.0.22.0, faulting module start.exe, version 8.0.22.0, fault address 0x000ad040.
Processing media-specific event for [start.exe!ws!]

Event Record #/Type650 / Error
Event Submitted/Written: 12/30/2007 06:59:30 PM
Event ID/Source: 1005 / Application Error
Event Description:
Windows cannot access the file G:\start.exe for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Macromedia Flash Player 8.0 r22 because of this error.

Program: Macromedia Flash Player 8.0 r22
File: G:\start.exe

The error value is listed in the Additional Data section.
User Action

  1. Open the file again.
    This situation might be a temporary problem that corrects itself when the program runs again.
  2. If the file still cannot be accessed and
    - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
  3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
  4. If the problem persists, restore the file from a backup copy.
  5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.
Additional Data
Error value: C0000240
Disk type: 5

Event Record #/Type648 / Error
Event Submitted/Written: 12/26/2007 10:28:18 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application winword.exe, version 9.0.0.2717, faulting module winword.exe, version 9.0.0.2717, fault address 0x00203c6e.
Processing media-specific event for [winword.exe!ws!]

Event Record #/Type647 / Error
Event Submitted/Written: 12/26/2007 09:23:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application winword.exe, version 9.0.0.2717, faulting module winword.exe, version 9.0.0.2717, fault address 0x001266fe.
Processing media-specific event for [winword.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type29504 / Warning
Event Submitted/Written: 01/02/2008 00:27:51 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0008A1903F4C. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type29500 / Error
Event Submitted/Written: 01/01/2008 10:04:47 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.33 for the Network Card with network address 0008A1903F4C has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type29499 / Warning
Event Submitted/Written: 01/01/2008 10:04:43 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0008A1903F4C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type29493 / Error
Event Submitted/Written: 01/01/2008 09:12:57 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.33 for the Network Card with network address 0008A1903F4C has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type29492 / Warning
Event Submitted/Written: 01/01/2008 09:12:52 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0008A1903F4C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

-- End of Deckard's System Scanner: finished at 2008-01-02 02:01:30 ------------

Sharad Garg

Hi sharadgarg,

Hold on to your desktop, here we go again:
The following HJT entries could be flagged, and taken out.
Fire up HijackThis and tag the following entries and give an enter.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')

After this post a new HijackThis log,

Also read this: http://www.housing.hawaii.edu/resources/support/restore-point.htm
what to do if ntos.exe has been deleted.

polonus
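As an added illustration (not code from HijackThis, and not something anyone in this thread posted), the points polonus raises above can be turned into mechanical checks over HJT log lines: the F2 UserInit value must contain nothing but Windows' own userinit.exe, a Run value calling itself "userinit" has no business existing, BHO and URLSearchHook entries reporting "(no name)" or "(no file)" deserve a look, and redirected search settings are reported with their host so the owner can decide whether the toolbar was installed on purpose. The sample log is constructed from entries that appear on this page plus two benign lines for contrast; the rule names and the MASQUERADE_NAMES list are my own choices, not anything HJT defines.

```python
"""Triage rules for HijackThis-style log lines (added example; not HJT's own code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


# Constructed sample: entries taken from the logs in this thread plus two benign
# lines (Google start page, ctfmon) so the rules have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B2A822B0-2E56-4D7F-9782-CBB82207C7D5} - c:\windows\system32\dgsetupv.dll
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Components that winlogon starts itself; Windows never registers them under a
# Run key, so a Run value borrowing one of these names is masquerading.
# (Assumed list, chosen for this example.)
MASQUERADE_NAMES = {"userinit", "winlogon", "lsass", "csrss", "smss", "services"}

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R1 - .*,(?P<setting>Search[^=]*?) = (?P<url>\S+)")
HOOK_RE = re.compile(r"^(?:O2 - BHO|R3 - URLSearchHook): (?P<rest>.*)$")


def check_userinit(line):
    """F2: every comma-separated UserInit entry must be Windows' own userinit.exe."""
    m = USERINIT_RE.match(line)
    if not m:
        return None
    entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return Finding("userinit-hijack", "; ".join(extra), line) if extra else None


def check_run_masquerade(line):
    """O4: a Run value named after a core logon component."""
    m = O4_RE.match(line)
    if not m:
        return None
    name = m.group("name").lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in MASQUERADE_NAMES:
        return Finding("run-key-masquerade", f"{m.group('name')} -> {m.group('cmd')}", line)
    return None


def check_orphan_hook(line):
    """O2/R3: a BHO that registered no name, or a hook whose file is already gone."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if "(no name)" in rest or "(no file)" in rest:
        return Finding("orphan-hook", rest, line)
    return None


def check_search_override(line):
    """R1: a search setting redirected somewhere; report the host for review."""
    m = R1_RE.match(line)
    if not m:
        return None
    host = urlparse(m.group("url")).hostname or m.group("url")
    return Finding("search-override", f"{m.group('setting')} -> {host}", line)


CHECKS = (check_userinit, check_run_masquerade, check_orphan_hook, check_search_override)


def triage(log_text):
    """Run every rule over every non-empty line; return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run it as-is to see the five findings from the sample, or feed it a saved hijackthis.log via triage(open(path).read()). The UserInit rule is the one that matters most here: winlogon runs every path in that value at logon, so anything after userinit.exe gets executed before the desktop appears.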

Hi malware fighters,

Additional information on ntos.exe: http://www.websense.com/securitylabs/blog/blog.php?BlogID=134

We also have to run this afterwards: http://www.cexx.org/lspfix.htm

pol

Ntos is a password stealer

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

  1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

  2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

I would recommend the following steps :

Download ComboFix from Here or Here to your Desktop.

  - Double click combofix.exe and follow the prompts.
  - When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Ntos will probably need an avenger run to kill it

Hi sharadgarg2000 and essexboy,

The manual removal instructions for ntos unsolicited malware:
Manual removal

Please follow the instructions below if you would like to remove Exploit ntos.exe manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If Exploit ntos.exe remains on your system after stepping through the removal instructions, please double-check by stepping through them again.

  1. Start your computer in safe mode.
  2. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
  3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {98B822AD-6BE7-49BC-B773-97240B774080}', if it exists.
  4. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {98B822AD-6BE7-49BC-B773-97240B774080}', if it exists.
  5. Browse to the key:
    'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
  6. In the right pane, delete the values called 'SystemSv12', 'runner1', 'RegistryMonitor1', 'SpyVampire', 'smgr', 'System', 'spoolsvv', if they exist.
  7. Browse to the key:
    'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
  8. In the right pane, delete the values called 'Windows update loader ', 'Service Pack 1', 'Brave-Sentry', 'WinAble', 'PestTrap', 'Windows update loader', if they exist.
  9. Exit the registry editor.
  10. Start Windows Explorer and delete:
    %SystemDir%\AClient.dll
    %SystemDir%\kernelwind32.exe
    %SystemDir%\vedxg4am1et2.exe
    %SystemDir%\vedxga4m1et4.exe
    %SystemDir%\vedxga4m1et4.exe
    %SystemDir%\spoolsvv.exe
    %SystemDir%\kernelw.sys
    %SystemDir%\aspimgr.exe
    %SystemDir%\msvcrt64.dll
    %SystemDir%\dllh8jkd1q2.exe
    %SystemDir%\max1d11643v.exe
    %SystemDir%\vedxg6ame4.exe
    %SystemDir%\vedxga1me4t1.exe
    %SystemDir%\vedxg4am1et2.exe
    %SystemDir%\vedxga4m1et4.exe
    %SystemDir%\vedxg6ame4.exe
    %SystemDir%\newmaxxsv234.exe
    %SystemDir%\winhld32.dll
    %SystemDir%\ntos.exe
    %WinDir%\avp.exe
    %WinDir%\mgrs.exe
    %WinDir%\xpupdate.exe
    %WinDir%\b122.exe
    %WinDir%\tsitra27.exe
    %WinDir%\desktop.html
    %ProgramsDir%\SpyVampire
    %ProgramsDir%\ucleaner_setup.exe
    %ProgramsDir%\PestTrap\PestTrap.exe
    %ProgramsDir%\WinAble\winable.exe
    %ProgramsDir%\BraveSentry
    c:\syst.exe
    c:\3456346345643.exe
    C:\winstall.exe
  11. Start Microsoft Internet Explorer.
  12. In Internet Explorer, click Tools → Internet Options.
  13. Click the Programs tab → Reset Web Settings.

polonus

combofix log:

ComboFix 08-01-03.3 - MIMMO 2008-01-02 20.41.37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.87 [GMT 1:00]
Eseguito da: C:\Documents and Settings\MIMMO\Desktop\ComboFix.exe

  • Creato nuovo punto di ripristino
    .

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dgsetupv.dll . . . . Eliminazione Fallita

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FUFWZYLV
-------\fufwzylv

((((((((((((((((((((((((( Files Creati Da 2007-12-03 al 2008-01-03 )))))))))))))))))))))))))))))))))))
.

2008-01-02 20:40 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 09:35 . 2008-01-02 09:35 118,784 -r------- C:\WINDOWS\bwUnin-6.3.2.62-7681197L.exe
2008-01-02 09:35 . 2004-11-10 13:58 68,752 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-02 09:35 . 2004-11-10 13:57 26,928 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-02 09:34 . 2008-01-02 09:35 d-------- C:\Programmi\F-Secure
2008-01-02 09:32 . 2008-01-02 09:32 d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avg7
2008-01-01 14:26 . 2008-01-01 18:09 d-------- C:\Programmi\SUPERAntiSpyware
2008-01-01 14:26 . 2008-01-01 18:09 d-------- C:\Documents and Settings\MIMMO\Dati applicazioni\SUPERAntiSpyware.com
2008-01-01 14:26 . 2008-01-01 14:26 d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2007-12-26 18:17 . 2007-12-26 18:37 58 --a------ C:\WINDOWS\CTACD.INI
2007-12-23 20:54 . 2007-12-23 20:54 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-23 20:54 . 2007-12-23 20:54 741,632 --a------ C:\WINDOWS\system32\ovoolkjo.dat
2007-12-23 20:54 . 2007-12-23 20:54 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-23 20:54 . 2007-12-23 20:54 42,240 --a------ C:\WINDOWS\system32\sguvldwn.dat
2007-12-23 20:54 . 2007-12-23 20:54 36,096 --a------ C:\WINDOWS\system32\zoyhlzgx.dat
2007-12-23 20:54 . 2007-12-23 20:54 35,072 --a------ C:\WINDOWS\system32\zmuhtbhf.dat
2007-12-22 21:37 . 2007-12-22 21:37 30 --a------ C:\WINDOWS\CTWave32.ini
2007-12-22 20:44 . 2007-12-25 21:09 120,576 --a------ C:\WINDOWS\system32\bbrbppyr.dat
2007-12-22 20:37 . 2007-12-23 20:54 84,992 --a------ C:\WINDOWS\system32\dgsetupv.dll.bak
2007-12-22 20:37 . 2008-01-03 20:47 84,992 --a------ C:\WINDOWS\system32\dgsetupv.dll
2007-12-22 20:36 . 19,584 C:\WINDOWS\system32\drivers\ufsncrmk.dat
2007-12-22 20:36 . 2007-12-22 20:36 16,896 --a------ C:\WINDOWS\system32\if12va.0xe
2007-12-22 20:35 . 2001-08-31 12:00 84,992 --a------ C:\WINDOWS\system32\cdmodeml.dll
2007-12-18 20:42 . 2007-12-18 20:42 d-------- C:\Programmi\Google
2007-12-13 11:22 . 2007-12-13 11:22 d--s---- C:\Documents and Settings\MIMMO\UserData
2007-12-05 18:06 . 2007-12-05 18:42 d-------- C:\Programmi\yengnwuy
2007-12-05 18:05 . 2007-12-05 18:05 291,328 --a------ C:\WINDOWS\system32\libcurl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 19:33 --------- d-----w C:\Programmi\eMule
2008-01-02 08:31 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2007-12-22 09:31 --------- d-----w C:\Programmi\MSN Messenger
2007-12-22 09:31 --------- d-----w C:\Programmi\Messenger Plus! Live
2007-12-16 09:54 --------- d-----w C:\Programmi\SopCast
2007-12-16 09:22 --------- d-----w C:\Documents and Settings\MIMMO\Dati applicazioni\SopCast
2007-11-23 10:38 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-11-23 10:38 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-11-23 10:38 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-11-23 10:36 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-11-22 17:13 --------- d-----w C:\Programmi\Sierra On-Line
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Nota i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B188C9-0198-4BB6-B2CB-AD40811F746E}]
2001-08-31 12:00 84992 --a------ C:\WINDOWS\system32\cdmodeml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2A822B0-2E56-4D7F-9782-CBB82207C7D5}]
2008-01-03 20:47 84992 --a------ c:\windows\system32\dgsetupv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2006-11-12 11:48 157592]
"RocketDock"="C:\Programmi\RocketDock\RocketDock.exe" [2007-03-18 23:05 630784]
"CTSyncU.exe"="C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 09:06 700416]
"PcSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-19 14:59 1449984]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2007-10-06 08:07 185896]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 10:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"CTStartup"="C:\Programmi\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 00:00 28672]
"NvCplDaemon"="NvQTwk"
"nwiz"="nwiz.exe" [2002-05-03 09:06 364544 C:\WINDOWS\system32\nwiz.exe]
"AdslTaskBar"="stmctrl.dll" [2003-01-22 11:01 151552 C:\WINDOWS\system32\stmctrl.dll]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 11:36 229376]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"F-Secure Manager"="C:\Programmi\F-Secure\Common\FSM32.exe" [2004-09-09 10:03 118832]
"F-Secure TNB"="C:\Programmi\F-Secure\TNB\TNBUtil.exe" [2004-05-27 09:57 684032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 14:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - C:\Programmi\File comuni\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”= 0 (0x0)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2004-11-10 13:58]
R0 wfjkwxgm;wfjkwxgm;C:\WINDOWS\system32\drivers\ufsncrmk.dat
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2008-01-02 09:35]
R2 F-Secure Filter;F-Secure File System Filter;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 17:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSgk.sys [2004-09-10 17:14]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 13:32]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2002-09-25 06:37]
S3 TaurusUsb;ADSL Modem USB Service 1.09a;C:\WINDOWS\system32\DRIVERS\torususb.sys [2003-01-09 14:21]

.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-01 20:43:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

  • C:\Programmi\Apple Software Update\SoftwareUpdate.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 20:50:19
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti …

scansione entrate autostart nascoste …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run???h???s????w? ?w???w???w4???.??w4???4???TA?s4???&2???wd??w??????????w-??w???????_???C@????????s???????s????&2?A??s?&2??C@?x???`|?w????@

Scansione files nascosti …

Scansione completata con successo
Files nascosti: 0


.
Ora fine scansione: 2008-01-03 20:52:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 19:51:59

Logfile of HijackThis v1.99.1
Scan saved at 20.59.14, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\spnpinst.exe
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\RocketDock\RocketDock.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programmi\F-Secure\FSGUI\fsguiexe.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MIMMO\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {80B188C9-0198-4BB6-B2CB-AD40811F746E} - C:\WINDOWS\system32\cdmodeml.dll
O2 - BHO: (no name) - {B2A822B0-2E56-4D7F-9782-CBB82207C7D5} - c:\windows\system32\dgsetupv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmi\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Programmi\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: tnkqaqmj - C:\WINDOWS\SYSTEM32\dgsetupv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe

OK lets start removing some of this rubbish :smiley:

Please download the OTMoveIt by OldTimer.
  - Save it to your desktop.
  - Please double-click OTMoveIt2.exe to run it.
  - Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\bwUnin-6.3.2.62-7681197L.exe
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\ovoolkjo.dat
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\sguvldwn.dat
C:\WINDOWS\system32\zoyhlzgx.dat
C:\WINDOWS\system32\zmuhtbhf.dat
C:\WINDOWS\system32\bbrbppyr.dat
C:\WINDOWS\system32\dgsetupv.dll.bak
C:\WINDOWS\system32\dgsetupv.dll
C:\WINDOWS\system32\drivers\ufsncrmk.dat
C:\WINDOWS\system32\if12va.0xe
C:\WINDOWS\system32\cdmodeml.dll

  - Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  - Click the red Moveit! button.
  - Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  - Close OTMoveIt

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where ********_****** is the date_time)

Click “Exit” to close OTMoveIt.

THEN

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*] Click on Avenger.zip to open the file
    [*] Extract avenger.exe to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[QUOTE]drivers to unload:
wfjkwxgm

Files to delete:
C:\WINDOWS\system32\drivers\ufsncrmk.dat
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, start The Avenger program by clicking on its icon on your desktop.
    [*] Under “Script file to execute” choose “Input Script Manually”.
    [*] Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
    [*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    [*] Click Done
    [*] Now click on the Green Light to begin execution of the script
    [*] Answer “Yes” twice when prompted.
  2. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  3. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Also, what can you tell me about this folder? C:\Programmi\yengnwuy
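The helpers in this thread pick the dropped files out of the logs by eye: names made of eight random lowercase letters, .dat files sitting under system32, a .0xe extension, a service whose binary carries no company name. The script below is an added example, not part of the original thread and not code from OTMoveIt, The Avenger, HijackThis or ComboFix; it applies those same rules to the O23 lines and the OTMoveIt list quoted above. The sample lines are copied from the thread; the thresholds in `looks_random` and the `KNOWN_EXT` allowlist are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: O23 service lines and file paths copied from the
# HijackThis log and the OTMoveIt list posted in this thread.
SAMPLE_O23 = r"""
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip()

SAMPLE_PATHS = r"""
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\ovoolkjo.dat
C:\WINDOWS\system32\drivers\ufsncrmk.dat
C:\WINDOWS\system32\if12va.0xe
C:\WINDOWS\system32\dgsetupv.dll.bak
""".strip()

# Assumed allowlist of extensions one expects under %SystemRoot%;
# anything else (".0xe") is worth a second look.
KNOWN_EXT = {".exe", ".dll", ".sys", ".dat", ".ini", ".bak", ".ocx", ".scr", ".tmp"}
VOWELS = set("aeiou")


def looks_random(stem):
    """True for the naming pattern of the dropped files in this thread:
    exactly eight lowercase letters, no digits, and either at most one vowel
    or a run of three or more consonants (ovoolkjo, sguvldwn, wfjkwxgm).
    Deliberately case-sensitive: mixed-case names such as CTsvcCDA are
    left alone."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels <= 1 or longest_run >= 3


def assess_path(path):
    """Return the list of reasons a file path deserves attention ([] if none)."""
    p = PureWindowsPath(path)
    stem = p.name.split(".")[0]          # "dgsetupv.dll.bak" -> "dgsetupv"
    reasons = []
    if looks_random(stem):
        reasons.append("random-looking 8-letter name")
    if p.suffix and p.suffix.lower() not in KNOWN_EXT:
        reasons.append("unusual extension " + p.suffix)
    if p.suffix.lower() == ".dat" and "system32" in (s.lower() for s in p.parts):
        reasons.append(".dat file under system32")
    return reasons


def assess_o23(line):
    """Parse one HijackThis O23 line into (service, owner, path, reasons).
    Assumes the path itself contains no ' - ', so splitting from the right
    recovers the owner even when the service name contains ' - '."""
    if not line.startswith("O23 - Service: "):
        return None
    head, owner, path = line.rsplit(" - ", 2)
    service = head[len("O23 - Service: "):]
    reasons = assess_path(path)
    if owner == "Unknown owner":
        reasons.append("no company name in the file's version info")
    return service, owner, path, reasons


def triage(o23_text, path_text):
    """Return [(path, reasons)] for every input that raised at least one reason."""
    flagged = []
    for line in o23_text.splitlines():
        parsed = assess_o23(line)
        if parsed and parsed[3]:
            flagged.append((parsed[2], parsed[3]))
    for path in path_text.splitlines():
        reasons = assess_path(path)
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_O23, SAMPLE_PATHS):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

A flag means "look at this", not "delete this": the script stays quiet on libeay32.dll and libssl32.dll, which are OpenSSL libraries that many legitimate programs ship, and on the F-Secure service it only reports the missing company name. Lower-casing every name before the check would trip Creative's CTsvcCDA.exe, so the case test is kept strict on purpose; an owner or signature check is the tie-breaker when a name alone is ambiguous.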

Hi,

Unfortunately I have exactly the same problem. Has the problem been solved yet, and how?

As I don’t use this machine for internet banking I’m wondering if I should wait until an easy fix is created, or am I being naive?

I’m assuming this is a new trojan as Avast is not dealing with it and spyware blaster did not recognise it. I’ve noticed the scrolling on my laptop is really sluggish - is this because of the key logging?

Any suggestions?

thanks essexboy, but I resolved the problem:
I dragged this file, CFScript.txt:

File::
C:\WINDOWS\system32\drivers\ufsncrmk.dat
C:\WINDOWS\system32\ovoolkjo.dat
C:\WINDOWS\system32\sguvldwn.dat
C:\WINDOWS\system32\zoyhlzgx.dat
C:\WINDOWS\system32\zmuhtbhf.dat
C:\WINDOWS\system32\bbrbppyr.dat
C:\WINDOWS\system32\dgsetupv.dll.bak
C:\WINDOWS\system32\dgsetupv.dll
C:\WINDOWS\system32\if12va.0xe
C:\WINDOWS\system32\cdmodeml.dll
C:\WINDOWS\CTACD.INI
C:\WINDOWS\CTWave32.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B188C9-0198-4BB6-B2CB-AD40811F746E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2A822B0-2E56-4D7F-9782-CBB82207C7D5}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wfjkwxgm]

onto the ComboFix icon.

Yes. Open a new thread for you to follow the suggestions.
General cleaning procedures are:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use AVG Antispyware, SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Hi, please help me to remove the same virus…

Hi santu_1786, could you start a new topic, as it can get confusing otherwise? Post a HijackThis log there.

Download & Run HijackThis.exe

[*]Download HJTInstall.exe to your Desktop.
[*]Doubleclick HJTInstall.exe to install it.
[*]By default it will install to C:\Program Files\Trend Micro\HijackThis.
[*]Click on Install.
[*]It will create a HijackThis icon on the desktop.
[*]Once installed, it will launch Hijackthis.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Copy/Paste the log to your next reply please.

Don’t use the Analyse This button, its findings are dangerous if misinterpreted.
Don’t have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

I’ve encountered the same trojan on this PC as well. It’s associated with the dll “nddeap”. What happens if I delete this dll altogether? Would it affect the OS?

Hi pegasus4,

Better do this using a fix tool, so post a HJT log like essexboy suggests; sometimes a special script is needed to delete the dll while the malware is putting it back onto the computer through other means.

polonus

Trojans are like spyware. They can take control of your computer if you don't have a good firewall. I recommend ZoneAlarm because Windows Firewall sucks. I have the same trojan too. I think this is the world's baddest trojan. I need help too. I hate this trojan because you can't remove it like normal. I need heeelpp!!! Sorry for my bad English.

I have this trojan: file system32/cryptsv.dll/[UPX]

Hi Trojanhater666

Download & Run HijackThis.exe

[*]Download HJTInstall.exe to your Desktop.
[*]Doubleclick HJTInstall.exe to install it.
[*]By default it will install to C:\Program Files\Trend Micro\HijackThis.
[*]Click on Install.
[*]It will create a HijackThis icon on the desktop.
[*]Once installed, it will launch Hijackthis.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Copy/Paste the log to your next reply please.

Don’t use the Analyse This button, its findings are dangerous if misinterpreted.
Don’t have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you could then start a new topic and post it there

ComboFix 08-02-21 - mine 2008-02-20 22:17:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.434 [GMT -5:00]
Running from: C:\Documents and Settings\mine\Local Settings\Temporary Internet Files\Content.IE5\1XHU8ASY\ComboFix[1].exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Internet Explorer\nipyradim89104.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\aoldia.dll
C:\WINDOWS\system32\drivers\sjauqnep.dat
C:\WINDOWS\system32\evytlbqm.dll
C:\WINDOWS\system32\ggvwwjem.ini
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini2
C:\WINDOWS\system32\iiravyow.dll
C:\WINDOWS\system32\ksvnydd.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mejwwvgg.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nGpxx18\nGpxx182328.exe
C:\WINDOWS\system32\p9
C:\WINDOWS\system32\p9\liopud89104.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\parcnxjl.dll
C:\WINDOWS\system32\poxmihov.ini
C:\WINDOWS\system32\tbdiekmm.dll
C:\WINDOWS\system32\tuvuspm.dll
C:\WINDOWS\system32\utryquww.dll
C:\WINDOWS\system32\v6
C:\WINDOWS\system32\w11
C:\WINDOWS\system32\w11\hiba3133.exe
C:\WINDOWS\system32\wssdgysu.ini
C:\WINDOWS\system32\wvurpno.dll
C:\WINDOWS\wr.txt
C:\WINDOWS\Fonts'

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MEBTUVZZ
-------\mebtuvzz

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 20:32 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-20 20:32 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-20 20:32 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-20 20:32 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-20 20:32 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-20 20:32 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-20 20:31 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-20 20:31 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-18 20:31 . 2008-02-19 14:11 414 --ahs---- C:\WINDOWS\system32\olmxfluw.ini
2008-02-17 22:31 . 2008-02-17 22:33 d-------- C:\Program Files\Easy MPEG AVI DIVX WMV RM to DVD
2008-02-17 22:31 . 2008-02-20 08:46 67 --a------ C:\WINDOWS\Easy Video to DVD.INI
2008-02-17 22:23 . 2008-02-17 22:24 1,250,147 --ahs---- C:\WINDOWS\system32\wuinducy.tmp
2008-02-17 21:36 . 2008-02-17 21:36 d-------- C:\Program Files\Opera
2008-02-17 20:47 . 2008-02-17 20:47 d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-17 20:47 . 2008-02-17 20:47 29 --a------ C:\WINDOWS\atid.ini
2008-02-17 18:53 . 2008-02-17 19:10 d-------- C:\Program Files\RegCure
2008-02-17 17:50 . 2008-02-18 08:05 d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-02-17 17:15 . 2008-02-17 17:15 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-02-17 12:03 . 2008-02-17 12:03 d-------- C:\Program Files\Common Files\RuleSpace
2008-02-17 12:01 . 2008-02-17 12:01 d-------- C:\Program Files\Common Files\Aluria
2008-02-17 11:54 . 2008-02-17 11:54 d-------- C:\Program Files\Common Files\Authentium
2008-02-17 02:33 . 2008-02-17 02:33 d-------- C:\Program Files\Lavasoft
2008-02-17 02:33 . 2008-02-17 02:37 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 02:32 . 2008-02-17 02:32 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 02:10 . 2008-02-17 02:10 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-02-17 01:07 . 2008-02-17 01:07 d-------- C:\Program Files\Windows Defender
2008-02-16 08:26 . 2008-02-20 20:19 d-------- C:\Documents and Settings\mine\Incomplete
2008-02-16 08:26 . 2008-02-16 08:26 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-16 08:23 . 2008-02-16 19:53 d-------- C:\Program Files\RABCO
2008-02-16 08:23 . 2008-02-16 08:23 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-16 08:22 . 2008-02-20 22:18 d-------- C:\Temp
2008-02-15 21:26 . 2008-02-15 23:37 d-------- C:\my dvd
2008-02-14 13:06 . 2008-02-14 13:06 d-------- C:\Documents and Settings\mine\Application Data\NewsLeecher
2008-02-12 00:37 . 2008-02-12 00:37 d-------- C:\Program Files\LightScribe Diagnostic Utility
2008-02-11 20:24 . 2008-02-11 20:24 d-------- C:\Program Files\Common Files\LightScribe
2008-02-11 20:03 . 2005-11-14 08:33 139,264 -ra------ C:\WINDOWS\system32\geneicon.dll
2008-02-11 20:03 . 2005-11-14 08:33 45,056 -ra------ C:\WINDOWS\system32\usbmonit.exe
2008-02-11 20:03 . 2005-11-14 08:33 36,864 -ra------ C:\WINDOWS\system32\deluidrv.exe
2008-02-11 20:03 . 2005-11-14 08:33 32,768 -ra------ C:\WINDOWS\system32\delentry.exe
2008-02-11 20:03 . 2005-11-14 08:33 24,720 -ra------ C:\WINDOWS\system32\drivers\geneuide.sys
2008-02-11 20:03 . 2005-11-14 08:33 445 -ra------ C:\WINDOWS\system32\iconcfg.ini
2008-02-11 19:20 . 2008-02-11 19:20 d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-02-11 18:52 . 2008-02-20 20:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-10 21:26 . 2008-02-18 21:17 d-------- C:\Documents and Settings\mine\Application Data\Ahead
2008-02-10 21:23 . 2008-02-10 21:23 d-------- C:\Program Files\Nero
2008-02-10 21:23 . 2008-02-10 21:29 d-------- C:\Program Files\Common Files\Ahead
2008-02-10 21:23 . 2008-02-10 21:23 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-09 23:29 . 2008-02-09 23:30 d-------- C:\Program Files\Easy Avi Divx Xvid to DVD Burner
2008-02-09 23:29 . 2008-02-20 19:26 67 --a------ C:\WINDOWS\Easy Avi Divx Xvid to DVD Burner.INI
2008-02-09 17:01 . 2008-02-14 13:06 d-------- C:\Program Files\NewsLeecher
2008-02-09 17:00 . 2008-02-09 17:00 d-------- C:\Program Files\ParNRar
2008-02-03 11:15 . 2008-02-03 11:15 111 --a------ C:\WINDOWS\musicmaker.INI
2008-02-03 11:09 . 2004-08-11 20:53 38,912 --a------ C:\WINDOWS\system32\mgxasio.dll
2008-01-21 10:45 . 2008-01-21 10:47 d-------- C:\Movies
2008-01-21 10:43 . 2008-01-21 10:43 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-21 10:43 . 2007-05-13 12:24 86,683 --a------ C:\WINDOWS\system32\pthreadGC2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 23:56 --------- d-----w C:\Documents and Settings\mine\Application Data\LimeWire
2008-02-20 05:06 --------- d-----w C:\Documents and Settings\mine\Application Data\uTorrent
2008-02-18 04:06 --------- d-----w C:\Program Files\Java
2008-02-18 03:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-18 03:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-18 03:08 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-02-17 16:44 --------- d-----w C:\Program Files\Clearwire
2008-02-13 03:54 786 ----a-w C:\Documents and Settings\mine\Application Data\wklnhst.dat
2008-02-13 02:22 --------- d-----w C:\Program Files\BitLord
2007-12-30 13:52 --------- d-----w C:\Program Files\Native Instruments
2006-10-09 22:40 0 -c-ha-w C:\Documents and Settings\All Users\Application Data\gwseh.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 18:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 15:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ScratchAmp"="C:\Program Files\Stanton\FinalScratch\ScratchAmpControl.exe" [2004-11-18 05:51 1363968]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-09 17:39 98304]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 11:58 2483496]
"ESP"="C:\Program Files\Clearwire\CSS 3.0\app\start.exe" [2007-11-28 13:26 62952]
"HostManager"="C:\Program Files\Common Files\AOL\1203304959\ee\AOLSoftware.exe" [2006-04-13 15:36 50792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-09 17:36:20 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^mine^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^mine^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-04 10:39 149040 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 20:30 1191936 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2006-02-09 17:34 106496 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-10-09 17:48 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPhoneVideoConverter_upgrade]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-01-24 12:32 2289664 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 19:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-08-13 19:04 5562368 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-05-04 10:59 161328 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-03-21 12:19 69632 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-09 17:39 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-10-09 17:38 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-29 23:14 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-25 20:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)