help please look

I’m getting random web sites popping up on my computer. IE starts and loads these automatically. Here is my HJT. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:49 PM, on 10/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM..\Run: [Byte Tool Tons Mail] C:\Documents and Settings\All Users\Application Data\Ping Sign Byte Tool\Admin Long.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [GoldenFTPserver] "C:\Program Files\Golden FTP Server\GFTP.exe"
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU..\Run: [BoltMove] C:\DOCUME~1\LtDan\APPLIC~1\DEFAUL~1\MathCash.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: YPOPs.lnk = C:\Program Files\YPOPs\ypops.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\LtDan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\LtDan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219179277346
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Hi ltdanman44,

Try a boot-time scan with avast! Right-click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

Try the usual free adware/spyware scanners.

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
Malwarebytes’ Anti-Malware

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Hi ltdanman44,

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all. We recommend you to use a firewall. Download and install one or activate Windows XP’s own one.

Two things you could fix with HJT:

O4 - HKLM..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" Must be fixed!

O4 - HKCU..\Run: [BoltMove] C:\DOCUME~1\LtDan\APPLIC~1\DEFAUL~1\MathCash.exe Nasty (2.06 / 5.00)

Because of the second find, I propose you download SmitfraudFix:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Download SmitfraudFix (first save, then unpack all files). Place the file SmitfraudFix.exe on your desktop.
Now start your PC in Safe Mode (after the hard disk screen etc., keep pushing the function key F8).
Then choose to restart in Safe Mode, then perform the next steps:

Double-click smitfraudfix.exe.
Choose option #2 - Clean by typing 2 and pushing “Enter”.

When you get the next prompt: “Registry cleaning - Do you want to clean the registry ?”, answer “yes” by clicking Y and then clicking “Enter”. Your desktop will be restored and the registry keys that the malware put there will be cleansed from your computer.

It is possible that SmitfraudFix makes the computer restart again to cleanse off remnants of malware.
When the computer does not restart automatically, restart your computer manually in normal mode.
Give us a survey of all the files and folders that SmitfraudFix deleted; you find those in C:\rapport.txt.
Attach that as a txt file to your next posting,

polonus

Thanks guys for the help!! HJT was able to remove the smitfraud virus… I was reading about it on wiki, and found out a friend wanted to watch a movie on a website and installed their “software” to view… but he said after he installed it nothing happened. And of course he did it on my computer! Not his! :(

Crap! It’s back. I tried all the previous suggestions and none of them work… I know it’s the mathcash.exe file but I can’t get rid of it. Any further help would be appreciated.

Hi ltdanman44,

It is System Restore that does that, or some registry setting that brings it back. Try the suggested cleansing with System Restore disabled: http://www.pchell.com/virus/systemrestore.shtml and then also run in Safe Mode: http://www.pchell.com/support/safemode.shtml

polonus

System Restore was already disabled, but not by me… Tried your response, it’s still there.

Hi ltdanman44,

Well, try ComboFix then, following the instructions you will find at this link:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the logfile txt and we will find a way to analyze it and give further assistance,

polonus

Hi,
next time go to Trend Micro and download a new version of HJT.
We need to see your logs, not just a verbal report.

Did you run the SmitfraudFix suggested by polonus?
How about
MBAM
Spybot
and
SAS?
Post the logs.

MBAM: update, put a check mark next to all baddies and click REMOVE SELECTED.

Spybot and SAS: update, Clean and Quarantine. Edit out cookies when you post logs.

We may have to bring in a ComboFix specialist, but we need to see the logs,

with a fresh HJT.
Thanks.

ComboFix 08-10-10.09 - LtDan 2008-10-10 22:51:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1589 [GMT -5:00]
Running from: C:\Documents and Settings\LtDan\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 )))))))))))))))))))))))))))))))
.

2008-10-10 18:09 . 2008-10-10 18:18 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-10 16:46 . 2008-10-10 16:46 d-------- C:\Documents and Settings\LtDan\Application Data\Malwarebytes
2008-10-10 16:46 . 2008-10-10 16:46 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-10 16:19 . 2008-10-10 16:19 d-------- C:\ERDNT
2008-10-10 16:10 . 2008-10-10 16:40 d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-10 16:10 . 2008-10-10 16:40 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-10 15:58 . 2008-10-10 15:59 d-------- C:\SmitfraudFix
2008-10-10 15:56 . 2008-10-10 15:51 1,660,243 --a------ C:\SmitfraudFix.exe
2008-10-10 15:53 . 2008-10-10 15:53 d-------- C:\Documents and Settings\Administrator
2008-10-09 22:22 . 2008-10-10 17:22 2,548 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-10-09 17:02 . 2008-10-09 17:02 d-------- C:\Program Files\DefaultBashFour
2008-10-09 17:02 . 2008-10-09 17:02 d-------- C:\Documents and Settings\All Users\Application Data\Ping Sign Byte Tool
2008-10-09 17:01 . 2008-10-09 17:01 d-------- C:\WINDOWS\Sun
2008-10-09 17:01 . 2008-10-09 17:01 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-09 17:01 . 2008-10-09 17:01 d-------- C:\Documents and Settings\LtDan\Application Data\Yahoo!
2008-10-09 17:01 . 2008-10-09 17:01 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-09 15:12 . 2008-04-13 13:39 206,976 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Dot4.sys
2008-10-09 15:12 . 2008-04-13 13:39 206,976 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\dot4.sys
2008-10-09 15:12 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Dot4usb.sys
2008-10-09 15:12 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\dot4usb.sys
2008-10-09 15:12 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Dot4Prt.sys
2008-10-09 15:12 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\dot4prt.sys
2008-09-28 16:21 . 2008-09-28 16:21 303 --a------ C:\WINDOWS\ST6UNST.010
2008-09-28 16:20 . 2008-09-28 16:20 303 --a------ C:\WINDOWS\ST6UNST.009
2008-09-28 16:20 . 2008-09-28 16:20 303 --a------ C:\WINDOWS\ST6UNST.008
2008-09-28 16:19 . 2008-09-28 16:19 303 --a------ C:\WINDOWS\ST6UNST.007
2008-09-28 16:19 . 2008-09-28 16:19 303 --a------ C:\WINDOWS\ST6UNST.006
2008-09-28 16:14 . 2008-09-28 16:14 303 --a------ C:\WINDOWS\ST6UNST.005
2008-09-28 16:08 . 2008-09-28 16:21 4,265 --a------ C:\WINDOWS\SETUP.LST
2008-09-28 16:08 . 2008-09-28 16:08 303 --a------ C:\WINDOWS\ST6UNST.004
2008-09-28 16:08 . 2008-09-28 16:08 303 --a------ C:\WINDOWS\ST6UNST.003
2008-09-28 16:08 . 2008-09-28 16:08 303 --a------ C:\WINDOWS\ST6UNST.002
2008-09-28 16:08 . 2008-09-28 16:08 303 --a------ C:\WINDOWS\ST6UNST.001
2008-09-28 16:07 . 2008-10-09 17:00 d-------- C:\hero
2008-09-28 16:07 . 2008-04-28 00:58 24,525 --a------ C:\ANGELOSD.ZIP
2008-09-28 16:06 . 2006-01-22 13:37 5,657,192 --a------ C:\HEROEDIT.CAB
2008-09-28 16:06 . 2006-01-22 13:36 4,265 --a------ C:\SETUP.LST
2008-09-28 16:06 . 2004-08-03 00:00 232 --a------ C:\DOWNLOAD.URL
2008-09-28 16:05 . 2008-09-28 16:05 303 --a------ C:\WINDOWS\ST6UNST.000
2008-09-24 16:55 . 2008-09-24 16:55 d-------- C:\Program Files\Western Digital
2008-09-17 20:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-17 20:11 . 2008-09-17 20:12 d-------- C:\Program Files\Java
2008-09-17 20:10 . 2008-09-17 20:10 d-------- C:\Program Files\Common Files\Java
2008-09-16 20:07 . 2008-10-09 17:01 d-------- C:\Program Files\SUPERAntiSpyware
2008-09-16 20:07 . 2008-09-16 20:07 d-------- C:\Documents and Settings\LtDan\Application Data\SUPERAntiSpyware.com
2008-09-16 19:58 . 2008-10-10 18:31 d-------- C:\Program Files\Exterminate It!
2008-09-15 19:15 . 2008-10-09 17:01 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-15 19:15 . 2008-10-09 17:01 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-15 19:14 . 2008-09-15 19:15 d-------- C:\Program Files\Yahoo!
2008-09-15 17:50 . 2008-09-15 17:50 dr-h----- C:\Documents and Settings\LtDan\Application Data\SecuROM
2008-09-15 15:55 . 2008-10-09 17:01 d-------- C:\Documents and Settings\LtDan\Application Data\GetRightToGo
2008-09-14 01:11 . 2008-09-14 01:11 d-------- C:\Program Files\Google
2008-09-14 00:59 . 2008-09-14 02:55 d-------- C:\Program Files\Golden FTP Server
2008-09-14 00:36 . 2008-09-14 00:41 d-------- C:\Documents and Settings\LtDan\Application Data\FileZilla
2008-09-13 21:41 . 2008-09-13 21:41 d-------- C:\Documents and Settings\LtDan\Application Data\acccore
2008-09-13 21:40 . 2008-09-13 21:40 d-------- C:\Program Files\Common Files\AOL
2008-09-13 21:40 . 2008-10-09 17:42 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-13 21:40 . 2008-09-13 21:42 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-09-13 21:40 . 2008-09-13 21:40 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-09-13 21:40 . 2008-09-13 21:40 d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-09-13 21:39 . 2008-09-13 21:41 d-------- C:\Program Files\AIM6
2008-09-13 21:39 . 2008-09-13 21:41 466 --ah----- C:\IPH.PH
2008-09-13 21:21 . 2008-09-13 21:21 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-09-13 21:21 . 2008-09-13 21:30 27,449 --a------ C:\WINDOWS\DIIUnin.dat
2008-09-13 21:21 . 2008-09-13 21:21 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-09-13 21:15 . 2006-03-17 20:39 147,456 --a------ C:\BURNCDCC.EXE
2008-09-13 20:52 . 2008-09-13 20:52 d--------

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 23:50 138,464 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-10 23:47 183,128 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-10-10 23:36 --------- d-----w C:\Program Files\YPOPs
2008-10-09 22:02 --------- d-----w C:\Program Files\Absolute Poker
2008-10-09 22:01 --------- d-----w C:\Documents and Settings\LtDan\Application Data\uTorrent
2008-09-24 21:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 06:58 --------- d-----w C:\Program Files\Turbine
2008-09-14 02:28 21,840 ----atw C:\WINDOWS\SYSTEM32\SIntfNT.dll
2008-09-14 02:28 17,212 ----atw C:\WINDOWS\SYSTEM32\SIntf32.dll
2008-09-14 02:28 12,067 ----atw C:\WINDOWS\SYSTEM32\SIntf16.dll
2008-08-31 04:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-31 04:17 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-31 04:17 --------- d-----w C:\Documents and Settings\LtDan\Application Data\Microsoft Web Folders
2008-08-28 10:23 --------- d-----w C:\Program Files\Codemasters
2008-08-26 22:21 --------- d-----w C:\Program Files\HooTech
2008-08-26 21:09 --------- d-----w C:\Program Files\Free Sound Recorder
2008-08-26 21:09 --------- d-----w C:\Documents and Settings\LtDan\Application Data\Free Sound Recorder
2008-08-26 00:42 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-25 02:55 --------- d-----w C:\Program Files\Microsoft Games
2008-08-25 02:25 --------- d-----w C:\Program Files\Electronic Arts
2008-08-23 03:07 --------- d-----w C:\Program Files_uninstallation_info
2008-08-22 20:59 524,288 ----a-w C:\Nf72_15.bin
2008-08-22 20:59 47,686 ----a-w C:\awdflash.exe
2008-08-22 20:59 341 ----a-w C:\RUNME.BAT
2008-08-22 18:59 --------- d-----w C:\Program Files\EA GAMES
2008-08-21 03:21 682,280 ----a-w C:\WINDOWS\SYSTEM32\pbsvc[1].exe
2008-08-20 22:14 --------- d-----w C:\Program Files\VideoLAN
2008-08-20 22:14 --------- d-----w C:\Documents and Settings\LtDan\Application Data\vlc
2008-08-20 21:52 --------- d-----w C:\Program Files\7-Zip
2008-08-20 09:34 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-08-20 08:49 --------- d-----w C:\Program Files\NOS
2008-08-20 08:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-20 08:47 --------- d-----w C:\Program Files\Alwil Software
2008-08-20 05:16 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-20 05:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-20 01:02 --------- d-----w C:\Program Files\Atari
2008-08-19 22:56 --------- d-----w C:\Program Files\Alex Feinman
2008-08-19 22:25 --------- d-----w C:\Program Files\uTorrent
2008-08-19 21:22 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-08-19 21:01 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-08-18 15:22 --------- d-----w C:\Program Files\DirectX
2008-08-18 15:21 266 --sh--w C:\Program Files\desktop.ini
2008-08-18 15:21 11,079 ---ha-w C:\Program Files\folder.htt
2008-08-18 15:13 5,166 --sh--w C:\SUHDLOG.DAT
2008-08-18 15:07 --------- d-----w C:\Program Files\PLUS!
2008-08-18 15:07 --------- d-----w C:\Program Files\CHAT
2008-08-18 15:07 --------- d-----r C:\Program Files\Accessories
2008-07-31 15:41 68,616 ----a-w C:\WINDOWS\SYSTEM32\XAPOFX1_1.dll
2008-07-31 15:41 238,088 ----a-w C:\WINDOWS\SYSTEM32\xactengine3_2.dll
2008-07-31 15:40 509,448 ----a-w C:\WINDOWS\SYSTEM32\XAudio2_2.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-12 13:18 467,984 ----a-w C:\WINDOWS\SYSTEM32\d3dx10_39.dll
2008-07-12 13:18 3,851,784 ----a-w C:\WINDOWS\SYSTEM32\D3DX9_39.dll
2008-07-12 13:18 1,493,528 ----a-w C:\WINDOWS\SYSTEM32\D3DCompiler_39.dll
2004-01-01 05:42 22,328 ----a-w C:\Documents and Settings\LtDan\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\SYSTEM32\nwiz.exe]

C:\Documents and Settings\LtDan\Start Menu\Programs\Startup
YPOPs.lnk - C:\Program Files\YPOPs\ypops.exe [2008-09-13 1347584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.iv41”= ir41_32.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"=
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"=
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"=
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"=
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"=
"C:\WINDOWS\SYSTEM32\PnkBstrA.exe"=
"C:\WINDOWS\SYSTEM32\PnkBstrB.exe"=
"C:\Program Files\Electronic Arts\Need For Speed III\nfs3.exe"=
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"=
"C:\Program Files\AIM6\aim6.exe"=
"C:\Program Files\Google\Google Talk\googletalk.exe"=
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"C:\Program Files\Yahoo!\Messenger\YServer.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5121:UDP"= 5121:UDP:nw2
"6500:UDP"= 6500:UDP:n w21
"6667:UDP"= 6667:UDP:nw22
"27900:UDP"= 27900:UDP:nw23
"28900:UDP"= 28900:UDP:nw24
"4000:TCP"= 4000:TCP:diablo 2
"6112:UDP"= 6112:UDP:diablo 2 also

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 44032]

Newly Created Service - IKFILESEC
Newly Created Service - IKSYSFLT
Newly Created Service - IKSYSSEC
Newly Created Service - MCHINJDRV
Newly Created Service - PNKBSTRB
.
Contents of the 'Scheduled Tasks' folder

2008-10-11 C:\WINDOWS\Tasks\B07949EF9042C133.job

- c:\docume~1\ltdan\applic~1\defaul~1\Memo Hide Third.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.fark.com/

O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
C:\WINDOWS\Downloaded Program Files\SysReqLab3.osd
C:\WINDOWS\Downloaded Program Files\sysreqlab3.dll
.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 22:53:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-10-10 22:54:11
ComboFix-quarantined-files.txt 2008-10-11 03:54:02
ComboFix2.txt 2008-10-10 21:24:29

Pre-Run: 53,394,508,800 bytes free
Post-Run: 53,466,948,608 bytes free

232 --- E O F --- 2008-09-09 22:47:59

Here’s a fresh HJT log as well.

Logfile of HijackThis v1.99.1
Scan saved at 22:58:38, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: YPOPs.lnk = C:\Program Files\YPOPs\ypops.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\LtDan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\LtDan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219179277346
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

Hi ltdanman44,

Your apparent lop-infection was cured, according to what I see in your latest HJT logfile, but these are not showing up in the ComboFix report of what was cleansed. May I ask you what removed these?

O4 - HKLM..\Run: [Byte Tool Tons Mail] C:\Documents and Settings\All Users\Application Data\Ping Sign Byte Tool\Admin Long.exe

O4 - HKCU..\Run: [BoltMove] C:\DOCUME~1\LtDan\APPLIC~1\DEFAUL~1\MathCash.exe

Furthermore you now seem “out of the woods”,

polonus

polonus, I placed check marks in the boxes before those and told HJT to remove them. I have not had any web pages “pop” up in 24 hours… I will keep an eye on it though. For some reason when I saw

O4 - HKLM..\Run: [Byte Tool Tons Mail] C:\Documents and Settings\All Users\Application Data\Ping Sign Byte Tool\Admin Long.exe

I thought to myself, that doesn’t belong there… the same with that mathcash.exe.

I know exactly every program on my machine and those stuck out like a sore thumb… Thanks for your help polonus, you are awesome.
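The two entries polonus flagged earlier (Byte Tool Tons Mail and BoltMove) and the scheduled-task payload in the ComboFix log share one trait that made them stand out: the executable lives under a user profile's Application Data directory, which any unprivileged process can write to, rather than under Program Files or System32. The script below is an added example written for this thread, not code from HijackThis, ComboFix or any poster. It parses HijackThis O4 lines (accepting the `HKLM..\Run` spelling shown in the logs here), pulls the first absolute executable path out of the command, and flags entries whose path sits in a user-writable profile location. The function names, the location heuristic and the sample lines are all mine; the sample is constructed from lines quoted in this thread. It also goes slightly beyond O4 lines: any other log line carrying an absolute executable path, such as the ComboFix task entry, is checked with the same rule.

```python
import re
from typing import Optional

# Constructed sample, modelled on the HijackThis O4 lines and the ComboFix
# scheduled-task entry quoted in this thread. Not a live log.
SAMPLE_LINES = [
    r'O4 - HKLM..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"',
    r'O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM..\Run: [nwiz] nwiz.exe /install',
    r'O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe',
    r'O4 - HKLM..\Run: [Byte Tool Tons Mail] C:\Documents and Settings\All Users\Application Data\Ping Sign Byte Tool\Admin Long.exe',
    r'O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU..\Run: [BoltMove] C:\DOCUME~1\LtDan\APPLIC~1\DEFAUL~1\MathCash.exe',
    r'O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    r'O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll',
    r'  - c:\docume~1\ltdan\applic~1\defaul~1\Memo Hide Third.exe',
]

# O4 line: "O4 - HKLM\..\Run: [Name] command". The backslash before ".." is
# optional because the forum rendering in this thread dropped it.
_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\?\.\.\\Run: \[(.+?)\] (.*)$")

# First absolute path ending in an executable extension. Non-greedy so that a
# path with spaces is kept whole but a trailing ",EntryPoint" or argument is not.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:exe|dll|scr|com|bat|cmd))', re.IGNORECASE)

# Heuristic (mine): a profile root plus a data/temp subtree means "user-writable".
# Both long and 8.3 short names are covered, since HJT prints either form.
_PROFILE_ROOTS = ("\\documents and settings\\", "\\docume~1\\")
_PROFILE_DATA = ("\\application data\\", "\\applic~1\\",
                 "\\local settings\\", "\\locals~1\\", "\\temp\\")


def is_user_writable(path: str) -> bool:
    """True if the path lies in a profile data directory an unprivileged user can write to."""
    p = path.lower()
    return any(r in p for r in _PROFILE_ROOTS) and any(d in p for d in _PROFILE_DATA)


def parse_o4(line: str) -> Optional[dict]:
    """Split a HijackThis O4 Run-key line into hive, value name, command and executable path."""
    m = _O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, command = m.groups()
    pm = _PATH_RE.search(command)
    if pm:
        path = pm.group(1)
    else:
        # No absolute path (e.g. "nwiz.exe /install"): keep the bare first token.
        parts = command.split()
        path = parts[0].strip('"') if parts else ""
    return {"hive": hive, "name": name, "command": command, "path": path}


def triage(lines) -> list:
    """Return the entries whose executable lives in a user-writable profile directory."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            # Not an O4 line: still look for an absolute executable path (ComboFix task entry etc.).
            pm = _PATH_RE.search(line)
            if not pm:
                continue
            path = pm.group(1)
            entry = {"hive": None, "name": path.rsplit("\\", 1)[-1],
                     "command": line.strip(), "path": path}
        if is_user_writable(entry["path"]):
            entry["reason"] = "autostart executable lives in a user-writable profile directory"
            flagged.append(entry)
    return flagged


def main() -> None:
    for hit in triage(SAMPLE_LINES):
        print(f"[{hit['hive'] or 'task'}] {hit['name']!r} -> {hit['path']}  ({hit['reason']})")


if __name__ == "__main__":
    main()
```

Run against the constructed sample it reports exactly the two Run values polonus asked about plus the `Memo Hide Third.exe` task payload, and stays quiet about the avast!, NVIDIA, Java and SUPERAntiSpyware entries. Treat a hit as a prompt to look closer, not as a verdict: some legitimate per-user installers (updaters, messaging clients) also start from Application Data, so check the publisher and file details before fixing the entry, and quarantine rather than delete, as advised earlier in the thread.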

Hi ltdanman44,

Well, good that is settled then; this will set you at ease. You are welcome to the forums.
Come here often and learn about securing your programs and computer,

polonus