
Mysterious Pop-ups

Last week I discovered that my PC (Win XP Pro SP2) had been infected with various spyware and malware. After scanning with the latest versions of Ad-Aware and CCleaner I found and removed almost 200. After that the only problem that remains is something that launches two IE pop-up windows about every 30 seconds. The scanners I have can't find it and nothing in my installed programs list or Task Manager Processes looks suspicious, to me anyway. I have disabled startup programs, but that doesn't fix it. I got the pop-ups to stop by setting IE to "Work Offline". This doesn't stop me from browsing because I use Firefox anyway. But some programs cannot connect to the Internet: iTunes, my FTP client, basically anything that isn't through Firefox. Whenever I turn "Work Offline" off to use one of the other programs the pop-ups come right back. Help in finding what is launching these pop-ups would be much appreciated.



Here is my HiJackThis Log:



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:35:12 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\lssas.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134606102781
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--

Thanks, just tell me if you need more info.
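As an added example (not part of the original post and not code from HijackThis or ComboFix), here is a small triage script that applies the kind of checks a log helper does by eye on a HijackThis log: running-process names that imitate core Windows binaries (such as lssas.exe next to lsass.exe, or service.exe next to services.exe), O23 services in the Windows folder with no vendor, services whose file is missing, and BHOs with "(no file)". The sample log lines are constructed from the entries in this thread; the heuristics and the list of core process names are assumptions, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style logs: flag entries worth a second look.

Heuristics (assumptions for this example, not HijackThis's own logic):
  * a running process whose name is one edit away from a core Windows binary
    (classic masquerading, e.g. lssas.exe for lsass.exe)
  * O23 services under the Windows folder with "Unknown owner" (no vendor)
  * O23 services whose binary is reported as "(file missing)"
  * O2 BHOs registered with "(no file)"
"""
import re

# Core Windows process names commonly imitated by malware (constructed list).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\lssas.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

PROC_RE = re.compile(r"^[A-Za-z]:\\.*\\([^\\]+\.exe)$", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion,
    substitution or adjacent transposition (lssas vs lsass)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def lookalike_of(name):
    """Return the core Windows binary that `name` imitates, or None.
    A genuine core binary is never reported as a lookalike of itself."""
    name = name.lower()
    if name in CORE_PROCESSES:
        return None
    for core in CORE_PROCESSES:
        if within_one_edit(name, core):
            return core
    return None


def triage(log_text):
    """Scan a HijackThis-style log and return (kind, line, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            core = lookalike_of(m.group(1))
            if core:
                findings.append(("lookalike-process", line, f"resembles {core}"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)"):
                findings.append(("orphaned-service", line, "service points at a missing file"))
            elif m.group("owner") == "Unknown owner" and "\\windows\\" in path.lower():
                findings.append(("unsigned-system-service", line,
                                 "no vendor, binary lives under the Windows folder"))
            continue
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(("dangling-bho", line, "BHO registered but its DLL is gone"))
    return findings


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Every finding is a lead for a human to verify (by vendor, file signature, or the quarantine of a known scanner), not a verdict on its own.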

Comments

  • Rahina-Rescue (Finland)
    edited July 2007
    Hello, you have some nasty bastards on your system; we will help you get rid of them all.

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Step #1

    I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
    That's why I want you to install them first!!

    Avira AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
    Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
    Comodo OR Kerio are FREE firewalls.

    Perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again.

    Step #2

    We have to move HijackThis to its own folder, because in its current location we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entries later.

    Click START>My Computer >right click Local Disk (usually (C:) for most people)>Explore.
    Right click an open area in the main panel.
    Select New > Folder.
    Type in HJT & press Enter

    Now we have created the C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    Please post a fresh HijackThis log in your next reply.

    Step #3

    Please download Combofix to your desktop.
    • Double click on Combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • edited July 2007
    Thank you for the help so far. I managed to find and remove a core.sys infection before seeing your post. This stopped all of the pop-ups. I have decided to follow your instructions anyway in an attempt to remove any other infections and prevent them in the future. I have installed Avira AVG and COMODO. Avira found 2 infections and cleaned them.

    Here is my HJT log:



    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 3:25:52 AM, on 7/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT2\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134606102781
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
    O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 5336 bytes


    And my Combofix log:


    "Administrator" - 2007-07-11 3:04:29 - ComboFix 07-07-10.1 - Service Pack 2


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\service.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\mcroso~1
    C:\WINDOWS\system32\ms32.dll
    C:\WINDOWS\system32\wnstssv32.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    \LEGACY_CMDSERVICE
    \LEGACY_CORE
    \LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


    2007-07-11 03:04 51,200 --a
    C:\WINDOWS\nircmd.exe
    2007-07-11 02:54 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-07-11 02:54 <DIR> d
    C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo
    2007-07-11 02:52 <DIR> d
    C:\Program Files\Comodo
    2007-07-10 23:54 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-07-10 23:26 <DIR> d
    C:\DOCUME~1\ADMINI~1\APPLIC~1\Logitech
    2007-07-10 23:23 <DIR> d
    C:\HJT2
    2007-07-10 23:21 13,440 --a
    C:\WINDOWS\system32\drivers\L8042Kbd.SYS
    2007-07-10 23:20 68,864 --a
    C:\WINDOWS\system32\drivers\LMouKE.Sys
    2007-07-10 23:20 55,040 --a
    C:\WINDOWS\system32\drivers\L8042MOU.SYS
    2007-07-10 23:20 36,608 --a
    C:\WINDOWS\system32\drivers\LHidUsbK.sys
    2007-07-10 23:20 28,160 --a
    C:\WINDOWS\KHALMNPR.Exe
    2007-07-10 23:20 26,112 --a
    C:\WINDOWS\system32\drivers\LHidKE.Sys
    2007-07-10 23:20 <DIR> d
    C:\Program Files\Logitech
    2007-07-10 23:20 <DIR> d
    C:\Program Files\Common Files\Logitech
    2007-07-10 07:27 54,784 --a
    C:\WINDOWS\system32\msvci70.dll
    2007-07-10 07:27 153,088 --a
    C:\UNWISE.EXE
    2007-07-10 07:27 <DIR> d
    C:\Program Files\steinberg
    2007-07-10 07:27 <DIR> d
    C:\Program Files\FXpansion
    2007-07-10 07:27 <DIR> d
    C:\Program Files\Common Files\Digidesign
    2007-07-10 06:22 <DIR> d
    C:\audio
    2007-07-09 17:49 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-30 06:19 <DIR> d
    C:\Program Files\a-squared Anti-Malware
    2007-06-30 05:01 <DIR> d
    C:\Program Files\a-squared Free
    2007-06-26 02:06 <DIR> d
    C:\Program Files\CCleaner
    2007-06-26 00:43 <DIR> d
    C:\DOCUME~1\ADMINI~1\.housecall6.6
    2007-06-24 22:52 <DIR> d
    C:\WINDOWS\kquu
    2007-06-24 22:52 <DIR> d
    C:\Program Files\Common Files\kquu
    2007-06-24 22:37 <DIR> d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
    2007-06-22 22:04 <DIR> d
    C:\Program Files\the-myspace-editor


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-11 07:08:50 12,670 ----a-w C:\WINDOWS\system32\tablet.dat
    2007-07-11 07:07:40 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 07:07:40 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 03:20:23
    d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-10 10:31:38 73 ----a-w C:\WINDOWS\system32\ssprs.dll
    2007-07-10 10:31:38 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
    2007-07-10 10:25:12
    d
    w C:\Program Files\Native Instruments
    2007-06-07 05:05:45
    d
    w C:\Program Files\Antares Audio Technologies
    2007-06-04 01:52:36
    d
    w C:\Program Files\Add Remove Pro
    2007-06-02 19:39:33
    d
    w C:\Program Files\Yahoo!
    2007-06-02 00:04:54 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-05-26 21:41:38
    d
    w C:\Program Files\FLAC
    2007-05-25 00:05:41
    d
    w C:\Program Files\Real Alternative
    2007-05-25 00:05:40
    d
    w C:\Program Files\CamStudio
    2007-05-25 00:05:40
    d
    w C:\Program Files\Better File Rename
    2007-05-24 22:22:58
    d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
    2007-05-20 06:46:15
    d
    w C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
    2007-05-20 06:13:25
    d
    w C:\Program Files\VideoLAN
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\M0RCT1hYLVczMjAw\gXlFnY1sMpwWg3ET.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-01-12 21:38 63128 --a
    C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a
    C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-11 02:52]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 13:38]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\retadpu272.exe 61A847B5BBF728103599284503996897C881250221C8670836AC4FA7C8833201749139

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    C:\WINDOWS\UpdReg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    C:\Program Files\WinPop\winpop.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfcbb642-8009-11d9-bee5-806d6172696f}]
    AutoRun\command- D:\ASUSACPI.exe


    Contents of the 'Scheduled Tasks' folder
    2007-07-09 12:57:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-11 03:08:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\maya70docserver]
    "ImagePath"="\"C:\Program Files\Alias\Maya7.0\docs\wrapper.exe\" -s \"C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf\""

    Completion time: 2007-07-11 3:10:00 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-11 03:09

    --- E O F ---
  • Rahina-Rescue (Finland)
    edited July 2007
    ( 1 ) Next, Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Winpop

    ( 2 ) Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\altsvc.exe
    C:\WINDOWS\system32\service.exe
    C:\WINDOWS\nircmd.exe
    C:\WINDOWS\retadpu272.exe

    Folder::
    C:\Program Files\WinPop

    Driver::
    Netbios Helper Service
    Network DDE Connections

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    Save this as ComboFix-Do.txt

    [Image: Combo-Do.gif]

    Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe.

    ( 3 ) Please open HijackThis and scan. Check the boxes next to all the entries listed below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)



    ( 4 ) Please download Deckard's System Scanner (DSS) to your desktop.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - Main.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
    • A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
    • Please also copy the contents of Extra.txt to your post as well.
    • Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
    • What DSS will do:
    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
  • edited July 2007
    Deckard's System Scanner v20070708.52
    Run by Administrator on 2007-07-11 at 07:08:46
    Computer is in Normal Mode.

    -- System Restore

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    88: 2007-07-11 11:08:49 UTC - RP528 - Deckard's System Scanner Restore Point
    87: 2007-07-11 09:44:33 UTC - RP527 - SPTD setup V1.49
    86: 2007-07-11 08:57:48 UTC - RP526 - Installed iTunes
    85: 2007-07-11 03:50:09 UTC - RP525 - AntiVir PersonalEdition Classic - 7/10/2007 23:50
    84: 2007-07-11 00:35:05 UTC - RP524 - Software Distribution Service 3.0


    -- First Restore Point --
    1: 2007-04-12 07:00:21 UTC - RP441 - Software Distribution Service 2.0


    Backed up registry hives.

    Performed disk cleanup.


    -- HijackThis Clone

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-07-11 07:09:43
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\cpf.exe
    C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Administrator\Desktop\Security\dss.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: sndvol32.lnk = C:\WINDOWS\system32\sndvol32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134606102781
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"
    O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - "C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"
    O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    -- HijackThis Fixed Entries (C:\Documents and Settings\Administrator\Desktop\Security\backups\)

    backup-20070711-070610-660 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    backup-20070711-070610-839 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    backup-20070711-070610-870 O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
    backup-20070711-070610-881 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
    R1 aslm75 - c:\windows\system32\drivers\aslm75.sys
    R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
    R3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
    R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>

    S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)
    S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)
    S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 maya70docserver (Maya 7.0 Documentation Server) - "c:\program files\alias\maya7.0\docs\wrapper.exe" -s "c:\program files\alias\maya7.0\docs\wrapper.conf"
    R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>

    S2 NETDDEC (Network DDE Connections) - c:\windows\system32\service.exe (file missing)
    S3 Hliid394 -


    -- Scheduled Tasks

    2007-07-09 08:57:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2007-06-11 and 2007-07-11

    2007-07-11 06:58:17 528 --a------ C:\CFCleanUp.bat
    2007-07-11 04:58:09 0 d-------- C:\Program Files\iPod
    2007-07-11 04:57:06 0 d-------- C:\Program Files\QuickTime
    2007-07-11 04:56:04 0 d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-07-11 04:55:49 0 d-------- C:\Program Files\Common Files\Apple
    2007-07-11 04:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-07-11 03:02:22 0 dr-h----- C:\Documents and Settings\Administrator\Recent
    2007-07-11 02:54:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2007-07-11 02:54:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2007-07-11 02:52:39 0 d-------- C:\Program Files\Comodo
    2007-07-10 23:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2007-07-10 23:26:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Logitech
    2007-07-10 23:23:15 0 d-------- C:\HJT2
    2007-07-10 23:20:31 0 d-------- C:\Program Files\Common Files\Logitech
    2007-07-10 23:20:26 0 d-------- C:\Program Files\Logitech
    2007-07-10 07:27:29 0 d-------- C:\Program Files\steinberg
    2007-07-10 07:27:29 0 d-------- C:\Program Files\Common Files\Digidesign
    2007-07-10 07:27:20 153088 --a------ C:\UNWISE.EXE
    2007-07-10 07:27:20 0 d-------- C:\Program Files\FXpansion
    2007-07-10 06:22:18 0 d-------- C:\audio
    2007-07-09 17:49:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-06-30 06:19:54 0 d-------- C:\Program Files\a-squared Anti-Malware
    2007-06-30 05:01:12 0 d-------- C:\Program Files\a-squared Free
    2007-06-26 02:06:08 0 d-------- C:\Program Files\CCleaner
    2007-06-26 00:43:44 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2007-06-24 22:52:37 0 d-------- C:\WINDOWS\kquu
    2007-06-24 22:52:37 0 d-------- C:\Program Files\Common Files\kquu
    2007-06-24 22:37:31 0 d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
    2007-06-22 22:04:13 0 d-------- C:\Program Files\the-myspace-editor


    -- Find3M Report

    2007-07-11 07:01:01 12670 --a------ C:\WINDOWS\system32\tablet.dat
    2007-07-11 07:00:07 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 07:00:07 384 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 05:48:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-07-11 04:58:18 0 d-------- C:\Program Files\iTunes
    2007-07-11 04:56:15 0 d-------- C:\Program Files\Apple Software Update
    2007-07-10 23:20:23 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-10 06:31:38 73 --a------ C:\WINDOWS\system32\ssprs.dll
    2007-07-10 06:31:38 205 --a------ C:\WINDOWS\system32\lsprst7.dll
    2007-07-10 06:25:12 0 d-------- C:\Program Files\Native Instruments
    2007-07-08 19:18:22 0 d-------- C:\Program Files\Java
    2007-06-07 01:05:45 0 d-------- C:\Program Files\Antares Audio Technologies
    2007-06-03 23:01:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2007-06-03 22:33:25 0 d-------- C:\Program Files\Common Files\Adobe
    2007-06-03 21:52:36 0 d-------- C:\Program Files\Add Remove Pro
    2007-06-02 15:39:33 0 d-------- C:\Program Files\Yahoo!
    2007-05-26 17:41:38 0 d-------- C:\Program Files\FLAC
    2007-05-24 20:05:41 0 d-------- C:\Program Files\Real Alternative
    2007-05-24 20:05:40 0 d-------- C:\Program Files\CamStudio
    2007-05-24 20:05:40 0 d-------- C:\Program Files\Better File Rename
    2007-05-24 18:22:58 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
    2007-05-20 02:46:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
    2007-05-20 02:13:25 0 d-------- C:\Program Files\VideoLAN


    -- Registry Dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "nwiz"="nwiz.exe /install"
    "H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
    "CTHelper"="CTHELPER.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bfcbb642-8009-11d9-bee5-806d6172696f}]
    Shell\AutoRun\command D:\ASUSACPI.exe


    -- End of Deckard's System Scanner: finished at 2007-07-11 at 07:10:05




    Deckard's System Scanner v20070708.52
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Athlon(tm) 64 Processor 4000+
    Percentage of Memory in Use: 20%
    Physical Memory (total/avail): 2047.48 MiB / 1627.49 MiB
    Pagefile Memory (total/avail): 3939.77 MiB / 3617.49 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1965.28 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 111.79 GiB total, 47.55 GiB free.
    D: is CDROM (No Media)
    E: is Fixed (NTFS) - 111.79 GiB total, 69.52 GiB free.
    F: is CDROM (CDFS)


    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FirstRunDisabled is set.

    FW: COMODO Firewall Pro v2.3.035 (COMODO)
    AV: Avira AntiVir PersonalEdition v 6.39.0.131 (Avira GmbH)

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Administrator\Application Data
    BOXXPT=102
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=3DBOXX-W3200
    ComSpec=C:\WINDOWS\system32\cmd.exe
    DEVMGR_SHOW_NONPRESENT_DEVICES=True
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Administrator
    LOGONSERVER=\\3DBOXX-W3200
    MAYA_MODULE_PATH=C:\Program Files\Pixar\RenderManForMaya7.0-1.2-Eval\etc
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Shake-v2.50.0810;C:\Program Files\Alias\Maya7.0\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\iZotope\Runtimes;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\SSH Communications Security\SSH Secure Shell
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 39 Stepping 1, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=2701
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    USERDOMAIN=3DBOXX-W3200
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    windir=C:\WINDOWS
    XBMLANGPATH=C:\Program Files\Pixar\RenderManForMaya7.0-1.2-Eval
    __COMPAT_LAYER=EnableNXShowUI


    -- User Profiles

    Administrator (admin)


    -- Add/Remove Programs

    a-squared Anti-Malware 3.0 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
    a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"
    Add/Remove Pro (Freeware) --> "C:\Program Files\Add Remove Pro\unins000.exe"
    Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
    Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
    Antares Auto-Tune v4.39 --> C:\PROGRA~1\ANTARE~1\AUTO-T~2\AIRLOG~1\AT4\UNWISE.EXE C:\PROGRA~1\ANTARE~1\AUTO-T~2\AIRLOG~1\AT4\INSTALL.LOG
    Apple Mobile Device Support --> MsiExec.exe /I{8FC46258-0843-4D79-B7F0-F2B82FE6173B}
    Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
    Avira AntiVir PersonalEdition Classic --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
    FXpansion DR-008 --> \UNWISE.EXE
    HijackThis 2.0.0 --> "C:\HJT2\HijackThis.exe" /uninstall
    iTunes --> MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
    Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
    Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    N.I Pro-53 v3.0-OxYGeN --> C:\Korg\LEGACY~1\SOFTSY~1\Pro-53\UNWISE.EXE C:\Korg\LEGACY~1\SOFTSY~1\Pro-53\INSTALL.LOG
    Native Instruments FM7 --> C:\PROGRA~1\NATIVE~1\Fm7\UNWISE.EXE C:\PROGRA~1\NATIVE~1\Fm7\INSTALL.LOG
    Native Instruments Spektral Delay --> C:\audio\NATIVE~1\SPEKTR~1\UNWISE.EXE C:\audio\NATIVE~1\SPEKTR~1\INSTALL.LOG
    Novation Bass-Station VSTi v1.10 --> C:\Korg\LEGACY~1\SOFTSY~1\BASS-S~1\BASS-S~1\UNWISE.EXE C:\Korg\LEGACY~1\SOFTSY~1\BASS-S~1\BASS-S~1\INSTALL.LOG
    QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"


    -- End of Deckard's System Scanner: finished at 2007-07-11 at 07:10:05
  • Rahina-Rescue (Finland)
    edited July 2007
    Hello there, are you able to post the report that ComboFix created after running the script? It should be located at C:\Combofix.txt; there might be a few of those reports, depending on how many times you scanned with it.

    But the right one should have been created on 11.7.07.
  • edited July 2007
    I've got two from 11-7-07, can't remember why, but here they are.



    "Administrator" - 2007-07-11 6:58:26 - ComboFix 07-07-10.1 - Service Pack 2
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\Security\ComboFix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\nircmd.exe
    C:\WINDOWS\system32\altsvc.exe


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    \Netbios Helper Service


    ((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


    2007-07-11 04:58 <DIR> d-------- C:\Program Files\iPod
    2007-07-11 04:57 <DIR> d-------- C:\Program Files\QuickTime
    2007-07-11 04:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-07-11 04:55 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-07-11 04:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-07-11 02:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-07-11 02:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo
    2007-07-11 02:52 <DIR> d-------- C:\Program Files\Comodo
    2007-07-10 23:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-07-10 23:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Logitech
    2007-07-10 23:23 <DIR> d-------- C:\HJT2
    2007-07-10 23:21 13,440 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
    2007-07-10 23:20 68,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
    2007-07-10 23:20 55,040 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
    2007-07-10 23:20 36,608 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
    2007-07-10 23:20 28,160 --a------ C:\WINDOWS\KHALMNPR.Exe
    2007-07-10 23:20 26,112 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
    2007-07-10 23:20 <DIR> d-------- C:\Program Files\Logitech
    2007-07-10 23:20 <DIR> d-------- C:\Program Files\Common Files\Logitech
    2007-07-10 07:27 153,088 --a------ C:\UNWISE.EXE
    2007-07-10 07:27 <DIR> d-------- C:\Program Files\steinberg
    2007-07-10 07:27 <DIR> d-------- C:\Program Files\FXpansion
    2007-07-10 07:27 <DIR> d-------- C:\Program Files\Common Files\Digidesign
    2007-07-10 06:22 <DIR> d-------- C:\audio
    2007-07-09 17:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-30 06:19 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
    2007-06-30 05:01 <DIR> d-------- C:\Program Files\a-squared Free
    2007-06-26 02:06 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-26 00:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
    2007-06-24 22:52 <DIR> d-------- C:\WINDOWS\kquu
    2007-06-24 22:52 <DIR> d-------- C:\Program Files\Common Files\kquu
    2007-06-24 22:37 <DIR> d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
    2007-06-22 22:04 <DIR> d-------- C:\Program Files\the-myspace-editor


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-11 11:01:01 12,670 ----a-w C:\WINDOWS\system32\tablet.dat
    2007-07-11 11:00:07 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 11:00:07 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 09:48:19 d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
    2007-07-11 09:44:34 686,840 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-07-11 08:58:18 d-----w C:\Program Files\iTunes
    2007-07-11 08:56:15 d-----w C:\Program Files\Apple Software Update
    2007-07-11 03:20:23 d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-10 10:31:38 73 ----a-w C:\WINDOWS\system32\ssprs.dll
    2007-07-10 10:31:38 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
    2007-07-10 10:25:12 d-----w C:\Program Files\Native Instruments
    2007-06-07 05:05:45 d-----w C:\Program Files\Antares Audio Technologies
    2007-06-04 01:52:36 d-----w C:\Program Files\Add Remove Pro
    2007-06-02 19:39:33 d-----w C:\Program Files\Yahoo!
    2007-05-26 21:41:38 d-----w C:\Program Files\FLAC
    2007-05-25 00:05:41 d-----w C:\Program Files\Real Alternative
    2007-05-25 00:05:40 d-----w C:\Program Files\CamStudio
    2007-05-25 00:05:40 d-----w C:\Program Files\Better File Rename
    2007-05-24 22:22:58 d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
    2007-05-20 06:46:15 d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
    2007-05-20 06:13:25 d-----w C:\Program Files\VideoLAN
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\M0RCT1hYLVczMjAw\gXlFnY1sMpwWg3ET.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-01-12 21:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-11 02:52]
    "nwiz"="nwiz.exe" [2005-11-04 13:38 C:\WINDOWS\system32\nwiz.exe]
    "H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-11-01 01:00]
    "CTHelper"="CTHELPER.EXE" [2004-09-22 23:39 C:\WINDOWS\system32\CTHELPER.EXE]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfcbb642-8009-11d9-bee5-806d6172696f}]
    AutoRun\command- D:\ASUSACPI.exe


    Contents of the 'Scheduled Tasks' folder
    2007-07-09 12:57:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer,
    Rootkit scan 2007-07-11 07:01:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\maya70docserver]
    "ImagePath"="\"C:\Program Files\Alias\Maya7.0\docs\wrapper.exe\" -s \"C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf\""

    Completion time: 2007-07-11 7:02:22 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-11 07:02
    C:\ComboFix2.txt ... 2007-07-11 03:10

    --- E O F ---




    "Administrator" - 2007-07-11 3:04:29 - ComboFix 07-07-10.1 - Service Pack 2


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\service.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\mcroso~1
    C:\WINDOWS\system32\ms32.dll
    C:\WINDOWS\system32\wnstssv32.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    \LEGACY_CMDSERVICE
    \LEGACY_CORE
    \LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


    2007-07-11 03:04 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-11 02:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-07-11 02:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo
    2007-07-11 02:52 <DIR> d-------- C:\Program Files\Comodo
    2007-07-10 23:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-07-10 23:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Logitech
    2007-07-10 23:23 <DIR> d-------- C:\HJT2
    2007-07-10 23:21 13,440 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
    2007-07-10 23:20 68,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
    2007-07-10 23:20 55,040 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
    2007-07-10 23:20 36,608 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
    2007-07-10 23:20 28,160 --a------ C:\WINDOWS\KHALMNPR.Exe
    2007-07-10 23:20 26,112 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
    2007-07-10 23:20 <DIR> d-------- C:\Program Files\Logitech
    2007-07-10 23:20 <DIR> d-------- C:\Program Files\Common Files\Logitech
    2007-07-10 07:27 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
    2007-07-10 07:27 153,088 --a------ C:\UNWISE.EXE
    2007-07-10 07:27 <DIR> d-------- C:\Program Files\steinberg
    2007-07-10 07:27 <DIR> d-------- C:\Program Files\FXpansion
    2007-07-10 07:27 <DIR> d-------- C:\Program Files\Common Files\Digidesign
    2007-07-10 06:22 <DIR> d-------- C:\audio
    2007-07-09 17:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-30 06:19 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
    2007-06-30 05:01 <DIR> d-------- C:\Program Files\a-squared Free
    2007-06-26 02:06 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-26 00:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
    2007-06-24 22:52 <DIR> d-------- C:\WINDOWS\kquu
    2007-06-24 22:52 <DIR> d-------- C:\Program Files\Common Files\kquu
    2007-06-24 22:37 <DIR> d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
    2007-06-22 22:04 <DIR> d-------- C:\Program Files\the-myspace-editor


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-11 07:08:50 12,670 ----a-w C:\WINDOWS\system32\tablet.dat
    2007-07-11 07:07:40 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 07:07:40 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 03:20:23 d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-10 10:31:38 73 ----a-w C:\WINDOWS\system32\ssprs.dll
    2007-07-10 10:31:38 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
    2007-07-10 10:25:12 d-----w C:\Program Files\Native Instruments
    2007-06-07 05:05:45 d-----w C:\Program Files\Antares Audio Technologies
    2007-06-04 01:52:36 d-----w C:\Program Files\Add Remove Pro
    2007-06-02 19:39:33 d-----w C:\Program Files\Yahoo!
    2007-06-02 00:04:54 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-05-26 21:41:38 d-----w C:\Program Files\FLAC
    2007-05-25 00:05:41 d-----w C:\Program Files\Real Alternative
    2007-05-25 00:05:40 d-----w C:\Program Files\CamStudio
    2007-05-25 00:05:40 d-----w C:\Program Files\Better File Rename
    2007-05-24 22:22:58 d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
    2007-05-20 06:46:15 d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
    2007-05-20 06:13:25 d-----w C:\Program Files\VideoLAN
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\M0RCT1hYLVczMjAw\gXlFnY1sMpwWg3ET.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-01-12 21:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-11 02:52]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 13:38]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\retadpu272.exe 61A847B5BBF728103599284503996897C881250221C8670836AC4FA7C8833201749139

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    C:\WINDOWS\UpdReg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    C:\Program Files\WinPop\winpop.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfcbb642-8009-11d9-bee5-806d6172696f}]
    AutoRun\command- D:\ASUSACPI.exe


    Contents of the 'Scheduled Tasks' folder
    2007-07-09 12:57:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer,
    Rootkit scan 2007-07-11 03:08:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\maya70docserver]
    "ImagePath"="\"C:\Program Files\Alias\Maya7.0\docs\wrapper.exe\" -s \"C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf\""

    Completion time: 2007-07-11 3:10:00 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-11 03:09

    --- E O F ---
  • edited July 2007
    I noticed a reference in the second report to "WinPop" in the registry. I have since deleted that registry entry.
  • Rahina-Rescue (Finland)
    edited July 2007
    Thank you for the reports!

    Now I would like to see a fresh Deckard's System Scanner logfile.

    Thanks
  • edited July 2007
    Deckard's System Scanner v20070708.52
    Run by Administrator on 2007-07-12 at 03:52:12
    Computer is in Normal Mode.



    -- HijackThis Clone

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-07-12 03:53:23
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\cpf.exe
    C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\sndvol32.exe
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\Security\dss.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: sndvol32.lnk = C:\WINDOWS\system32\sndvol32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134606102781
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"
    O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - "C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"
    O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    -- Files created between 2007-06-12 and 2007-07-12

    2007-07-11 20:18:26 0 dr-h C:\Documents and Settings\Administrator\Recent
    2007-07-11 06:58:17 528 --a C:\CFCleanUp.bat
    2007-07-11 04:58:09 0 d C:\Program Files\iPod
    2007-07-11 04:57:06 0 d C:\Program Files\QuickTime
    2007-07-11 04:56:04 0 d c- C:\WINDOWS\system32\DRVSTORE
    2007-07-11 04:55:49 0 d C:\Program Files\Common Files\Apple
    2007-07-11 04:55:49 0 d C:\Documents and Settings\All Users\Application Data\Apple
    2007-07-11 02:54:41 0 d C:\Documents and Settings\Administrator\Application Data\Comodo
    2007-07-11 02:54:39 0 d C:\Documents and Settings\All Users\Application Data\Comodo
    2007-07-11 02:52:39 0 d C:\Program Files\Comodo
    2007-07-10 23:54:33 0 d C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2007-07-10 23:26:07 0 d C:\Documents and Settings\Administrator\Application Data\Logitech
    2007-07-10 23:23:15 0 d C:\HJT2
    2007-07-10 23:20:31 0 d C:\Program Files\Common Files\Logitech
    2007-07-10 23:20:26 0 d C:\Program Files\Logitech
    2007-07-10 07:27:29 0 d C:\Program Files\steinberg
    2007-07-10 07:27:29 0 d C:\Program Files\Common Files\Digidesign
    2007-07-10 07:27:20 153088 --a C:\UNWISE.EXE
    2007-07-10 07:27:20 0 d C:\Program Files\FXpansion
    2007-07-10 06:22:18 0 d C:\audio
    2007-07-09 17:49:03 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-06-30 06:19:54 0 d C:\Program Files\a-squared Anti-Malware
    2007-06-30 05:01:12 0 d C:\Program Files\a-squared Free
    2007-06-26 02:06:08 0 d C:\Program Files\CCleaner
    2007-06-26 00:43:44 0 d C:\Documents and Settings\Administrator\.housecall6.6
    2007-06-24 22:52:37 0 d C:\WINDOWS\kquu
    2007-06-24 22:52:37 0 d C:\Program Files\Common Files\kquu
    2007-06-24 22:37:31 0 d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
    2007-06-22 22:04:13 0 d C:\Program Files\the-myspace-editor


    -- Find3M Report

    2007-07-11 18:51:32 12670 --a C:\WINDOWS\system32\tablet.dat
    2007-07-11 09:22:49 384 --a C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 09:22:49 384 --a C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 05:48:19 0 d C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-07-11 04:58:18 0 d C:\Program Files\iTunes
    2007-07-11 04:56:15 0 d C:\Program Files\Apple Software Update
    2007-07-10 23:20:23 0 d--h C:\Program Files\InstallShield Installation Information
    2007-07-10 06:31:38 73 --a C:\WINDOWS\system32\ssprs.dll
    2007-07-10 06:31:38 205 --a C:\WINDOWS\system32\lsprst7.dll
    2007-07-10 06:25:12 0 d C:\Program Files\Native Instruments
    2007-07-08 19:18:22 0 d C:\Program Files\Java
    2007-06-07 01:05:45 0 d C:\Program Files\Antares Audio Technologies
    2007-06-03 23:01:16 0 d C:\Documents and Settings\Administrator\Application Data\Adobe
    2007-06-03 22:33:25 0 d C:\Program Files\Common Files\Adobe
    2007-06-03 21:52:36 0 d C:\Program Files\Add Remove Pro
    2007-06-02 15:39:33 0 d C:\Program Files\Yahoo!
    2007-05-26 17:41:38 0 d C:\Program Files\FLAC
    2007-05-24 20:05:41 0 d C:\Program Files\Real Alternative
    2007-05-24 20:05:40 0 d C:\Program Files\CamStudio
    2007-05-24 20:05:40 0 d C:\Program Files\Better File Rename
    2007-05-24 18:22:58 0 dr-h C:\Documents and Settings\Administrator\Application Data\yahoo!
    2007-05-20 02:46:15 0 d C:\Documents and Settings\Administrator\Application Data\vlc
    2007-05-20 02:13:25 0 d C:\Program Files\VideoLAN


    -- Registry Dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "nwiz"="nwiz.exe /install"
    "H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
    "CTHelper"="CTHELPER.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bfcbb642-8009-11d9-bee5-806d6172696f}]
    Shell\AutoRun\command D:\ASUSACPI.exe


    -- End of Deckard's System Scanner: finished at 2007-07-12 at 03:53:42
  • Rahina-Rescue (Finland)
    edited July 2007
    Please read this post completely; it may make it easier for you if you copy and paste this post into a new text document or print it for reference later.

    ( 1 ) Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\service.exe

    Driver::
    NETDDEC
    Save this as ComboFix-Do.txt

    (image: Combo-Do.gif)

    Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

    ( 2 )

    Download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
      • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
      • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
      • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
        Once the scan is complete do the following:
      • If you have any infections you will be prompted, then select "Apply all actions"
      • Next select the "Reports" icon at the top.
      • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
      • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
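The ComboFix script above targets one entry from the DSS log: the NETDDEC service, listed with "Unknown owner" and hosted by C:\WINDOWS\system32\service.exe, a name one letter short of the genuine services.exe. The same logs also show a hidden+system folder C:\WINDOWS\M0RCT1hYLVczMjAw holding a .vbs. The following Python script is an added example, not code from this thread and not part of HijackThis, DSS or ComboFix: it turns those three eyeball checks into rules and runs them over lines copied from the logs posted above. The core-process and service-host allow-lists, the one-edit threshold and the rule names are assumptions of this example; the line formats it parses are the ones visible in this thread.

```python
"""Triage HijackThis / DSS / ComboFix log lines for three things a log reviewer
checks by eye: "Unknown owner" services hosted from system32, binary names one
edit away from a core Windows process, and hidden+system objects under
C:\\WINDOWS. Added example for this thread; lists and thresholds are assumptions."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed, deliberately short lists: core XP processes that malware typosquats,
# and system32 binaries that legitimately host services on XP SP2.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
KNOWN_SERVICE_HOSTS = {"svchost.exe", "spoolsv.exe", "lsass.exe",
                       "services.exe", "netdde.exe", "alg.exe"}

PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*\.exe$", re.IGNORECASE)   # "Running processes" lines
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?)"          # HijackThis O23 lines
                        r"(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+[\d,]+\s+"   # ComboFix file listing
                     r"(?P<attrs>[-a-z]+)\s+(?P<path>[A-Za-z]:\\.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    note: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so one swapped pair of letters costs 1, not 2."""
    a, b = a.lower(), b.lower()
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(basename: str) -> Optional[str]:
    """Core binary this name is exactly one edit away from, else None. A genuine
    core name is never reported as a lookalike of another."""
    name = basename.lower()
    if name in CORE_BINARIES:
        return None
    return next((c for c in CORE_BINARIES if osa_distance(name, c) == 1), None)


def image_path(command: str) -> str:
    """First token of a service ImagePath, honouring a quoted path with spaces."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return m.group(1) or m.group(2)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line, paths = raw.strip(), []
        svc, fil = SERVICE_RE.match(line), FILE_RE.match(line)
        if PROCESS_RE.match(line):
            paths = [line]
        elif svc:
            paths = [image_path(svc.group("path"))]
            host = paths[0].lower()
            if (svc.group("owner") == "Unknown owner"
                    and ntpath.dirname(host) == r"c:\windows\system32"
                    and ntpath.basename(host) not in KNOWN_SERVICE_HOSTS):
                findings.append(Finding("unknown-owner-service",
                                        svc.group("name") or svc.group("display"),
                                        f"no company name in version info, hosted by {paths[0]}"))
        elif (fil and {"h", "s"} <= set(fil.group("attrs"))
                and fil.group("path").lower().startswith("c:\\windows\\")):
            findings.append(Finding("hidden-system", fil.group("path"),
                                    "hidden+system object under the Windows directory"))
        for path in paths:  # typosquat check on every binary path seen above
            core = lookalike_of(ntpath.basename(path))
            if core:
                findings.append(Finding("lookalike", path, f"one edit away from {core}"))
    return findings


# Sample lines copied from the logs posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Administrator\Desktop\Security\dss.exe
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - "C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\M0RCT1hYLVczMjAw\gXlFnY1sMpwWg3ET.vbs
2007-06-24 22:37:31 0 d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.note}")
```

Run as-is it prints four findings: NETDDEC under the unknown-owner rule, service.exe under the lookalike rule, and the two hidden+system objects. maya70docserver is also "Unknown owner" but lives under Program Files, so it is not flagged, which is consistent with the fix above not touching it. On XP the genuine Network DDE services are NetDDE and NetDDEdsdm, both hosted by netdde.exe, so a service named NETDDEC pointing at service.exe is exactly the sort of entry these rules exist to surface. The allow-lists are deliberately tiny; on a real machine you would seed them from a clean reference install rather than from memory.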
  • edited July 2007
    I followed your instructions exactly but for some reason AVG did not generate a report. Here is a screen cap of what it found. I'm also posting the latest HJT and DSS logs.



    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:19:12 AM, on 7/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\WINDOWS\system32\sndvol32.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\Security\dss.exe
    C:\Documents and Settings\Administrator\Desktop\Security\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: sndvol32.lnk = C:\WINDOWS\system32\sndvol32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134606102781
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 6872 bytes




    Deckard's System Scanner v20070708.52
    Run by Administrator on 2007-07-13 at 08:18:49
    Computer is in Normal Mode.



    -- HijackThis Clone

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-07-13 08:18:52
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\cpf.exe
    C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\WINDOWS\system32\sndvol32.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\Security\dss.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: sndvol32.lnk = C:\WINDOWS\system32\sndvol32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134606102781
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"
    O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - "C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    -- Files created between 2007-06-13 and 2007-07-13

    2007-07-12 08:57:34 0 d C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-07-12 08:33:30 0 dr-h C:\Documents and Settings\Administrator\Recent
    2007-07-12 07:07:19 0 d C:\Program Files\VSTplugins
    2007-07-11 04:58:09 0 d C:\Program Files\iPod
    2007-07-11 04:57:06 0 d C:\Program Files\QuickTime
    2007-07-11 04:56:04 0 d c- C:\WINDOWS\system32\DRVSTORE
    2007-07-11 04:55:49 0 d C:\Program Files\Common Files\Apple
    2007-07-11 04:55:49 0 d C:\Documents and Settings\All Users\Application Data\Apple
    2007-07-11 02:54:41 0 d C:\Documents and Settings\Administrator\Application Data\Comodo
    2007-07-11 02:54:39 0 d C:\Documents and Settings\All Users\Application Data\Comodo
    2007-07-11 02:52:39 0 d C:\Program Files\Comodo
    2007-07-10 23:54:33 0 d C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2007-07-10 23:26:07 0 d C:\Documents and Settings\Administrator\Application Data\Logitech
    2007-07-10 23:23:15 0 d C:\HJT2
    2007-07-10 23:20:31 0 d C:\Program Files\Common Files\Logitech
    2007-07-10 23:20:26 0 d C:\Program Files\Logitech
    2007-07-10 07:27:29 0 d C:\Program Files\steinberg
    2007-07-10 07:27:29 0 d C:\Program Files\Common Files\Digidesign
    2007-07-10 07:27:20 153088 --a C:\UNWISE.EXE
    2007-07-10 07:27:20 0 d C:\Program Files\FXpansion
    2007-07-10 06:22:18 0 d C:\audio
    2007-07-09 17:49:03 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-06-30 06:19:54 0 d C:\Program Files\a-squared Anti-Malware
    2007-06-30 05:01:12 0 d C:\Program Files\a-squared Free
    2007-06-26 02:06:08 0 d C:\Program Files\CCleaner
    2007-06-26 00:43:44 0 d C:\Documents and Settings\Administrator\.housecall6.6
    2007-06-24 22:52:37 0 d C:\WINDOWS\kquu
    2007-06-24 22:52:37 0 d C:\Program Files\Common Files\kquu
    2007-06-24 22:37:31 0 d--hs---- C:\WINDOWS\M0RCT1hYLVczMjAw
    2007-06-22 22:04:13 0 d C:\Program Files\the-myspace-editor


    -- Find3M Report

    2007-07-13 05:33:13 73 --a C:\WINDOWS\system32\ssprs.dll
    2007-07-13 05:33:13 205 --a C:\WINDOWS\system32\lsprst7.dll
    2007-07-13 00:04:59 12670 --a C:\WINDOWS\system32\tablet.dat
    2007-07-12 09:03:57 384 --a C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-12 09:03:57 384 --a C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000004-20071102}.dat
    2007-07-11 05:48:19 0 d C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-07-11 04:58:18 0 d C:\Program Files\iTunes
    2007-07-11 04:56:15 0 d C:\Program Files\Apple Software Update
    2007-07-10 23:20:23 0 d--h C:\Program Files\InstallShield Installation Information
    2007-07-10 06:25:12 0 d C:\Program Files\Native Instruments
    2007-07-08 19:18:22 0 d C:\Program Files\Java
    2007-06-07 01:05:45 0 d C:\Program Files\Antares Audio Technologies
    2007-06-03 23:01:16 0 d C:\Documents and Settings\Administrator\Application Data\Adobe
    2007-06-03 22:33:25 0 d C:\Program Files\Common Files\Adobe
    2007-06-03 21:52:36 0 d C:\Program Files\Add Remove Pro
    2007-06-02 15:39:33 0 d C:\Program Files\Yahoo!
    2007-05-26 17:41:38 0 d C:\Program Files\FLAC
    2007-05-24 20:05:41 0 d C:\Program Files\Real Alternative
    2007-05-24 20:05:40 0 d C:\Program Files\CamStudio
    2007-05-24 20:05:40 0 d C:\Program Files\Better File Rename
    2007-05-24 18:22:58 0 dr-h C:\Documents and Settings\Administrator\Application Data\yahoo!
    2007-05-20 02:46:15 0 d C:\Documents and Settings\Administrator\Application Data\vlc
    2007-05-20 02:13:25 0 d C:\Program Files\VideoLAN


    -- Registry Dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "nwiz"="nwiz.exe /install"
    "H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
    "CTHelper"="CTHELPER.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bfcbb642-8009-11d9-bee5-806d6172696f}]
    Shell\AutoRun\command D:\ASUSACPI.exe


    -- End of Deckard's System Scanner: finished at 2007-07-13 at 08:19:24
    AVG%20Quarenteen.jpg
  • Rahina-Rescue (Finland)
    edited July 2007
    ( 1 )

    Open notepad and Copy/Paste the text in the quotebox below into it:
    Folder::
    C:\WINDOWS\kquu
    C:\Program Files\Common Files\kquu
    C:\WINDOWS\M0RCT1hYLVczMjAw
    C:\Qoobox
    Save this as ComboFix-Do.txt

    Combo-Do.gif

    Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

    ( 2 )

    Download ATF-Cleaner by Atribune to your desktop.

    Run ATF-Cleaner. Under Main choose: Select All
    Click the Empty Selected button.

    If you use the Firefox browser, click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser, click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    ( 3 )

    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

    System Restore will now be active again.

    ( 4 )

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.

    Let me know the Results :)
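The folders the ComboFix script above targets (C:\WINDOWS\kquu, C:\Program Files\Common Files\kquu, C:\WINDOWS\M0RCT1hYLVczMjAw) were picked out of the Deckard's "Files created" list by eye. The following is an added example, not code from the thread or from any of the tools named in it, that applies the same triage heuristics to HijackThis O4/O23 lines and Deckard-style file entries: a service listed with "Unknown owner", a Run entry that starts a program by bare name (resolved through PATH at logon), a new directory created directly under the Windows directory or sharing its name with one, and a new hidden+system directory. The regular expressions, the heuristics and the SAMPLE_LOG lines are my own assumptions; the sample is constructed in the shape of the entries quoted above and is not the full log.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines in the shape of the HijackThis O4/O23
# entries and Deckard's System Scanner "Files created" entries quoted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - Startup: sndvol32.lnk = C:\\WINDOWS\\system32\\sndvol32.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - "C:\\Program Files\\Alias\\Maya7.0\\docs\\wrapper.exe" -s "C:\\Program Files\\Alias\\Maya7.0\\docs\\Wrapper.conf"
O23 - Service: TabletService - Wacom Technology, Corp. - C:\\WINDOWS\\system32\\Tablet.exe
2007-06-26 02:06:08 0 d-------- C:\\Program Files\\CCleaner
2007-06-24 22:52:37 0 d-------- C:\\WINDOWS\\kquu
2007-06-24 22:52:37 0 d-------- C:\\Program Files\\Common Files\\kquu
2007-06-24 22:37:31 0 d--hs---- C:\\WINDOWS\\M0RCT1hYLVczMjAw
2007-07-10 07:27:20 153088 --a------ C:\\UNWISE.EXE
"""

# O4: "[name] command" for Run keys, "file.lnk = target" for Startup folders (assumed shapes).
O4_RE = re.compile(r"^O4 - ([^:]+): (?:\[(.+?)\] (.+)|(.+?) = (.+))$")
# O23: "display name - owner/vendor - command line".
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Deckard entry: "timestamp size attributes path"; attributes start with 'd' for directories.
DSS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def executable_of(command: str) -> str:
    """Return the program part of a command line: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_absolute_win_path(path: str) -> bool:
    return re.match(r"^[A-Za-z]:\\", path) is not None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs worth a human look. These are heuristics, not verdicts."""
    findings: List[Tuple[str, str]] = []
    new_dirs: List[str] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, name, cmd, lnk, target = m.groups()
            exe = executable_of(cmd) if cmd else target
            label = name if name else lnk
            if not is_absolute_win_path(exe):
                findings.append((f"O4 [{label}]",
                                 f"starts {exe!r} by bare name; it is resolved via PATH at logon, confirm which file that is"))
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, cmd = m.groups()
            if owner.strip().lower() == "unknown owner":
                findings.append((f"O23 {svc}",
                                 "service binary carries no publisher information; verify " + executable_of(cmd)))
            continue
        m = DSS_RE.match(line)
        if m:
            _ts, _size, attrs, path = m.groups()
            if attrs.startswith("d"):
                new_dirs.append(path)
                if "h" in attrs and "s" in attrs:
                    findings.append((path, "new directory with hidden+system attributes"))
    # Normal installers rarely create directories directly under C:\WINDOWS; a directory
    # elsewhere that shares such a name (Common Files\kquu in the thread) is worth the same look.
    win_dirs = [p for p in new_dirs if WINDIR_RE.match(p)]
    win_names = {p.rsplit("\\", 1)[-1].lower() for p in win_dirs}
    for path in new_dirs:
        base = path.rsplit("\\", 1)[-1].lower()
        if path in win_dirs:
            findings.append((path, "new directory directly under the Windows directory"))
        elif base in win_names:
            findings.append((path, "shares its name with a new directory under the Windows directory"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

Run against the sample it flags the three directories the helper's script removes, the "Unknown owner" Maya service (a legitimate program that still deserves a check, which is the point of the heuristic) and the two bare-name Run entries, and leaves the quoted-path entries alone. Flags are prompts to verify a file's origin, not grounds to delete it.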