# HELP: Ardamax Keylogger



## BQfromNY (Jan 10, 2008)

Like an idiot, I clicked on an exe file that I knew I shouldn't have. The file took me into what appeared to be DOS and, lo and behold, I became infected with a keylogger. I installed Spy Sweeper and it found some issues but no matter what I do I can not get rid of this keylogger... PLEASE HELP!! I am terrified of using my computer in fear that vulnerable information will be logged and sent to be used against me. I'm seeking any and all instructions on how to remove anything that may be malware or a virus. Below is my HijackThis log. Please let me know if any other info is needed.

Thxs in advance

----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:41 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Config\lsass.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\28463\NMTI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\WINDOWS\system32\regscan.exe
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\WINDOWS\system32\28463\NMTI .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\DAEMON Tools\daemon .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\WINDOWS\system32\regscan .exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhg.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NMTI Agent] C:\WINDOWS\system32\28463\NMTI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6574 bytes


----------
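The log above contains the classic signs a helper looks for before prescribing a fix: a `system.ini` `Shell=` line that launches a second executable besides Explorer, a non-empty `win.ini` `load=` line, a system process name (`lsass.exe`) running from a directory other than `system32`, launch paths with a space inserted before the extension (`qttask .exe`, `LEXPPS .EXE`), and an executable inside a numeric-named `system32` subfolder. The script below is an added example, not code from TSG, HijackThis or ComboFix; it applies those checks to HijackThis-style lines. The sample lines are copied from the log in this thread, and the heuristics (which reasons are reported, which process names count as system binaries) are this example's own assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not a TSG/HijackThis tool)."""
import re

# Sample lines copied from the HijackThis log posted above (process lines and entries).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Config\lsass.exe
C:\WINDOWS\system32\LEXPPS .EXE
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NMTI Agent] C:\WINDOWS\system32\28463\NMTI.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - Winlogon Notify: ssqnnnl - ssqnnnl.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Process names that, on Windows XP, belong only in %SystemRoot%\system32 (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_PATH = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)

# "name .exe": a space before the extension, as seen on the hijacked launch paths above.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|com|scr)\b", re.IGNORECASE)
# An executable inside a purely numeric subdirectory of system32 (e.g. system32\28463\).
NUMERIC_SYSTEM32_SUBDIR = re.compile(r"\\system32\\\d+\\", re.IGNORECASE)
# HijackThis entry prefix: "F2 - ...", "O4 - ...", "O20 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def check_line(line):
    """Return the list of reasons one log line is suspicious; an empty list means clean."""
    reasons = []
    line = line.rstrip()
    if SPACE_BEFORE_EXT.search(line):
        reasons.append("space inserted before file extension (hijacked launch path)")
    if NUMERIC_SYSTEM32_SUBDIR.search(line):
        reasons.append("executable in numeric-named system32 subdirectory")
    m = ENTRY.match(line)
    if m:
        kind, body = m.groups()
        if kind == "F2" and "Shell=" in body:
            # The only normal value is Explorer.exe; anything appended is loaded at logon.
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                reasons.append("system.ini Shell= launches more than Explorer.exe")
        elif kind == "F3" and "load=" in body:
            # win.ini load= is normally empty; a path here runs at logon.
            if body.split("load=", 1)[1].strip():
                reasons.append("win.ini load= line is non-empty")
        elif kind == "O20" and "(file missing)" in body:
            reasons.append("orphaned Winlogon Notify entry")
    elif re.match(r"^[a-z]:\\", line, re.IGNORECASE):
        # A bare path, i.e. a line from the "Running processes" section.
        name = line.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES and not SYSTEM32_PATH.match(line):
            reasons.append("system process name running from a non-system directory")
    return reasons


def triage(log_text):
    """Run check_line over every line; return [(line, reasons), ...] for flagged lines only."""
    findings = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            findings.append((line.rstrip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the twelve sample lines it flags seven and leaves the Office, Steam, Lexmark and genuine `system32\lsass.exe` lines alone. The heuristics are deliberately narrow: an entry such as `[Regscan] C:\WINDOWS\system32\regscan.exe` is not caught by any of them, which is exactly why a helper cross-checks a HijackThis log against the ComboFix output rather than relying on pattern matching alone.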



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

*WARNING: IF you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## BQfromNY (Jan 10, 2008)

OK... First let me say thank you sooo much for replying - I have been checking every few hours since the day I posted for a reply.

Next, let me explain some other things that have been happening since my first post... (1) my Spy Sweeper is no longer working - can't boot up (2) The keylogger is no longer in the system tray yet I am sure it's still running (3) I get several "virus warnings" from what I believe to be fake Windows warnings that come from my system tray (4) I now have the infamous "Outerinfo" icon in my tray and a shipload of popups (5) I can't restore (6) I can't access my control panel and I have an "ESC spyware cleaner" that appears at boot up.

These were all before I ran ComboFix. I will report shortly if those issues are still there. Here are the logs you asked for and THXS AGAIN!!

-------

ComboFix 08-01-11.3 - BQfromNY 2008-01-12 14:48:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1579 [GMT -8:00]
Running from: C:\Documents and Settings\BQfromNY\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\BQfromNY\Application Data\printer.exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Outerinfo
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast .exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast .exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast .exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast .exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast .exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast .exe
C:\Documents and Settings\BQfromNY\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\3269.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
C:\Program Files\Helper
C:\Program Files\Helper\Helper9.dll
C:\Program Files\lsass.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\Outerinfo\Outerinfo .exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate .exe
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\PokerOffice\POEngine.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\spoolsv.exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\xloader10181.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\lsass .exe
C:\WINDOWS\lsass .exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drvcakr.dll
C:\WINDOWS\system32\drvhobr.dll
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\LEXPPS .EXE
C:\WINDOWS\system32\ljjhhij.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkhg.exe
C:\WINDOWS\system32\printer .exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\RCX34.tmp
C:\WINDOWS\system32\RCX35.tmp
C:\WINDOWS\system32\RCX36.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\RCX38.tmp
C:\WINDOWS\system32\RCX3B.tmp
C:\WINDOWS\system32\RCX3D.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX57.tmp
C:\WINDOWS\system32\RCX58.tmp
C:\WINDOWS\system32\RCX6E.tmp
C:\WINDOWS\system32\RCX71.tmp
C:\WINDOWS\system32\RCXE0.tmp
C:\WINDOWS\system32\spoolvs .exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\urqqolk.dll
C:\WINDOWS\system32\winohw32.dll
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\Temp\04166755.exe
C:\WINDOWS\Temp\winBA0 .exe
C:\WINDOWS\TEMP\winBA0 .exe


```
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe ---> CLIStart.exe
C:\Program Files\DAEMON Tools\daemon .exe ---> daemon.exe
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner .exe ---> EasySpywareCleaner.exe
C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe ---> GrooveMonitor.exe
C:\Program Files\Outerinfo\Outerinfo .exe ---> QooBox
C:\Program Files\Outerinfo\OuterinfoUpdate .exe ---> QooBox
C:\Program Files\PokerOffice\POEngine .exe ---> POEngine.exe
C:\Program Files\PowerISO\PWRISOVM .EXE ---> PWRISOVM.EXE
C:\Program Files\Spyware Doctor\SDTrayApp .exe ---> QooBox
C:\Program Files\Steam\Steam .exe ---> Steam.exe
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\LEXPPS .EXE ---> QooBox
C:\WINDOWS\system32\printer .exe ---> QooBox
C:\WINDOWS\system32\spoolvs .exe ---> QooBox
```
.
.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 15:06 . 2008-01-12 15:06	174,592	--a------	C:\WINDOWS\system32\LEXPPS .EXE
2008-01-12 14:33 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 11:23 . 2008-01-12 12:03	19,080	--a------	C:\WINDOWS\system32\ctfmona .exe
2008-01-12 10:46 . 2008-01-12 15:06 d--------	C:\Program Files\EasySpywareCleaner
2008-01-12 10:46 . 2008-01-12 10:46 d--------	C:\Documents and Settings\BQfromNY\Application Data\EasySpywareCleaner.com
2008-01-12 10:10 . 2008-01-12 10:10	103,424	--a------	C:\WINDOWS\system32\drvcak.dll
2008-01-11 17:39 . 2008-01-11 17:39	328,192	--a------	C:\WINDOWS\system32\RCX3F2.tmp
2008-01-11 15:08 . 2008-01-11 15:08 d--------	C:\Documents and Settings\Catoria\Application Data\Webroot
2008-01-10 22:06 . 2008-01-10 22:06	328,192	--a------	C:\WINDOWS\system32\RCX16F.tmp
2008-01-10 06:38 . 2008-01-10 06:38	328,192	--a------	C:\WINDOWS\system32\RCX168.tmp
2008-01-09 21:48 . 2008-01-09 21:48 d--------	C:\Program Files\Trend Micro
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Program Files\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\BQfromNY\Application Data\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-08 00:21 . 2007-10-01 16:40	1,526,072	--a------	C:\WINDOWS\WRSetup.dll
2008-01-08 00:21 . 2007-10-01 16:24	163,640	--a------	C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-08 00:21 . 2007-10-01 16:24	23,864	--a------	C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-08 00:21 . 2007-10-01 16:24	21,816	--a------	C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-08 00:21 . 2007-10-01 16:24	20,280	--a------	C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-08 00:20 . 2008-01-08 00:20	164	--a------	C:\install.dat
2008-01-07 22:19 . 2008-01-07 22:20 d--------	C:\Program Files\Advanced Spyware Remover Pro
2008-01-07 22:19 . 2008-01-07 22:19	10,046	--a------	C:\WINDOWS\system32\mspriv32.dll
2008-01-07 19:01 . 2008-01-07 19:01	67,072	--a------	C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-07 17:49 . 2008-01-12 12:53	368,640	--a------	C:\WINDOWS\system32\regscan .exe
2008-01-07 08:37 . 2008-01-07 08:37	104,448	--a------	C:\WINDOWS\system32\drvhob.dll
2008-01-07 07:45 . 2008-01-07 07:45	278,984	--a------	C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-07 07:45 . 2008-01-07 07:45	25,416	--a------	C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-07 07:08 . 2008-01-07 08:32 d--------	C:\Program Files\The Witcher
2008-01-01 02:37 . 2008-01-01 02:37 d--------	C:\Program Files\The Tournament Director 2
2008-01-01 00:45 . 2008-01-01 00:45 d--------	C:\Program Files\Common Files\Adobe
2007-12-29 01:44 . 2007-12-29 01:45 d--------	C:\Program Files\DivX
2007-12-25 21:18 . 2007-12-25 21:18 d--------	C:\Documents and Settings\BQfromNY\Application Data\dvdcss
2007-12-25 21:14 . 2007-12-25 21:14 d--------	C:\Documents and Settings\BQfromNY\Application Data\vlc
2007-12-25 21:13 . 2007-12-25 21:13 d--------	C:\Program Files\VideoLAN
2007-12-25 21:01 . 2007-12-25 21:01 d--------	C:\Program Files\Xvid
2007-12-25 21:01 . 2007-06-28 18:52	765,952	--a------	C:\WINDOWS\system32\xvidcore.dll
2007-12-25 21:01 . 2007-06-28 18:54	180,224	--a------	C:\WINDOWS\system32\xvidvfw.dll
2007-12-25 21:01 . 2007-06-28 18:55	77,824	--a------	C:\WINDOWS\system32\xvid.ax
2007-12-25 19:12 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-23 11:02 . 2007-12-23 11:02 d--------	C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\JumpStart
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\Common Files\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01	87	--a------	C:\WINDOWS\ka.ini
2007-12-17 10:55 . 2008-01-12 10:39 d--------	C:\WINDOWS\system32\28463
2007-12-17 10:55 . 2008-01-12 15:06 d--------	C:\Program Files\PokerOffice
2007-12-16 19:10 . 2007-12-16 19:10 d--------	C:\Program Files\Hasbro
2007-12-12 14:44 . 2007-12-12 14:44	20,213	--a------	C:\Certificate of Completion.docx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 23:07	---------	d-----w	C:\Program Files\Steam
2008-01-12 23:06	---------	d-----w	C:\Program Files\PowerISO
2008-01-12 23:06	---------	d-----w	C:\Program Files\DAEMON Tools
2008-01-12 22:58	---------	d-----w	C:\Program Files\QuickTime
2008-01-12 22:57	---------	d-----w	C:\Program Files\Spyware Doctor
2008-01-08 08:19	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-08 08:03	74,240	----a-w	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-08 08:03	56,832	----a-w	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-07 16:31	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-06 20:36	---------	d-----w	C:\Program Files\PokerStars
2007-12-02 05:44	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-30 02:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-23 14:21	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-11-21 02:02	---------	d-----w	C:\Documents and Settings\Catoria\Application Data\ATI
2007-11-21 00:14	---------	d-----w	C:\Documents and Settings\Jr\Application Data\ATI
2007-11-20 18:11	---------	d-----w	C:\Program Files\Futuremark
2007-11-19 04:10	---------	d-----w	C:\Documents and Settings\Mary Ellen\Application Data\ATI
2007-11-19 04:07	---------	d-----w	C:\Program Files\Creative
2007-11-19 04:06	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\Creative
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\ATI
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ATI
2007-11-19 03:48	---------	d-----w	C:\Program Files\ATI Technologies
2007-11-19 03:47	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-19 01:40	---------	d--h--r	C:\Documents and Settings\Mary Ellen\Application Data\SecuROM
2007-11-18 19:20	---------	d-----w	C:\Program Files\Aspyr
2007-11-17 21:31	---------	d--h--r	C:\Documents and Settings\BQfromNY\Application Data\SecuROM
2007-11-17 21:13	---------	d-----w	C:\Program Files\Electronic Arts
2007-11-17 02:45	0	---ha-w	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-17 02:45	0	---ha-w	C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
.

```
----a-w         5,367,608 2008-01-12 19:24:00  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w            19,080 2008-01-12 20:03:37  C:\WINDOWS\system32\ctfmona .exe
----a-w           174,592 2008-01-12 23:06:50  C:\WINDOWS\system32\LEXPPS .EXE
----a-w           368,640 2008-01-12 20:53:30  C:\WINDOWS\system32\regscan .exe
```
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-12 14:40 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-12 14:40 171464]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-12 14:40 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [2008-01-12 14:39 475136]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-12 14:39 200704]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-12 14:39 31016]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-12 14:39 90112]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NMTI Agent"="C:\WINDOWS\system32\28463\NMTI.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 14:39 39792]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe" [ ]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"EasySpywareCleaner"="C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe" [2008-01-12 14:39 305490]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnnnl]
ssqnnnl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\pmkhg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted	1704

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c087de1d-b1f9-11dc-afa9-001a700fa44b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?code=3654335592357576

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 18:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 15:07:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\PokerOffice\bin\pshimp.Dll
.
Completion time: 2008-01-12 15:10:06 - machine was rebooted [BQfromNY]
ComboFix-quarantined-files.txt 2008-01-12 23:10:03
.
2008-01-10 11:03:15	--- E O F ---

---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:02 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.techguy.org/malware-removal-hijackthis-logs/670135-help-ardamax-keylogger.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NMTI Agent] C:\WINDOWS\system32\28463\NMTI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ssqnnnl - ssqnnnl.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6630 bytes


----------



## BQfromNY (Jan 10, 2008)

OK, since I did the fix you suggested, the following issues were resolved:

1. "Virus warnings" coming from the system tray appear to have stopped

2. Outerinfo and its popups appear to be gone

3. My control panel is back

The following things are still issues:

1. Still can't run Spy Sweeper - I get the following error: "The item 'TMP7EE.tmp' that this shortcut refers to has been changed or moved." This error occurs even when I attempt to start the program from the Start menu.

2. I still get the "ESC spyware cleaner" popup, which is a program I never installed - it asks me if I want to scan or order its product.

The status of the following is unknown:

1. Keylogger - is it safe to assume that this bugger is gone?

2. System Restore - I can't access any restore points at this time, but I assume that's a good thing

One more note - can you (or anyone else) please let me know if my startup programs are clean - at this time, I don't want anything to be run at startup.

Thxs again!


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\WINDOWS\system32\ctfmona .exe
> C:\WINDOWS\system32\ctfmona.exe
> 
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## BQfromNY (Jan 10, 2008)

OK, thxs again for working with me! Here are the two logs you asked for. I will post any known issues shortly.

-------------

ComboFix 08-01-11.3 - BQfromNY 2008-01-12 18:31:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1596 [GMT -8:00]
Running from: C:\Documents and Settings\BQfromNY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BQfromNY\Desktop\CFScript.txt.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drvcak.dll
C:\WINDOWS\system32\drvhob.dll
C:\WINDOWS\system32\RCX168.tmp
C:\WINDOWS\system32\RCX16F.tmp
C:\WINDOWS\system32\RCX3F2.tmp
C:\WINDOWS\system32\regscan .exe
C:\WINDOWS\system32\regscan.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\BQfromNY\Application Data\EasySpywareCleaner.com
C:\Program Files\EasySpywareCleaner
C:\Program Files\EasySpywareCleaner\defs.pkg
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe.local
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe.log
C:\Program Files\EasySpywareCleaner\Kernel.dll
C:\Program Files\EasySpywareCleaner\msvcp71.dll
C:\Program Files\EasySpywareCleaner\msvcr71.dll
C:\Program Files\EasySpywareCleaner\Resources.dll
C:\Program Files\EasySpywareCleaner\Uninstall.exe
C:\Program Files\EasySpywareCleaner\WndLayer.dll
C:\WINDOWS\system32\28463
C:\WINDOWS\system32\28463\AKV.exe
C:\WINDOWS\system32\28463\NMTI .001
C:\WINDOWS\system32\28463\NMTI .002
C:\WINDOWS\system32\28463\NMTI .009
C:\WINDOWS\system32\28463\NMTI.001
C:\WINDOWS\system32\28463\NMTI.002
C:\WINDOWS\system32\28463\NMTI.005
C:\WINDOWS\system32\28463\NMTI.006
C:\WINDOWS\system32\28463\NMTI.007
C:\WINDOWS\system32\28463\NMTI.008
C:\WINDOWS\system32\28463\NMTI.009
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\drvcak.dll
C:\WINDOWS\system32\drvhob.dll
C:\WINDOWS\system32\RCX168.tmp
C:\WINDOWS\system32\RCX16F.tmp
C:\WINDOWS\system32\RCX3F2.tmp
C:\WINDOWS\system32\regscan .exe

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 14:33 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-11 15:08 . 2008-01-11 15:08 d--------	C:\Documents and Settings\Catoria\Application Data\Webroot
2008-01-09 21:48 . 2008-01-09 21:48 d--------	C:\Program Files\Trend Micro
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Program Files\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\BQfromNY\Application Data\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-08 00:21 . 2007-10-01 16:40	1,526,072	--a------	C:\WINDOWS\WRSetup.dll
2008-01-08 00:21 . 2007-10-01 16:24	163,640	--a------	C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-08 00:21 . 2007-10-01 16:24	23,864	--a------	C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-08 00:21 . 2007-10-01 16:24	21,816	--a------	C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-08 00:21 . 2007-10-01 16:24	20,280	--a------	C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-08 00:20 . 2008-01-08 00:20	164	--a------	C:\install.dat
2008-01-07 22:19 . 2008-01-07 22:20 d--------	C:\Program Files\Advanced Spyware Remover Pro
2008-01-07 22:19 . 2008-01-07 22:19	10,046	--a------	C:\WINDOWS\system32\mspriv32.dll
2008-01-07 19:01 . 2008-01-07 19:01	67,072	--a------	C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-07 07:45 . 2008-01-07 07:45	278,984	--a------	C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-07 07:45 . 2008-01-07 07:45	25,416	--a------	C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-07 07:08 . 2008-01-07 08:32 d--------	C:\Program Files\The Witcher
2008-01-01 02:37 . 2008-01-01 02:37 d--------	C:\Program Files\The Tournament Director 2
2008-01-01 00:45 . 2008-01-01 00:45 d--------	C:\Program Files\Common Files\Adobe
2007-12-29 01:44 . 2007-12-29 01:45 d--------	C:\Program Files\DivX
2007-12-25 21:18 . 2007-12-25 21:18 d--------	C:\Documents and Settings\BQfromNY\Application Data\dvdcss
2007-12-25 21:14 . 2007-12-25 21:14 d--------	C:\Documents and Settings\BQfromNY\Application Data\vlc
2007-12-25 21:13 . 2007-12-25 21:13 d--------	C:\Program Files\VideoLAN
2007-12-25 21:01 . 2007-12-25 21:01 d--------	C:\Program Files\Xvid
2007-12-25 21:01 . 2007-06-28 18:52	765,952	--a------	C:\WINDOWS\system32\xvidcore.dll
2007-12-25 21:01 . 2007-06-28 18:54	180,224	--a------	C:\WINDOWS\system32\xvidvfw.dll
2007-12-25 21:01 . 2007-06-28 18:55	77,824	--a------	C:\WINDOWS\system32\xvid.ax
2007-12-25 19:12 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-23 11:02 . 2007-12-23 11:02 d--------	C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\JumpStart
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\Common Files\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01	87	--a------	C:\WINDOWS\ka.ini
2007-12-17 10:55 . 2008-01-12 15:06 d--------	C:\Program Files\PokerOffice
2007-12-16 19:10 . 2007-12-16 19:10 d--------	C:\Program Files\Hasbro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 02:34	---------	d-----w	C:\Program Files\Steam
2008-01-12 23:06	---------	d-----w	C:\Program Files\PowerISO
2008-01-12 23:06	---------	d-----w	C:\Program Files\DAEMON Tools
2008-01-12 22:58	---------	d-----w	C:\Program Files\QuickTime
2008-01-12 22:57	---------	d-----w	C:\Program Files\Spyware Doctor
2008-01-08 08:19	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-08 08:03	74,240	----a-w	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-08 08:03	56,832	----a-w	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-07 16:31	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-06 20:36	---------	d-----w	C:\Program Files\PokerStars
2007-12-02 05:44	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-30 02:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-23 14:21	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-11-21 02:02	---------	d-----w	C:\Documents and Settings\Catoria\Application Data\ATI
2007-11-21 00:14	---------	d-----w	C:\Documents and Settings\Jr\Application Data\ATI
2007-11-20 18:11	---------	d-----w	C:\Program Files\Futuremark
2007-11-19 04:10	---------	d-----w	C:\Documents and Settings\Mary Ellen\Application Data\ATI
2007-11-19 04:07	---------	d-----w	C:\Program Files\Creative
2007-11-19 04:06	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\Creative
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\ATI
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ATI
2007-11-19 03:48	---------	d-----w	C:\Program Files\ATI Technologies
2007-11-19 03:47	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-19 01:40	---------	d--h--r	C:\Documents and Settings\Mary Ellen\Application Data\SecuROM
2007-11-18 19:20	---------	d-----w	C:\Program Files\Aspyr
2007-11-17 21:31	---------	d--h--r	C:\Documents and Settings\BQfromNY\Application Data\SecuROM
2007-11-17 21:13	---------	d-----w	C:\Program Files\Electronic Arts
2007-11-17 02:45	0	---ha-w	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-17 02:45	0	---ha-w	C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
.

----a-w         5,367,608 2008-01-12 19:24:00  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-12_15.09.51.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 22:47:16	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 02:31:08	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 02:31:08	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 22:47:17	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 02:31:08	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 02:31:08	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 22:47:17	4,870,144	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 02:31:08	4,870,144	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 02:31:09	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-12 20:02:45	503,808	----a-w	C:\WINDOWS\system32\lexpps.exe
+ 2008-01-12 23:06:50	174,592	----a-w	C:\WINDOWS\system32\LEXPPS.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-12 14:40 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-12 14:40 171464]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-12 14:40 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [2008-01-12 14:39 475136]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-12 14:39 200704]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-12 14:39 31016]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-12 14:39 90112]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NMTI Agent"="C:\WINDOWS\system32\28463\NMTI.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 14:39 39792]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted	1704

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c087de1d-b1f9-11dc-afa9-001a700fa44b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?code=3654335592357576

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 18:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 18:34:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\PokerOffice\bin\pshimp.Dll
.
Completion time: 2008-01-12 18:36:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 02:36:47
ComboFix2.txt 2008-01-12 23:10:06
.
2008-01-10 11:03:15	--- E O F --- 
----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:41 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.techguy.org/malware-removal-hijackthis-logs/670135-help-ardamax-keylogger.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NMTI Agent] C:\WINDOWS\system32\28463\NMTI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6307 bytes


----------



## BQfromNY (Jan 10, 2008)

OK... Spy Sweeper is still not able to load, and "Steam" is still loading at boot.

"ESC Spyware cleaner" is no longer loading on boot, and I can now go back to an earlier restore point if I choose to.

As for the keylogger... am I safe? Can I resume activities as normal?

Thxs!


----------



## Cookiegal (Aug 27, 2003)

Please wait until all is clear.

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders*, *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please (note the space in the file name):

http://virusscan.jotti.org/

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe

Open Notepad and copy and paste the text in the quote box below into it:



> Registry::
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "NMTI Agent"=-
> [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
> "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
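The helper's instructions above turn on two things a reader can check for themselves in a HijackThis log: the executable name with a space wedged in front of the extension ("note the space in the file name"), and the NMTI Agent autostart sitting in a numeric folder under system32. The script below is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses O4 (Run key) and O20 (Winlogon Notify) lines in HijackThis format and flags those indicators, plus a Winlogon Notify DLL reported as "(file missing)". The sample lines are constructed from entries posted in this thread, and the function names and heuristics are my own.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis format, modelled on lines posted in this
# thread (a handful of entries, not the full log).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NMTI Agent] C:\WINDOWS\system32\28463\NMTI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O20 - Winlogon Notify: ssqnnnl - ssqnnnl.dll (file missing)
"""

# O4 = Run-key autostarts, O20 = Winlogon Notify packages (HijackThis section codes).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")

# Indicators (my own heuristics, not HijackThis logic):
#   "qttask .exe"             -> whitespace in front of the extension
#   "system32\28463\NMTI.exe" -> executable parked in a numeric folder under system32
SPACE_BEFORE_EXT = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")
NUMERIC_SYSTEM32_DIR = re.compile(r"\\system32\\\d+\\", re.IGNORECASE)


def executable_path(cmd: str) -> str:
    """Pull the program path out of an O4 command string."""
    # HijackThis appends "(User 'X')" for HKUS entries; it is not part of the command.
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd)
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted command: cut at the first argument that starts with - or /.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0].strip()


def reasons_for_path(path: str) -> List[str]:
    """List every indicator the path trips (empty list means nothing flagged)."""
    reasons: List[str] = []
    if SPACE_BEFORE_EXT.search(path):
        reasons.append("space before extension")
    if NUMERIC_SYSTEM32_DIR.search(path):
        reasons.append("numeric folder under system32")
    return reasons


def analyse_hijackthis(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per O4/O20 line that trips an indicator, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            reasons = reasons_for_path(path)
            if reasons:
                findings.append({"entry": "O4", "name": m.group("name"),
                                 "path": path, "reasons": reasons})
            continue
        m = O20_RE.match(line)
        if m and "(file missing)" in m.group("dll"):
            findings.append({"entry": "O20", "name": m.group("name"),
                             "path": m.group("dll").replace(" (file missing)", ""),
                             "reasons": ["Winlogon Notify DLL missing on disk"]})
    return findings


if __name__ == "__main__":
    for f in analyse_hijackthis(SAMPLE_LOG):
        print(f"{f['entry']:<4}{f['name']:<28}{f['path']}  <- {', '.join(f['reasons'])}")
```

Run against the sample it reports the QuickTime Task, NMTI Agent and ssqnnnl lines and stays quiet on the Adobe and ctfmon entries. The heuristics are deliberately narrow: a hit means "look at this entry", not "this is malware", and a clean result says nothing about entries the script does not understand (the O16/O23 sections, for instance).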


----------



## BQfromNY (Jan 10, 2008)

ComboFix 08-01-11.3 - BQfromNY 2008-01-12 22:30:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1594 [GMT -8:00]
Running from: C:\Documents and Settings\BQfromNY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BQfromNY\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 14:33 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-11 15:08 . 2008-01-11 15:08 d--------	C:\Documents and Settings\Catoria\Application Data\Webroot
2008-01-09 21:48 . 2008-01-09 21:48 d--------	C:\Program Files\Trend Micro
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Program Files\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\BQfromNY\Application Data\Webroot
2008-01-08 00:21 . 2008-01-08 00:21 d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-08 00:21 . 2007-10-01 16:40	1,526,072	--a------	C:\WINDOWS\WRSetup.dll
2008-01-08 00:21 . 2007-10-01 16:24	163,640	--a------	C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-08 00:21 . 2007-10-01 16:24	23,864	--a------	C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-08 00:21 . 2007-10-01 16:24	21,816	--a------	C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-08 00:21 . 2007-10-01 16:24	20,280	--a------	C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-08 00:20 . 2008-01-08 00:20	164	--a------	C:\install.dat
2008-01-07 22:19 . 2008-01-07 22:20 d--------	C:\Program Files\Advanced Spyware Remover Pro
2008-01-07 22:19 . 2008-01-07 22:19	10,046	--a------	C:\WINDOWS\system32\mspriv32.dll
2008-01-07 19:01 . 2008-01-07 19:01	67,072	--a------	C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-07 07:45 . 2008-01-07 07:45	278,984	--a------	C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-07 07:45 . 2008-01-07 07:45	25,416	--a------	C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-07 07:08 . 2008-01-07 08:32 d--------	C:\Program Files\The Witcher
2008-01-01 02:37 . 2008-01-01 02:37 d--------	C:\Program Files\The Tournament Director 2
2008-01-01 00:45 . 2008-01-01 00:45 d--------	C:\Program Files\Common Files\Adobe
2007-12-29 01:44 . 2007-12-29 01:45 d--------	C:\Program Files\DivX
2007-12-25 21:18 . 2007-12-25 21:18 d--------	C:\Documents and Settings\BQfromNY\Application Data\dvdcss
2007-12-25 21:14 . 2007-12-25 21:14 d--------	C:\Documents and Settings\BQfromNY\Application Data\vlc
2007-12-25 21:13 . 2007-12-25 21:13 d--------	C:\Program Files\VideoLAN
2007-12-25 21:01 . 2007-12-25 21:01 d--------	C:\Program Files\Xvid
2007-12-25 21:01 . 2007-06-28 18:52	765,952	--a------	C:\WINDOWS\system32\xvidcore.dll
2007-12-25 21:01 . 2007-06-28 18:54	180,224	--a------	C:\WINDOWS\system32\xvidvfw.dll
2007-12-25 21:01 . 2007-06-28 18:55	77,824	--a------	C:\WINDOWS\system32\xvid.ax
2007-12-25 19:12 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-23 11:02 . 2007-12-23 11:02 d--------	C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\JumpStart
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\Common Files\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01	87	--a------	C:\WINDOWS\ka.ini
2007-12-17 10:55 . 2008-01-12 15:06 d--------	C:\Program Files\PokerOffice
2007-12-16 19:10 . 2007-12-16 19:10 d--------	C:\Program Files\Hasbro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 02:53	---------	d-----w	C:\Program Files\Steam
2008-01-12 23:06	174,592	----a-w	C:\WINDOWS\system32\LEXPPS.EXE
2008-01-12 23:06	---------	d-----w	C:\Program Files\PowerISO
2008-01-12 23:06	---------	d-----w	C:\Program Files\DAEMON Tools
2008-01-12 22:58	---------	d-----w	C:\Program Files\QuickTime
2008-01-12 22:57	---------	d-----w	C:\Program Files\Spyware Doctor
2008-01-08 08:19	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-08 08:03	74,240	----a-w	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-08 08:03	56,832	----a-w	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-07 16:31	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-06 20:36	---------	d-----w	C:\Program Files\PokerStars
2007-12-02 05:44	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-02 05:44	103,736	----a-w	C:\WINDOWS\system32\PnkBstrB.exe
2007-11-30 02:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-29 22:30	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2007-11-23 14:21	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-11-22 20:09	26,662,841	----a-w	C:\WINDOWS\system32\Steelers_Super_Bowl_XL_62966.scr
2007-11-21 02:02	---------	d-----w	C:\Documents and Settings\Catoria\Application Data\ATI
2007-11-21 00:14	---------	d-----w	C:\Documents and Settings\Jr\Application Data\ATI
2007-11-20 18:11	---------	d-----w	C:\Program Files\Futuremark
2007-11-19 04:10	---------	d-----w	C:\Documents and Settings\Mary Ellen\Application Data\ATI
2007-11-19 04:07	---------	d-----w	C:\Program Files\Creative
2007-11-19 04:06	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\Creative
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\ATI
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ATI
2007-11-19 03:48	---------	d-----w	C:\Program Files\ATI Technologies
2007-11-19 03:47	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-19 01:40	---------	d--h--r	C:\Documents and Settings\Mary Ellen\Application Data\SecuROM
2007-11-18 19:20	---------	d-----w	C:\Program Files\Aspyr
2007-11-17 21:38	66,872	----a-w	C:\WINDOWS\system32\PnkBstrA.exe
2007-11-17 21:31	107,888	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2007-11-17 21:31	---------	d--h--r	C:\Documents and Settings\BQfromNY\Application Data\SecuROM
2007-11-17 21:13	---------	d-----w	C:\Program Files\Electronic Arts
2007-11-17 02:45	0	---ha-w	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-17 02:45	0	---ha-w	C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26	721,920	------w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	------w	C:\WINDOWS\system32\quartz.dll
2007-10-28 02:00	409,600	----a-w	C:\WINDOWS\system32\wrap_oal.dll
2007-10-28 02:00	114,688	----a-w	C:\WINDOWS\system32\OpenAL32.dll
2007-10-28 01:40	222,720	------w	C:\WINDOWS\system32\wmasf.dll
.

----a-w         5,367,608 2008-01-12 19:24:00  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-12_15.09.51.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 22:47:16	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 06:29:59	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 06:29:59	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 22:47:17	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 06:29:59	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 06:29:59	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 22:47:17	4,870,144	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 06:29:59	4,870,144	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 06:30:00	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-12 14:40 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-12 14:40 171464]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-12 14:40 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [2008-01-12 14:39 475136]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-12 14:39 200704]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-12 14:39 31016]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-12 14:39 90112]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 14:39 39792]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted	1704

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c087de1d-b1f9-11dc-afa9-001a700fa44b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?code=3654335592357576

*Newly Created Service* - WUDFPF 
*Newly Created Service* - WUDFSVC 
.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 18:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 22:31:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\PokerOffice\bin\pshimp.Dll
.
Completion time: 2008-01-12 22:31:58
ComboFix-quarantined-files.txt 2008-01-13 06:31:56
ComboFix2.txt 2008-01-13 02:36:51
ComboFix3.txt 2008-01-12 23:10:06
.
2008-01-10 11:03:15	--- E O F ---

--------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:18 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6208 bytes


----------



## Cookiegal (Aug 27, 2003)

Download *RenV.exe* to your Desktop.

Double-Click on *RenV.exe*.

It shall produce a log; please post the log in your next reply.


----------



## Cookiegal (Aug 27, 2003)

I'm also attaching a LookSecurityProviders.zip file to this post. Save it to your desktop. Unzip it and double-click the Look SecurityProviders.bat file and allow it to run. It will automatically open up a report in Notepad. Please copy and paste the entire contents of that report here.


----------



## BQfromNY (Jan 10, 2008)

```
Ran on Sun 01/13/2008 - 18:56:48.45

----a-w         5,367,608 2008-01-12 19:24:00  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe

 Entries:                1  (1)
 Directories:            0  Files:             1
 Bytes:          5,367,608  Blocks:       10,484
```
-----------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"Trusted"="1704"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\NULL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\Triple DES 168/168]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\SHA]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest]
"Lifetime"=dword:00008ca0
"Negotiate"=dword:00000000
"UTF8HTTP"=dword:00000001
"UTF8SASL"=dword:00000001

---------------

Please note: Everything appears to be working fine, and I have gotten Spy Sweeper to work, BUT it will not load on startup like I want it to. Also, it should be noted that I found some "issues" through Spy Sweeper during my last scan. And, if you could, PLEASE tell me if it's secure for me to log onto sites using my name and password. I have some (i.e. poker sites) that are sensitive with real cash. I feel as if the keylogger is gone, but I want to be sure before I start using my name/pass. And, once again, THANK YOU SOOO MUCH!! You have been a God send!

BQ


----------



## Cookiegal (Aug 27, 2003)

*Copy the entire contents of the Code Box* below to *Notepad*.
Name the file *Log.txt* (overwrite the existing one).
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*.


```
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
```

Referring to the picture above, drag Log.txt into RenV.exe and post back the resulting report.

*Click here* to download Silent Runners.
Save (do not choose open) it to the desktop.
Run SilentRunners by double clicking the "SilentRunners" icon on your desktop.
You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE: If you receive any warning message about scripts, please choose to allow the script to run.*

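As an added illustration (not part of the original thread, and not code from RenV, HijackThis or Silent Runners), the following Python check scans log lines in the formats posted in this thread for the two traces the rename trick leaves behind: an executable whose file name carries whitespace before its extension (`qttask .exe`, `YahooMessenger .exe`, `SpySweeperUI .exe`), and a launch point whose legitimate target is reported as `[file not found]`. The sample lines are constructed to mirror the reports above, not copied from any one of them.

```python
import re
from typing import List, NamedTuple

# Windows path ending in an executable-style extension; the optional
# whitespace before the dot is what lets "qttask .exe" match as one path.
WIN_PATH = re.compile(
    r'[A-Za-z]:\\[^"\r\n]*?\s*\.(?:exe|dll|com|scr|sys)\b', re.IGNORECASE)

# File name whose extension is preceded by one or more whitespace characters.
SPACED_EXT = re.compile(r'\S\s+\.[A-Za-z0-9]+$')

# Constructed sample lines modelled on the HijackThis (O4), Silent Runners
# and RenV output in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet',
    r'O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray',
    r'"SpySweeper" = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray" [file not found]',
    r'----a-w         5,367,608 2008-01-12 19:24:00  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe',
    r'C:\WINDOWS\system32\LEXPPS .EXE',
]


class Finding(NamedTuple):
    kind: str        # "space-before-extension" or "launch-point-file-missing"
    path: str        # the path as it appears in the log
    normalized: str  # the same path with the whitespace before the extension removed
    line: str        # the log line that produced the finding


def extract_paths(line: str) -> List[str]:
    """Return every drive-letter path with an executable extension found in a line."""
    return [m.group(0) for m in WIN_PATH.finditer(line)]


def normalize(path: str) -> str:
    """Strip whitespace that sits between the file name and its extension.

    The result is the name of the legitimate program that a spaced copy
    shadows, which is what you would compare against the process list.
    """
    return re.sub(r'\s+(\.[A-Za-z0-9]+)$', r'\1', path)


def scan_lines(lines: List[str]) -> List[Finding]:
    """Flag spaced executable names and launch points whose target is missing."""
    findings: List[Finding] = []
    for line in lines:
        paths = extract_paths(line)
        for path in paths:
            base = path.rsplit('\\', 1)[-1]
            if SPACED_EXT.search(base):
                findings.append(Finding("space-before-extension", path,
                                        normalize(path), line))
        # Silent Runners marks a Run entry whose file no longer exists; on
        # this machine that is the legitimate SpySweeperUI.exe, which the
        # renamed copy "SpySweeperUI .exe" replaced.
        if "[file not found]" in line:
            for path in paths:
                findings.append(Finding("launch-point-file-missing", path,
                                        normalize(path), line))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"{f.kind:28} {f.path}  (expected name: {f.normalized})")
```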

----------



## BQfromNY (Jan 10, 2008)

```
Ran on Sun 01/13/2008 - 20:39:40.35

----a-w         5,367,608 2008-01-12 19:24:00  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe

 Entries:                1  (1)
 Directories:            0  Files:             1
 Bytes:          5,367,608  Blocks:       10,484
```
-------------

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet" ["Yahoo! Inc."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"POEngine" = ""C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice" [null data]
"PWRISOVM.EXE" = ""C:\Program Files\PowerISO\PWRISOVM.EXE"" ["PowerISO Computing, Inc."]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" [null data]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask .exe" -atboottime" ["Apple Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"SpySweeper" = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\BQfromNY\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"wrSpySweeper_LAFF49490DEE34F6A9D6C573FE7D5C3D7" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe /ScheduleSweep=wrSpySweeper_LAFF49490DEE34F6A9D6C573FE7D5C3D7" ["Webroot Software, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]

{3AD14F0C-ED16-4E43-B6D8-661B03F6A1EF}\
"ButtonText" = "PokerStars"
"Exec" = "C:\Program Files\PokerStars\PokerStarsUpdate.exe" ["PokerStars"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

---------- (launch time: 2008-01-13 20:42:01)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 180 seconds, including 12 seconds for message boxes)


----------



## BQfromNY (Jan 10, 2008)

Update:

Spysweeper keeps catching the following two things trying to install themselves:

Rundll32.exe and pmkhg.dll


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group click *SELECT ALL*.
In the *Additional Scans* section please select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that Notepad file, but first click on the "Format" menu and make sure that "Word Wrap" is not checked. If it is, click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## BQfromNY (Jan 10, 2008)

The file was MUCH too long to post, so I uploaded it to yousendit.com so you can download it and view it. If that's not good for you, please suggest another way. Here is the link:

http://download.yousendit.com/4848D9252462025D

*NOTE*

1. I have been running Spysweeper the last few steps - I hope that it doesn't interfere w/ anything.

2. My system has been running slow - I THINK it's because the files, Rundll32.exe and pmkhg.dll, that I mentioned earlier try to install themselves and Spysweeper keeps blocking them, and thus there is a constant loop.

3. I deleted Steam so that's no longer an issue (I think).

4. Spysweeper is still not loading on startup despite it being checked to do so in its options.

5. Still am unsure if it's safe to go to sensitive sites - is the keylogger gone?

Thxs again!


----------



## BQfromNY (Jan 10, 2008)

Cookiegal said:


> Please post the resulting log here as an attachment.


Duh, didn't see that - 'tis done!


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixBQ.zip file. Save it to your desktop. Unzip the FixBQ.reg file, double-click it and allow it to be entered into the registry.

Go to *Start* - *Search* - *All Files and Folders* and under *More advanced search options*. 
Make sure there is a check by *Search System Folders* and *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Windows\System32\bkknawls.dll
C:\Windows\System32\cqbfpblu.exe
C:\Windows\System32\qneiidrr.dll

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - All]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> POEngine -> %ProgramFiles%\PokerOffice\POEngine.exe
YN -> QuickTime Task -> %ProgramFiles%\QuickTime\qttask       .exe
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger                         .exe
< Windows NT\\Load [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\load
YY -> C:\WINDOWS\system32\pmkhg.exe -> %System32%\pmkhg.exe
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {94E684AC-FC0D-453B-885A-BC20608B94FD} [HKLM] -> %System32%\pmkhg.dll [Reg Data - Value does not exist]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YY -> {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} -> %ProgramFiles%\PokerStars\PokerStarsUpdate.exe [ButtonText: PokerStars]
[Registry - Additional Scans - All]
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> PokerOffice -> PokerOffice (remove only)
[Files/Folders - Created Within 60 days]
NY -> ctfmon .exe -> %System32%\ctfmon .exe
NY -> evfjeybk.dll -> %System32%\evfjeybk.dll
NY -> ghkmp.ini -> %System32%\ghkmp.ini
NY -> ghkmp.ini2 -> %System32%\ghkmp.ini2
NY -> pmkhg.dll -> %System32%\pmkhg.dll
NY -> pmkhg.exe -> %System32%\pmkhg.exe
NY -> RCX1D.tmp -> %System32%\RCX1D.tmp
NY -> sgmivdut.dll -> %System32%\sgmivdut.dll
NY -> sgmivdut.dllbox -> %System32%\sgmivdut.dllbox
[Files/Folders - Modified Within 30 days]
NY -> DUMP54a7.tmp -> %SystemRoot%\DUMP54a7.tmp
NY -> evfjeybk.dll -> %System32%\evfjeybk.dll
NY -> ghkmp.ini -> %System32%\ghkmp.ini
NY -> ghkmp.ini2 -> %System32%\ghkmp.ini2
NY -> pmkhg.dll -> %System32%\pmkhg.dll
NY -> pmkhg.exe -> %System32%\pmkhg.exe
NY -> RCX1D.tmp -> %System32%\RCX1D.tmp
NY -> sgmivdut.dll -> %System32%\sgmivdut.dll
NY -> sgmivdut.dllbox -> %System32%\sgmivdut.dllbox
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:C980DA7D
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[File String Scan - All]
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:C980DA7D
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## BQfromNY (Jan 10, 2008)

Found some issues:

File: bkknawls.dll 
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 89a980725f9d7d4257c68f844f7be1b2 
Packers detected: Analyzing...
Bit9 reports: File not found

Scanner results 
Scan taken on 15 Jan 2008 04:44:50 (GMT) 
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen 
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Lop 
BitDefender Found Trojan.Vundo.DVC 
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Virtumonde.JUD 
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen 
VirusBuster Found nothing
VBA32 Found nothing

File: cqbfpblu.exe 
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: c921e90658afab157994ab90d2f561e9 
Packers detected: -
Bit9 reports: File not found

Scanner results 
Scan taken on 15 Jan 2008 05:06:05 (GMT) 
A-Squared Found Backdoor.Win32.Agent.czt 
AntiVir Found ADSPY/Agent.74304 
ArcaVir Found Trojan.Agent.Dbm 
Avast Found Win32:Agent-PCJ 
AVG Antivirus Found BackDoor.Agent.PTA 
BitDefender Found Trojan.Fotomoto.H 
ClamAV Found Trojan.Agent-10096 
CPsecure Found BackDoor.W32.Agent.czu 
Dr.Web Found Trojan.EzulaAd 
F-Prot Antivirus Found W32/Backdoor2.DK 
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.gwe 
Fortinet Found nothing
Ikarus Found Trojan.Agent.AGBD 
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.gwe 
NOD32 Found Win32/Adware.Ezula application 
Norman Virus Control Found W32/Virtumonde.JDS 
Panda Antivirus Found nothing
Rising Antivirus Found Backdoor.Win32.Agent.czt 
Sophos Antivirus Found Troj/Virtum-Gen 
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.Agent.dbm

File: qneiidrr.dll 
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 89a980725f9d7d4257c68f844f7be1b2 
Packers detected: -
Bit9 reports: File not found

Scanner results 
Scan taken on 15 Jan 2008 05:07:32 (GMT) 
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen 
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Lop 
BitDefender Found Trojan.Vundo.DVC 
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Virtumonde.JUD 
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen 
VirusBuster Found nothing
VBA32 Found nothing

----------

Explorer killed successfully
[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\POEngine deleted successfully.
C:\Program Files\PokerOffice\POEngine.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Yahoo! Pager deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\C:\WINDOWS\system32\pmkhg.exe not found.
C:\WINDOWS\SYSTEM32\pmkhg.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94E684AC-FC0D-453B-885A-BC20608B94FD} not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\pmkhg.dll
C:\WINDOWS\SYSTEM32\pmkhg.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\pmkhg.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} deleted successfully.
C:\Program Files\PokerStars\PokerStarsUpdate.exe moved successfully.
[Registry - Additional Scans - All]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PokerOffice deleted successfully.
[Files/Folders - Created Within 60 days]
C:\WINDOWS\SYSTEM32\ctfmon .exe moved successfully.
C:\WINDOWS\SYSTEM32\evfjeybk.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\evfjeybk.dll moved successfully.
C:\WINDOWS\SYSTEM32\ghkmp.ini moved successfully.
C:\WINDOWS\SYSTEM32\ghkmp.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\pmkhg.dll
C:\WINDOWS\SYSTEM32\pmkhg.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\pmkhg.dll scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\pmkhg.exe not found!
C:\WINDOWS\SYSTEM32\RCX1D.tmp moved successfully.
C:\WINDOWS\SYSTEM32\sgmivdut.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\sgmivdut.dll moved successfully.
C:\WINDOWS\SYSTEM32\sgmivdut.dllbox moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\DUMP54a7.tmp moved successfully.
File C:\WINDOWS\SYSTEM32\evfjeybk.dll not found!
File C:\WINDOWS\SYSTEM32\ghkmp.ini not found!
File C:\WINDOWS\SYSTEM32\ghkmp.ini2 not found!
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\pmkhg.dll
C:\WINDOWS\SYSTEM32\pmkhg.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\pmkhg.dll scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\pmkhg.exe not found!
File C:\WINDOWS\SYSTEM32\RCX1D.tmp not found!
File C:\WINDOWS\SYSTEM32\sgmivdut.dll not found!
File C:\WINDOWS\SYSTEM32\sgmivdut.dllbox not found!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C980DA7D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
[File String Scan - All]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:C980DA7D .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
[Empty Temp Folders]
C:\DOCUME~1\BQfromNY\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\BQfromNY\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 01/15/2008 00:13:04

----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:48 AM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\DAEMON Tools\daemon .exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhg.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5364 bytes


----------



## Cookiegal (Aug 27, 2003)

You should remove SpySweeper and reinstall it as the user interface file was damaged by the malware and cannot be repaired. Please hold off on doing that until we're finished though.

Please run a new scan with WinpFind3u as you did before and post that log.

Please remove the version of ComboFix that you currently have and redownload it:

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

WARNING: *IF you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## BQfromNY (Jan 10, 2008)

We have an issue that prevents me from doing what you instructed. After your last post, I removed Spysweeper and Yahoo Mail (no longer use it) and then rebooted. When I rebooted, I received the following error message:

"During a scan of files at system startup, potential errors in the system registry were found.
P-07-0100 irql sysver 0xff00024
NT_kernl error 1256
KMODE_EXCEPTION_NOT_HANDLED"

I then immediately had a pop-up (not sure if it's related). I then tried to do as instructed, but I couldn't, due to the fact that I couldn't access any of the folders on my desktop; when I click them, I get an hourglass that lasts just about 5 seconds and nothing. Upon further review, I went into My Documents, where I believe I should be able to access my desktop, and I found no such folder. However, I did find a desktop.ini.

Please advise... should I restore?

Thxs again!


----------



## Cookiegal (Aug 27, 2003)

Try this:

Open the Task Manager (Ctrl-Alt-Del), click on File and select "New Task (Run...)". Then in the dialog box type:

*explore.exe*

Does this give you your desktop back?


----------



## BQfromNY (Jan 10, 2008)

Says "Windows can not find 'explore.exe'..."


----------



## Cookiegal (Aug 27, 2003)

Sorry, my mistake (typo). Type:

*explorer.exe*


----------



## Cookiegal (Aug 27, 2003)

How are things here?


----------



## BQfromNY (Jan 10, 2008)

No - still an issue... and just so we are clear... my desktop is there, BUT, when I try to access a folder it won't allow me... an hourglass appears for a few seconds but it doesn't open. The desktop.ini is still in the My Documents folder as well.


----------



## BQfromNY (Jan 10, 2008)

*note* I also have two new icons that I did not put there; they are called "Windows Update" and "Help and Support"; they APPEAR to be Windows generated but I don't know.


----------



## Cookiegal (Aug 27, 2003)

This behaviour is part of the infection. Are you able to download a new copy of ComboFix and run it?


----------



## BQfromNY (Jan 10, 2008)

OK, I downloaded the new version of ComboFix and ran it. However, I forgot to disconnect from the Internet. Everything ran fine except for the fact that when it came time for the program to reboot my system it got hung up, so I rebooted for it. After it rebooted it gave me the following log.

Please note that I did not do your previous instructions. So, please advise as to what I should do next... run ComboFix again, this time disconnected from the Internet? Do your previous instructions? Or something new altogether?

This thing is much nastier than I would have ever figured... We have been working on it for quite some time; once again, I appreciate all your help.

I have attached the log.

BQ


----------



## BQfromNY (Jan 10, 2008)

New HijackThis log for ya

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:19 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4794 bytes


----------
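The two HijackThis logs above (1/15 and 1/16) show the three persistence tricks this infection relied on: a `win.ini` `load=` autostart (the `F3` line pointing at `pmkhg.exe`), look-alike binaries with a space before the extension (`ctfmon .exe` running next to the real `ctfmon.exe`), and a service whose binary is already gone (`MSControlService`, "file missing"). The triage script below is an added example, not part of the thread and not a HijackThis or Trend Micro tool; it parses a log in HijackThis 2.0.x format and flags exactly those patterns. The sample log embedded in it is constructed from lines posted in this thread, and the `Finding` class, the severity labels and the helper names are the example's own.

```python
"""Triage helper for HijackThis 2.0.x logs (added example, not a HijackThis feature).

Flags:
  * F3  win.ini load= autostart pointing at a dropped binary
  * O4  autorun targets, and running processes, whose name has whitespace
        before the extension ("ctfmon .exe" beside the real ctfmon.exe)
  * O23 services whose binary is missing or carries no publisher info
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis entry: "O4 - HKLM\..\Run: [name] path", "F3 - REG:win.ini: load=..."
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# A Windows path at the start of a line (the "Running processes:" section)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# Whitespace between a name and its extension: "ctfmon .exe", "YahooMessenger .exe"
SPACED_EXT = re.compile(r"\S\s+\.(?:exe|dll|com|scr|bat|cmd)\b", re.IGNORECASE)

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\WINDOWS\system32\ctfmon .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhg.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "review": verify hash/signature first
    line: str
    reason: str


def has_spaced_extension(text: str) -> bool:
    """True for 'name .exe' style look-alike file names."""
    return SPACED_EXT.search(text) is not None


def _twin_key(path: str) -> str:
    """Normalise a process path so 'ctfmon .exe' and 'ctfmon.exe' collide."""
    return re.sub(r"\s+", "", path).lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    processes: list[str] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            if DRIVE_PATH.match(line):
                processes.append(line)
            continue
        kind, body = m.groups()

        if kind == "F3" and "load=" in body.lower():
            if body.split("=", 1)[1].strip():
                findings.append(Finding("high", line,
                    "win.ini load= autostart: legacy hook almost never used by legitimate software"))
        elif kind == "O4" and has_spaced_extension(body):
            findings.append(Finding("high", line,
                "autorun target has whitespace before its extension: look-alike of a legitimate binary"))
        elif kind == "O23":
            if "(file missing)" in body:
                findings.append(Finding("high", line,
                    "service registered but its binary is gone: dropper leftover, delete the service"))
            elif "Unknown owner" in body:
                findings.append(Finding("review", line,
                    "service binary carries no publisher information: check its hash and signature"))

    # Group running processes by whitespace-stripped, case-folded path, so a
    # look-alike can be reported next to the legitimate binary it imitates.
    by_key: dict[str, set[str]] = {}
    for p in processes:
        by_key.setdefault(_twin_key(p), set()).add(p)
    for p in processes:
        if has_spaced_extension(p):
            twins = sorted(q for q in by_key[_twin_key(p)] if q != p)
            note = f" (look-alike of {', '.join(twins)})" if twins else ""
            findings.append(Finding("high", p,
                "running process has whitespace before its extension" + note))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

The "Unknown owner" rule is deliberately only a review item: HijackThis prints it for any service binary without version information, and the PnkBstrA (PunkBuster) entry in these logs is a legitimate example, so that line needs a hash or signature check rather than deletion. The whitespace rule is the one worth keeping in any triage checklist; it is what let `ctfmon .exe` and `GrooveMonitor .exe` sit unnoticed in the process list at the top of this thread.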



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove Programs and, if it is there, remove this rogue program:

*Advanced Spyware Remover Pro*

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\cqbfpblu.exe

Folder::
C:\Program Files\Advanced Spyware Remover Pro

Driver::
MSControlService

RenV::
C:\Documents and Settings\BQfromNY\Desktop\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\ctfmon .exe
C:\Program Files\PokerOffice\POEngine .exe
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## Cookiegal (Aug 27, 2003)

You don't have any anti-virus program running so you need to get one immediately. Please go to the following link and download AVG Free (click on the orange download button at the bottom of the third column):

http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0


----------



## BQfromNY (Jan 10, 2008)

I removed the rogue program and downloaded the anti-virus program as directed. Here are the logs you asked for:

ComboFix 08-01-17.3 - BQfromNY 2008-01-17 21:40:13.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1644 [GMT -8:00]
Running from: C:\Documents and Settings\BQfromNY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BQfromNY\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\WINDOWS\system32\cqbfpblu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Advanced Spyware Remover Pro
C:\Program Files\Advanced Spyware Remover Pro\Common.ini
C:\WINDOWS\system32\cqbfpblu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-12 14:33 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-09 21:48 . 2008-01-09 21:48 d--------	C:\Program Files\Trend Micro
2008-01-08 00:20 . 2008-01-08 00:20	164	--a------	C:\install.dat
2008-01-07 22:19 . 2008-01-07 22:19	10,046	--a------	C:\WINDOWS\system32\mspriv32.dll
2008-01-07 19:01 . 2008-01-07 19:01	67,072	--a------	C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-07 07:45 . 2008-01-07 07:45	278,984	--a------	C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-07 07:45 . 2008-01-07 07:45	25,416	--a------	C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-07 07:08 . 2008-01-07 08:32 d--------	C:\Program Files\The Witcher
2008-01-01 02:37 . 2008-01-01 02:37 d--------	C:\Program Files\The Tournament Director 2
2008-01-01 00:45 . 2008-01-01 00:45 d--------	C:\Program Files\Common Files\Adobe
2007-12-29 01:44 . 2007-12-29 01:45 d--------	C:\Program Files\DivX
2007-12-25 21:18 . 2007-12-25 21:18 d--------	C:\Documents and Settings\BQfromNY\Application Data\dvdcss
2007-12-25 21:14 . 2007-12-25 21:14 d--------	C:\Documents and Settings\BQfromNY\Application Data\vlc
2007-12-25 21:13 . 2007-12-25 21:13 d--------	C:\Program Files\VideoLAN
2007-12-25 21:01 . 2007-12-25 21:01 d--------	C:\Program Files\Xvid
2007-12-25 21:01 . 2007-06-28 18:52	765,952	--a------	C:\WINDOWS\system32\xvidcore.dll
2007-12-25 21:01 . 2007-06-28 18:54	180,224	--a------	C:\WINDOWS\system32\xvidvfw.dll
2007-12-25 21:01 . 2007-06-28 18:55	77,824	--a------	C:\WINDOWS\system32\xvid.ax
2007-12-25 19:12 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-23 11:02 . 2007-12-23 11:02 d--------	C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\JumpStart
2007-12-23 11:01 . 2007-12-23 11:01 d--------	C:\Program Files\Common Files\Knowledge Adventure
2007-12-23 11:01 . 2007-12-23 11:01	87	--a------	C:\WINDOWS\ka.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 05:40	---------	d-----w	C:\Program Files\PokerOffice
2008-01-17 06:38	---------	d-----w	C:\Program Files\DAEMON Tools
2008-01-14 15:39	---------	d-----w	C:\Program Files\PowerISO
2008-01-12 22:58	---------	d-----w	C:\Program Files\QuickTime
2008-01-08 08:19	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-07 16:31	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-06 20:36	---------	d-----w	C:\Program Files\PokerStars
2007-12-17 03:10	---------	d-----w	C:\Program Files\Hasbro
2007-12-02 05:44	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-30 02:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-23 14:21	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-23 14:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-11-21 02:02	---------	d-----w	C:\Documents and Settings\Catoria\Application Data\ATI
2007-11-21 00:14	---------	d-----w	C:\Documents and Settings\Jr\Application Data\ATI
2007-11-20 18:11	---------	d-----w	C:\Program Files\Futuremark
2007-11-19 04:10	---------	d-----w	C:\Documents and Settings\Mary Ellen\Application Data\ATI
2007-11-19 04:07	---------	d-----w	C:\Program Files\Creative
2007-11-19 04:06	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\Creative
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\BQfromNY\Application Data\ATI
2007-11-19 03:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ATI
2007-11-19 03:48	---------	d-----w	C:\Program Files\ATI Technologies
2007-11-19 03:47	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-19 01:40	---------	d--h--r	C:\Documents and Settings\Mary Ellen\Application Data\SecuROM
2007-11-18 19:20	---------	d-----w	C:\Program Files\Aspyr
.

((((((((((((((((((((((((((((( [email protected]_15.09.51.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 22:47:16	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 05:39:58	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 05:39:58	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 22:47:17	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 05:39:59	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 05:39:59	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 22:47:17	4,870,144	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-18 05:39:59	4,870,144	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 22:47:17	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 05:39:59	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-16 21:10 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-16 21:10 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-16 16:31 31016]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-16 21:10 90112]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-16 21:10 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted	1704

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c087de1d-b1f9-11dc-afa9-001a700fa44b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?code=3654335592357576

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 18:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 21:46:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 21:48:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 05:48:12
ComboFix2.txt 2008-01-17 06:41:27
ComboFix3.txt 2008-01-13 06:31:59
ComboFix4.txt 2008-01-13 02:36:51
ComboFix5.txt 2008-01-12 23:10:06
.
2008-01-10 11:03:15	--- E O F --- 
---------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:26 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4722 bytes
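
As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python parser for the O4 (registry Run) and O23 (service) lines in the logs above. It diffs two logs so that entries that appeared between scans stand out, and it flags Run values that name a bare executable with no directory, which a triager has to resolve by hand (ComboFix did that for CTHELPER.EXE in the log above). The two excerpts are constructed from lines posted in this thread; the regular expressions are an assumption about the log format based on those lines, not an official HijackThis grammar.

```python
"""Parse HijackThis O4/O23 lines and diff two logs (added example, constructed input)."""
import re

# O4 - <hive>\..\Run: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O23 - Service: <display name> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# The program part of a Run value: a quoted path, else the first token.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')

# Constructed excerpt of the 2008-01-17 log (before AVG was installed).
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed excerpt of the 2008-01-18 log (after AVG was installed).
NEW_LOG = OLD_LOG + r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


def executable_of(cmd):
    """Strip arguments from a Run value and return just the program."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return ""
    return m.group(1) or m.group(2)


def parse_hjt(text):
    """Return a list of dicts for every O4 and O23 line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "scope": m.group("hive"),
                            "name": m.group("name"),
                            "exe": executable_of(m.group("cmd")), "raw": line})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "scope": "service",
                            "name": m.group("name"),
                            "exe": m.group("path").strip(), "raw": line})
    return entries


def entry_key(e):
    # Paths are compared case-insensitively, as the Windows file system does.
    return (e["kind"], e["scope"], e["name"], e["exe"].lower())


def diff_autoruns(old_text, new_text):
    """Return (added, removed) entries between two logs of the same machine."""
    old = {entry_key(e): e for e in parse_hjt(old_text)}
    new = {entry_key(e): e for e in parse_hjt(new_text)}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    return added, removed


def bare_name_entries(text):
    """Run values with no directory are resolved through the search path at
    logon, so the log alone does not say which file runs; list them for review."""
    return [e for e in parse_hjt(text) if e["kind"] == "O4" and "\\" not in e["exe"]]


if __name__ == "__main__":
    added, removed = diff_autoruns(OLD_LOG, NEW_LOG)
    for e in added:
        print("ADDED  ", e["raw"])
    for e in removed:
        print("REMOVED", e["raw"])
    for e in bare_name_entries(NEW_LOG):
        print("VERIFY ", e["raw"])
```

Run it on two full logs saved from the same machine and read the ADDED lines first; everything that is unchanged between scans has already been looked at once.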


----------



## BQfromNY (Jan 10, 2008)

I have a question... believe it or not, I have never run anti-virus programs before; at least not for a long period of time. After a threat is found in the program you suggested, what should I do with it? Remove it?


----------



## Cookiegal (Aug 27, 2003)

If a threat is found, it will either be deleted or quarantined. If given the option, quarantine is the better route in case of a false positive; then you can restore the file.

Please install it and post a new HijackThis log so I can see it in the log. I don't understand why you would not have an anti-virus program, especially being involved in poker sites, which are known to be a great risk.


----------



## BQfromNY (Jan 10, 2008)

Cookiegal said:


> I don't understand why you would not have an anti-virus program, especially being involved in poker sites, which are known to be a great risk.


LOL, because as I stated in my first post, "I am an idiot"; lesson learned. I will have one running from here on.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:05 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5532 bytes


----------



## BQfromNY (Jan 10, 2008)

Is the keylogger gone? Is it OK if I log onto sensitive websites (e.g. poker sites with real $$) or subscription-based games (e.g. WoW)?


----------



## Cookiegal (Aug 27, 2003)

You had multiple infections on this computer and I cannot guarantee that it will ever be 100% clean. You would be well-advised to change passwords, account numbers for any financial transactions, etc. that you do on-line.

I'd like to do a few more scans as I'm sure they'll pick up some leftovers.

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the Kaspersky scan*

Also, download GMER from: http://gmer.net/index.php

Save it somewhere on your hard drive and unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## BQfromNY (Jan 10, 2008)

*Note:* AVG appeared to get in the way of the online virus scan so I had to shut it down (when the online scan was at about 90% complete). You didn't tell me that was needed so I hope I did the right thing.

The online scan detected 10 threats. You asked me to save the Kaspersky scan but it just allowed me to save it as a website - you can view the results here: C:\Documents and Settings\BQfromNY\Desktop\kasperskyresults.html

Here are the other logs you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:15 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ewnet.org/ubbthreads/ubbthreads.php?ubb=cfrm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193528617312
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5698 bytes

-------


----------



## Cookiegal (Aug 27, 2003)

Please upload the link to the Kaspersky scan. I can't access it like that.


----------



## Cookiegal (Aug 27, 2003)

Also, can you do a search on your computer for the following. First unhide files. Let me know if you find anything with this name, even if there are additional letters and any type of file extension.

*ahf0u5qq*

To unhide files:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search - All Files and Folders and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
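
The same sweep as a script, added here as an example and not part of the thread: it walks a directory tree and reports every file or folder whose name contains the token, case-insensitively and whatever the extension. It does not need the "unhide" steps above because `os.walk` lists hidden and system files regardless of the Explorer setting. The directory tree it sweeps is constructed inside the script so it runs anywhere; point `find_name_fragment` at a real drive root to use it.

```python
"""Sweep a directory tree for a file-name fragment (added example, constructed input)."""
import os
import tempfile

TOKEN = "ahf0u5qq"  # the name fragment asked for in the post above


def find_name_fragment(root, fragment):
    """Return relative paths of every file or directory under root whose name
    contains fragment, ignoring case.  Hidden files are included because
    os.walk reports directory entries regardless of their hidden attribute."""
    needle = fragment.lower()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if needle in name.lower():
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo():
    """Build a small constructed tree and sweep it; returns the matches."""
    with tempfile.TemporaryDirectory() as root:
        layout = [
            "WINDOWS/system32/ctfmon.exe",      # unrelated file, must not match
            "WINDOWS/system32/xAHF0U5QQ.dll",   # extra letters and different case
            "WINDOWS/Temp/ahf0u5qq",            # no extension at all
            "Documents/notes.txt",              # unrelated file
        ]
        for rel in layout:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        os.makedirs(os.path.join(root, "ahf0u5qq_dir"))  # a directory name counts too
        return find_name_fragment(root, TOKEN)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real machine, run it as an administrator against `C:\` so that the system and profile folders are readable; anything it prints is then checked against its on-disk properties (size, timestamps, publisher) before deciding what it is.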


----------



## BQfromNY (Jan 10, 2008)

Cookiegal said:


> Please upload the link to the Kaspersky scan. I can't access it like that.


How do I do that?



Cookiegal said:


> Also, can you do a search on your computer for the following. First unhide files. Let me know if you find anything with this name, even if there are additional letters and any type of file extension.
> 
> *ahf0u5qq*
> 
> ...


Nothing found


----------



## Cookiegal (Aug 27, 2003)

BQfromNY said:


> How do I do that?


The same way you did to attach the ComboFix log in post no. 30.


----------



## BQfromNY (Jan 10, 2008)

Cookiegal said:


> The same way you did to attach the ComboFix log in post no. 30.


It's saved as an HTML file and it won't let me upload that extension.


----------



## Cookiegal (Aug 27, 2003)

Zip it up then and attach it as a zip file.


----------



## BQfromNY (Jan 10, 2008)

duh


----------



## Cookiegal (Aug 27, 2003)

You have downloaded a keygen crack for Spyware Doctor and, it looks like, for other programs as well, and Kaspersky shows that you had a Virut infection, which is in System Restore. Virut injects malicious code into several parts of valid executable files and is not cleanable.

Therefore, the best advice I could give you at this point would be to stop your illegal activities, back up your important data, pictures, etc., then wipe and reformat the drive.

Do not back up any exe or scr files as these could very well be infected versions.


----------



## BQfromNY (Jan 10, 2008)

UGH!!! OK, I was afraid of that! Thanks for your help! Lesson learned.


----------



## BQfromNY (Jan 10, 2008)

Let me ask you this.... what risk am I running if I don't restore immediately? Is my security at risk? Is there a way to prevent it without reformatting?


----------



## Cookiegal (Aug 27, 2003)

Even if some of the malicious code is removed, many files are left corrupt.

Security wise, it opens a backdoor and communicates with a third party so you are at risk of having sensitive information stolen from your computer.

I would change all passwords, account numbers, etc. and wipe and reload windows. It's the only way to ensure complete eradication.


----------

