Help! I have no idea what this is! [RESOLVED]

Dec 22 2007, 07:25 PM, Post #1
Member, Posts: 16, OS: Windows XP
My computer has been infected with something today and I have no idea what it is. About every two minutes my computer seems to be automatically copying files of some sort on its own, like the little rectangular box that comes up and says "Copying...." with the picture of two folders that shows up when you copy a folder of documents. I am basically frantically clicking cancel every time it comes up because I have no idea what it is copying or doing. Additionally, there is a box that pops up about every 5 minutes that says "Warning! Potential Spyware Operation!" that I have to keep clicking no to not download the "remover" that it wants me to download. Also there is a spontaneous blank pop-up that never actually loads and seems to be correlated with the copying action. ALSO, my control panel/task bar has been disabled. Please HELP!!!! I have no idea what to do

Dec 22 2007, 09:50 PM, Post #2
GeekU Teacher, Posts: 13,397, From: Florida, OS: Windows XP, Vista Business
Hello npc5
Welcome to G2Go.
=================
* Click here to download HJTsetup.exe

Dec 22 2007, 10:29 PM, Post #3
Member, Posts: 16, OS: Windows XP
The virus is preventing me from running the Hijack program....what now?

Dec 22 2007, 10:37 PM, Post #4
GeekU Teacher, Posts: 13,397, From: Florida, OS: Windows XP, Vista Business
Right click on the hijackthis icon and click on Rename.
Name it to kahdah.exe then try to run it again.

Dec 22 2007, 11:37 PM, Post #5
Member, Posts: 16, OS: Windows XP
It still doesn't work

Dec 22 2007, 11:39 PM, Post #6
GeekU Teacher, Posts: 13,397, From: Florida, OS: Windows XP, Vista Business
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

Dec 22 2007, 11:59 PM, Post #7
Member, Posts: 16, OS: Windows XP
Yay, it worked, here it is!

```
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [file not found]
"QdrModule9" = ""C:\Program Files\QdrModule\QdrModule9.exe"" [file not found]
"Sen" = ""C:\PROGRA~1\COMMON~1\SSTEM~1\regsvr32.exe" -vt ndrv" [file not found]
"Ewl" = ""C:\Documents and Settings\Nancyyy\My Documents\s*mbols\r*gsvr32.exe"" (unwritable string) [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"(Default)" = (empty string) [file not found]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"EPSON Stylus Photo R200 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"ctfmona" = "C:\WINDOWS\system32\ctfmona.exe" [file not found]
"WinPerfMon" = "C:\DOCUME~1\Nancyyy\LOCALS~1\Temp\bfbbfbff.exe" [file not found]
"mvavcnkt" = "regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mvavcnkt.dll"" [MS]
"(Default)" = (unknown data type)
"NvMainApp" = ""C:\Documents and Settings\All Users\Application Data\nvapp.exe"" [null data]
"Medichi" = "medichi.exe" [null data]
"Medichi2" = "medichi2.exe" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
                                        \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{ad349798-1dd1-11b2-85dc-c5adcade60cb}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\xurkdsze.dll" [file not found]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> {HKLM...CLSID} = "RecordNow! SendToExt"
                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow! Plus\shlext.dll" [null data]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
  -> {HKLM...CLSID} = "VersionShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [file not found]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "murka.dat" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> cryptnet32\DLLName = "cryptnet32.dll" [file not found]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoWindowsUpdate" = (REG_DWORD) dword:0x00000001 {Remove links and access to Windows Update}
"NoControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {Remove Task Manager}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\table_deco.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nancyyy\Application Data\Opera\Opera\profile\skin\table_deco.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Nancyyy" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NkbMonitor.exe" -> shortcut to: "C:\Program Files\Nikon\PictureProject\NkbMonitor.exe" ["Nikon Corporation"]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]


Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "Windows Live Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 4 domain names to IP addresses,
      4 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
NkPtpEnumP2, NkPtpEnumP2, ""C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll"" ["Nikon Corporation"]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
(launch time: 2007-12-22 15:48:17)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 122 seconds.

---------- (total run time: 177 seconds)
```

This post has been edited by npc5: Dec 23 2007, 12:02 AM
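To show how a helper reads a report like the one posted above, here is an added triage script (my own example, not the thread's or Silent Runners' code) that walks the report's own lines for what deserves a second look: `<<!>>` launch points whose file is missing or unsigned, autostart entries whose payload sits in Temp or Application Data, and the policy values that disabled Task Manager, regedit and Control Panel. The sample input is an excerpt of the posted log with its line breaks restored; the three severity levels and the user-writable-folder rule are my assumptions, not something the tool reports.

```python
import re
from collections import namedtuple

# Excerpt of the Silent Runners report posted in this thread (constructed
# sample: the tool's own lines, with the line breaks the forum flattened).
SAMPLE_REPORT = r'''
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sen" = ""C:\PROGRA~1\COMMON~1\SSTEM~1\regsvr32.exe" -vt ndrv" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"WinPerfMon" = "C:\DOCUME~1\Nancyyy\LOCALS~1\Temp\bfbbfbff.exe" [file not found]
"mvavcnkt" = "regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mvavcnkt.dll"" [MS]
"NvMainApp" = ""C:\Documents and Settings\All Users\Application Data\nvapp.exe"" [null data]
"Medichi" = "medichi.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "murka.dat" [file not found]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> cryptnet32\DLLName = "cryptnet32.dll" [file not found]
Group Policies {policy setting}:
--------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {Remove Task Manager}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {Prevent access to registry editing tools}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
'''

MISSING, UNSIGNED = "file not found", "null data"   # Silent Runners' own [tags]
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoControlPanel", "NoWindowsUpdate"}
# Autostart payloads launched from folders any user process can write to (my heuristic)
USER_WRITABLE_RE = re.compile(r"\\(Temp|Application Data|My Documents)\\", re.I)
TAG_RE = re.compile(r"\[([^\[\]]*)\]\s*$")
DWORD_RE = re.compile(r"dword:0x([0-9A-Fa-f]+)")
Finding = namedtuple("Finding", "severity key name reason")   # severity: my scale, not the tool's


def _split_entry(line):
    """Return (flagged, name, rest, tag) for a '<name> = <value> [tag]' line, else None."""
    flagged = line.startswith("<<!>>")
    body = line[len("<<!>>"):].strip() if flagged else line
    if " = " not in body:
        return None
    name, rest = body.split(" = ", 1)
    m = TAG_RE.search(rest)
    return flagged, name.strip().strip('"'), rest, (m.group(1) if m else "")


def triage(report):
    """Walk a Silent Runners report and return the entries worth a closer look."""
    findings, key, section = [], "", ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if line.startswith("HK"):            # a new registry key follows
            key = line.split(" {++}")[0]
            continue
        if line.endswith(":"):               # a new report section
            section = line
            continue
        parsed = _split_entry(line)
        if parsed is None:
            continue
        flagged, name, rest, tag = parsed
        if section.startswith("Group Policies"):
            m = DWORD_RE.search(rest)
            if name in LOCKDOWN_POLICIES and m and int(m.group(1), 16) != 0:
                findings.append(Finding("high", key, name, "policy disables a user recovery tool"))
            continue
        if flagged:
            # Silent Runners marks every entry at these launch points; only missing/unsigned files matter
            if tag in (MISSING, UNSIGNED):
                findings.append(Finding("high", key, name, f"flagged launch point whose file is [{tag}]"))
            continue
        if USER_WRITABLE_RE.search(rest):
            # the [tag] describes the host binary (regsvr32 is [MS]), not the payload it loads
            findings.append(Finding("high", key, name, "autostart payload in a user-writable folder"))
        elif tag == MISSING:
            findings.append(Finding("medium", key, name, "autostart points at a missing file"))
        elif tag == UNSIGNED:
            findings.append(Finding("low", key, name, "autostart file has no publisher information"))
    return findings


def summarize(findings):
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.severity:6} {f.name:22} {f.reason}")
```

On the excerpt this reports eight high findings (the Temp and Application Data launchers, the two missing Winlogon/AppInit files, and the three lockdown policies), one medium (the orphaned "Sen" entry) and one low ("Medichi", which has no publisher info).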

Dec 23 2007, 12:05 AM, Post #8
GeekU Teacher, Posts: 13,397, From: Florida, OS: Windows XP, Vista Business
Please download ComboFix from Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Dec 23 2007, 12:48 AM, Post #9
Member, Posts: 16, OS: Windows XP
ComboFix log:

```
ComboFix 07-12-21.4 - Nancyyy 2007-12-22 7:32:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -5:00]
Running from: C:\Documents and Settings\Nancyyy\Desktop\Kadhah.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Nancyyy\My Documents\SMBOLS~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\sstem~1\s?stem\
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\s_scc.dat
C:\Program Files\MyWebSearch\bar\Settings\s_scc.dat.bak
C:\Program Files\QdrPack
C:\Program Files\QdrPack\QdrPack10.exe
C:\Temp\abW9
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\63394.exe
C:\WINDOWS\system32\90665.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\rMa13yy
C:\WINDOWS\system32\wl.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_LANMANDRV
-------\LEGACY_NPF
-------\lanmandrv
-------\NPF

((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-22 17:23 . 2007-12-22 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-22 17:08 . 2007-12-22 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 15:36 . 2007-12-22 07:20 9,216 --a------ C:\WINDOWS\medichi2.exe
2007-12-22 15:36 . 2007-12-22 18:51 5,632 --a------ C:\WINDOWS\medichi.exe
2007-12-22 15:34 . 2007-12-22 15:34 53,248 --a------ C:\WINDOWS\system32\dllcache\beep.sys
2007-12-22 14:21 . 2007-12-22 14:21 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-12-22 03:44 . 2007-12-22 03:44 <DIR> d-------- C:\Program Files\Tweak Manager
2007-12-21 21:17 . 2007-12-22 16:10 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-18 11:18 . 2007-12-18 11:18 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-18 11:17 . 2007-12-22 00:08 <DIR> d-------- C:\Program Files\Funny Bubbles DEMO
2007-12-17 11:14 . 2007-12-17 11:14 6,144 --ahs---- C:\WINDOWS\system32\access.ctl
2007-12-15 23:18 . 2007-12-22 00:11 <DIR> d-------- C:\Program Files\Unity
2007-12-15 16:58 . 2007-12-15 16:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-15 16:58 . 2007-12-15 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-15 16:57 . 2007-12-15 16:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 00:08 . 2007-12-14 00:14 <DIR> d-------- C:\Program Files\Snood
2007-12-03 11:30 . 2007-12-03 11:30 <DIR> d-------- C:\Program Files\MSECache
2007-11-22 23:02 . 2007-11-22 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-22 16:47 . 2007-11-22 16:47 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 16:31 . 2007-11-24 15:50 <DIR> d-------- C:\Program Files\Opera
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 20:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-22 20:34 53,248 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-22 05:09 --------- d-----w C:\Program Files\TreeAge
2007-12-13 22:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-09 17:51 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-03 16:34 95,224 ----a-w C:\Documents and Settings\Nancyyy\Application Data\GDIPFONTCACHEV1.DAT
2007-11-30 07:25 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-22 01:42 --------- d-----w C:\Program Files\FBQuick
2007-11-21 05:55 --------- d-----w C:\Program Files\QuickTime
2007-11-21 05:33 --------- d-----w C:\Program Files\AntiVirusPro
2007-11-21 03:18 123,905 ----a-w C:\Documents and Settings\All Users\Application Data\nvapp.exe
2007-11-21 03:18 --------- d-----w C:\Documents and Settings\Nancyyy\Application Data\Anti-Virus-Pro.com
2007-11-21 00:30 --------- d-----w C:\Documents and Settings\Nancyyy\Application Data\Move Networks
2007-11-19 21:52 --------- d-----w C:\Program Files\Google
2007-11-18 21:13 68 ----a-w C:\mshelp.bat
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 23:56 --------- d-----w C:\Program Files\PCPitstop
2005-11-30 03:24 418,806 --sh--w C:\WINDOWS\system32\xybeg.bak1
2005-12-09 06:37 425,545 --sh--w C:\WINDOWS\system32\xybeg.bak2
2005-12-09 06:44 422,222 --sh--w C:\WINDOWS\system32\xybeg.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad349798-1dd1-11b2-85dc-c5adcade60cb}]
C:\WINDOWS\xurkdsze.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"QdrModule9"="C:\Program Files\QdrModule\QdrModule9.exe" []
"Sen"="C:\PROGRA~1\COMMON~1\SSTEM~1\regsvr32.exe" []
"Ewl"="C:\Documents and Settings\Nancyyy\My Documents\s?mbols\r?gsvr32.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 19:31]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2004-10-06 16:56]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 21:45]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-30 04:40]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" []
"NvMainApp"="C:\Documents and Settings\All Users\Application Data\nvapp.exe" [2007-11-20 22:18]
"Medichi"="medichi.exe" [2007-12-22 18:51 C:\WINDOWS\medichi.exe]
"Medichi2"="medichi2.exe" [2007-12-22 07:20 C:\WINDOWS\medichi2.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-01-02 13:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-25 23:53:55]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-06-04 00:19:43]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll [2002-10-18 17:45 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
cryptnet32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-01-28 23:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00753768-90bd-11dc-8a25-0012f081dfc8}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 18:57:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 07:38:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\medichi.exe [2792] 0x813B9830

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 7:39:47 - machine was rebooted
.
2007-12-22 07:53:31 --- E O F ---
```

SilentRunner log:

```
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [file not found]
"QdrModule9" = ""C:\Program Files\QdrModule\QdrModule9.exe"" [file not found]
"Sen" = ""C:\PROGRA~1\COMMON~1\SSTEM~1\regsvr32.exe" -vt ndrv" [file not found]
"Ewl" = ""C:\Documents and Settings\Nancyyy\My Documents\s?mbols\r?gsvr32.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\\vptray.exe" ["Symantec Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"EPSON Stylus Photo R200 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"ctfmona" = "C:\WINDOWS\system32\ctfmona.exe" [file not found]
"NvMainApp" = ""C:\Documents and Settings\All Users\Application Data\nvapp.exe"" [null data]
"Medichi" = "medichi.exe" [null data]
"Medichi2" = "medichi2.exe" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
                                        \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{ad349798-1dd1-11b2-85dc-c5adcade60cb}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\xurkdsze.dll" [file not found]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> {HKLM...CLSID} = "RecordNow! SendToExt"
                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow! Plus\shlext.dll" [null data]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
  -> {HKLM...CLSID} = "VersionShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [file not found]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTun
es"
                   \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> cryptnet32\DLLName = "cryptnet32.dll" [file not found]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = 
```
"C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\table_deco.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Nancyyy\Application Data\Opera\Opera\profile\skin\table_deco.bmp" Startup items in "Nancyyy" & "All Users" startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] "NkbMonitor.exe" -> shortcut to: "C:\Program Files\Nikon\PictureProject\NkbMonitor.exe" ["Nikon Corporation"] "QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."] Enabled Scheduled Tasks: 
------------------------ "Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" -> {HKLM...CLSID} = "Windows Live Toolbar" \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided) -> {HKLM...CLSID} = "Windows Live Toolbar" \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com" Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = 
"AIM" "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ "ButtonText" = "Real.com" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"] iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."] NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."] NkPtpEnumP2, NkPtpEnumP2, ""C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll"" ["Nikon Corporation"] RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"] Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "] Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- (launch time: 2007-12-22 07:40:24) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 76 seconds. ---------- (total run time: 128 seconds) Thank you! |
|
|
Dec 23 2007, 07:19 AM
Post #10
GeekU Teacher | Posts: 13,397 | From: Florida | OS: Windows xp,Vista business
1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
C:\WINDOWS\medichi2.exe
C:\WINDOWS\medichi.exe
C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
C:\Documents and Settings\All Users\Application Data\nvapp.exe
C:\mshelp.bat
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\xurkdsze.dll
C:\WINDOWS\medichi.exe
C:\WINDOWS\system32\cryptnet32.dll
C:\WINDOWS\system32\cryptnet32.exe

Folder::
C:\Program Files\AntiVirusPro
C:\Program Files\QdrModule

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad349798-1dd1-11b2-85dc-c5adcade60cb}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule9"=-
"Sen"=-
"Ewl"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmona"=-
"NvMainApp"=-
"Medichi"=-
"Medichi2"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=dword:00000000
"NoWindowsUpdate"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
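The entries that end up in a CFScript like the one above are picked out by reading the markers Silent Runners attaches to each launch point: `[file not found]` on a Run or Winlogon\Notify value, a bare file name with no directory (resolved through the search path at logon, which installers never rely on), `[null data]` on a file with no version information, and policy DWORDs such as DisableTaskMgr that hide the tools the user needs. The Python below is an added example of that triage, not code from Silent Runners, ComboFix or the helper. It parses a handful of lines copied from the log earlier in this thread plus one constructed policy line (DisableTaskMgr = 1, since the thread's logs only show the value after the reset); the `review_launch_points` and `high_risk` names, the two-level severity scale and the rules themselves are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List

# One entry line of a Silent Runners report: an optional "<<!>>" marker, then
# name = value, then the trailing "[...]" tag the script appends (a vendor
# string, [MS], [null data] when the file carries no version info, or
# [file not found] when the path does not resolve).
ENTRY_RE = re.compile(
    r'^(?P<flag><<!>>\s+)?(?P<name>.+?)\s+=\s+(?P<value>.*?)\s+\[(?P<tag>[^\[\]]*)\]\s*$'
)
# One policy line: "Name" = (REG_DWORD) dword:0x00000001 {description}
POLICY_RE = re.compile(
    r'^"(?P<name>\w+)"\s+=\s+\(REG_DWORD\)\s+dword:0x(?P<val>[0-9a-fA-F]+)'
)

# The policies the CFScript above resets to 0; set to 1 they hide the tools a
# user needs to look at the machine (Task Manager, regedit, Control Panel).
LOCKOUT_POLICIES = {'DisableTaskMgr', 'DisableRegistryTools',
                    'NoControlPanel', 'NoWindowsUpdate'}


@dataclass
class Finding:
    key: str        # registry key the entry lives under
    name: str       # value name (or policy name)
    value: str      # command line / DLL path / DWORD as hex text
    severity: str   # 'high' or 'low' (this example's own scale)
    reason: str


def _unquote(s: str) -> str:
    """Strip the nested quotes Silent Runners wraps values in ("..."" ...")."""
    return s.strip().strip('"')


def review_launch_points(log_text: str) -> List[Finding]:
    """Walk a Silent Runners style report and return entries worth a second look."""
    findings: List[Finding] = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('HK'):            # key header, e.g. HKLM\...\Run\ {++}
            current_key = line.split('{++}')[0].strip()
            continue
        pm = POLICY_RE.match(line)
        if pm:
            if pm.group('name') in LOCKOUT_POLICIES and int(pm.group('val'), 16) != 0:
                findings.append(Finding(current_key, pm.group('name'), pm.group('val'),
                                        'high', 'lockout policy set; admin tools hidden'))
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        name = _unquote(em.group('name'))
        value = _unquote(em.group('value'))
        tag = em.group('tag').strip()
        if tag == 'file not found':
            findings.append(Finding(current_key, name, value, 'high',
                                    'launch point names a file not found on disk'))
        elif '\\' not in value:
            # A bare file name is resolved through the search path at logon;
            # installers write full paths, so this is a classic malware tell.
            findings.append(Finding(current_key, name, value, 'high',
                                    'bare file name resolved via search path'))
        elif tag == 'null data':
            findings.append(Finding(current_key, name, value, 'low',
                                    'file carries no version/company information'))
    return findings


def high_risk(log_text: str) -> List[str]:
    """Names a helper would put in the removal script first."""
    return sorted(f.name for f in review_launch_points(log_text)
                  if f.severity == 'high')


# Constructed sample: lines copied from the Silent Runners log in this thread,
# plus one constructed policy line (DisableTaskMgr = 1) to show the lockout
# state the OP described before the fix.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"ctfmona" = "C:\WINDOWS\system32\ctfmona.exe" [file not found]
"NvMainApp" = ""C:\Documents and Settings\All Users\Application Data\nvapp.exe"" [null data]
"Medichi" = "medichi.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> cryptnet32\DLLName = "cryptnet32.dll" [file not found]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {Remove Task Manager}
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
'''

if __name__ == '__main__':
    for f in review_launch_points(SAMPLE_LOG):
        print(f'[{f.severity}] {f.name} -> {f.value}  ({f.reason})')
```

Run against the sample, the four `high` findings are exactly the names the CFScript removes or resets (ctfmona, Medichi, the cryptnet32 Winlogon hook and DisableTaskMgr), while the vendor-signed iTunes and Symantec entries produce nothing and the two `[null data]` entries with full paths are only noted as `low`, which matches the helper leaving jusched.exe alone.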
Dec 23 2007, 11:37 AM
Post #11
Member | Posts: 16 | OS: Windows XP
ComboFix log:
ComboFix 07-12-21.4 - Nancyyy 2007-12-23 2:21:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.163 [GMT -5:00]
Running from: C:\Documents and Settings\Nancyyy\Desktop\Kadhah.exe
Command switches used :: C:\Documents and Settings\Nancyyy\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\Documents and Settings\All Users\Application Data\nvapp.exe
C:\mshelp.bat
C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe
C:\WINDOWS\system32\cryptnet32.dll
C:\WINDOWS\system32\cryptnet32.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\xurkdsze.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\nvapp.exe
C:\mshelp.bat
C:\Program Files\AntiVirusPro
C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.
2007-12-22 17:23 . 2007-12-22 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-22 17:08 . 2007-12-22 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 15:34 . 2007-12-22 15:34 53,248 --a------ C:\WINDOWS\system32\dllcache\beep.sys
2007-12-22 14:21 . 2007-12-22 14:21 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-12-22 03:44 . 2007-12-22 03:44 <DIR> d-------- C:\Program Files\Tweak Manager
2007-12-21 21:17 . 2007-12-22 16:10 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-18 11:18 . 2007-12-18 11:18 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-18 11:17 . 2007-12-22 00:08 <DIR> d-------- C:\Program Files\Funny Bubbles DEMO
2007-12-17 11:14 . 2007-12-17 11:14 6,144 --ahs---- C:\WINDOWS\system32\access.ctl
2007-12-15 23:18 . 2007-12-22 00:11 <DIR> d-------- C:\Program Files\Unity
2007-12-15 16:58 . 2007-12-15 16:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-15 16:58 . 2007-12-15 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-15 16:57 . 2007-12-15 16:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 00:08 . 2007-12-14 00:14 <DIR> d-------- C:\Program Files\Snood
2007-12-03 11:30 . 2007-12-03 11:30 <DIR> d-------- C:\Program Files\MSECache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 07:26 9,216 ----a-w C:\WINDOWS\medichi2.exe
2007-12-23 07:26 5,632 ----a-w C:\WINDOWS\medichi.exe
2007-12-22 20:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-22 20:34 53,248 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-22 05:09 --------- d-----w C:\Program Files\TreeAge
2007-12-13 22:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-09 17:51 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-03 16:34 95,224 ----a-w C:\Documents and Settings\Nancyyy\Application Data\GDIPFONTCACHEV1.DAT
2007-11-30 07:25 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-24 20:50 --------- d-----w C:\Program Files\Opera
2007-11-23 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-11-22 01:42 --------- d-----w C:\Program Files\FBQuick
2007-11-21 05:55 --------- d-----w C:\Program Files\QuickTime
2007-11-21 03:18 --------- d-----w C:\Documents and Settings\Nancyyy\Application Data\Anti-Virus-Pro.com
2007-11-21 00:30 --------- d-----w C:\Documents and Settings\Nancyyy\Application Data\Move Networks
2007-11-19 21:52 --------- d-----w C:\Program Files\Google
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 23:56 --------- d-----w C:\Program Files\PCPitstop
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 19:31]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2004-10-06 16:56]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 21:45]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-30 04:40]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-01-02 13:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-25 23:53:55]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-06-04 00:19:43]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll [2002-10-18 17:45 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-01-28 23:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00753768-90bd-11dc-8a25-0012f081dfc8}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 04:57:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 02:27:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-23 2:28:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-22 07:39
.
2007-12-22 07:53:31 --- E O F ---

SilentRunner Log:

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\\vptray.exe" ["Symantec Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"EPSON Stylus Photo R200 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
    \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> {HKLM...CLSID} = "RecordNow! SendToExt"
    \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow! Plus\shlext.dll" [null data]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
  -> {HKLM...CLSID} = "VersionShellExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [file not found]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"NoWindowsUpdate" = (REG_DWORD) dword:0x00000000
{Remove links and access to Windows Update}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{Prevent access to registry editing tools}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\table_deco.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nancyyy\Application Data\Opera\Opera\profile\skin\table_deco.bmp"

Startup items in "Nancyyy" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NkbMonitor.exe" -> shortcut to: "C:\Program Files\Nikon\PictureProject\NkbMonitor.exe" ["Nikon Corporation"]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]

Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "Windows Live Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
NkPtpEnumP2, NkPtpEnumP2, ""C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll"" ["Nikon Corporation"]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
(launch time: 2007-12-23 02:30:15)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 81 seconds.
---------- (total run time: 121 seconds)
Dec 23 2007, 12:18 PM, Post #12
GeekU Teacher, Posts: 13,397, From: Florida, OS: Windows XP, Vista Business
Please download SUPERAntiSpyware Home Edition (free version).
- Install it and double-click the icon on your desktop to run it.
============================================
Please download OTMoveIt by OldTimer.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
=========================================
* Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Then run SUPERAntiSpyware.
To retrieve the removal information for me, please do the following:
1. After reboot, double-click the SUPERAntiSpyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose Copy.
6. Click Close and Close again to exit the program.
Save the log information. If needed (still infected), paste this info along with your HijackThis log and the OTMoveIt log.
Dec 23 2007, 07:30 PM, Post #13
Member, Posts: 16, OS: Windows XP
AntiSpyware Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/23/2007 at 03:20 PM

Application Version : 3.9.1008

Core Rules Database Version : 3366
Trace Rules Database Version: 1365

Scan type       : Complete Scan
Total Scan Time : 01:52:57

Memory items scanned      : 430
Memory threats detected   : 0
Registry items scanned    : 5819
Registry threats detected : 0
File items scanned        : 57585
File threats detected     : 153

Adware.Tracking Cookie
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atwola[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@advertising[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@html[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@doubleclick[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atdmt[4].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@247realmedia[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@5.go.globaladsales[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ad.yieldmanager[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ad.yieldmanager[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ad.yieldmanager[4].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adbrite[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adbrite[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adecn[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adknowledge[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adlegend[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adlegend[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adopt.specificclick[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adopt.specificclick[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adprofile[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adrevolver[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adrevolver[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adrevolver[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adrevolver[5].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.adbrite[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.addynamix[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.bridgetrack[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.diet[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.evtv1[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.joinaxxess[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.mediamayhemcorp[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.pointroll[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.pubmatic[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.pubmatic[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads.realtechnetwork[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ads4.blastro[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adserver.easyad[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adserver.easyad[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adserver[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adsrevenue[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adtech[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@adultfriendfinder[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@advertising[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@advertising[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@aff.primaryads[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@affhit.namimedia[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@angleinteractive.directtrack[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ar.atwola[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atdmt[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atdmt[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atlas.entrepreneur[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atwola[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@atwola[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@bluestreak[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@brightcove.112.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@bs.serving-sys[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@burstnet[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@casalemedia[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@casalemedia[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@classifiedventures1.112.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@classifiedventures1.112.2o7[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@directtrack[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@doubleclick[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@doubleclick[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@eas.apm.emediate[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@edge.ru4[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@ehg-netquote.hitbox[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@enhance[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@enhance[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@entrepreneur.122.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@entrepreneur[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@exitexchange[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@exitexchange[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@fastclick[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@fastclick[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@findwhat[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@goclick[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@h.starware[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@hairclub.122.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@hitbox[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@homestore.122.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@imrworldwide[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@interclick[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@interclick[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@kanoodle[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@keywordmax[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@linksynergy[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@lynxtrack[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@lynxtrack[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@maxim.122.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@media.adrevolver[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@mediaplex[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@mediaplex[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@mediatraffic[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@mediatraffic[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@overture[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@partner2profit[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@perf.overture[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@pro-market[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@pro-market[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@publishers.clickbooth[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@questionmarket[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@questionmarket[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@realmedia[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@realmedia[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@reduxads.valuead[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@revsci[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@roiservice[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@rotator.adjuggler[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@rotator.dex.adjuggler[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@sales.liveperson[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@sales.liveperson[4].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@server.cpmstar[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@server.iad.liveperson[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@serving-sys[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@shopping.112.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@spamblockerutility[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@specificclick[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@specificclick[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@stat.dealtime[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@statcounter[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@statcounter[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@stats.sellmosoft[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@stats2.reliablestats[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@statse.webtrendslive[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@statse.webtrendslive[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@tacoda[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@tacoda[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@thunderbolt.adjuggler[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@toseeka[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@tradedoubler[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@trafficmp[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@trafficmp[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@tremor.adbureau[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@tremor.adbureau[3].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@tribalfusion[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@valueclick[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@waterfrontmedia.112.2o7[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@www.advertyz[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@www.burstbeacon[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@www.burstnet[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@www.stopzilla[2].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@www.xctrk[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@zedo[1].txt
  C:\Documents and Settings\Nancyyy\Cookies\nancyyy@zedo[2].txt

Adware.AdSponsor/ISM
  C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRPACK\QDRPACK10.EXE.VIR
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP565\A0129364.EXE

Trojan.Downloader-Gen/Suspicious
  C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\63394.EXE.VIR
  C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\90665.EXE.VIR
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP565\A0129362.EXE
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP565\A0129363.EXE

Adware.Vundo Variant/Rel
  C:\WINDOWS\SYSTEM32\MCRH.TMP
  C:\WINDOWS\SYSTEM32\XYBEG.INI

Silent Runner Log:

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [file not found]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\\vptray.exe" ["Symantec Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"EPSON Stylus Photo R200 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"Medichi" = "medichi.exe" [null data]
"Medichi2" = "medichi2.exe" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
  \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
  \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
     \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> {HKLM...CLSID} = "RecordNow! SendToExt"
     \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow! Plus\shlext.dll" [null data]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
  -> {HKLM...CLSID} = "VersionShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [file not found]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
     \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
  -> {HKLM...CLSID} = "Eudora's Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll" ["Qualcomm Inc."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
     \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "murka.dat" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"NoWindowsUpdate" = (REG_DWORD) dword:0x00000001 {Remove links and access to Windows Update}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {Prevent access to registry editing tools}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\table_deco.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nancyyy\Application Data\Opera\Opera\profile\skin\table_deco.bmp"


Startup items in "Nancyyy" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NkbMonitor.exe" -> shortcut to: "C:\Program Files\Nikon\PictureProject\NkbMonitor.exe" ["Nikon Corporation"]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]


Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "Windows Live Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
NkPtpEnumP2, NkPtpEnumP2, ""C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll"" ["Nikon Corporation"]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
(launch time: 2007-12-23 20:25:46)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 117 seconds.
---------- (total run time: 161 seconds)

Before I followed the instructions in your last post, it seemed that the virus was gone, but after following the steps, it seems that the virus is back...
Dec 23 2007, 07:51 PM, Post #14
GeekU Teacher, Posts: 13,397, From: Florida, OS: Windows XP, Vista Business
Please delete the previous CFScript that I had you make.
1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
C:\WINDOWS\medichi2.exe
C:\WINDOWS\medichi.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Medichi"=-
"Medichi2"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=dword:00000000
"NoWindowsUpdate"=dword:00000000

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
===========================
After that, download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
=========================
Please post these logs:
- Dr.Web CureIt log
- ComboFix log
- Silent Runners
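The CFScript above does two things by hand that can be read straight off the Silent Runners log posted before it: it drops the two HKLM\...\Run values whose payload is a bare file name with no vendor data ("Medichi" and "Medichi2", both [null data]), and it zeroes the policy values Silent Runners listed under Group Policies (DisableRegistryTools, DisableTaskMgr, NoControlPanel, NoWindowsUpdate), which is what had taken away the Control Panel, Task Manager and regedit. As an added example, not part of this thread and not code from Silent Runners, ComboFix or the helper, the Python below parses a constructed excerpt in Silent Runners' format, applies those two rules plus a third (anything Silent Runners itself marks <<!>> goes to a manual-review list instead of into the script) and produces the equivalent Registry:: block. The bare-name heuristic and the policy list are the editor's choices; a full path marked [null data] (DMXLauncher) is deliberately left alone, and shutdownwithoutlogon is not touched because it is not a lockout.

```python
"""Triage a Silent Runners log and draft the matching ComboFix CFScript.

Added example for this thread, not code from Silent Runners, ComboFix or the
helper; the heuristics are the editor's own. A Run value pointing at a bare
file name (no directory) that the log marks [null data] or [file not found]
is queued for removal, as "Medichi"/"Medichi2" were above; known lockout
policies set to a non-zero DWORD are reset; anything the log itself marks
<<!>> is listed for manual review. SAMPLE_LOG is constructed from entries
quoted in the thread, in Silent Runners' own format.
"""
import re
from collections import namedtuple

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr",
                    "NoControlPanel", "NoWindowsUpdate"}
VALUE_RE = re.compile(r'^(?P<flag><<!>>\s*)?"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DWORD_RE = re.compile(r"dword:0x(?P<hex>[0-9A-Fa-f]+)")

SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"Medichi" = "medichi.exe" [null data]
"Medichi2" = "medichi2.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "murka.dat" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"NoWindowsUpdate" = (REG_DWORD) dword:0x00000001 {Remove links and access to Windows Update}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {Prevent access to registry editing tools}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"""

Entry = namedtuple("Entry", "key name value flagged")  # one registry value line
Findings = namedtuple("Findings", "run_removals policy_resets review")

def parse_silent_runners(text):
    """A line starting with a hive names the key for the value lines below it."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("HKCU\\", "HKLM\\")):
            key = line.replace(" {++}", "").rstrip("\\")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(Entry(key, m["name"], m["value"], bool(m["flag"])))
    return entries

def split_verdict(value):
    """'"medichi.exe" [null data]' -> ('medichi.exe', 'null data')."""
    payload, sep, verdict = value.rpartition(" [")
    if not sep:
        return value.strip('"'), ""
    return payload.strip('"'), verdict.rstrip("]")

def looks_like_dropped_loader(value):
    payload, verdict = split_verdict(value)
    return "\\" not in payload and verdict in ("null data", "file not found")

def triage(entries):
    f = Findings([], [], [])
    for e in entries:
        if e.flagged:
            f.review.append((e.key, e.name, e.value))
        elif e.key.endswith("\\CurrentVersion\\Run") and looks_like_dropped_loader(e.value):
            f.run_removals.append((e.key, e.name))
        elif "\\Policies\\" in e.key and e.name in LOCKOUT_POLICIES:
            m = DWORD_RE.search(e.value)
            if m and int(m["hex"], 16) != 0:
                f.policy_resets.append((e.key, e.name))
    return f

def build_cfscript(f):
    """Registry:: section in the REGEDIT4-style form ComboFix reads. No File::
    section: the log shows only the bare name, not the file's location on disk."""
    per_key = {}
    for key, name in f.run_removals:
        per_key.setdefault(key, []).append(f'"{name}"=-')
    for key, name in f.policy_resets:
        per_key.setdefault(key, []).append(f'"{name}"=dword:00000000')
    out = ["Registry::"]
    for key, values in per_key.items():
        hive, _, path = key.partition("\\")
        out.append(f"[{HIVES[hive]}\\{path}]")
        out.extend(values)
    return "\n".join(out) + "\n"
```

Calling `build_cfscript(triage(parse_silent_runners(SAMPLE_LOG)))` yields the same Registry:: block as the helper's script minus the keys the sample leaves out, and the review list carries the AppInit_DLLs entry. The File:: lines still have to be written by hand with the on-disk paths (C:\WINDOWS\medichi.exe and C:\WINDOWS\medichi2.exe in the CFScript above), because the Run value alone does not say where a bare "medichi.exe" resolves.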
Dec 23 2007, 10:04 PM, Post #15
Member, Posts: 16, OS: Windows XP
ComboFix:

ComboFix 07-12-21.4 - Nancyyy 2007-12-23 21:23:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.156 [GMT -5:00]
Running from: C:\Documents and Settings\Nancyyy\Desktop\Kadhah.exe
Command switches used :: C:\Documents and Settings\Nancyyy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 13:21 . 2007-12-23 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-23 13:20 . 2007-12-23 20:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-23 13:20 . 2007-12-23 13:20 <DIR> d-------- C:\Documents and Settings\Nancyyy\Application Data\SUPERAntiSpyware.com
2007-12-22 17:23 . 2007-12-22 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-22 17:08 . 2007-12-22 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 15:34 . 2007-12-22 15:34 53,248 --a------ C:\WINDOWS\system32\dllcache\beep.sys
2007-12-22 03:44 . 2007-12-22 03:44 <DIR> d-------- C:\Program Files\Tweak Manager
2007-12-21 21:17 . 2007-12-22 16:10 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-18 11:18 . 2007-12-18 11:18 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-18 11:17 . 2007-12-22 00:08 <DIR> d-------- C:\Program Files\Funny Bubbles DEMO
2007-12-17 11:14 . 2007-12-17 11:14 6,144 --ahs---- C:\WINDOWS\system32\access.ctl
2007-12-15 23:18 . 2007-12-22 00:11 <DIR> d-------- C:\Program Files\Unity
2007-12-15 16:58 . 2007-12-15 16:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-15 16:58 . 2007-12-15 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-15 16:57 . 2007-12-23 13:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 00:08 . 2007-12-14 00:14 <DIR> d-------- C:\Program Files\Snood
2007-12-03 11:30 . 2007-12-03 11:30 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 02:27 9,216 ----a-w C:\WINDOWS\medichi2.exe
2007-12-24 02:27 5,632 ----a-w C:\WINDOWS\medichi.exe
2007-12-22 20:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-22 20:34 53,248 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-22 05:09 --------- d-----w C:\Program Files\TreeAge
2007-12-13 22:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-09 17:51 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-03 16:34 95,224 ----a-w C:\Documents and Settings\Nancyyy\Application Data\GDIPFONTCACHEV1.DAT
2007-11-30 07:25 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-24 20:50 --------- d-----w C:\Program Files\Opera
2007-11-23 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-11-22 01:42 --------- d-----w C:\Program Files\FBQuick
2007-11-21 05:55 --------- d-----w C:\Program Files\QuickTime
2007-11-21 00:30 --------- d-----w C:\Documents and Settings\Nancyyy\Application Data\Move Networks
2007-11-19 21:52 --------- d-----w C:\Program Files\Google
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 23:56 --------- d-----w C:\Program Files\PCPitstop

.
((((((((((((((((((((((((((((( snapshot@2007-12-22_ 7.39.11.97 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-23 18:21:04 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-23 18:21:04 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-23 18:21:04 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 19:31]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2004-10-06 16:56]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 21:45]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-30 04:40]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-01-02 13:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-25 23:53:55]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-06-04 00:19:43]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\PROGRA~1\BEARAC~1\winba\eudora\EuShlExt.dll [2002-10-18 17:45 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-01-28 23:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00753768-90bd-11dc-8a25-0012f081dfc8}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 19:57:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 21:28:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-23 21:30:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-23 02:28
C:\ComboFix3.txt ... 2007-12-22 07:39
.
2007-12-22 07:53:31 --- E O F ---

DrWeb:

GTDownDE_87.ocx;C:\i386;Adware.Gdown;Incurable.Deleted.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Deleted.;
MiniBugTransporter.dll;C:\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Incurable.Deleted.;
popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Deleted.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.1.3;Probably BACKDOOR.Trojan;Incurable.Deleted.;
Silent Runners.vbs;C:\Documents and Settings\Nancyyy\Desktop;Probably BATCH.Virus;Incurable.Deleted.;
|
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising