
VIRUS ALERT! taskbar [RESOLVED]


  • This topic is locked This topic is locked

#1
BlessTheFaLL
Member, 32 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19: VIRUS ALERT!, on 9/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Dragonfly\Special Force\DFLauncher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: QXK Olive - {7287293E-B0BE-4A31-B52B-EA15F57679E3} - C:\WINDOWS\vmgspntbnrp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: fqbewlna - {94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [\YUR83.exe] C:\Windows\system32\YUR83.exe
O4 - HKLM\..\Run: [\YUR84.exe] C:\Windows\system32\YUR84.exe
O4 - HKLM\..\Run: [\YUR85.exe] C:\Windows\system32\YUR85.exe
O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [\YUR83.exe] C:\Windows\system32\YUR83.exe
O4 - HKCU\..\Run: [\YUR84.exe] C:\Windows\system32\YUR84.exe
O4 - HKCU\..\Run: [\YUR85.exe] C:\Windows\system32\YUR85.exe
O4 - HKCU\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O21 - SSODL: mgxfebsq - {3B23FC7B-8B11-4529-9822-13139E0DAFC0} - C:\WINDOWS\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {F9EC9751-0CA1-436F-B153-F26D354047E9} - C:\WINDOWS\dtseqrxk.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9529 bytes
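As an added example (the editor's own code, not HijackThis, ComboFix or anything posted in this thread), here is a small Python triage that applies the same checks a helper makes by eye on the log above: BHO/toolbar DLLs sitting directly in C:\WINDOWS, Run values named after their own executable, Internet Explorer policy restrictions, ShellServiceObjectDelayLoad entries outside a stock XP set, and an Active Desktop component pointing at a local file. The sample lines are copied from that log; the SSODL allow-list and the rules themselves are assumptions of this example, not an authoritative detection list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Shell Service Object Delay Load values registered on a stock Windows XP
# install. ASSUMPTION (editor's list, not from HijackThis): anything else
# registered there deserves a close look, as the O21 lines in the log do.
KNOWN_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray", "UPnPMonitor"}

ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
WINDOWS_ROOT_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
RUN_VALUE_NAME = re.compile(r"\[([^\]]*)\]")
EXECUTABLE_NAME = re.compile(r"\.(exe|dll|bat|cmd|com)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O21"
    reason: str    # why the line was flagged
    line: str      # the original log line


def triage(log_text: str) -> list[Finding]:
    """Apply simple, explainable rules to each HijackThis entry line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, blank lines
        section, body = m.groups()
        if section in ("O2", "O3"):
            # BHO/toolbar lines end with " - <dll path>"
            path = body.rsplit(" - ", 1)[-1]
            if "(no name)" in body:
                findings.append(Finding(section, "BHO/toolbar without a name", line))
            elif WINDOWS_ROOT_DLL.match(path):
                findings.append(Finding(section, "DLL loaded from the Windows directory itself", line))
        elif section == "O4":
            # Legitimate Run values carry a product name; malware often uses the file name.
            name = RUN_VALUE_NAME.search(body)
            if name and EXECUTABLE_NAME.search(name.group(1)):
                findings.append(Finding(section, "Run value named after its own executable", line))
        elif section == "O6":
            findings.append(Finding(section, "Internet Explorer policy restrictions present", line))
        elif section == "O21":
            ssodl_name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if ssodl_name not in KNOWN_SSODL:
                findings.append(Finding(section, "unrecognised ShellServiceObjectDelayLoad entry", line))
        elif section == "O24" and "file:///" in body.lower():
            findings.append(Finding(section, "Active Desktop component served from a local file", line))
    return findings


def counts_by_section(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings per HijackThis section tag."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Sample input: lines copied from the HijackThis log posted above, with clean
# entries included so the rules can be seen passing over them.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: QXK Olive - {7287293E-B0BE-4A31-B52B-EA15F57679E3} - C:\WINDOWS\vmgspntbnrp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: fqbewlna - {94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\YUR83.exe] C:\Windows\system32\YUR83.exe
O4 - HKCU\..\Run: [\YUR83.exe] C:\Windows\system32\YUR83.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O21 - SSODL: mgxfebsq - {3B23FC7B-8B11-4529-9822-13139E0DAFC0} - C:\WINDOWS\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {F9EC9751-0CA1-436F-B153-F26D354047E9} - C:\WINDOWS\dtseqrxk.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Every rule is a prompt to look closer, not a verdict: a DLL in C:\WINDOWS or an unknown SSODL name is unusual, and the helper still confirms each one against the file's publisher and the ComboFix output before removing anything.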

#2
BlessTheFaLL
Topic Starter, Member, 32 posts
WINDOWS SECURITY ALERT KEEPS ON POPPING UP, VIRUS ALERT ON TASKBAR, CAN'T ACCESS MY DESKTOP WITH WHITE BACKGROUND. IT KEEPS COMING BACK AFTER I RESTART MY PC. PLZ HELP ME GUYZ

#3
andrewuk
Trusted Helper, Malware Removal, 5,297 posts
Hi BlessTheFaLL

Welcome to GeeksToGo :)

Just for future reference, and for anyone else reading this, don't bump your post - we look for posts with zero replies to start on.

If you have already downloaded ComboFix, then could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**


andrewuk

#4
BlessTheFaLL
Topic Starter, Member, 32 posts
ComboFix 08-09-10.02 - user 2008-09-11 14:12:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1rfw8hjr.com
C:\1t6yxlxx.cmd
C:\2.cmd
C:\b3b9u.com
C:\c9hehpa.bat
C:\Documents and Settings\user\Application Data\Antivirus2008y
C:\Documents and Settings\user\Application Data\Antivirus2008y\antvrs.exe
C:\Documents and Settings\user\Desktop\Error Cleaner.url
C:\Documents and Settings\user\Desktop\Privacy Protector.url
C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\user\Favorites\Error Cleaner.url
C:\Documents and Settings\user\Favorites\Privacy Protector.url
C:\Documents and Settings\user\Favorites\Spyware&Malware Protection.url
C:\ov.cmd
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sc.html
C:\r1y1.bat
C:\svdioajm.cmd
C:\tyktjfww.exe
C:\WINDOWS\emnf.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdsspopup.dll
C:\WINDOWS\system32\tdsspopup1.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\YUR7.exe
C:\yssjnngm.cmd
D:\1rfw8hjr.com
D:\2.cmd
D:\b3b9u.com
D:\c9hehpa.bat
D:\ov.cmd
D:\svdioajm.cmd
D:\tyktjfww.exe
D:\yssjnngm.cmd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-11 12:30 . 2008-09-11 12:30 88,878 --a------ C:\WINDOWS\system32\casino3.ico
2008-09-11 12:30 . 2008-09-11 12:30 88,878 --a------ C:\WINDOWS\system32\casino2.ico
2008-09-11 12:30 . 2008-09-11 12:30 88,878 --a------ C:\WINDOWS\system32\casino1.ico
2008-09-11 12:29 . 2008-09-11 14:14 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-11 12:29 . 2008-09-11 12:29 <DIR> d-------- C:\Program Files\MSA
2008-09-11 12:29 . 2008-09-11 11:40 344,064 --a------ C:\WINDOWS\vmgspntbnrp.dll
2008-09-11 12:29 . 2008-09-11 11:40 294,912 --a------ C:\WINDOWS\dtseqrxk.dll
2008-09-11 12:29 . 2008-09-11 11:40 270,336 --a------ C:\WINDOWS\mgxfebsq.dll
2008-09-11 12:29 . 2008-09-11 11:40 204,800 --a------ C:\WINDOWS\fqbewlna.dll
2008-09-11 12:29 . 2008-09-11 11:40 135,168 --a------ C:\WINDOWS\mqgldfvo.exe
2008-09-11 12:29 . 2008-09-08 17:32 31,232 --a------ C:\x
2008-09-11 12:02 . 2008-09-11 12:02 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-10 18:27 . 2008-09-11 08:00 115 --a------ C:\autorun.inf.vir
2008-09-09 11:06 . 2008-09-09 11:08 <DIR> d-------- C:\Program Files\DriverCleanerDotNET
2008-09-09 11:00 . 2008-09-09 11:00 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-09-09 11:00 . 2008-09-09 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-09-09 11:00 . 2006-03-29 08:50 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-09-09 11:00 . 2006-03-29 08:51 60,416 --a------ C:\WINDOWS\system32\DSETUP.dll
2008-09-09 11:00 . 2006-03-29 08:49 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-09-09 11:00 . 2006-05-05 19:21 4,608 --a------ C:\WINDOWS\system32\drivers\nvport.sys
2008-09-09 10:24 . 2008-09-09 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-09 08:34 . 2008-05-19 18:16 186,407 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-09-08 08:01 . 2008-09-08 08:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Simply Super Software
2008-09-08 08:01 . 2008-09-08 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-09-08 08:01 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-09-08 08:01 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-09-08 08:01 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-09-08 08:01 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-09-08 08:01 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Program Files\AskSBar
2008-09-07 10:29 . 2008-09-07 10:29 <DIR> d-------- C:\Program Files\Google
2008-09-07 10:29 . 2008-09-07 10:35 <DIR> d-------- C:\Program Files\DAP
2008-09-07 10:29 . 2008-09-07 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2008-09-07 10:29 . 2008-09-07 10:29 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-09-07 10:29 . 2008-09-07 10:29 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-09-07 10:29 . 2008-09-07 10:29 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-09-07 05:32 . 2008-02-21 23:18 566,624 --a------ C:\WINDOWS\system32\d3d10.dll
2008-09-07 05:32 . 2007-04-19 01:59 519,912 --a------ C:\WINDOWS\system32\d3dx10d_33.dll
2008-09-07 05:32 . 2007-04-19 01:59 519,912 --a------ C:\WINDOWS\system32\d3dx10d.dll
2008-09-07 05:32 . 2008-02-21 23:18 519,912 --a------ C:\WINDOWS\system32\d3dx10.dll
2008-09-07 05:32 . 2008-02-21 23:18 494,557 --a------ C:\WINDOWS\system32\dxgi.dll
2008-09-07 05:32 . 2007-12-22 20:30 34,854 --a------ C:\WINDOWS\system32\directx10logo.bmp
2008-09-07 05:32 . 2008-02-22 00:10 25,037 --a------ C:\WINDOWS\system32\Nucleus.dll
2008-09-05 13:02 . 2008-09-05 13:02 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-05 13:02 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-09-05 08:31 . 2008-09-05 08:31 <DIR> d-------- C:\Documents and Settings\user\Application Data\Leadertech
2008-09-04 12:55 . 2008-09-04 12:55 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-09-04 12:54 . 2008-09-05 19:21 <DIR> d-------- C:\Program Files\Xfire
2008-09-04 12:54 . 2008-09-11 08:29 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire
2008-09-04 05:37 . 2008-09-04 05:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-09-01 09:03 . 2008-09-02 07:54 <DIR> d-------- C:\Program Files\Download Direct
2008-08-28 15:40 . 2008-08-29 16:49 89,370 -r-hs---- C:\ph.com
2008-08-28 05:02 . 2008-08-28 05:02 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-27 14:12 . 2008-08-27 14:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-26 17:45 . 2008-08-26 17:40 89,420 -r-hs---- C:\n.com
2008-08-24 11:37 . 2008-08-24 11:37 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 11:37 . 2008-08-24 11:37 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 11:37 . 2008-08-24 11:37 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-21 19:01 . 2008-09-03 23:58 <DIR> d-------- C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-08-21 18:56 . 2008-09-04 06:25 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-21 08:33 . 2008-08-21 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-21 08:03 . 2008-08-21 08:33 <DIR> d-------- C:\Program Files\Uniblue
2008-08-21 07:57 . 2008-08-21 07:58 <DIR> d-------- C:\Program Files\Mp3 Audio Editor
2008-08-21 07:57 . 2005-03-29 07:57 2,084,864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll
2008-08-21 07:57 . 2005-04-04 17:21 602,112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-08-21 07:57 . 2005-03-28 15:54 479,232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2008-08-21 07:57 . 2005-03-28 15:54 475,136 --a------ C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll
2008-08-21 07:57 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2008-08-21 07:57 . 2005-03-28 15:52 417,792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll
2008-08-21 07:57 . 2005-03-28 15:56 417,792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll
2008-08-21 07:57 . 2005-02-24 11:51 348,160 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-08-21 07:57 . 2006-03-23 12:56 113,486 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-08-18 14:04 . 2008-08-18 14:04 <DIR> d-------- C:\Documents and Settings\user\Application Data\MSNInstaller
2008-08-17 06:25 . 2008-08-17 06:25 <DIR> d-------- C:\Program Files\NCH Software
2008-08-17 06:14 . 2008-08-17 06:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\NCH Swift Sound
2008-08-17 06:14 . 2008-08-17 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-17 06:12 . 2008-08-17 06:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-08-17 05:29 . 2008-08-17 13:17 90,343 -r-hs---- C:\0.com
2008-08-16 11:56 . 2008-08-19 09:23 <DIR> d-------- C:\Documents and Settings\user\Application Data\Mp3 Audio Editor
2008-08-16 11:55 . 2005-05-17 12:37 1,986,560 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-08-16 11:55 . 2005-05-18 11:52 1,212,416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-08-16 11:55 . 2005-04-15 12:08 880,640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll
2008-08-16 11:55 . 2004-11-04 13:31 835,584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2008-08-16 11:55 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-08-16 11:55 . 2002-01-05 16:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-15 13:02 . 2008-08-16 05:52 89,197 -r-hs---- C:\t1ypkh.exe
2008-08-11 07:19 . 2008-08-21 08:33 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 06:16 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-09-11 06:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 06:09 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-09-10 10:27 93,896 ----a-w C:\WINDOWS\system32\ckvo.exe.vir
2008-09-10 02:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-10 02:16 --------- d-----w C:\Program Files\EA GAMES
2008-09-09 11:49 --------- d-----w C:\Program Files\Free Music Zilla
2008-09-08 00:36 --------- d-----w C:\Program Files\YouTube Downloader
2008-09-04 03:10 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-09-04 03:09 --------- d-----w C:\Documents and Settings\user\Application Data\SystemRequirementsLab
2008-08-24 03:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-21 10:55 --------- d-----w C:\Program Files\Java
2008-08-21 00:38 --------- d-----w C:\Program Files\XoftSpySE
2008-08-21 00:26 --------- d-----w C:\Program Files\uTorrent
2008-08-10 13:42 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-08-10 10:00 --------- d-----w C:\Documents and Settings\user\Application Data\Autodesk
2008-08-10 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-09 07:58 --------- d-----w C:\Documents and Settings\user\Application Data\Disney Interactive Studios
2008-08-09 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-08 09:13 --------- d-----w C:\Program Files\easetech
2008-08-08 05:59 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-08-08 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-07 15:18 --------- d-----w C:\Program Files\Yahoo!
2008-08-07 00:10 --------- d-----w C:\Program Files\DivX
2008-08-04 01:11 89,885 --sh--r C:\xqf.com
2008-08-03 01:09 --------- d-----w C:\Documents and Settings\user\Application Data\Activision
2008-08-03 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2008-07-31 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-22 23:02 --------- d-----w C:\Program Files\WebEye
2008-07-22 22:41 --------- d-----w C:\Program Files\Vimicro
2008-07-22 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-22 03:24 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-22 03:24 --------- d-----w C:\Program Files\AutoCAD 2008
2008-07-22 02:55 --------- d-----w C:\Program Files\Autodesk
2008-07-22 02:51 247,866 ----a-w C:\WINDOWS\Alcohol_Toolbar_Uninstaller_8156.exe
2008-07-22 02:51 --------- d-----w C:\Program Files\Alcohol Toolbar
2008-07-22 02:50 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-07-22 02:50 --------- d-----w C:\Program Files\Alcohol Soft
2008-07-19 21:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-19 15:34 22,328 ----a-w C:\Documents and Settings\user\Application Data\PnkBstrK.sys
2008-07-19 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-18 06:19 --------- d-----w C:\Documents and Settings\user\Application Data\DivX
2008-07-16 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-13 22:47 --------- d-----w C:\Program Files\Lonely Cat Games
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2004-08-04 05:14: VIRUS ALERT! 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 05:14: VIRUS ALERT! 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-07 10:38: VIRUS ALERT! 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7287293E-B0BE-4A31-B52B-EA15F57679E3}]
2008-09-11 11:40: VIRUS ALERT! 344064 --a------ C:\WINDOWS\vmgspntbnrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0}"= "C:\WINDOWS\fqbewlna.dll" [2008-09-11 204800]

[HKEY_CLASSES_ROOT\clsid\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0}]
[HKEY_CLASSES_ROOT\fqbewlna.1]
[HKEY_CLASSES_ROOT\TypeLib\{0955BCF0-2DB3-4926-B985-1ED8F0894D73}]
[HKEY_CLASSES_ROOT\fqbewlna]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-09-05 575488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispCPL"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSetFolders"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mgxfebsq"= {3B23FC7B-8B11-4529-9822-13139E0DAFC0} - C:\WINDOWS\mgxfebsq.dll [2008-09-11 270336]
"dtseqrxk"= {F9EC9751-0CA1-436F-B153-F26D354047E9} - C:\WINDOWS\dtseqrxk.dll [2008-09-11 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\Program Files\\AMPED\\WarRock Philippines Installer\\WRLauncher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"D:\\2142\\BF2142.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e841fe1-6272-11dd-b0a3-00138fedf29e}]
\Shell\AutoRun\command - F:\svdioajm.cmd
\Shell\explore\Command - F:\svdioajm.cmd
\Shell\open\Command - F:\svdioajm.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{345efeca-442b-11dd-b029-00138fedf29e}]
\Shell\AutoRun\command - J:\1t6yxlxx.cmd
\Shell\explore\Command - J:\1t6yxlxx.cmd
\Shell\open\Command - J:\1t6yxlxx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a73d61-5404-11dd-b06e-00138fedf29e}]
\Shell\AutoRun\command - F:\ffojc.com
\Shell\explore\Command - F:\ffojc.com
\Shell\open\Command - F:\ffojc.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df458ce-2191-11dd-af90-00138fedf29e}]
\Shell\AutoRun\command - G:\ph.com
\Shell\explore\Command - G:\ph.com
\Shell\open\Command - G:\ph.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81b28f01-44c8-11dd-b02b-00138fedf29e}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c89c48-58b3-11dd-b080-00138fedf29e}]
\Shell\AutoRun\command - J:\bar311.exe %1
\Shell\Explore\command - J:\bar311.exe %1
\Shell\Open\command - J:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae898e3c-6f5d-11dd-b0d5-00138fedf29e}]
\Shell\AutoRun\command - F:\2.cmd
\Shell\explore\Command - F:\2.cmd
\Shell\open\Command - F:\2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b60e1e17-0ccf-11dd-af2e-00138fedf29e}]
\Shell\AutoRun\command - F:\kk3.bat
\Shell\explore\Command - F:\kk3.bat
\Shell\open\Command - F:\kk3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b60e1e26-0ccf-11dd-af2e-00138fedf29e}]
\Shell\AutoRun\command - G:\1t6yxlxx.cmd
\Shell\explore\Command - G:\1t6yxlxx.cmd
\Shell\open\Command - G:\1t6yxlxx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeeb02f5-7ae0-11dd-b10b-00138fedf29e}]
\Shell\AutoRun\command - F:\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19f358c-7eb5-11dd-b11b-00138fedf29e}]
\Shell\Autoplay\Command - G:\xmss.exe
\Shell\AutoRun\command - G:\xmss.exe
\Shell\Explore\Command - G:\xmss.exe
\Shell\Open\Command - G:\xmss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa583259-2d47-11dd-afc6-00138fedf29e}]
\Shell\AutoRun\command - ufjtre.exe
\Shell\explore\Command - ufjtre.exe
\Shell\open\Command - ufjtre.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\b4pbta6a.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://search.speedbit.com/
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 14:16:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\user\Application Data\TmpRecentIcons
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Chikka.lnk 1468 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Free Music Zilla.lnk 733 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Launch WarRock Philippines.lnk 809 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Microsoft Office Word 2003.lnk 2497 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Mp3 Audio Editor.lnk 1594 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\MS Antivirus.lnk 636 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\PC Satellite TV.lnk 798 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Shortcut to games.lnk 402 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\Shortcut to music.lnk 1186 bytes
C:\Documents and Settings\user\Application Data\TmpRecentIcons\SWAT 4.lnk 659 bytes

scan completed successfully
hidden files: 11

**************************************************************************

#5 BlessTheFaLL (Topic Starter, Member, 32 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52: VIRUS ALERT!, on 9/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: QXK Olive - {7287293E-B0BE-4A31-B52B-EA15F57679E3} - C:\WINDOWS\vmgspntbnrp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: fqbewlna - {94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [\YUR83.exe] C:\Windows\system32\YUR83.exe
O4 - HKLM\..\Run: [\YUR84.exe] C:\Windows\system32\YUR84.exe
O4 - HKLM\..\Run: [\YUR85.exe] C:\Windows\system32\YUR85.exe
O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [\YUR83.exe] C:\Windows\system32\YUR83.exe
O4 - HKCU\..\Run: [\YUR84.exe] C:\Windows\system32\YUR84.exe
O4 - HKCU\..\Run: [\YUR85.exe] C:\Windows\system32\YUR85.exe
O4 - HKCU\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O21 - SSODL: mgxfebsq - {3B23FC7B-8B11-4529-9822-13139E0DAFC0} - C:\WINDOWS\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {F9EC9751-0CA1-436F-B153-F26D354047E9} - C:\WINDOWS\dtseqrxk.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9244 bytes

#6
andrewuk
    Trusted Helper

  • Malware Removal
  • 5,297 posts
Your ComboFix log was very long and so got cut off. However, you have plenty more infections on your machine to clear. So, instead of doing a large ComboFix script, we will run a general scan and see what that clears, pull down another ComboFix log and then design a script for ComboFix to clear out the rest.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 3====
Could you re-run ComboFix by double-clicking on the icon on your desktop?



In your next reply could I see:
1. the Malwarebytes log
2. the ComboFix log
3. a new HijackThis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#7
BlessTheFaLL
    Member

  • Topic Starter
  • Member
  • 32 posts
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\srservice]
"ServiceDll"="C:\WINDOWS\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\StarWindService]
"ImagePath"="C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SwPrv]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{AF7D04F0-AE43-48FC-8630-7A644BE7147A}"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip6]
"ImagePath"="system32\DRIVERS\tcpip6.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TlntSvr]
"ImagePath"="C:\WINDOWS\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tunmp]
"ImagePath"="system32\DRIVERS\tunmp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\upperdev]
"ImagePath"="system32\DRIVERS\usbser_lowerflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbser]
"ImagePath"="system32\DRIVERS\usbser.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usprserv]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vaxscsi]
"ImagePath"="\SystemRoot\System32\Drivers\vaxscsi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Wdf01000]
"ImagePath"="system32\DRIVERS\Wdf01000.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmdmPmSN]
"ServiceDll"="C:\WINDOWS\system32\mspmsnsv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrv]
"ImagePath"="C:\WINDOWS\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wuauserv]
"ServiceDll"="C:\WINDOWS\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{5EF1BED1-E89E-4D68-938B-449F0BF43577}]
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-11 14:21:23 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-09-11 06:21:21

Pre-Run: 13,833,687,040 bytes free
Post-Run: 13,735,710,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#8
andrewuk
    Trusted Helper

  • Malware Removal
  • 5,297 posts
Could you follow the instructions in Post #6? I am hoping your next ComboFix log will be shorter...

andrewuk

#9
BlessTheFaLL
    Member

  • Topic Starter
  • Member
  • 32 posts
Malwarebytes' Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 2

9/11/2008 6:10:56 PM
mbam-log-2008-09-11 (18-10-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 112741
Time elapsed: 43 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 19
Registry Data Items Infected: 10
Folders Infected: 3
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\dtseqrxk.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f9ec9751-0ca1-436f-b153-f26d354047e9} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0955bcf0-2db3-4926-b985-1ed8f0894d73} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{279fb82e-05b3-4c47-ba77-05d0da7f5703} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3b23fc7b-8b11-4529-9822-13139e0dafc0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{d15d736d-0f85-43f0-b9b7-440281a2f463} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3dd3c2ae-50f9-4606-a1c6-6866616dba1e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{971eed72-60a4-4c07-9c6c-8b7485b0f860} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7287293e-b0be-4a31-b52b-ea15f57679e3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7287293e-b0be-4a31-b52b-ea15f57679e3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.bldx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dtseqrxk (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur83.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur84.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur85.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur83.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur84.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur85.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgxfebsq (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarerefer...=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-642-4227893-23768) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\dtseqrxk.dll (Trojan.Zlob) -> Delete on reboot.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\7.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\emnf.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\YUR7.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169927.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169928.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169929.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169930.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169931.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169940.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP120\A0169997.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170045.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170046.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170048.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170050.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170051.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170052.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170080.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FA849DA4-1692-49FD-B89F-D51BEA1F1EC6}\RP121\A0170081.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fqbewlna.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\mqgldfvo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vmgspntbnrp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\TmpRecentIcons\MS Antivirus.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

#10
BlessTheFaLL
    Member

  • Topic Starter
  • Member
  • 32 posts
ComboFix 08-09-10.02 - user 2008-09-11 18:15:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.279 [GMT 8:00]
Running from: C:\Documents and Settings\user\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-11 17:22 . 2008-09-11 17:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 17:22 . 2008-09-11 17:22 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-09-11 17:22 . 2008-09-11 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 17:22 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 17:22 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-11 15:19 . 2008-09-11 15:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-11 12:29 . 2008-09-11 18:10 <DIR> d-------- C:\Program Files\MSA
2008-09-11 12:02 . 2008-09-11 12:02 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-10 18:27 . 2008-09-11 08:00 115 --a------ C:\autorun.inf.vir
2008-09-09 11:06 . 2008-09-09 11:08 <DIR> d-------- C:\Program Files\DriverCleanerDotNET
2008-09-09 11:00 . 2008-09-09 11:00 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-09-09 11:00 . 2008-09-09 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-09-09 11:00 . 2006-03-29 08:50 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-09-09 11:00 . 2006-03-29 08:51 60,416 --a------ C:\WINDOWS\system32\DSETUP.dll
2008-09-09 11:00 . 2006-03-29 08:49 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-09-09 11:00 . 2006-05-05 19:21 4,608 --a------ C:\WINDOWS\system32\drivers\nvport.sys
2008-09-09 10:24 . 2008-09-09 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-09 08:34 . 2008-05-19 18:16 186,407 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-09-08 08:01 . 2008-09-08 08:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Simply Super Software
2008-09-08 08:01 . 2008-09-08 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-09-08 08:01 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-09-08 08:01 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-09-08 08:01 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-09-08 08:01 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-09-08 08:01 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Program Files\AskSBar
2008-09-07 10:29 . 2008-09-07 10:29 <DIR> d-------- C:\Program Files\Google
2008-09-07 10:29 . 2008-09-07 10:35 <DIR> d-------- C:\Program Files\DAP
2008-09-07 10:29 . 2008-09-07 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2008-09-07 10:29 . 2008-09-07 10:29 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-09-07 10:29 . 2008-09-07 10:29 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-09-07 10:29 . 2008-09-07 10:29 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-09-07 05:32 . 2008-02-21 23:18 566,624 --a------ C:\WINDOWS\system32\d3d10.dll
2008-09-07 05:32 . 2007-04-19 01:59 519,912 --a------ C:\WINDOWS\system32\d3dx10d_33.dll
2008-09-07 05:32 . 2007-04-19 01:59 519,912 --a------ C:\WINDOWS\system32\d3dx10d.dll
2008-09-07 05:32 . 2008-02-21 23:18 519,912 --a------ C:\WINDOWS\system32\d3dx10.dll
2008-09-07 05:32 . 2008-02-21 23:18 494,557 --a------ C:\WINDOWS\system32\dxgi.dll
2008-09-07 05:32 . 2007-12-22 20:30 34,854 --a------ C:\WINDOWS\system32\directx10logo.bmp
2008-09-07 05:32 . 2008-02-22 00:10 25,037 --a------ C:\WINDOWS\system32\Nucleus.dll
2008-09-05 13:02 . 2008-09-05 13:02 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-05 13:02 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-09-05 08:31 . 2008-09-05 08:31 <DIR> d-------- C:\Documents and Settings\user\Application Data\Leadertech
2008-09-04 12:55 . 2008-09-04 12:55 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-09-04 12:54 . 2008-09-05 19:21 <DIR> d-------- C:\Program Files\Xfire
2008-09-04 12:54 . 2008-09-11 08:29 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire
2008-09-04 05:37 . 2008-09-04 05:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-09-01 09:03 . 2008-09-02 07:54 <DIR> d-------- C:\Program Files\Download Direct
2008-08-28 15:40 . 2008-08-29 16:49 89,370 -r-hs---- C:\ph.com
2008-08-28 05:02 . 2008-08-28 05:02 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-27 14:12 . 2008-08-27 14:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-26 17:45 . 2008-08-26 17:40 89,420 -r-hs---- C:\n.com
2008-08-24 11:37 . 2008-08-24 11:37 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 11:37 . 2008-08-24 11:37 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 11:37 . 2008-08-24 11:37 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-21 19:01 . 2008-09-03 23:58 <DIR> d-------- C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-08-21 18:56 . 2008-09-04 06:25 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-21 08:33 . 2008-08-21 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-21 08:03 . 2008-08-21 08:33 <DIR> d-------- C:\Program Files\Uniblue
2008-08-21 07:57 . 2008-08-21 07:58 <DIR> d-------- C:\Program Files\Mp3 Audio Editor
2008-08-21 07:57 . 2005-03-29 07:57 2,084,864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll
2008-08-21 07:57 . 2005-04-04 17:21 602,112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-08-21 07:57 . 2005-03-28 15:54 479,232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2008-08-21 07:57 . 2005-03-28 15:54 475,136 --a------ C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll
2008-08-21 07:57 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2008-08-21 07:57 . 2005-03-28 15:52 417,792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll
2008-08-21 07:57 . 2005-03-28 15:56 417,792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll
2008-08-21 07:57 . 2005-02-24 11:51 348,160 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-08-21 07:57 . 2006-03-23 12:56 113,486 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-08-18 14:04 . 2008-08-18 14:04 <DIR> d-------- C:\Documents and Settings\user\Application Data\MSNInstaller
2008-08-17 06:25 . 2008-08-17 06:25 <DIR> d-------- C:\Program Files\NCH Software
2008-08-17 06:14 . 2008-08-17 06:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\NCH Swift Sound
2008-08-17 06:14 . 2008-08-17 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-17 06:12 . 2008-08-17 06:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-08-17 05:29 . 2008-08-17 13:17 90,343 -r-hs---- C:\0.com
2008-08-16 11:56 . 2008-08-19 09:23 <DIR> d-------- C:\Documents and Settings\user\Application Data\Mp3 Audio Editor
2008-08-16 11:55 . 2005-05-17 12:37 1,986,560 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-08-16 11:55 . 2005-05-18 11:52 1,212,416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-08-16 11:55 . 2005-04-15 12:08 880,640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll
2008-08-16 11:55 . 2004-11-04 13:31 835,584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2008-08-16 11:55 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-08-16 11:55 . 2002-01-05 16:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-15 13:02 . 2008-08-16 05:52 89,197 -r-hs---- C:\t1ypkh.exe
2008-08-11 07:19 . 2008-08-21 08:33 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 09:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 08:32 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-09-11 06:09 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-09-10 10:27 93,896 ----a-w C:\WINDOWS\system32\ckvo.exe.vir
2008-09-10 02:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-10 02:16 --------- d-----w C:\Program Files\EA GAMES
2008-09-09 11:49 --------- d-----w C:\Program Files\Free Music Zilla
2008-09-08 00:36 --------- d-----w C:\Program Files\YouTube Downloader
2008-09-04 03:10 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-09-04 03:09 --------- d-----w C:\Documents and Settings\user\Application Data\SystemRequirementsLab
2008-08-24 03:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-21 10:55 --------- d-----w C:\Program Files\Java
2008-08-21 00:38 --------- d-----w C:\Program Files\XoftSpySE
2008-08-21 00:26 --------- d-----w C:\Program Files\uTorrent
2008-08-10 13:42 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-08-10 10:00 --------- d-----w C:\Documents and Settings\user\Application Data\Autodesk
2008-08-10 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-09 07:58 --------- d-----w C:\Documents and Settings\user\Application Data\Disney Interactive Studios
2008-08-09 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-08 09:13 --------- d-----w C:\Program Files\easetech
2008-08-08 05:59 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-08-08 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-07 15:18 --------- d-----w C:\Program Files\Yahoo!
2008-08-07 00:10 --------- d-----w C:\Program Files\DivX
2008-08-04 01:11 89,885 --sh--r C:\xqf.com
2008-08-03 01:09 --------- d-----w C:\Documents and Settings\user\Application Data\Activision
2008-08-03 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2008-07-31 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-22 23:02 --------- d-----w C:\Program Files\WebEye
2008-07-22 22:41 --------- d-----w C:\Program Files\Vimicro
2008-07-22 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-22 03:24 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-22 03:24 --------- d-----w C:\Program Files\AutoCAD 2008
2008-07-22 02:55 --------- d-----w C:\Program Files\Autodesk
2008-07-22 02:51 247,866 ----a-w C:\WINDOWS\Alcohol_Toolbar_Uninstaller_8156.exe
2008-07-22 02:51 --------- d-----w C:\Program Files\Alcohol Toolbar
2008-07-22 02:50 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-07-22 02:50 --------- d-----w C:\Program Files\Alcohol Soft
2008-07-19 21:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-19 15:34 22,328 ----a-w C:\Documents and Settings\user\Application Data\PnkBstrK.sys
2008-07-19 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-18 06:19 --------- d-----w C:\Documents and Settings\user\Application Data\DivX
2008-07-16 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-13 22:47 --------- d-----w C:\Program Files\Lonely Cat Games
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2004-08-04 05:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 05:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-07 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-07 10:38 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-07 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 580096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-24 878672]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-17 219136]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-09-05 575488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\Program Files\\AMPED\\WarRock Philippines Installer\\WRLauncher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"D:\\2142\\BF2142.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e841fe1-6272-11dd-b0a3-00138fedf29e}]
\Shell\AutoRun\command - F:\svdioajm.cmd
\Shell\explore\Command - F:\svdioajm.cmd
\Shell\open\Command - F:\svdioajm.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{345efeca-442b-11dd-b029-00138fedf29e}]
\Shell\AutoRun\command - J:\1t6yxlxx.cmd
\Shell\explore\Command - J:\1t6yxlxx.cmd
\Shell\open\Command - J:\1t6yxlxx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a73d61-5404-11dd-b06e-00138fedf29e}]
\Shell\AutoRun\command - F:\ffojc.com
\Shell\explore\Command - F:\ffojc.com
\Shell\open\Command - F:\ffojc.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df458ce-2191-11dd-af90-00138fedf29e}]
\Shell\AutoRun\command - G:\ph.com
\Shell\explore\Command - G:\ph.com
\Shell\open\Command - G:\ph.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81b28f01-44c8-11dd-b02b-00138fedf29e}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c89c48-58b3-11dd-b080-00138fedf29e}]
\Shell\AutoRun\command - J:\bar311.exe %1
\Shell\Explore\command - J:\bar311.exe %1
\Shell\Open\command - J:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae898e3c-6f5d-11dd-b0d5-00138fedf29e}]
\Shell\AutoRun\command - F:\2.cmd
\Shell\explore\Command - F:\2.cmd
\Shell\open\Command - F:\2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b60e1e17-0ccf-11dd-af2e-00138fedf29e}]
\Shell\AutoRun\command - F:\kk3.bat
\Shell\explore\Command - F:\kk3.bat
\Shell\open\Command - F:\kk3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b60e1e26-0ccf-11dd-af2e-00138fedf29e}]
\Shell\AutoRun\command - G:\1t6yxlxx.cmd
\Shell\explore\Command - G:\1t6yxlxx.cmd
\Shell\open\Command - G:\1t6yxlxx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeeb02f5-7ae0-11dd-b10b-00138fedf29e}]
\Shell\AutoRun\command - F:\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19f358c-7eb5-11dd-b11b-00138fedf29e}]
\Shell\Autoplay\Command - G:\xmss.exe
\Shell\AutoRun\command - G:\xmss.exe
\Shell\Explore\Command - G:\xmss.exe
\Shell\Open\Command - G:\xmss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa583259-2d47-11dd-afc6-00138fedf29e}]
\Shell\AutoRun\command - ufjtre.exe
\Shell\explore\Command - ufjtre.exe
\Shell\open\Command - ufjtre.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\b4pbta6a.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://search.speedbit.com/
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 18:19:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-11 18:23:45 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-09-11 10:23:41
ComboFix2.txt 2008-09-11 06:21:24

Pre-Run: 13,685,288,960 bytes free
Post-Run: 13,674,737,664 bytes free

  • 0


#11
BlessTheFaLL

BlessTheFaLL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24, on 9/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7801 bytes
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
====STEP 1====
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



====STEP 2====
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
F:\svdioajm.cmd
J:\1t6yxlxx.cmd
F:\ffojc.com
G:\ph.com
G:\xn1i9x.com
J:\bar311.exe
F:\2.cmd
F:\kk3.bat
G:\1t6yxlxx.cmd
G:\xmss.exe
C:\t1ypkh.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e841fe1-6272-11dd-b0a3-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{345efeca-442b-11dd-b029-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a73d61-5404-11dd-b06e-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df458ce-2191-11dd-af90-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81b28f01-44c8-11dd-b02b-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c89c48-58b3-11dd-b080-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae898e3c-6f5d-11dd-b0d5-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b60e1e17-0ccf-11dd-af2e-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b60e1e26-0ccf-11dd-af2e-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeeb02f5-7ae0-11dd-b10b-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19f358c-7eb5-11dd-b11b-00138fedf29e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa583259-2d47-11dd-afc6-00138fedf29e}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



====STEP 3====
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


In your next reply could I see:
1. the ComboFix log
2. a new HijackThis log
3. the Kaspersky log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
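The CFScript in STEP 2 is derived mechanically from the ComboFix log posted earlier: each mountpoints2 key whose Shell\...\command handler launches a file on a removable drive is deleted (the leading "-" in "[-HKEY_...]" is ComboFix's delete-key syntax), and the files those handlers launch are listed under File::. As an added example that is not part of this thread, of ComboFix, or of the helper's own procedure, the Python below parses a constructed fragment of that log (lines copied from the log above) and generates both sections. The regular expressions for the log layout are this example's own assumptions about the format. It generalises beyond the hand-written script: it emits every absolute path it finds, keeps bare file names such as ufjtre.exe separate (they cannot be deleted by path, so only their key is removed), and flags executables at a drive root that carry both the hidden and system attribute bits, which is the pattern that makes C:\t1ypkh.exe stand out in the file listing. The helper's list is still a judgement call (it omits F:\autorun\autorun.exe, for instance), so treat the generated script as a draft to review, not something to run unread.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted earlier in
# this thread (a few "Files Created" rows with their attribute column, and
# three of the mountpoints2 blocks from "Reg Loading Points").
SAMPLE_LOG = r"""
2008-08-17 05:29 . 2008-08-17 13:17 90,343 -r-hs---- C:\0.com
2008-08-16 11:55 . 2002-01-05 16:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-15 13:02 . 2008-08-16 05:52 89,197 -r-hs---- C:\t1ypkh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e841fe1-6272-11dd-b0a3-00138fedf29e}]
\Shell\AutoRun\command - F:\svdioajm.cmd
\Shell\explore\Command - F:\svdioajm.cmd
\Shell\open\Command - F:\svdioajm.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c89c48-58b3-11dd-b080-00138fedf29e}]
\Shell\AutoRun\command - J:\bar311.exe %1
\Shell\Explore\command - J:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa583259-2d47-11dd-afc6-00138fedf29e}]
\Shell\AutoRun\command - ufjtre.exe
\Shell\open\Command - ufjtre.exe
"""

# Assumed log layout (this example's own regexes, not ComboFix's spec).
# A mountpoints2 key line: [HKEY_CURRENT_USER\...\mountpoints2\{GUID}]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A handler line below it: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\\w+\\command\s+-\s+(.+)$", re.I)
# A "Files Created" row: two dates, size or <DIR>, 9-char attribute column, path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:<DIR>|[\d,]+) (\S{9}) (.+)$")
# Leading absolute path of a command line, stopping before arguments like %1
ABS_PATH_RE = re.compile(r"^([A-Z]:\\[^\s%]+)", re.I)
EXEC_EXT = (".exe", ".com", ".cmd", ".bat", ".pif", ".scr")


def parse_mountpoints(log):
    """Return {registry key: [handler command, ...]} for each mountpoints2 block."""
    entries, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
        elif not line:
            current = None            # a blank line closes the block
        elif current is not None:
            m = CMD_RE.match(line)
            if m:
                entries[current].append(m.group(1).strip())
    return entries


def autorun_targets(entries):
    """Split handler targets into absolute paths (deletable by path) and bare
    file names, which only tell us that the key itself must go."""
    paths, bare = [], []
    for cmds in entries.values():
        for cmd in cmds:
            m = ABS_PATH_RE.match(cmd)
            target, bucket = (m.group(1), paths) if m else (cmd.split()[0], bare)
            if target not in bucket:
                bucket.append(target)
    return paths, bare


def hidden_root_executables(log):
    """Executables at a drive root with both hidden (h) and system (s) attribute
    bits set: the pattern the dropper files in this log follow. Restricting to
    executable extensions keeps legitimate hidden+system files like pagefile.sys out."""
    hits = []
    for raw in log.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m:
            continue
        attrs, path = m.groups()
        at_root = re.fullmatch(r"[A-Z]:\\[^\\]+", path, re.I) is not None
        if "h" in attrs and "s" in attrs and at_root and path.lower().endswith(EXEC_EXT):
            hits.append(path)
    return hits


def build_cfscript(log):
    """Assemble the File:: and Registry:: sections of a CFScript from the log."""
    entries = parse_mountpoints(log)
    paths, _bare = autorun_targets(entries)
    files = list(dict.fromkeys(paths + hidden_root_executables(log)))  # dedupe, keep order
    lines = ["File::"] + files + ["", "Registry::"]
    lines += ["[-%s]" % key for key in entries]   # leading '-' tells ComboFix to delete the key
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Running it against the full "Reg Loading Points" section of the log rather than the sample reproduces the helper's File:: and Registry:: lists apart from the judgement calls noted above; the bare-name bucket from autorun_targets is worth printing as well, since a handler with no drive letter still means a removable drive carried the dropper at some point.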

#13
BlessTheFaLL

BlessTheFaLL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
ComboFix 08-09-10.02 - user 2008-09-12 5:53:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT 8:00]
Running from: C:\Documents and Settings\user\My Documents\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\t1ypkh.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-12 05:45 . 2008-09-12 05:45 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-12 05:30 . 2008-09-12 05:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-11 17:22 . 2008-09-11 17:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 17:22 . 2008-09-11 17:22 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-09-11 17:22 . 2008-09-11 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 17:22 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 17:22 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-11 15:19 . 2008-09-11 15:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-11 12:29 . 2008-09-11 18:10 <DIR> d-------- C:\Program Files\MSA
2008-09-11 12:02 . 2008-09-11 12:02 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-10 18:27 . 2008-09-11 08:00 115 --a------ C:\autorun.inf.vir
2008-09-09 11:06 . 2008-09-09 11:08 <DIR> d-------- C:\Program Files\DriverCleanerDotNET
2008-09-09 11:01 . 2008-09-12 05:46 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-09-09 11:00 . 2008-09-09 11:00 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-09-09 11:00 . 2008-09-09 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-09-09 11:00 . 2006-03-29 08:50 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-09-09 11:00 . 2006-03-29 08:51 60,416 --a------ C:\WINDOWS\system32\DSETUP.dll
2008-09-09 11:00 . 2006-03-29 08:49 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-09-09 11:00 . 2006-05-05 19:21 4,608 --a------ C:\WINDOWS\system32\drivers\nvport.sys
2008-09-09 10:24 . 2008-09-09 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-09 08:34 . 2008-05-19 18:16 186,407 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-09-08 08:01 . 2008-09-08 08:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Simply Super Software
2008-09-08 08:01 . 2008-09-08 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-09-08 08:01 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-09-08 08:01 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-09-08 08:01 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-09-08 08:01 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-09-08 08:01 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Program Files\AskSBar
2008-09-07 10:29 . 2008-09-07 10:29 <DIR> d-------- C:\Program Files\Google
2008-09-07 10:29 . 2008-09-07 10:35 <DIR> d-------- C:\Program Files\DAP
2008-09-07 10:29 . 2008-09-07 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2008-09-07 10:29 . 2008-09-07 10:29 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-09-07 10:29 . 2008-09-07 10:29 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-09-07 10:29 . 2008-09-07 10:29 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-09-07 05:32 . 2008-02-21 23:18 566,624 --a------ C:\WINDOWS\system32\d3d10.dll
2008-09-07 05:32 . 2007-04-19 01:59 519,912 --a------ C:\WINDOWS\system32\d3dx10d_33.dll
2008-09-07 05:32 . 2007-04-19 01:59 519,912 --a------ C:\WINDOWS\system32\d3dx10d.dll
2008-09-07 05:32 . 2008-02-21 23:18 519,912 --a------ C:\WINDOWS\system32\d3dx10.dll
2008-09-07 05:32 . 2008-02-21 23:18 494,557 --a------ C:\WINDOWS\system32\dxgi.dll
2008-09-07 05:32 . 2007-12-22 20:30 34,854 --a------ C:\WINDOWS\system32\directx10logo.bmp
2008-09-07 05:32 . 2008-02-22 00:10 25,037 --a------ C:\WINDOWS\system32\Nucleus.dll
2008-09-05 13:02 . 2008-09-05 13:02 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-05 13:02 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-09-05 08:31 . 2008-09-05 08:31 <DIR> d-------- C:\Documents and Settings\user\Application Data\Leadertech
2008-09-04 12:55 . 2008-09-04 12:55 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-09-04 12:54 . 2008-09-05 19:21 <DIR> d-------- C:\Program Files\Xfire
2008-09-04 12:54 . 2008-09-11 08:29 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire
2008-09-04 05:37 . 2008-09-04 05:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-09-01 09:03 . 2008-09-02 07:54 <DIR> d-------- C:\Program Files\Download Direct
2008-08-28 15:40 . 2008-08-29 16:49 89,370 -r-hs---- C:\ph.com
2008-08-28 05:02 . 2008-08-28 05:02 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-27 14:12 . 2008-08-27 14:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-26 17:45 . 2008-08-26 17:40 89,420 -r-hs---- C:\n.com
2008-08-24 11:37 . 2008-08-24 11:37 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 11:37 . 2008-08-24 11:37 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 11:37 . 2008-08-24 11:37 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-21 19:01 . 2008-09-03 23:58 <DIR> d-------- C:\Documents and Settings\user\Application Data\OpenOffice.org2
2008-08-21 18:56 . 2008-09-04 06:25 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-21 08:33 . 2008-08-21 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-21 08:03 . 2008-08-21 08:33 <DIR> d-------- C:\Program Files\Uniblue
2008-08-21 07:57 . 2008-08-21 07:58 <DIR> d-------- C:\Program Files\Mp3 Audio Editor
2008-08-21 07:57 . 2005-03-29 07:57 2,084,864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll
2008-08-21 07:57 . 2005-04-04 17:21 602,112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-08-21 07:57 . 2005-03-28 15:54 479,232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2008-08-21 07:57 . 2005-03-28 15:54 475,136 --a------ C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll
2008-08-21 07:57 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2008-08-21 07:57 . 2005-03-28 15:52 417,792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll
2008-08-21 07:57 . 2005-03-28 15:56 417,792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll
2008-08-21 07:57 . 2005-02-24 11:51 348,160 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-08-21 07:57 . 2006-03-23 12:56 113,486 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-08-18 14:04 . 2008-08-18 14:04 <DIR> d-------- C:\Documents and Settings\user\Application Data\MSNInstaller
2008-08-17 06:25 . 2008-08-17 06:25 <DIR> d-------- C:\Program Files\NCH Software
2008-08-17 06:14 . 2008-08-17 06:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\NCH Swift Sound
2008-08-17 06:14 . 2008-08-17 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-17 06:12 . 2008-08-17 06:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-08-17 05:29 . 2008-08-17 13:17 90,343 -r-hs---- C:\0.com
2008-08-16 11:56 . 2008-08-19 09:23 <DIR> d-------- C:\Documents and Settings\user\Application Data\Mp3 Audio Editor
2008-08-16 11:55 . 2005-05-17 12:37 1,986,560 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-08-16 11:55 . 2005-05-18 11:52 1,212,416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-08-16 11:55 . 2005-04-15 12:08 880,640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll
2008-08-16 11:55 . 2004-11-04 13:31 835,584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2008-08-16 11:55 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-08-16 11:55 . 2002-01-05 16:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-11 07:19 . 2008-08-21 08:33 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 21:50 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-09-11 21:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 06:09 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-09-10 10:27 93,896 ----a-w C:\WINDOWS\system32\ckvo.exe.vir
2008-09-10 02:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-10 02:16 --------- d-----w C:\Program Files\EA GAMES
2008-09-09 11:49 --------- d-----w C:\Program Files\Free Music Zilla
2008-09-08 00:36 --------- d-----w C:\Program Files\YouTube Downloader
2008-09-04 03:10 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-09-04 03:09 --------- d-----w C:\Documents and Settings\user\Application Data\SystemRequirementsLab
2008-08-24 03:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-21 10:55 --------- d-----w C:\Program Files\Java
2008-08-21 00:38 --------- d-----w C:\Program Files\XoftSpySE
2008-08-21 00:26 --------- d-----w C:\Program Files\uTorrent
2008-08-10 13:42 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-08-10 10:00 --------- d-----w C:\Documents and Settings\user\Application Data\Autodesk
2008-08-10 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-09 07:58 --------- d-----w C:\Documents and Settings\user\Application Data\Disney Interactive Studios
2008-08-09 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-08 09:13 --------- d-----w C:\Program Files\easetech
2008-08-08 05:59 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-08-08 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-07 15:18 --------- d-----w C:\Program Files\Yahoo!
2008-08-07 00:10 --------- d-----w C:\Program Files\DivX
2008-08-04 01:11 89,885 --sh--r C:\xqf.com
2008-08-03 01:09 --------- d-----w C:\Documents and Settings\user\Application Data\Activision
2008-08-03 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2008-07-31 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-22 23:02 --------- d-----w C:\Program Files\WebEye
2008-07-22 22:41 --------- d-----w C:\Program Files\Vimicro
2008-07-22 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-22 03:24 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-22 03:24 --------- d-----w C:\Program Files\AutoCAD 2008
2008-07-22 02:55 --------- d-----w C:\Program Files\Autodesk
2008-07-22 02:51 247,866 ----a-w C:\WINDOWS\Alcohol_Toolbar_Uninstaller_8156.exe
2008-07-22 02:51 --------- d-----w C:\Program Files\Alcohol Toolbar
2008-07-22 02:50 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-07-22 02:50 --------- d-----w C:\Program Files\Alcohol Soft
2008-07-19 21:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-19 15:34 22,328 ----a-w C:\Documents and Settings\user\Application Data\PnkBstrK.sys
2008-07-19 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-18 06:19 --------- d-----w C:\Documents and Settings\user\Application Data\DivX
2008-07-16 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-13 22:47 --------- d-----w C:\Program Files\Lonely Cat Games
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2008-06-20 18:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2gdr\tcpip.sys
2008-06-20 18:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2qfe\tcpip.sys
2008-06-20 19:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
2008-06-20 19:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
2004-08-04 05:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 05:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-11_14.20.57.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-11 21:45:52 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
- 2004-08-03 22:56:44 678,400 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2004-08-03 22:56:44 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2004-08-03 22:56:44 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll
+ 2008-05-01 14:30:33 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll
- 2001-08-23 11:00:00 200,064 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2004-08-03 22:56:48 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2001-08-23 11:00:00 200,064 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2004-08-03 22:56:44 678,400 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2004-08-03 22:56:44 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2003-04-18 16:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 07:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2006-12-04 06:37:58 1,317,648 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 07:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
- 2006-10-08 13:51:14 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2004-08-03 22:56:48 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-05-08 07:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
#14 BlessTheFaLL (Topic Starter, Member, 32 posts)
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-07 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-07 10:38 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-07 171448]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-08-14 267056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 580096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-24 878672]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-17 219136]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-09-05 575488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\Program Files\\AMPED\\WarRock Philippines Installer\\WRLauncher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"D:\\2142\\BF2142.exe"=

.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 05:58:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
.
**************************************************************************
.
Completion time: 2008-09-12 6:03:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-11 22:02:57
ComboFix2.txt 2008-09-11 10:23:47
ComboFix3.txt 2008-09-11 06:21:24

Pre-Run: 13,344,919,552 bytes free
Post-Run: 13,353,594,880 bytes free

272 --- E O F --- 2008-09-11 21:46:18
#15 BlessTheFaLL (Topic Starter, Member, 32 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:10, on 9/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7919 bytes