Virus Alert System Tray, Task Manager Disabled, Registry Editing Disab


This topic is locked

#1 MossGeek (Member, 32 posts)
I will post my HijackThis log, but first I have to relate some details, as my machine restarts itself approximately every 5 minutes.
I have to do it every time it restarts, but I have successfully been able to open my Task Manager, get my Control Panel back in my Start Menu and edit my registry.
I don't know the name of the virus or how I was infected, but I do know it is a pain in the @ss. Hoping someone can help me out with this problem; here comes the HijackThis log...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:21: VIRUS ALERT!, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {37AC8F48-9783-4A8F-8911-B43FB53BEAC3} - C:\WINDOWS\nfavxwdbxpw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: fdkowvbp - {7EB73DDA-FC6B-4064-8B30-89E6AE779699} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://notoriousguk....ad/MsnPUpld.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.co...006_regular.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O21 - SSODL: wnslvxtf - {69A16D22-F18E-4310-BB51-72579A617CBA} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {87AC6373-4E4C-4A1D-BF2E-F40AD47038F6} - C:\WINDOWS\eqvwamkl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5701 bytes


Well, I finished posting only to receive the message that my HijackThis was out of date. As I tried to download the newest version here, my computer restarted, and I found out that yes, I have to redo the properties as well to get Control Panel, My Computer and whatnot back on the Start Menu...

Please some help would be greatly appreciated.

Cheers All.
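An added example, not part of the original thread and not HijackThis' own code: a small Python triage pass over the log format posted above. It parses the R-/O-lines HijackThis emits and flags the entry classes that in this log belong to the infection: the O6/O7 policy lockouts (regedit disabled, IE restrictions), CLSID-registered modules (O2/O3/O21) that sit directly in C:\WINDOWS instead of system32 or Program Files (the four random-named DLLs), O21 ShellServiceObjectDelayLoad entries, which few legitimate products use, registrations whose module is "(no file)", and an O24 Active Desktop component served from a local file:// URL. The sample lines are copied from the log in this post (the Adobe BHO and SiSUSBrg lines are included as negatives); the regexes, rule names and the "Windows root" heuristic are assumptions, and a hit means "review", not "malicious".

```python
"""Triage heuristics for a HijackThis v2 log (added example, assumptions noted)."""
import re
from dataclasses import dataclass

# "O2 - BHO: name - {CLSID} - path" style lines: code, then the rest.
RE_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
# "<kind>: <name> - {CLSID} - <path>"; name may be "(no name)", path "(no file)".
RE_MODULE = re.compile(
    r"^(?P<kind>[A-Za-z]+):\s*(?P<name>.*?)\s+-\s+"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$"
)
# Heuristic (assumption): an in-process module directly under the Windows
# directory root, e.g. C:\WINDOWS\x.dll, deserves a look; real BHOs and
# toolbars live in Program Files or system32.
RE_WINDIR_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(dll|exe)$", re.IGNORECASE)
MODULE_CODES = {"R3", "O2", "O3", "O21"}


@dataclass
class Finding:
    code: str
    line: str
    reasons: list


def triage(log_text: str) -> list:
    """Return one Finding per HJT line that matches a triage rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_LINE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        reasons = []
        if code == "O7":
            # "HKCU\...\Policies\System, DisableRegedit=1" -> keep the value part
            reasons.append("policy lockout: " + rest.rsplit(", ", 1)[-1])
        elif code == "O6":
            reasons.append("Internet Explorer restrictions policy present")
        elif code == "O24" and "file://" in rest.lower():
            reasons.append("Active Desktop component loaded from a local file")
        elif code in MODULE_CODES:
            e = RE_MODULE.match(rest)
            if e is None:
                continue
            path = e.group("path")
            if path == "(no file)":
                reasons.append("orphaned CLSID registration, module missing")
            else:
                if code == "O21":
                    reasons.append("ShellServiceObjectDelayLoad entry")
                if RE_WINDIR_ROOT.match(path):
                    reasons.append("module sits directly in the Windows directory root")
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


# Sample input: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {37AC8F48-9783-4A8F-8911-B43FB53BEAC3} - C:\WINDOWS\nfavxwdbxpw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: fdkowvbp - {7EB73DDA-FC6B-4064-8B30-89E6AE779699} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: wnslvxtf - {69A16D22-F18E-4310-BB51-72579A617CBA} - C:\WINDOWS\wnslvxtf.dll
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {'; '.join(f.reasons)}\n     {f.line}")
```

Run stand-alone it prints the eight flagged lines; the Adobe BHO and the SiSUSBrg Run entry pass through. The Windows-root rule is deliberately narrow (only CLSID-registered modules), because plenty of legitimate executables such as explorer.exe or notepad.exe live in C:\WINDOWS and would otherwise drown the list.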



#2 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

If your computer wants to shut down, go to Start, Run (Windows key + R) and type in shutdown -a quickly.

Please go here to install the Recovery Console and for a guide on using ComboFix.
Please note: installing the Recovery Console plays a vital part in making this process of cleaning your computer safe; don't overlook this!

Now please download ComboFix from here or here. It is important that you save this file to your desktop.

Double-click ComboFix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

A quick heads-up: if you click on ComboFix's window while it's running, you may cause it to stall.

#3 MossGeek (Topic Starter, Member, 32 posts)
Thanks for the reply. I am currently on another computer printing out the tutorial from the other page and will reply a little bit later on tonight when I get back home. I already see a few registry edits that need to be deleted, but I will wait for your response since I'm not an expert; just from what I know, they typically spell out trouble to me.

Thanks again and will reply back soon.

#4 MossGeek (Topic Starter, Member, 32 posts)
I want to say thanks very much for your help. And yes, I am about to post my HijackThis log plus my ComboFix log :) But I want to say I sort of screwed up... I guess the Recovery Console didn't properly install, so I redid it, but it deleted all the extra information such as what it removed... :) Sorry, I know this doesn't help... but here are the logs that I do have, since I replaced the old logs...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://notoriousguk....ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4832 bytes


ComboFix 08-07-29.1 - Administrator 2008-07-30 19:18:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 01:21 . 2008-07-30 01:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 23:16 . 2008-07-29 23:16 1,606 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-29 18:19 . 2008-07-29 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-07-29 18:15 . 2008-07-29 18:16 <DIR> d-------- C:\WINDOWS\nview
2008-07-29 18:15 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-29 18:15 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-29 18:11 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-29 18:10 . 2008-07-29 18:10 <DIR> d-------- C:\NVIDIA
2008-07-29 18:00 . 2008-07-29 18:01 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-29 18:00 . 2008-07-29 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2008-07-18 22:56 . 2008-07-18 22:56 <DIR> d-------- C:\Program Files\Gabest
2008-07-17 18:21 . 2008-07-17 21:20 <DIR> d-------- C:\Program Files\Audacity
2008-07-09 18:18 . 2008-07-28 19:13 <DIR> d-------- C:\Program Files\SpeedFan
2008-07-09 18:18 . 2008-07-09 18:18 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-06-26 10:46 . 2008-06-26 10:50 <DIR> d-------- C:\Program Files\Mypops
2008-06-26 00:15 . 2008-06-26 00:15 <DIR> d-------- C:\Program Files\MSTpscre
2008-06-26 00:15 . 2008-06-26 00:17 <DIR> d-------- C:\Program Files\E.M. Youtube Video Download Tool
2008-06-26 00:02 . 2008-07-01 15:32 412 --a------ C:\WINDOWS\system32\Infob.dat
2008-06-26 00:02 . 2008-07-01 15:32 0 --a------ C:\WINDOWS\system32\Infoa.dat
2008-06-25 23:59 . 2008-06-25 23:59 <DIR> d-------- C:\Y.D.T
2008-06-25 23:59 . 2008-06-26 00:03 354 --a------ C:\WINDOWS\system32\treeinfo.dat
2008-06-25 23:32 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-06-22 23:55 . 2008-06-22 23:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-22 23:55 . 2008-06-22 23:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 10:41 . 2008-06-20 10:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 15:46 . 2008-06-19 15:46 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-19 15:43 . 2008-06-19 15:57 <DIR> d-------- C:\Program Files\DVD2SVCD
2008-06-18 21:01 . 2008-06-18 21:01 <DIR> d-------- C:\Program Files\Custom Technology
2008-06-18 21:01 . 2005-07-28 08:18 685,056 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-06-18 21:01 . 2008-07-30 19:09 0 --a------ C:\WINDOWS\TempFile
2008-06-16 19:58 . 2008-06-16 19:58 <DIR> d-------- C:\Program Files\Xvid
2008-06-16 19:58 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-16 19:58 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-16 19:58 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-16 18:52 . 2008-06-16 18:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Pegasys Inc
2008-06-16 18:51 . 2008-06-16 18:51 <DIR> d-------- C:\Program Files\Pegasys Inc
2008-06-10 17:22 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 22:42 . 2008-06-08 22:42 <DIR> d-------- C:\Program Files\VSO
2008-06-08 19:14 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-08 19:14 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-08 19:13 . 2008-06-08 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-08 13:04 . 2008-06-08 13:06 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-03 18:35 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-06-03 14:46 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-06-03 14:46 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-06-03 14:46 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 06:18 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-30 03:16 --------- d-----w C:\Program Files\mIRC
2008-07-23 02:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 08:19 --------- d-----w C:\Program Files\MSN Messenger
2008-06-09 05:42 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-09 05:42 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-06-09 02:13 --------- d-----w C:\Program Files\ESET
2008-06-06 06:01 --------- d-----w C:\Program Files\Google
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2006-11-16 03:09 32,320 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-08-15 05:26 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-08-15 05:26 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-06-03 23:46 5724184]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 03:15 106496]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 22:10 335872]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 19:50 155648]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-10-27 16:07 987136]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" [2008-06-26 00:15 110080]
"ypops"="C:\Program Files\Mypops\ypops.exe" [2008-06-26 10:50 88896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Rapidown.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Rapidown.lnk
backup=C:\WINDOWS\pss\Rapidown.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-10-14 10:17 45056 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-10-06 13:04 492032 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2006-07-11 03:06 3144800 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 13:16 185896 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 SiSRaid1;SiSRaid1;C:\WINDOWS\system32\DRIVERS\SiSRaid1.sys [2003-12-09 00:50]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 05:00]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2004-10-06 10:39]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-03-15 18:11]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
.
Contents of the 'Scheduled Tasks' folder

2004-10-29 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O8 -: &ICQ Toolbar Search
O8 -: &Search - http://edits.mywebse...arch.jhtml?p=ZK
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 19:19:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-30 19:21:10
ComboFix-quarantined-files.txt 2008-07-31 02:20:52
ComboFix2.txt 2008-07-31 02:16:39

Pre-Run: 9,226,149,888 bytes free
Post-Run: 9,195,831,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /noguiboot
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

185 --- E O F --- 2008-07-08 23:47:45


And yes, I am part idiot, as in the first place I caused this error on my own behalf. But thanks again, and yes, I will check the thread a little later and tomorrow to see if anyone has any more suggestions or help for me. I am not the best user, but not quite a n00b...

Cheers.
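An added example, not part of the original thread and not ComboFix's code: the "Reg Loading Points" section of the ComboFix log above shows the rogue software silencing the XP security stack (Security Center notifications and overrides set to 1, firewall notifications disabled), and the earlier HijackThis log showed DisableRegedit=1. The Python below parses that REGEDIT4-style dump, accepting both the standard `dword:00000001` form and ComboFix's `1 (0x1)` form, compares the watched values with what a home XP SP2 machine normally has, and emits a REGEDIT4 fragment that puts them back. The sample text is the Security Center and firewall fragment from the log plus a constructed Policies\System section for the DisableRegedit value; the full key paths and expected values are assumptions. One caveat: ComboFix abbreviates a different parent key with `~` in different sections, so the script matches on the key suffix and takes the full path from its own table rather than expanding `~`. The Override flags are also set by some legitimate third-party security suites, so confirm the source before resetting them.

```python
"""Audit a ComboFix 'Reg Loading Points' dump for silenced security settings
(added example; key paths and expected values are assumptions)."""
import re

RE_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RE_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')

# Key suffix as ComboFix prints it -> (full path for a .reg file, {value: expected}).
# Expected values assume a home XP SP2 box with nothing suppressing warnings.
WATCHED = {
    r"microsoft\security center": (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
        {"AntiVirusDisableNotify": 0, "FirewallDisableNotify": 0,
         "UpdatesDisableNotify": 0, "AntiVirusOverride": 0, "FirewallOverride": 0},
    ),
    r"firewallpolicy\standardprofile": (
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
        r"\Parameters\FirewallPolicy\StandardProfile",
        {"DisableNotifications": 0},
    ),
    r"currentversion\policies\system": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
        {"DisableRegedit": 0, "DisableTaskMgr": 0},
    ),
}


def parse_value(raw: str):
    """Accept REGEDIT4 'dword:00000001', ComboFix's '1 (0x1)', or a quoted string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_reg_dump(text: str) -> dict:
    """Map each [key] to a {value name: parsed value} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = RE_KEY.match(line)
        if k:
            current = k.group("key")
            keys.setdefault(current, {})
            continue
        v = RE_VALUE.match(line)
        if v and current is not None:
            keys[current][v.group("name")] = parse_value(v.group("raw"))
    return keys


def audit(keys: dict) -> list:
    """Return (full_key, name, actual, expected) for every watched value that is off."""
    hits = []
    for key, values in keys.items():
        for suffix, (full, expected) in WATCHED.items():
            if key.lower().endswith(suffix):
                for name, want in expected.items():
                    if name in values and values[name] != want:
                        hits.append((full, name, values[name], want))
    return hits


def remediation_reg(hits: list) -> str:
    """Build a REGEDIT4 file that resets each flagged value to its expected DWORD."""
    by_key = {}
    for full, name, _actual, want in hits:
        by_key.setdefault(full, []).append((name, want))
    out = ["REGEDIT4", ""]
    for full, items in by_key.items():
        out.append(f"[{full}]")
        out.extend(f'"{name}"=dword:{want:08x}' for name, want in items)
        out.append("")
    return "\n".join(out)


# Sample: Security Center / firewall lines from the ComboFix log above, plus a
# constructed Policies\System section for the O7 DisableRegedit finding.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit"=dword:00000001
"""

if __name__ == "__main__":
    for full, name, actual, want in audit(parse_reg_dump(SAMPLE_DUMP)):
        print(f"{full}\\{name} = {actual} (expected {want})")
    print(remediation_reg(audit(parse_reg_dump(SAMPLE_DUMP))))
```

The generated .reg only resets values the audit actually flagged, so importing it does not touch keys the dump never mentioned; run the audit again after the machine is clean, because a rogue that is still resident will simply set the values back.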

#5 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Please do the following in order :)

Stay away from cracks!

Please Uninstall the Following:
ESET
NOD32FiX


Now,

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\nod32fixtemdono.reg

Folder::
C:\program files\ESET
C:\Documents and Settings\All Users\Application Data\ESET

DirLook::
C:\Y.D.T

Registry::
O8 -: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that, please reboot your computer if it asks you to, and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Finally,

You will need an antivirus. Take a look at AntiVir; it's free.

As for the first run with ComboFix, go to C:\Qoobox\Combofix3.txt and attach the contents of the file here, please.
To attach a file, do the following:
* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse for the attachment file you want to upload, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop-down box
* Click on it to insert the attachment into your post

Edited by Mike, 31 July 2008 - 07:10 AM.


#6 MossGeek (Topic Starter, Member, 32 posts)
Hey Mike,

Thanks again for the help. Following will be the next ComboFix log, then the Anti-Malware log, and I will also attach the other ComboFix log as requested...

I don't think all cracks are that bad... I had no problems with the one for ESET, and I had it installed for a bit. But I do know most are considered mal/spyware.

Anyhow, here are my logs, starting with ComboFix + CFScript:
ComboFix 08-07-29.1 - Administrator 2008-07-31 23:47:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.530 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\nod32fixtemdono.reg
C:\WINDOWS\nod32restoretemdono.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ESET
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\EHttpSrv.xml
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\httpblk.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Installer\16a3.msi
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\eScan\ndl14318.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\eScan\ndl22769.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\eScan\ndl4467.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\base_nonnups\0_3_0_nod24D0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\continuous\nod0962.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\continuous\nod0A07.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\continuous\nod198E.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\continuous\nod2D9C.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\continuous\nod4367.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em003_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em003_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em004_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em004_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em005_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em005_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em005_32_l2.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_89.202.157.135\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_89.202.157.137\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_89.202.157.138\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_89.202.157.139\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u21.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u24.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u30.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u31.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u32.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u33.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u34.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u35.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u36.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u37.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u38.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u39.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u40.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u41.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u42.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u43.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u44.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u45.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u46.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u47.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u48.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\http_u49.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\lastupd.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod1B85.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod361C.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod4097.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod4A34.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod50AE.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod5DA2.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod620D.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\nod6931.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\reverse\nod7FA8.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\upd.ver
C:\program files\ESET
C:\program files\ESET\ESET NOD32 Antivirus\callmsi.exe
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\eamon\eamon.cat
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\eamon\eamon.inf
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\eamon\eamon.sys
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\easdrv\easdrv.cat
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\easdrv\easdrv.inf
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\easdrv\easdrv.sys
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\epfwtdir\epfwtdir.cat
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\epfwtdir\epfwtdir.inf
C:\program files\ESET\ESET NOD32 Antivirus\Drivers\epfwtdir\epfwtdir.sys
C:\program files\ESET\ESET NOD32 Antivirus\ecls.exe
C:\program files\ESET\ESET NOD32 Antivirus\ecmd.exe
C:\program files\ESET\ESET NOD32 Antivirus\egui.exe
C:\program files\ESET\ESET NOD32 Antivirus\eguiAmon.dll
C:\program files\ESET\ESET NOD32 Antivirus\eguiEmon.dll
C:\program files\ESET\ESET NOD32 Antivirus\eguiEpfw.dll
C:\program files\ESET\ESET NOD32 Antivirus\eguiMailPlugins.dll
C:\program files\ESET\ESET NOD32 Antivirus\eguiProduct.dll
C:\program files\ESET\ESET NOD32 Antivirus\eguiScan.dll
C:\program files\ESET\ESET NOD32 Antivirus\eguiUpdate.dll
C:\program files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
C:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\program files\ESET\ESET NOD32 Antivirus\ekrnAmon.dll
C:\program files\ESET\ESET NOD32 Antivirus\ekrnEmon.dll
C:\program files\ESET\ESET NOD32 Antivirus\ekrnEpfw.dll
C:\program files\ESET\ESET NOD32 Antivirus\ekrnMailPlugins.dll
C:\program files\ESET\ESET NOD32 Antivirus\ekrnScan.dll
C:\program files\ESET\ESET NOD32 Antivirus\ekrnUpdate.dll
C:\program files\ESET\ESET NOD32 Antivirus\em000_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\em001_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\em002_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\em003_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\em004_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\em005_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\em006_32.dat
C:\program files\ESET\ESET NOD32 Antivirus\eplgHooks.dll
C:\program files\ESET\ESET NOD32 Antivirus\eplgOE.dll
C:\program files\ESET\ESET NOD32 Antivirus\eplgOEEmon.dll
C:\program files\ESET\ESET NOD32 Antivirus\eplgOutlook.dll
C:\program files\ESET\ESET NOD32 Antivirus\eplgOutlookEmon.dll
C:\program files\ESET\ESET NOD32 Antivirus\eset.chm
C:\program files\ESET\ESET NOD32 Antivirus\eula.rtf
C:\program files\ESET\ESET NOD32 Antivirus\http_dll.dll
C:\program files\ESET\ESET NOD32 Antivirus\mfc80.dll
C:\program files\ESET\ESET NOD32 Antivirus\mfc80u.dll
C:\program files\ESET\ESET NOD32 Antivirus\Microsoft.VC80.CRT.manifest
C:\program files\ESET\ESET NOD32 Antivirus\Microsoft.VC80.MFC.manifest
C:\program files\ESET\ESET NOD32 Antivirus\Microsoft.VC80.MFCLOC.manifest
C:\program files\ESET\ESET NOD32 Antivirus\mod_comp.dat
C:\program files\ESET\ESET NOD32 Antivirus\msvcp80.dll
C:\program files\ESET\ESET NOD32 Antivirus\msvcr80.dll
C:\program files\ESET\ESET NOD32 Antivirus\shellExt.dll
C:\program files\ESET\ESET NOD32 Antivirus\unins000.dat
C:\program files\ESET\ESET NOD32 Antivirus\unins000.exe
C:\program files\ESET\ESET NOD32 Antivirus\updater.dll
C:\program files\ESET\Install\advheur.nup
C:\program files\ESET\Install\archs.nup
C:\program files\ESET\Install\charon.nup
C:\program files\ESET\Install\engine.nup
C:\program files\ESET\Install\main.dll
C:\program files\ESET\Install\mfc42.dll
C:\program files\ESET\Install\mfc42u.dll
C:\program files\ESET\Install\msvcrt.dll
C:\program files\ESET\Install\ntbaseen.nup
C:\program files\ESET\Install\ntineten.nup
C:\program files\ESET\Install\ntstden.nup
C:\program files\ESET\Install\pwscan.nup
C:\program files\ESET\Install\readme.txt
C:\program files\ESET\Install\setup.exe
C:\program files\ESET\Install\setup.xml
C:\program files\ESET\Install\utilmod.nup
C:\WINDOWS\nod32fixtemdono.reg
C:\WINDOWS\nod32restoretemdono.reg

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-07-30 01:21 . 2008-07-30 01:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 23:16 . 2008-07-31 18:06 1,606 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-29 18:19 . 2008-07-29 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-07-29 18:15 . 2008-07-29 18:16 <DIR> d-------- C:\WINDOWS\nview
2008-07-29 18:15 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-29 18:15 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-29 18:11 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-29 18:10 . 2008-07-29 18:10 <DIR> d-------- C:\NVIDIA
2008-07-29 18:00 . 2008-07-29 18:01 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-29 18:00 . 2008-07-29 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2008-07-18 22:56 . 2008-07-18 22:56 <DIR> d-------- C:\Program Files\Gabest
2008-07-17 18:21 . 2008-07-17 21:20 <DIR> d-------- C:\Program Files\Audacity
2008-07-09 18:18 . 2008-07-28 19:13 <DIR> d-------- C:\Program Files\SpeedFan
2008-07-09 18:18 . 2008-07-09 18:18 45 --a------ C:\WINDOWS\system32\initdebug.nfo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 06:24 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-31 04:59 --------- d-----w C:\Program Files\E.M. Youtube Video Download Tool
2008-07-30 03:16 --------- d-----w C:\Program Files\mIRC
2008-07-23 02:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-06-26 17:50 --------- d-----w C:\Program Files\Mypops
2008-06-26 07:15 --------- d-----w C:\Program Files\MSTpscre
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 22:57 --------- d-----w C:\Program Files\DVD2SVCD
2008-06-19 22:46 --------- d-----w C:\Program Files\AviSynth 2.5
2008-06-19 04:01 --------- d-----w C:\Program Files\Custom Technology
2008-06-17 02:58 --------- d-----w C:\Program Files\Xvid
2008-06-17 01:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Pegasys Inc
2008-06-17 01:51 --------- d-----w C:\Program Files\Pegasys Inc
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 08:19 --------- d-----w C:\Program Files\MSN Messenger
2008-06-09 05:42 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-09 05:42 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-06-09 05:42 --------- d-----w C:\Program Files\VSO
2008-06-06 06:01 --------- d-----w C:\Program Files\Google
2006-11-16 03:09 32,320 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-08-15 05:26 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-08-15 05:26 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Y.D.T ----

2008-06-26 00:03 5079015 --a------ C:\Y.D.T\Downloaded\YouTube - Fatt Snak - Beer Day (situations).flv


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-06-03 23:46 5724184]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 03:15 106496]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 22:10 335872]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 19:50 155648]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-10-27 16:07 987136]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" [2008-06-26 00:15 110080]
"ypops"="C:\Program Files\Mypops\ypops.exe" [2008-06-26 10:50 88896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Rapidown.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Rapidown.lnk
backup=C:\WINDOWS\pss\Rapidown.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-10-14 10:17 45056 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-10-06 13:04 492032 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2006-07-11 03:06 3144800 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 13:16 185896 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 SiSRaid1;SiSRaid1;C:\WINDOWS\system32\DRIVERS\SiSRaid1.sys [2003-12-09 00:50]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 05:00]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2004-10-06 10:39]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-03-15 18:11]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
.
Contents of the 'Scheduled Tasks' folder

2004-10-29 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-egui - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 23:50:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-31 23:58:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 06:58:09
ComboFix2.txt 2008-07-31 02:21:10
ComboFix3.txt 2008-07-31 02:16:39

Pre-Run: 9,203,908,608 bytes free
Post-Run: 9,157,263,360 bytes free

295 --- E O F --- 2008-07-08 23:47:45

and now the malware log
Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 2

12:16:34 AM 8/1/2008
mbam-log-8-1-2008 (00-16-34).txt

Scan type: Quick Scan
Objects scanned: 38049
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 101
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\istx.installer (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bvar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\sais (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and now time to attach the other file or combo log from previous scan...



Cheers, thanks for all the help, comp is running much better than previously :)

Attached Files


  • 0
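The Malwarebytes log above ends in the usual five sections (Registry Keys, Registry Values, Registry Data Items, Folders, Files). When you are reading a lot of these, a small parser that totals the hits per threat family and pulls out the "Bad/Good" entries is handy: the Registry Data Items section is where MBAM records values it reset rather than deleted, which is where a Start Menu or policy restriction like the ones in the thread title ends up. This is an added example, not part of the post or of Malwarebytes; the sample log is a subset of the lines posted above, and the parsing rules are inferred from that format only.

```python
"""
Parse and summarise the tail of a Malwarebytes' Anti-Malware (MBAM) log.
Added example; the format rules are inferred from the log posted in this thread.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\fdkowvbp.bvar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\sais (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# "<target> (<threat>) -> <rest>"; the threat name never contains parentheses.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Data items carry the value MBAM found and the value it restored.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, target, threat, action, and bad/good for data items."""
    items, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.endswith(" Infected:"):          # section header, e.g. "Registry Keys Infected:"
            section = line[:-1]
            continue
        if line.startswith("("):                  # "(No malicious items detected)"
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue                              # not a detection line; ignore
        item = {"section": section, "target": m["target"], "threat": m["threat"],
                "bad": None, "good": None, "action": m["rest"]}
        bg = BAD_GOOD_RE.match(m["rest"])
        if bg:
            item.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        items.append(item)
    return items


def summarize(items):
    """Counts per threat family and per section, plus anything MBAM did not manage to remove."""
    return {
        "by_threat": dict(Counter(i["threat"] for i in items)),
        "by_section": dict(Counter(i["section"] for i in items)),
        "not_removed": [i for i in items if not i["action"].startswith("Quarantined and deleted")],
    }


def restored_values(items):
    """(target, bad, good) for every registry value MBAM reset rather than deleted."""
    return [(i["target"], i["bad"], i["good"]) for i in items if i["bad"] is not None]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    print(restored_values(found))
```

Anything that lands in `not_removed` (an action other than "Quarantined and deleted successfully", for instance a delete-on-reboot) is what to re-check after the next restart.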

#7
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

I don't think all cracks are that bad...I had no problems with the one for Eset, and I had it installed for a bit. But I do know most are considered mal/spyware.


That's not the problem - it's illegal, plain and simple.

Same goes for the YouTube downloader - the tool itself is legal, but downloading videos from YouTube is against their Terms of Use and against the law.

I'm removing some last tidbits from NOD32, and then let's get an online scan to see if anything is left. You need to install an antivirus; have you looked at AntiVir Free yet?


Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the Notepad window:

File::
C:\WINDOWS\system32\DRIVERS\epfwtdir.sys

Driver::
epfwtdir
NOD32FiXTemDono

Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Then,


Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through Add or Remove Programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Post back with the logs and a new Hijack This log please.

Edited by Mike, 01 August 2008 - 03:32 AM.

  • 0

#8
MossGeek

MossGeek

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Ok that is an understandable reason for me to stay away from cracks.

I now have another problem... I am on a relative's computer since mine won't quite boot into Windows. It doesn't get to the desktop without looping into a restart. Tried using the Recovery Console but that doesn't do anything. Also tried rebooting in Safe Mode. Then tried booting with the last time the computer was in working order and it does the same thing as far as the loop is concerned.

Here is where I got to, as I was trying to go in order. And yes, I installed the free AntiVir... but as far as the steps go, I got as far as...

"Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs."

I am pretty sure where I went wrong when I arrived at this part: I downloaded the Runtime Environment 6 Update 7, but before I installed it, I uninstalled my other ones. After that it asked me to restart the puter and then the loop started.

:) This is a mass inconvenience and hopefully, like my other PC, I haven't fried anything like the motherboard.
  • 0

#9
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Do you get to the windows login screen, i.e the screen where you choose your account? Does it restart every time you click on your account?

The Java installation should never cause this; did you do something else, like try to delete a file or something?

Do you have your windows CD handy?

Just some questions before I can help :)

Edited by Mike, 02 August 2008 - 02:16 AM.

  • 0

#10
MossGeek

MossGeek

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
No, I didn't do anything else but follow the instructions in the order that you gave me to follow. I am slow like I said, but followed those directions as they were given to me. Printed them out on a separate piece of paper and then did them in order.

I don't have a login... I am the only user on the comp, no other logins to choose from. It boots up straight to the desktop.


Yes, I have my Windows CD handy... I saw another thread about repairing XP. Is this my next try?


Been through the forum posts and threads, searched for some research knowledge to add to what little I do remember from back when. But I won't go ahead until I get feedback. Not too sure whether I will be able to log in in the next couple of days due to family stuff.

But I do appreciate all the help you have given to me so far Mike.

Cheers.
  • 0

#11
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Good let's try getting you into windows :)

Please follow the instructions to boot into the recovery console here: http://www.geekstogo...amp;hl=Recovery

If you need help at any point please stop and ask.

Once there at the prompt please do the following:

Type the following command:

copy D:\i386\userinit.ex_ C:\windows\system32\userinit.exe

Some notes: D: refers to the drive where your CD is located; this could be different on your PC - normally it's either D:, E: or F:.

Also take note that between the .ex_ and C:\ there is a space present.

After doing that press Enter. Then type in the following command:

copy D:\i386\winlogon.ex_ C:\windows\system32\winlogon.exe

The same notes apply.


Once again press Enter. Then type in Exit and press Enter one last time.

See if you can get into Windows now.

We have other options, so don't be discouraged if it doesn't work; also try and stick to the advice I give you here and don't try anything else in the meantime, as it can just make this process confusing.

Tell me how it goes :)

Mike

Edited by Mike, 03 August 2008 - 04:54 AM.

  • 0
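Mike's two copy commands restore userinit.exe and winlogon.exe from the CD (the Recovery Console's copy expands the compressed .ex_ files on its own). The reason those two files are the first suspects is that a logon which immediately falls back to the logon screen, or a desktop that never appears, is what you get when userinit.exe is missing or when the Winlogon "Userinit" value points at something that is no longer there, for example a loader a cleanup tool has just deleted; appending a loader to that value is a common malware persistence trick. The following is an added example, not from the thread and not a claim about what was wrong with this particular PC: a check of the Userinit and Shell values against stock XP. The registry values and the file list are constructed strings, so it runs anywhere without touching a live registry.

```python
"""
Check the Winlogon "Userinit" and "Shell" values against a stock Windows XP setup.
Added example; inputs are constructed strings, not read from a real registry.
"""
import ntpath

# Constructed inputs. Stock XP: Userinit is one entry with a trailing comma, Shell is Explorer.exe.
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
STOCK_SHELL = "Explorer.exe"
STOCK_FILES = {r"C:\WINDOWS\system32\userinit.exe", r"C:\WINDOWS\explorer.exe"}
# Constructed: a second loader appended to Userinit; "loader.exe" is a made-up name.
HIJACKED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\loader.exe"


def expand_system_root(value, system_root):
    """Expand %SystemRoot% case-insensitively, as the loader would when it reads the value."""
    needle = "%systemroot%"
    out = value
    idx = out.lower().find(needle)
    while idx != -1:
        out = out[:idx] + system_root + out[idx + len(needle):]
        idx = out.lower().find(needle)
    return out


def split_list_value(value):
    """Userinit and Shell are comma-separated lists; drop empty entries (trailing comma)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_winlogon(userinit, shell, existing_files, system_root=r"C:\WINDOWS"):
    """Return a list of findings; an empty list means both values look like stock XP."""
    findings = []
    existing = {ntpath.normcase(f) for f in existing_files}
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))

    entries = [expand_system_root(e, system_root) for e in split_list_value(userinit)]
    if not entries:
        findings.append("Userinit is empty: nothing will start the shell after logon")
    for entry in entries:
        norm = ntpath.normcase(entry)
        if norm != expected:
            findings.append(f"Userinit has an extra or replaced entry: {entry}")
        if norm not in existing:
            findings.append(f"Userinit entry is not on disk: {entry}")

    shells = [s.lower() for s in split_list_value(shell)]
    if shells != ["explorer.exe"]:
        findings.append(f"Shell is not the stock Explorer.exe: {shell}")
    return findings


if __name__ == "__main__":
    print("stock:", check_winlogon(STOCK_USERINIT, STOCK_SHELL, STOCK_FILES))
    print("appended loader:", check_winlogon(HIJACKED_USERINIT, STOCK_SHELL, STOCK_FILES))
    print("userinit.exe deleted:", check_winlogon(STOCK_USERINIT, STOCK_SHELL, {r"C:\WINDOWS\explorer.exe"}))
```

On a real machine the two values live under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the file list is whatever a directory listing of system32 gives you. Both "extra entry" and "not on disk" firing for the same path is the signature of a cleanup that removed the loader but left the registry pointing at it.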

#12
MossGeek

MossGeek

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
This PC is getting stranger and stranger by the day. Since my last post of the tower restarting itself before Windows, I just turned it off and kept it off due to frustration. Yesterday I went and logged in at a relative's house to see if you had replied, which you did. So I wrote down all the instructions and was now getting ready to try to enter the Recovery Console and such.

Today when I booted up the computer, no problem, straight into Windows onto the desktop..... :) = almost even more frustration....

But I mean I am happy it's running again. But wondering now, do I continue where I left off...

I uninstalled the Java environments... should I carry on now with installing the Java 6 Update 7 environment...?

I don't want to do anything until I am told so... I just don't want to do anything I shouldn't do in this case.


As well, the next step after the Java was to go to the Kaspersky website and do an online scan. I read somewhere else on the forum that Kaspersky may only work with IE? Is this true? I preferably use Firefox myself. If this is true, should I use IE with it for this purpose or task? Or should I use another online scan? Or am I just horribly blind and misread the post where I saw this in the first place?

Edited by MossGeek, 04 August 2008 - 02:22 PM.

  • 0

#13
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Glad to hear it :)

Unfortunately that could mean that you are experiencing some hardware issues; I would recommend you back up your personal and important data since it is so unstable.

Go ahead and install the new Java version. Kaspersky now works with Firefox (just tested it to make sure :)), so go ahead and run it and post the results here.

I would also like the combofix report, you will find it at C:\qoobox\combofix.txt
  • 0

#14
MossGeek

MossGeek

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hey Mike,

So I got part way... haha... I am thinking you're correct with the hardware problems, as I was able to fully install Java, no problem.

I went onto the Kaspersky site and started the scan; I was unsure what to scan so I started from the top. I left my puter at about 6% through the scan and wanted it to sit, but when I came back I noticed I was in a never-ending loop of restarts. I do not know how long it was doing this, and I don't know how far the scan got.

I waited for about 45 minutes and then turned on the computer and it booted back into Windows. I am wondering if the computer is heating up too much inside; I do have the normal CPU fan plus two other fans. I have SpeedFan installed and right now it is at....

HD0: 27C, Temp 2: 43C, Temp 3: 19C, Temp 1: 59C *not good*, Temp1: 40C

I don't really understand the two Temp 1s.

As well, I remembered the hard drives were different beforehand, and I went to Run and typed in MSCONFIG to get into Startup. The reason I did this is because when I originally bought the computer I know it was from an advanced user who partitioned the drives. I tried reformatting so I could start from new but it said no.

I took 1 of the 2 original drives out, put it into a different puter, and reformatted it. Took my older HD from another PC and put it in, but never changed the boot.ini or anything.

So when it boots up now it has a modified boot... here it is from the boot.ini off of MSConfig. I don't know if this would make a difference but I thought I might notify you of it.

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /noguiboot
C:\CMDCONS\BOOTSEC.DAT="Microsoft Windows Recovery Console" /cmdcons

I also freed up some space on my C: as I had just over 7 GB free... now I have close to 12.

I am not going to lie, if it would help, I would and probably need to reformat my drives. I know this sounds like an easy way out for most people. But it's been a while since I last did that... I defragged probably about a month, month and a half ago. As well ran a few other apps to help clean, and ran through the registry cleaning out older keys from software I used to have installed and whatnot. As well cleared out a lot of the apps not being used.

Just wondering if I should try Kaspersky again or not?


Quick Edit = Added to original post...

I tried Kaspersky later on; as I tried to restart my puter it loops, and will continue to loop. Usually I have to leave it for about half an hour; I usually give it longer though. I think the longer time is more meant for me to calm down than the computer.

As for the backup of the information, I believe it is an 80 GB drive, but in all honesty the information on it, if I have to lose it like I mentioned above... haha, not too worried :) I did some searching and what you mentioned way above, those "things" that I should try to stay away from, there are several... from what it looks like. So if I have to lose everything, so be it.

But on the more serious side here, I retried Kaspersky, had those boxes all checked and tried scanning "My Computer". Once the computer had cooled I tried it again, and again it started the restarting loop, so I gave the puter and myself some time to chill and here I am again.

Now I will wait till tomorrow AM before trying anything again as I am all worked up over this puter. The hardware, other than my hard drive inside, was all purchased over Craigslist. Pretty nice system for the price paid.

Edited by MossGeek, 04 August 2008 - 10:12 PM.

  • 0
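On the boot.ini question in the post above: the things that matter for booting are that the default= line names one of the [operating systems] entries, that the ARC path is well-formed, and (for a machine that keeps rebooting under load) which DEP policy the /NoExecute switch sets; the Recovery Console line is just a boot-sector file and is harmless. Below is an added example, not from the thread, that parses a boot.ini and reports those points. The sample is the file as posted with its stray single quote corrected; the second sample keeps the mismatched quote exactly as posted so you can see the checker flag it. Nothing else is assumed about that machine.

```python
"""
Parse a Windows XP boot.ini and sanity-check the entries that decide whether it boots.
Added example; samples are the boot.ini posted in this thread (one corrected, one as posted).
"""
import re

# Constructed from the post, with the quote mismatch fixed.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /noguiboot
C:\CMDCONS\BOOTSEC.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Exactly as posted: the description opens with ' and closes with ".
SAMPLE_BOOT_INI_AS_POSTED = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS='Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /noguiboot
C:\CMDCONS\BOOTSEC.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# ARC naming: multi(n)disk(n)rdisk(n)partition(n)\dir (scsi/signature variants also exist).
ARC_RE = re.compile(r"^(multi|scsi|signature)\([0-9a-fA-F]+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\.+$",
                    re.IGNORECASE)
# <path>="<description>" <switches...>
OS_LINE_RE = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<opts>.*)$')


def parse_boot_ini(text):
    """Return {'timeout', 'default', 'systems': [{'path','name','options','malformed'}, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)

    loader = dict(l.split("=", 1) for l in sections.get("boot loader", []) if "=" in l)
    systems = []
    for l in sections.get("operating systems", []):
        m = OS_LINE_RE.match(l)
        if not m:
            systems.append({"path": l, "name": None, "options": [], "malformed": True})
        else:
            systems.append({"path": m["path"].strip(), "name": m["name"],
                            "options": m["opts"].split(), "malformed": False})
    return {"timeout": int(loader.get("timeout", "30")),   # 30 is NTLDR's default
            "default": loader.get("default", "").strip(),
            "systems": systems}


def check_boot_ini(cfg):
    """Findings that would stop or confuse the boot; empty list means nothing to fix here."""
    findings = []
    paths = [s["path"].lower() for s in cfg["systems"]]
    if cfg["default"].lower() not in paths:
        findings.append(f"default= does not match any [operating systems] entry: {cfg['default']}")
    for s in cfg["systems"]:
        if s["malformed"]:
            findings.append(f"unparseable entry (check the quotes): {s['path']}")
            continue
        # BOOTSEC.DAT entries (Recovery Console) point at a boot-sector file, not an ARC path.
        if not s["path"].lower().endswith(".dat") and not ARC_RE.match(s["path"]):
            findings.append(f"not an ARC path: {s['path']}")
    return findings


def dep_policy(cfg):
    """The /NoExecute= setting of the default entry (OptIn, OptOut, AlwaysOn, AlwaysOff) or None."""
    for s in cfg["systems"]:
        if s["path"].lower() == cfg["default"].lower():
            for opt in s["options"]:
                if opt.lower().startswith("/noexecute="):
                    return opt.split("=", 1)[1]
    return None


if __name__ == "__main__":
    for label, text in (("corrected", SAMPLE_BOOT_INI), ("as posted", SAMPLE_BOOT_INI_AS_POSTED)):
        cfg = parse_boot_ini(text)
        print(label, "timeout:", cfg["timeout"], "DEP:", dep_policy(cfg), "findings:", check_boot_ini(cfg))
```

With the quotes fixed the file checks out: the default entry exists, the path is a proper ARC name, and DEP is at OptIn (the XP SP2 default, protecting only Windows components). The two-second timeout and /noguiboot only affect what you see at boot, not whether it boots.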

#15
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Try this scan instead; also, can I get the ComboFix report from C:\qoobox\combofix.txt?

Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.

If it really is hardware problems and you are going to reformat, no malware will be on your PC and we can just stop here :)
  • 0





