Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

XP Problems [RESOLVED]

Started by syco26 , Sep 20 2008 06:53 PM

  • This topic is locked This topic is locked

#1
syco26
Posted 20 September 2008 - 06:53 PM

syco26

    Member

  • Member
  • PipPip
  • 40 posts
I really need some help.

I posted this in the XP forum but I have posted it here also now as I think that must have been the wrong place for it.

Any way - I some how picked up a virus called Micro Antivirus 2009 today. It deleted about half of my desktop shortcuts and added a heap of it's own, has blocked my accesibility on my desktop - says that I can't access the display settings as the administrator has blocked it, it removed my All Programs from my start menu and also won't allow me to do a system restore. I also get a "Reported Insecure Browsing" window open when ever I try to access any web page.

I have deleted all traces of the program (I think) using Adaware, SuperAntispyware, tune up and Malwarebytes scan also, and my PC seems to be running not too bad now but the PC has been left in shambles after this intrusion. I regained the All programs lik through deleting some stuff from my registry which I found in an online tut.


The Report Insicure browsing link which also says Insecure Internet activity. Threat of virus attack goes to http://smartantiviru...uy.php?aff=1006
And I'm also getting another pop up on the top of my screen stating I may have a virus or another nasty and to click to fix which goes to this site http://protect.trust...heltaya_hernya/
But I havn't clicked either as I don't want to catch any thing else.

Also I was reading through other posts and I had another pop up that said something about letting expertSecureCleaners clean my registry then when I clicked "NO" link this site loaded. http://bestsecureexp.../...28055&rdr=1

Any help would be greatly appreciated. Thanks
  • 0

Advertisements

#2
andrewuk
Posted 20 September 2008 - 06:56 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi syco26

welcome to the malware forums :)

ok, lets get a hijackthis scan to give me an idea of where to start.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
andrewuk
  • 0

#3
syco26
Posted 20 September 2008 - 07:08 PM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Cheers Andrewuk - here ya go

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:04, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ninemsn.com.au/"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\xucfp8tq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\xucfp8tq.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: QXK Olive - {8B93A89B-7332-4B4B-830C-72EB6323D0DB} - C:\WINDOWS\vmgspntbvlw.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: (no name) - {E9356FBC-480D-4CA5-943D-ACA32C2C4A0C} - (no file)
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [W2acecad.Wtxpload] C:\WINDOWS\W2acecad\Wtxpload.exe acecad
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen Pro] "C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" /nosplash
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: http://www.airbrush.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160400379609
O16 - DPF: {B33E9AC8-169E-4346-BCD9-C98A8BE3F1E9} - http://www.piclens.c...ed/plinstll.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19....ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F6CD93-82B0-4D39-80CE-E9DD36A5DE4A}: Domain = sa.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBroPGW - geBroPGW.dll (file missing)
O20 - Winlogon Notify: vturr - C:\WINDOWS\System32\vturr.dll (file missing)
O21 - SSODL: mgxfebsq - {4171B221-C3CF-4DB8-B0B7-104FC40198B5} - C:\WINDOWS\mgxfebsq.dll (file missing)
O21 - SSODL: dtseqrxk - {A14A61EA-79CB-49CD-8190-5AD15638E1D8} - C:\WINDOWS\dtseqrxk.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 16836 bytes
  • 0

#4
andrewuk
Posted 20 September 2008 - 07:36 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

andrewuk
  • 0

#5
syco26
Posted 20 September 2008 - 08:13 PM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Ok did the comboFix and I must say it is already looking up - all my desktop items have returned. Here is the log for combo

ComboFix 08-09-20.05 - CARL 2008-09-21 11:28:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.501 [GMT 9.5:30]
Running from: C:\Documents and Settings\CARL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CARL\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\CARL\Cookies\carl@adsfac[1].txt
C:\Documents and Settings\CARL\Cookies\[email protected][1].txt
C:\Documents and Settings\CARL\Cookies\[email protected][2].txt
C:\Documents and Settings\CARL\Cookies\[email protected][2].txt
C:\empa.exe
C:\Program Files\BulletProofSoft.com
C:\Program Files\BulletProofSoft.com\Youtube Video Grabber\Clip.exe
C:\Program Files\BulletProofSoft.com\Youtube Video Grabber\Help.chm
C:\Program Files\BulletProofSoft.com\Youtube Video Grabber\Main.swf
C:\Program Files\BulletProofSoft.com\Youtube Video Grabber\unins000.dat
C:\Program Files\BulletProofSoft.com\Youtube Video Grabber\unins000.exe
C:\Program Files\BulletProofSoft.com\Youtube Video Grabber\YG VideoGrabber.exe
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sc.html
C:\WINDOWS\BMeb3ea6c3.txt
C:\WINDOWS\BMeb3ea6c3.xml
C:\WINDOWS\eflx.exe
C:\WINDOWS\mqgldfvo.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\krblkfwr.dll
C:\WINDOWS\system32\NnUFNqru.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\vbuvgqfs.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wxadtihh.ini
C:\WINDOWS\vmgspntbvlw.dll
C:\x

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 10:37 . 2008-09-21 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 03:06 . 2008-09-21 03:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 02:47 . 2008-09-21 03:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-20 22:55 . 2008-09-19 03:06 25,088 --a------ C:\WINDOWS\system32\YURA.exe
2008-09-20 22:55 . 2008-09-19 03:06 24,064 --a------ C:\WINDOWS\system32\YURB.exe
2008-09-20 22:38 . 2008-09-19 03:06 74,752 --a------ C:\WINDOWS\system32\YUR6C4.exe
2008-09-20 22:34 . 2008-09-20 22:34 77,824 --a------ C:\WINDOWS\system32\TDSSdbfc.dll
2008-09-20 22:34 . 2008-09-20 22:34 11,264 --a------ C:\WINDOWS\system32\TDSShpue.dll
2008-09-20 22:34 . 2008-09-20 22:34 9,728 --a------ C:\WINDOWS\system32\TDSSevri.dll
2008-09-20 22:33 . 2008-09-20 22:33 57,344 --a------ C:\WINDOWS\system32\drivers\TDSSjcxe.sys
2008-09-20 22:33 . 2008-09-20 22:33 37,376 --a------ C:\WINDOWS\system32\TDSSjjsm.dll
2008-09-20 22:32 . 2008-09-21 11:34 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-20 17:24 . 2008-09-20 22:51 <DIR> d-------- C:\Program Files\ScreenGardens Living Pond
2008-09-14 21:33 . 2008-09-14 21:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-14 21:33 . 2008-09-14 21:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-23 19:18 . 2008-08-23 19:18 <DIR> d-------- C:\HAPPY_FEET_DISC1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 17:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 17:17 --------- d-----w C:\Documents and Settings\CARL\Application Data\Lavasoft
2008-09-20 13:21 --------- d-----w C:\Documents and Settings\CARL\Application Data\uTorrent
2008-09-20 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-19 02:30 --------- d-----w C:\Program Files\Morpheus
2008-09-19 00:11 --------- d-----w C:\Documents and Settings\CARL\Application Data\SiteAdvisor
2008-09-15 09:06 --------- d-----w C:\Program Files\PicLensIE
2008-09-12 16:43 --------- d-----w C:\Program Files\McAfee
2008-09-02 12:25 --------- d-----w C:\Documents and Settings\CARL\Application Data\BitTorrent
2008-08-17 14:09 --------- d-----w C:\Documents and Settings\CARL\Application Data\Vso
2008-08-17 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-08-17 10:29 --------- d-----w C:\Program Files\SlySoft
2008-08-08 14:01 --------- d-----w C:\Documents and Settings\CARL\Application Data\DataLayer
2008-08-01 13:27 99,648 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-30 14:20 --------- d-----w C:\Program Files\DVDlabPro2
2008-07-27 10:30 --------- d-----w C:\Program Files\Xilisoft
2008-07-25 00:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-25 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 11:11 --------- d-----w C:\Program Files\Common Files\DAZ
2008-07-23 10:50 --------- d-----w C:\Program Files\Pixologic
2008-07-21 12:11 24,392 ----a-w C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-18 12:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-15 17:12 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-26 11:06 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 08:42 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-06 13:20 49 ----a-w C:\Documents and Settings\CARL\Application Data\internaldb41.dat
2007-06-12 06:48 72,680 ----a-w C:\Documents and Settings\CARL\Application Data\GDIPFONTCACHEV1.DAT
2007-05-03 10:35 6,144 ----a-w C:\Documents and Settings\LocalService\Application Data\internaldb2954.dat
2007-02-21 18:56 87,608 ----a-w C:\Documents and Settings\CARL\Application Data\ezpinst.exe
2007-02-21 18:56 47,360 ----a-w C:\Documents and Settings\CARL\Application Data\pcouffin.sys
2006-11-17 06:13 299 ----a-w C:\Documents and Settings\CARL\Application Data\internaldb1942.dat
2006-11-03 12:04 9,216 ----a-w C:\Documents and Settings\CARL\Application Data\internaldb4858.dat
2006-11-03 12:04 0 ----a-w C:\Documents and Settings\CARL\Application Data\internaldb764.dat
2004-01-29 06:20 17,280 ----a-w C:\Program Files\SETUP.LST
2004-01-29 06:10 1,533,663 ----a-w C:\Program Files\dogwaffle.ex_
2004-01-27 08:19 47,473 ----a-w C:\Program Files\Splash.jp_
2004-01-07 01:30 5,718 ----a-w C:\Program Files\Grid_pm.ex_
2004-01-03 02:58 3,276 ----a-w C:\Program Files\ExploreTempDir_pm.ex_
2004-01-02 13:29 23,230 ----a-w C:\Program Files\Drpaint.dl_
2003-12-20 05:19 4,287 ----a-w C:\Program Files\Sepia_pf.ex_
2003-12-20 03:18 389 ----a-w C:\Program Files\Def_Res.tx_
2003-11-29 06:17 23,514 ----a-w C:\Program Files\Store_Alpha_pm.ex_
2003-11-25 03:55 16,674 ----a-w C:\Program Files\Zoom_pf.ex_
2003-11-13 03:45 5,053 ----a-w C:\Program Files\Key_Shrink_pb.ex_
2003-11-13 03:18 5,545 ----a-w C:\Program Files\Key_Grow_pb.ex_
2003-11-04 02:52 17,663 ----a-w C:\Program Files\drbrush.dl_
2003-11-04 01:15 45,953 ----a-w C:\Program Files\drfilter.dl_
2003-10-27 22:13 4,058 ----a-w C:\Program Files\antique2.gr_
2003-10-27 22:12 3,942 ----a-w C:\Program Files\antique1.gr_
2003-10-26 23:23 1,363 ----a-w C:\Program Files\DogWeb.ht_
2003-10-26 01:06 2,467 ----a-w C:\Program Files\Keyboard_Document.rt_
2003-10-26 00:45 13,880 ----a-w C:\Program Files\drFloodfill.dl_
2003-10-25 01:45 512 ----a-w C:\Program Files\TabletSupport.rt_
2003-10-17 01:19 25,398 ----a-w C:\Program Files\Thumb_Book.gi_
2003-10-06 08:37 23,758 ----a-w C:\Program Files\screenshot2-300.jp_
2003-09-26 22:47 82,398 ----a-w C:\Program Files\register.ex_
2003-09-26 22:27 353,173 ----a-w C:\Program Files\KnotWorker.ex_
2003-06-23 10:19 13,491 ----a-w C:\Program Files\WinterBranches.op_
2003-06-23 10:12 12,712 ----a-w C:\Program Files\Grass.op_
2003-06-22 08:40 12,008 ----a-w C:\Program Files\Garland.op_
2003-06-22 06:03 12,575 ----a-w C:\Program Files\DogWillow.op_
2003-06-05 10:31 97,631 ----a-w C:\Program Files\VBTablet.dl_
2003-05-01 12:20 12,113 ----a-w C:\Program Files\Fancyful.op_
2003-05-01 12:14 12,118 ----a-w C:\Program Files\Hivey.op_
2003-05-01 12:10 12,121 ----a-w C:\Program Files\Brainy.op_
2003-05-01 12:07 12,178 ----a-w C:\Program Files\Spiro.op_
2003-02-11 09:51 2,147 ----a-w C:\Program Files\Tipofday.tx_
2002-12-29 04:59 3,913 ----a-w C:\Program Files\ChangeDPI_px.ex_
2002-11-13 07:04 243 ----a-w C:\Program Files\ReadMe.tx_
2002-11-10 04:43 5,499 ----a-w C:\Program Files\Clipboard_Import_pb.ex_
2002-11-03 03:03 6,796 ----a-w C:\Program Files\Paint_on_alpha_pm.ex_
2002-11-03 02:54 3,826 ----a-w C:\Program Files\printerPrefs_generic_px.ex_
2002-11-01 04:43 3,676 ----a-w C:\Program Files\KeyToLuminance_pb.ex_
2002-11-01 04:41 3,383 ----a-w C:\Program Files\KeyInvert_pb.ex_
2002-11-01 04:40 3,675 ----a-w C:\Program Files\KeyToBlack_pb.ex_
2002-10-08 04:36 3,188 ----a-w C:\Program Files\Skys.gr_
2002-10-08 04:23 4,885 ----a-w C:\Program Files\Reds.gr_
2002-10-08 04:16 3,435 ----a-w C:\Program Files\Vents.gr_
2002-10-08 04:12 2,895 ----a-w C:\Program Files\Warnings.gr_
2002-10-08 04:03 3,969 ----a-w C:\Program Files\GunMetals.gr_
2002-09-23 00:59 10,655 ----a-w C:\Program Files\MotionBlur_pf.ex_
2002-09-19 18:10 10,701 ----a-w C:\Program Files\print_generic_px.ex_
2002-09-19 17:41 4,207 ----a-w C:\Program Files\ScaleAlpha_pm.ex_
2002-09-04 17:31 7,260 ----a-w C:\Program Files\Store_Brush_pb.ex_
2002-09-04 16:14 12,899 ----a-w C:\Program Files\Store_Buffer_pm.ex_
2002-09-02 17:57 5,735 ----a-w C:\Program Files\Clipboard_Export_pb.ex_
2002-08-22 17:34 66,779 ----a-w C:\Program Files\def_mdiform_bitmap.jp_
2002-08-20 22:11 17,460 ----a-w C:\Program Files\Def_Wallpaper.bm_
2006-03-31 07:05 56 --sh--r C:\WINDOWS\system32\753FDCB0D6.sys
2008-06-16 03:38 517,780 --sha-w C:\WINDOWS\system32\NnUFNqru.ini2
2005-10-27 14:09 161,795 --sh--w C:\WINDOWS\system32\rrutv.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D73F49B6-B51B-4d32-A3B7-BD04B8342F53}"= "C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL" [2008-06-22 57344]

[HKEY_CLASSES_ROOT\clsid\{d73f49b6-b51b-4d32-a3b7-bd04b8342f53}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-02-20 3330048]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Gadwin PrintScreen Pro"="C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" [2008-05-17 516096]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-03 2161600]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W2acecad.Wtxpload"="C:\WINDOWS\W2acecad\Wtxpload.exe" [2000-05-21 45056]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-05-28 163840]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 32768]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 5058560]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2003-07-17 147456]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-25 36640]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-04 78848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2004-03-22 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-16 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-06-16 16:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^CARL^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\CARL\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen Pro]
--a------ 2008-05-17 22:48 516096 C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
--a------ 2003-06-24 12:09 568096 C:\Program Files\Netscape\Netscape\Netscp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 01:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 17:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"TVersityMediaServer"=2 (0x2)
"KodakCCS"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"Diskeeper"=2 (0x2)
"Dcfssvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Telstra\\unpw\\unpwclient.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;C:\WINDOWS\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2001-04-09 8138]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 28672]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2003-02-26 9728]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2005-12-26 34848]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 14308]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2002-09-02 16640]
S3 DCamUSBMke2;Panasonic USB Video Camera;C:\WINDOWS\system32\Drivers\Mkeusbi2.sys [2002-11-06 15872]
S3 DCamUSBUVT;ICM532A;C:\WINDOWS\system32\Drivers\usbuvt.sys [ ]
S3 IvtBtBUs;IVT Bluetooth Bus Service;C:\WINDOWS\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{8B93A89B-7332-4B4B-830C-72EB6323D0DB} - C:\WINDOWS\vmgspntbvlw.dll
BHO-{E9356FBC-480D-4CA5-943D-ACA32C2C4A0C} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKU-Default-Run-Symantec Network Driver Update Warning - C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
HKU-Default-Run-Symantec NetDriver Warning - C:\PROGRA~1\SYMNET~1\SNDWarn.exe
SSODL-mgxfebsq-{4171B221-C3CF-4DB8-B0B7-104FC40198B5} - C:\WINDOWS\mgxfebsq.dll
SSODL-dtseqrxk-{A14A61EA-79CB-49CD-8190-5AD15638E1D8} - C:\WINDOWS\dtseqrxk.dll
Notify-vturr - C:\WINDOWS\System32\vturr.dll
Notify-geBroPGW - geBroPGW.dll
MSConfigStartUp-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\CARL\Application Data\Mozilla\Firefox\Profiles\khvsxubm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://ninemsn.com.au/homepage.asp
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 11:35:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6172\saHook.dll
-> C:\Program Files\XemiComputers\Active Desktop Calendar\MouseHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Netropa\Onscreen Display\osd.exe
C:\Program Files\Netropa\Inetkb\inetkb.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-09-21 11:40:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-21 02:10:20

Pre-Run: 45,499,158,528 bytes free
Post-Run: 46,124,290,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /TUTag=BMNF6V /NoExecute=OptIn

387 --- E O F --- 2008-09-12 13:02:53


And here is the new log for Highjack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:03, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\CF25707.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\regedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ninemsn.com.au/"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\xucfp8tq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\xucfp8tq.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [W2acecad.Wtxpload] C:\WINDOWS\W2acecad\Wtxpload.exe acecad
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen Pro] "C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" /nosplash
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: http://www.airbrush.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160400379609
O16 - DPF: {B33E9AC8-169E-4346-BCD9-C98A8BE3F1E9} - http://www.piclens.c...ed/plinstll.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19....ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F6CD93-82B0-4D39-80CE-E9DD36A5DE4A}: Domain = sa.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 15881 bytes


Thanks heaps for this help
  • 0

#6
andrewuk
Posted 20 September 2008 - 10:15 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
first, some questions:

1. should this be your start page? http://ninemsn.com/

2. should this site be in your trusted zone (that is where minimal security is applied when on that site)? www.airbrush.com

3. does this mean anything to you? Domain = sa.bigpond.net.au


and then.....

====STEP 1====
Jotti File Submission:

i am pretty sure all these files are bad, but lets be sure:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
C:\WINDOWS\system32\YUR6C4.exe

Click on the submit button

Please also do the same with the following 5 files:
C:\WINDOWS\system32\TDSSdbfc.dll
C:\WINDOWS\system32\TDSShpue.dll
C:\WINDOWS\system32\TDSSevri.dll
C:\WINDOWS\system32\drivers\TDSSjcxe.sys
C:\WINDOWS\system32\TDSSjjsm.dll


Please post the results of the scan in your next reply.

If Jotti is busy, try the same atVirustotal




====STEP 2====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\YURA.exe
C:\WINDOWS\system32\YURB.exe
C:\Documents and Settings\CARL\Application Data\internaldb41.dat
C:\Documents and Settings\LocalService\Application Data\internaldb2954.dat
C:\Documents and Settings\CARL\Application Data\internaldb1942.dat
C:\Documents and Settings\CARL\Application Data\internaldb4858.dat
C:\Documents and Settings\CARL\Application Data\internaldb764.dat

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with GetRight]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open with GetRight Browser]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B33E9AC8-169E-4346-BCD9-C98A8BE3F1E9}]
[-HKEY_CLASSES_ROOT\CLSID\{B33E9AC8-169E-4346-BCD9-C98A8BE3F1E9}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



In your next reply could i see:
1. the six jotti logs
2. the combofix log
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#7
syco26
Posted 21 September 2008 - 02:13 AM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Yes ninemsn is my home page, I added airbrush.com to my safes as the security wouldn't allow me to log in properly and sa.bigpond is my broadband supplier.

I'll do the next step then post back again.

Thanks Carl
  • 0

#8
syco26
Posted 21 September 2008 - 02:28 AM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Here is the Jotti's results for the files in order of which you give them to me.

1/
Scan taken on 21 Sep 2008 08:16:26 (GMT)
A-Squared Found Backdoor.Win32.Frauder.fb!ik
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Exchanger.Gen.2
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.638
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Frauder.fb
Ikarus Found Backdoor.Win32.Frauder.fb
Kaspersky Anti-Virus Found Backdoor.Win32.Frauder.fb
NOD32 Found Win32/TrojanDownloader.FakeAlert.JT
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-EU
VirusBuster Found nothing
VBA32 Found nothing

2/
Scan taken on 21 Sep 2008 08:18:57 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

3/
Scan taken on 21 Sep 2008 08:21:47 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Bravix
AVG Antivirus Found nothing
BitDefender Found Packer.Malware.Lighty.C
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.612
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.UltimateDefender.gen
Ikarus Found Backdoor.Win32.UltimateDefender
Kaspersky Anti-Virus Found Backdoor.Win32.UltimateDefender.gen
NOD32 Found nothing
Norman Virus Control Found W32/Lighty.C
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-EQ
VirusBuster Found nothing
VBA32 Found nothing

4/
Scan taken on 21 Sep 2008 08:23:26 (GMT)
A-Squared Found Trojan.Win32.Alureon.N!ik
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Bravix
AVG Antivirus Found nothing
BitDefender Found Packer.Malware.Lighty.C
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.612
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found Trojan.Win32.Alureon.N
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Lighty.C
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-EQ
VirusBuster Found nothing
VBA32 Found nothing

5/
Scan taken on 21 Sep 2008 08:25:10 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Rootkit.TDss.A (probable variant)
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Tibs.gen240
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

6/
Scan taken on 21 Sep 2008 08:26:40 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Edited by syco26, 21 September 2008 - 02:28 AM.

  • 0

#9
syco26
Posted 21 September 2008 - 02:38 AM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Combo Log

ComboFix 08-09-20.05 - CARL 2008-09-21 18:01:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.496 [GMT 9.5:30]
Running from: C:\Documents and Settings\CARL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CARL\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\CARL\Application Data\internaldb1942.dat
C:\Documents and Settings\CARL\Application Data\internaldb41.dat
C:\Documents and Settings\CARL\Application Data\internaldb4858.dat
C:\Documents and Settings\CARL\Application Data\internaldb764.dat
C:\Documents and Settings\LocalService\Application Data\internaldb2954.dat
C:\WINDOWS\system32\YURA.exe
C:\WINDOWS\system32\YURB.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\CARL\Application Data\internaldb1942.dat
C:\Documents and Settings\CARL\Application Data\internaldb41.dat
C:\Documents and Settings\CARL\Application Data\internaldb4858.dat
C:\Documents and Settings\CARL\Application Data\internaldb764.dat
C:\Documents and Settings\LocalService\Application Data\internaldb2954.dat
C:\Program Files\PCHealthCenter
C:\WINDOWS\system32\YURA.exe
C:\WINDOWS\system32\YURB.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 10:37 . 2008-09-21 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 03:06 . 2008-09-21 03:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 02:47 . 2008-09-21 03:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-20 22:38 . 2008-09-19 03:06 74,752 --a------ C:\WINDOWS\system32\YUR6C4.exe
2008-09-20 22:34 . 2008-09-20 22:34 77,824 --a------ C:\WINDOWS\system32\TDSSdbfc.dll
2008-09-20 22:34 . 2008-09-20 22:34 11,264 --a------ C:\WINDOWS\system32\TDSShpue.dll
2008-09-20 22:34 . 2008-09-20 22:34 9,728 --a------ C:\WINDOWS\system32\TDSSevri.dll
2008-09-20 22:33 . 2008-09-20 22:33 57,344 --a------ C:\WINDOWS\system32\drivers\TDSSjcxe.sys
2008-09-20 22:33 . 2008-09-20 22:33 37,376 --a------ C:\WINDOWS\system32\TDSSjjsm.dll
2008-09-20 17:24 . 2008-09-20 22:51 <DIR> d-------- C:\Program Files\ScreenGardens Living Pond
2008-09-14 21:33 . 2008-09-14 21:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-14 21:33 . 2008-09-14 21:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-23 19:18 . 2008-08-23 19:18 <DIR> d-------- C:\HAPPY_FEET_DISC1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 17:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 17:17 --------- d-----w C:\Documents and Settings\CARL\Application Data\Lavasoft
2008-09-20 13:21 --------- d-----w C:\Documents and Settings\CARL\Application Data\uTorrent
2008-09-20 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-19 02:30 --------- d-----w C:\Program Files\Morpheus
2008-09-19 00:11 --------- d-----w C:\Documents and Settings\CARL\Application Data\SiteAdvisor
2008-09-15 09:06 --------- d-----w C:\Program Files\PicLensIE
2008-09-12 16:43 --------- d-----w C:\Program Files\McAfee
2008-09-02 12:25 --------- d-----w C:\Documents and Settings\CARL\Application Data\BitTorrent
2008-08-17 14:09 --------- d-----w C:\Documents and Settings\CARL\Application Data\Vso
2008-08-17 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-08-17 10:29 --------- d-----w C:\Program Files\SlySoft
2008-08-08 14:01 --------- d-----w C:\Documents and Settings\CARL\Application Data\DataLayer
2008-08-01 13:27 99,648 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-30 14:20 --------- d-----w C:\Program Files\DVDlabPro2
2008-07-27 10:30 --------- d-----w C:\Program Files\Xilisoft
2008-07-25 00:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-25 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 11:11 --------- d-----w C:\Program Files\Common Files\DAZ
2008-07-23 10:50 --------- d-----w C:\Program Files\Pixologic
2008-07-21 12:11 24,392 ----a-w C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-18 12:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-15 17:12 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-26 11:06 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 08:42 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-06-12 06:48 72,680 ----a-w C:\Documents and Settings\CARL\Application Data\GDIPFONTCACHEV1.DAT
2007-02-21 18:56 87,608 ----a-w C:\Documents and Settings\CARL\Application Data\ezpinst.exe
2007-02-21 18:56 47,360 ----a-w C:\Documents and Settings\CARL\Application Data\pcouffin.sys
2004-01-29 06:20 17,280 ----a-w C:\Program Files\SETUP.LST
2004-01-29 06:10 1,533,663 ----a-w C:\Program Files\dogwaffle.ex_
2004-01-27 08:19 47,473 ----a-w C:\Program Files\Splash.jp_
2004-01-07 01:30 5,718 ----a-w C:\Program Files\Grid_pm.ex_
2004-01-03 02:58 3,276 ----a-w C:\Program Files\ExploreTempDir_pm.ex_
2004-01-02 13:29 23,230 ----a-w C:\Program Files\Drpaint.dl_
2003-12-20 05:19 4,287 ----a-w C:\Program Files\Sepia_pf.ex_
2003-12-20 03:18 389 ----a-w C:\Program Files\Def_Res.tx_
2003-11-29 06:17 23,514 ----a-w C:\Program Files\Store_Alpha_pm.ex_
2003-11-25 03:55 16,674 ----a-w C:\Program Files\Zoom_pf.ex_
2003-11-13 03:45 5,053 ----a-w C:\Program Files\Key_Shrink_pb.ex_
2003-11-13 03:18 5,545 ----a-w C:\Program Files\Key_Grow_pb.ex_
2003-11-04 02:52 17,663 ----a-w C:\Program Files\drbrush.dl_
2003-11-04 01:15 45,953 ----a-w C:\Program Files\drfilter.dl_
2003-10-27 22:13 4,058 ----a-w C:\Program Files\antique2.gr_
2003-10-27 22:12 3,942 ----a-w C:\Program Files\antique1.gr_
2003-10-26 23:23 1,363 ----a-w C:\Program Files\DogWeb.ht_
2003-10-26 01:06 2,467 ----a-w C:\Program Files\Keyboard_Document.rt_
2003-10-26 00:45 13,880 ----a-w C:\Program Files\drFloodfill.dl_
2003-10-25 01:45 512 ----a-w C:\Program Files\TabletSupport.rt_
2003-10-17 01:19 25,398 ----a-w C:\Program Files\Thumb_Book.gi_
2003-10-06 08:37 23,758 ----a-w C:\Program Files\screenshot2-300.jp_
2003-09-26 22:47 82,398 ----a-w C:\Program Files\register.ex_
2003-09-26 22:27 353,173 ----a-w C:\Program Files\KnotWorker.ex_
2003-06-23 10:19 13,491 ----a-w C:\Program Files\WinterBranches.op_
2003-06-23 10:12 12,712 ----a-w C:\Program Files\Grass.op_
2003-06-22 08:40 12,008 ----a-w C:\Program Files\Garland.op_
2003-06-22 06:03 12,575 ----a-w C:\Program Files\DogWillow.op_
2003-06-05 10:31 97,631 ----a-w C:\Program Files\VBTablet.dl_
2003-05-01 12:20 12,113 ----a-w C:\Program Files\Fancyful.op_
2003-05-01 12:14 12,118 ----a-w C:\Program Files\Hivey.op_
2003-05-01 12:10 12,121 ----a-w C:\Program Files\Brainy.op_
2003-05-01 12:07 12,178 ----a-w C:\Program Files\Spiro.op_
2003-02-11 09:51 2,147 ----a-w C:\Program Files\Tipofday.tx_
2002-12-29 04:59 3,913 ----a-w C:\Program Files\ChangeDPI_px.ex_
2002-11-13 07:04 243 ----a-w C:\Program Files\ReadMe.tx_
2002-11-10 04:43 5,499 ----a-w C:\Program Files\Clipboard_Import_pb.ex_
2002-11-03 03:03 6,796 ----a-w C:\Program Files\Paint_on_alpha_pm.ex_
2002-11-03 02:54 3,826 ----a-w C:\Program Files\printerPrefs_generic_px.ex_
2002-11-01 04:43 3,676 ----a-w C:\Program Files\KeyToLuminance_pb.ex_
2002-11-01 04:41 3,383 ----a-w C:\Program Files\KeyInvert_pb.ex_
2002-11-01 04:40 3,675 ----a-w C:\Program Files\KeyToBlack_pb.ex_
2002-10-08 04:36 3,188 ----a-w C:\Program Files\Skys.gr_
2002-10-08 04:23 4,885 ----a-w C:\Program Files\Reds.gr_
2002-10-08 04:16 3,435 ----a-w C:\Program Files\Vents.gr_
2002-10-08 04:12 2,895 ----a-w C:\Program Files\Warnings.gr_
2002-10-08 04:03 3,969 ----a-w C:\Program Files\GunMetals.gr_
2002-09-23 00:59 10,655 ----a-w C:\Program Files\MotionBlur_pf.ex_
2002-09-19 18:10 10,701 ----a-w C:\Program Files\print_generic_px.ex_
2002-09-19 17:41 4,207 ----a-w C:\Program Files\ScaleAlpha_pm.ex_
2002-09-04 17:31 7,260 ----a-w C:\Program Files\Store_Brush_pb.ex_
2002-09-04 16:14 12,899 ----a-w C:\Program Files\Store_Buffer_pm.ex_
2002-09-02 17:57 5,735 ----a-w C:\Program Files\Clipboard_Export_pb.ex_
2002-08-22 17:34 66,779 ----a-w C:\Program Files\def_mdiform_bitmap.jp_
2002-08-20 22:11 17,460 ----a-w C:\Program Files\Def_Wallpaper.bm_
2002-08-20 12:49 328 ----a-w C:\Program Files\readme.txt
2002-08-08 20:14 520 ----a-w C:\Program Files\Test1.w_
2002-06-14 10:43 345 ----a-w C:\Program Files\Trace Sleek 8-Bit.kn_
2002-03-29 02:30 520 ----a-w C:\Program Files\Study.w_
2002-03-29 02:15 469 ----a-w C:\Program Files\Earthy.w_
2006-03-31 07:05 56 --sh--r C:\WINDOWS\system32\753FDCB0D6.sys
2008-06-16 03:38 517,780 --sha-w C:\WINDOWS\system32\NnUFNqru.ini2
2005-10-27 14:09 161,795 --sh--w C:\WINDOWS\system32\rrutv.bak1
.

((((((((((((((((((((((((((((( snapshot@2008-09-21_11.39.30.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 01:26:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-21 06:19:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-21 01:26:59 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-21 06:19:36 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D73F49B6-B51B-4d32-A3B7-BD04B8342F53}"= "C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL" [2008-06-22 57344]

[HKEY_CLASSES_ROOT\clsid\{d73f49b6-b51b-4d32-a3b7-bd04b8342f53}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-02-20 3330048]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Gadwin PrintScreen Pro"="C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" [2008-05-17 516096]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-03 2161600]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W2acecad.Wtxpload"="C:\WINDOWS\W2acecad\Wtxpload.exe" [2000-05-21 45056]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-05-28 163840]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 32768]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 5058560]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2003-07-17 147456]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-25 36640]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-04 78848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2004-03-22 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-16 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-06-16 16:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^CARL^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\CARL\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen Pro]
--a------ 2008-05-17 22:48 516096 C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
--a------ 2003-06-24 12:09 568096 C:\Program Files\Netscape\Netscape\Netscp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 01:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 17:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"TVersityMediaServer"=2 (0x2)
"KodakCCS"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"Diskeeper"=2 (0x2)
"Dcfssvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Telstra\\unpw\\unpwclient.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;C:\WINDOWS\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2001-04-09 8138]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 28672]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2003-02-26 9728]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2005-12-26 34848]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 14308]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2002-09-02 16640]
S3 DCamUSBMke2;Panasonic USB Video Camera;C:\WINDOWS\system32\Drivers\Mkeusbi2.sys [2002-11-06 15872]
S3 DCamUSBUVT;ICM532A;C:\WINDOWS\system32\Drivers\usbuvt.sys [ ]
S3 IvtBtBUs;IVT Bluetooth Bus Service;C:\WINDOWS\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 18:05:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-21 18:06:18
ComboFix-quarantined-files.txt 2008-09-21 08:36:14
ComboFix2.txt 2008-09-21 02:10:30

Pre-Run: 47,257,186,304 bytes free
Post-Run: 47,245,824,000 bytes free

307 --- E O F --- 2008-09-12 13:02:53


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:56, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\CF4611.exe
C:\WINDOWS\system32\CF4611.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ninemsn.com.au/"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\xucfp8tq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\xucfp8tq.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [W2acecad.Wtxpload] C:\WINDOWS\W2acecad\Wtxpload.exe acecad
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen Pro] "C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" /nosplash
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: http://www.airbrush.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160400379609
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19....ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F6CD93-82B0-4D39-80CE-E9DD36A5DE4A}: Domain = sa.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 15602 bytes
  • 0

#10
andrewuk
Posted 21 September 2008 - 07:46 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will remove those files and upload them for further analysis, and do an online scan to see what else sneaked onto your machine.

we will also update your java, which is out of date.

the scans will likely take 1.5 hours, quite possibly much longer. so just let them run.


====STEP 1====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Collect::
C:\WINDOWS\system32\YUR6C4.exe
C:\WINDOWS\system32\TDSSdbfc.dll
C:\WINDOWS\system32\TDSShpue.dll
C:\WINDOWS\system32\TDSSevri.dll
C:\WINDOWS\system32\drivers\TDSSjcxe.sys
C:\WINDOWS\system32\TDSSjjsm.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




====STEP 2====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 3====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), please post the contents of this log on the forum.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


====STEP 4====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply could i see:
1. the combofix log
2. the javara log
3. a new hijackthis log
4. the kaspersky log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

Advertisements

#11
syco26
Posted 22 September 2008 - 05:40 AM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Heres the new Combo log

ComboFix 08-09-20.05 - CARL 2008-09-22 20:56:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.466 [GMT 9.5:30]
Running from: C:\Documents and Settings\CARL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CARL\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\TDSSjcxe.sys
C:\WINDOWS\system32\TDSSdbfc.dll
C:\WINDOWS\system32\TDSSevri.dll
C:\WINDOWS\system32\TDSShpue.dll
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\YUR6C4.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-21 10:37 . 2008-09-21 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 03:06 . 2008-09-21 03:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 02:47 . 2008-09-21 03:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-20 17:24 . 2008-09-20 22:51 <DIR> d-------- C:\Program Files\ScreenGardens Living Pond
2008-09-14 21:33 . 2008-09-14 21:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-14 21:33 . 2008-09-14 21:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-23 19:18 . 2008-08-23 19:18 <DIR> d-------- C:\HAPPY_FEET_DISC1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 00:38 --------- d-----w C:\Documents and Settings\CARL\Application Data\SiteAdvisor
2008-09-20 17:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 17:17 --------- d-----w C:\Documents and Settings\CARL\Application Data\Lavasoft
2008-09-20 13:21 --------- d-----w C:\Documents and Settings\CARL\Application Data\uTorrent
2008-09-20 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-19 02:30 --------- d-----w C:\Program Files\Morpheus
2008-09-15 09:06 --------- d-----w C:\Program Files\PicLensIE
2008-09-12 16:43 --------- d-----w C:\Program Files\McAfee
2008-09-02 12:25 --------- d-----w C:\Documents and Settings\CARL\Application Data\BitTorrent
2008-08-17 14:09 --------- d-----w C:\Documents and Settings\CARL\Application Data\Vso
2008-08-17 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-08-17 10:29 --------- d-----w C:\Program Files\SlySoft
2008-08-08 14:01 --------- d-----w C:\Documents and Settings\CARL\Application Data\DataLayer
2008-08-01 13:27 99,648 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-30 14:20 --------- d-----w C:\Program Files\DVDlabPro2
2008-07-27 10:30 --------- d-----w C:\Program Files\Xilisoft
2008-07-25 00:46 --------- d-----w C:\Program Files\Apple Software Update
2008-07-25 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 11:11 --------- d-----w C:\Program Files\Common Files\DAZ
2008-07-23 10:50 --------- d-----w C:\Program Files\Pixologic
2008-07-18 12:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-15 17:12 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-26 11:06 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 08:42 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-06-12 06:48 72,680 ----a-w C:\Documents and Settings\CARL\Application Data\GDIPFONTCACHEV1.DAT
2007-02-21 18:56 87,608 ----a-w C:\Documents and Settings\CARL\Application Data\ezpinst.exe
2007-02-21 18:56 47,360 ----a-w C:\Documents and Settings\CARL\Application Data\pcouffin.sys
2004-01-29 06:20 17,280 ----a-w C:\Program Files\SETUP.LST
2004-01-29 06:10 1,533,663 ----a-w C:\Program Files\dogwaffle.ex_
2004-01-27 08:19 47,473 ----a-w C:\Program Files\Splash.jp_
2004-01-07 01:30 5,718 ----a-w C:\Program Files\Grid_pm.ex_
2004-01-03 02:58 3,276 ----a-w C:\Program Files\ExploreTempDir_pm.ex_
2004-01-02 13:29 23,230 ----a-w C:\Program Files\Drpaint.dl_
2003-12-20 05:19 4,287 ----a-w C:\Program Files\Sepia_pf.ex_
2003-12-20 03:18 389 ----a-w C:\Program Files\Def_Res.tx_
2003-11-29 06:17 23,514 ----a-w C:\Program Files\Store_Alpha_pm.ex_
2003-11-25 03:55 16,674 ----a-w C:\Program Files\Zoom_pf.ex_
2003-11-13 03:45 5,053 ----a-w C:\Program Files\Key_Shrink_pb.ex_
2003-11-13 03:18 5,545 ----a-w C:\Program Files\Key_Grow_pb.ex_
2003-11-04 02:52 17,663 ----a-w C:\Program Files\drbrush.dl_
2003-11-04 01:15 45,953 ----a-w C:\Program Files\drfilter.dl_
2003-10-27 22:13 4,058 ----a-w C:\Program Files\antique2.gr_
2003-10-27 22:12 3,942 ----a-w C:\Program Files\antique1.gr_
2003-10-26 23:23 1,363 ----a-w C:\Program Files\DogWeb.ht_
2003-10-26 01:06 2,467 ----a-w C:\Program Files\Keyboard_Document.rt_
2003-10-26 00:45 13,880 ----a-w C:\Program Files\drFloodfill.dl_
2003-10-25 01:45 512 ----a-w C:\Program Files\TabletSupport.rt_
2003-10-17 01:19 25,398 ----a-w C:\Program Files\Thumb_Book.gi_
2003-10-06 08:37 23,758 ----a-w C:\Program Files\screenshot2-300.jp_
2003-09-26 22:47 82,398 ----a-w C:\Program Files\register.ex_
2003-09-26 22:27 353,173 ----a-w C:\Program Files\KnotWorker.ex_
2003-06-23 10:19 13,491 ----a-w C:\Program Files\WinterBranches.op_
2003-06-23 10:12 12,712 ----a-w C:\Program Files\Grass.op_
2003-06-22 08:40 12,008 ----a-w C:\Program Files\Garland.op_
2003-06-22 06:03 12,575 ----a-w C:\Program Files\DogWillow.op_
2003-06-05 10:31 97,631 ----a-w C:\Program Files\VBTablet.dl_
2003-05-01 12:20 12,113 ----a-w C:\Program Files\Fancyful.op_
2003-05-01 12:14 12,118 ----a-w C:\Program Files\Hivey.op_
2003-05-01 12:10 12,121 ----a-w C:\Program Files\Brainy.op_
2003-05-01 12:07 12,178 ----a-w C:\Program Files\Spiro.op_
2003-02-11 09:51 2,147 ----a-w C:\Program Files\Tipofday.tx_
2002-12-29 04:59 3,913 ----a-w C:\Program Files\ChangeDPI_px.ex_
2002-11-13 07:04 243 ----a-w C:\Program Files\ReadMe.tx_
2002-11-10 04:43 5,499 ----a-w C:\Program Files\Clipboard_Import_pb.ex_
2002-11-03 03:03 6,796 ----a-w C:\Program Files\Paint_on_alpha_pm.ex_
2002-11-03 02:54 3,826 ----a-w C:\Program Files\printerPrefs_generic_px.ex_
2002-11-01 04:43 3,676 ----a-w C:\Program Files\KeyToLuminance_pb.ex_
2002-11-01 04:41 3,383 ----a-w C:\Program Files\KeyInvert_pb.ex_
2002-11-01 04:40 3,675 ----a-w C:\Program Files\KeyToBlack_pb.ex_
2002-10-08 04:36 3,188 ----a-w C:\Program Files\Skys.gr_
2002-10-08 04:23 4,885 ----a-w C:\Program Files\Reds.gr_
2002-10-08 04:16 3,435 ----a-w C:\Program Files\Vents.gr_
2002-10-08 04:12 2,895 ----a-w C:\Program Files\Warnings.gr_
2002-10-08 04:03 3,969 ----a-w C:\Program Files\GunMetals.gr_
2002-09-23 00:59 10,655 ----a-w C:\Program Files\MotionBlur_pf.ex_
2002-09-19 18:10 10,701 ----a-w C:\Program Files\print_generic_px.ex_
2002-09-19 17:41 4,207 ----a-w C:\Program Files\ScaleAlpha_pm.ex_
2002-09-04 17:31 7,260 ----a-w C:\Program Files\Store_Brush_pb.ex_
2002-09-04 16:14 12,899 ----a-w C:\Program Files\Store_Buffer_pm.ex_
2002-09-02 17:57 5,735 ----a-w C:\Program Files\Clipboard_Export_pb.ex_
2002-08-22 17:34 66,779 ----a-w C:\Program Files\def_mdiform_bitmap.jp_
2002-08-20 22:11 17,460 ----a-w C:\Program Files\Def_Wallpaper.bm_
2002-08-20 12:49 328 ----a-w C:\Program Files\readme.txt
2002-08-08 20:14 520 ----a-w C:\Program Files\Test1.w_
2002-06-14 10:43 345 ----a-w C:\Program Files\Trace Sleek 8-Bit.kn_
2002-03-29 02:30 520 ----a-w C:\Program Files\Study.w_
2002-03-29 02:15 469 ----a-w C:\Program Files\Earthy.w_
2002-02-11 19:15 1,745 ----a-w C:\Program Files\readme.rt_
2006-03-31 07:05 56 --sh--r C:\WINDOWS\system32\753FDCB0D6.sys
2008-06-16 03:38 517,780 --sha-w C:\WINDOWS\system32\NnUFNqru.ini2
2005-10-27 14:09 161,795 --sh--w C:\WINDOWS\system32\rrutv.bak1
.

((((((((((((((((((((((((((((( snapshot@2008-09-21_11.39.30.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 01:26:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-22 09:32:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-21 01:26:59 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-22 09:32:48 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D73F49B6-B51B-4d32-A3B7-BD04B8342F53}"= "C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL" [2008-06-22 57344]

[HKEY_CLASSES_ROOT\clsid\{d73f49b6-b51b-4d32-a3b7-bd04b8342f53}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-02-20 3330048]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Gadwin PrintScreen Pro"="C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" [2008-05-17 516096]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-03 2161600]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W2acecad.Wtxpload"="C:\WINDOWS\W2acecad\Wtxpload.exe" [2000-05-21 45056]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-05-28 163840]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 32768]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 5058560]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2003-07-17 147456]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-25 36640]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-04 78848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2004-03-22 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-16 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-06-16 16:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^CARL^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\CARL\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen Pro]
--a------ 2008-05-17 22:48 516096 C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
--a------ 2003-06-24 12:09 568096 C:\Program Files\Netscape\Netscape\Netscp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 01:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 17:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"TVersityMediaServer"=2 (0x2)
"KodakCCS"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"Diskeeper"=2 (0x2)
"Dcfssvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Telstra\\unpw\\unpwclient.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;C:\WINDOWS\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2001-04-09 8138]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 28672]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2003-02-26 9728]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2005-12-26 34848]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 14308]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2002-09-02 16640]
S3 DCamUSBMke2;Panasonic USB Video Camera;C:\WINDOWS\system32\Drivers\Mkeusbi2.sys [2002-11-06 15872]
S3 DCamUSBUVT;ICM532A;C:\WINDOWS\system32\Drivers\usbuvt.sys [ ]
S3 IvtBtBUs;IVT Bluetooth Bus Service;C:\WINDOWS\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 20:59:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-22 21:01:07
ComboFix-quarantined-files.txt 2008-09-22 11:31:03
ComboFix2.txt 2008-09-21 08:36:20
ComboFix3.txt 2008-09-21 02:10:30

Pre-Run: 47,189,135,360 bytes free
Post-Run: 47,208,591,360 bytes free

292 --- E O F --- 2008-09-12 13:02:53


I also submitted a file to http://www.bleepingcomputer.com the file path was C:\QooBox\Quarantine\[4][email protected] (not sure if you need to know that or not)
the site said.... Malware Submission
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

Edited by syco26, 22 September 2008 - 05:43 AM.

  • 0

#12
andrewuk
Posted 22 September 2008 - 05:47 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I also submitted a file to http://www.bleepingcomputer.com the file path was C:\QooBox\Quarantine\[4][email protected] (not sure if you need to know that or not)
the site said.... Malware Submission
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

thanks for that, the files were also removed from your machine :)

i will await the rest of the logs.
  • 0

#13
syco26
Posted 22 September 2008 - 07:45 AM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
I'm trying that scan at Kaspersky but it keeps getting to 8024 files scanned and finds one bady then it freezes there at 0%. Any ideas of what I can do to get this finished?
  • 0

#14
syco26
Posted 22 September 2008 - 08:11 AM

syco26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
It has done it again. This is what the screen looks like.......

Scan statistics

Files scanned 8026

Threat names 1

Infected objects 1

Suspicious objects 0

Duration of the scan 00:14:30
Start scan
Scan is running (0%)

Click the area that you want to scan in left part of the window. The scan will start automatically as soon as you select a scan area.

Last start:
Status:
Please wait, the scan may take a long time depending on the size of the selected scan area. You can continue browsing in a new Web browser window.

Now scanning: Deleted Items.dbx
Location: C:\Documents and ...soft\Outlook Express

Settings | View scan report | Stop scan
Attention: Kaspersky Online Scanner 7.0 may not run successfully while any other antivirus program is running. If you have another antivirus program installed, please turn it off before running Kaspersky Online Scanner 7.0.

Can I find and delete that file manualy?
  • 0

#15
andrewuk
Posted 22 September 2008 - 11:20 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I'm trying that scan at Kaspersky but it keeps getting to 8024 files scanned and finds one bady then it freezes there at 0%. Any ideas of what I can do to get this finished?

try turning off all your antivirus programs, perhaps there is a conflict.

failing that, we can try this one:

Please go HERE to run Panda's TotalScan
  • Select the bubble for Scan now
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report
andrewuk
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP