computer keeps restarting and getting error message [RESOLVED]



#1
alex_pof

alex_pof

    New Member

  • Member
  • Pip
  • 6 posts
Basically, what is happening is my computer keeps restarting, and when I restart I get an error message saying that ...csrss.exe isn't found, but it's a running process.



Logfile of HijackThis v1.99.1
Scan saved at 8:12:51 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAP\DAP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....earch/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TP&M=GT4022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: (no name) - {03A108AB-AE3B-464F-A26F-EEAC22224575} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08A2D2DD-CDD4-4264-8F01-FCDE3A451A5A} - (no file)
O2 - BHO: (no name) - {1BA11907-8168-4BB5-84D0-45C8128F9222} - (no file)
O2 - BHO: (no name) - {2FC62C2A-A9B2-44DC-A717-58E7F74ACABE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D57DC08-A1D3-43C6-B105-71D4F1B3D628} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A0AD691-3C6A-40C9-B47C-CB5921320CBD} - (no file)
O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\WINDOWS\system32\iifefdb.dll (file missing)
O2 - BHO: (no name) - {BC35F8FA-F237-4027-B1F8-0B30C24315F8} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\weaskxgc.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {CBC0B6CB-CF1D-4EFF-9E19-D3D3973B0544} - C:\WINDOWS\system32\mlljj.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O2 - BHO: (no name) - {DEEEDA41-1F35-41E1-B683-33B62C2807E4} - (no file)
O2 - BHO: (no name) - {F92CE281-68D9-4B5F-8839-FC1CB00B9381} - C:\WINDOWS\system32\mlljj.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DRam prosessor] niva.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106w.bay106...es/MsnPUpld.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - http://www.worldwinn...luxor/luxor.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: ddayw - C:\WINDOWS\
O20 - Winlogon Notify: iifefdb - iifefdb.dll (file missing)
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\
O20 - Winlogon Notify: jkkklkl - jkkklkl.dll (file missing)
O20 - Winlogon Notify: jkklm - C:\WINDOWS\
O20 - Winlogon Notify: mljjg - C:\WINDOWS\
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: opnlifg - opnlifg.dll (file missing)
O20 - Winlogon Notify: tuvvwwv - tuvvwwv.dll (file missing)
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\
O20 - Winlogon Notify: vtuts - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O20 - Winlogon Notify: xxyyxyx - xxyyxyx.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Mobile Service (AppMSVC) - Unknown owner - C:\WINDOWS\system32\mui\apisvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)



Thanks in advance.
  • 0



#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi alex_pof and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.


A. Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

* Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
* Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
* Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat, then please let me know in your next response. I'll now continue with instructions for cleaning.



B. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back to a Notepad text file and save it on your desktop. I will be asking for it later.



C. Please download this file - combofix.exe by sUBs
  • You must download it to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.


D. Reports/logs to Post:
  • Report from SDFix
  • ComboFix.txt
  • Fresh HijackThis log made after both previous tools have been run
Regards,

Trevuren

  • 0

#3
alex_pof

alex_pof

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
First off, I want to thank you for helping me out.


Thankfully this is just a "fun" computer, so I don't use it for banking or anything like that.

I also have one more question. I am currently running

Spybot Search & Destroy
AVG Free Edition
Lavasoft Ad-Aware

Are these sufficient to protect me, or should I have more, and if so, what should I have?

I uploaded all of the files that you asked for.

Thanks.



  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Thank you for all the reports. It would make it a lot easier for me and for others following the topic if you posted your logs instead of attaching them. It saves us so much time when they are copy/pasted. Thanks.

We will start by doing a big cleanup. Once that is done, we will have to investigate the possible presence of a "rootkit".


A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {03A108AB-AE3B-464F-A26F-EEAC22224575} - (no file)
    O2 - BHO: (no name) - {08A2D2DD-CDD4-4264-8F01-FCDE3A451A5A} - (no file)
    O2 - BHO: (no name) - {1BA11907-8168-4BB5-84D0-45C8128F9222} - (no file)
    O2 - BHO: (no name) - {2FC62C2A-A9B2-44DC-A717-58E7F74ACABE} - (no file)
    O2 - BHO: (no name) - {5D57DC08-A1D3-43C6-B105-71D4F1B3D628} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\WINDOWS\system32\iifefdb.dll (file missing)
    O2 - BHO: (no name) - {BC35F8FA-F237-4027-B1F8-0B30C24315F8} - (no file)
    O2 - BHO: (no name) - {CBC0B6CB-CF1D-4EFF-9E19-D3D3973B0544} - C:\WINDOWS\system32\mlljj.dll (file missing)
    O2 - BHO: (no name) - {DEEEDA41-1F35-41E1-B683-33B62C2807E4} - (no file)
    O2 - BHO: (no name) - {F92CE281-68D9-4B5F-8839-FC1CB00B9381} - C:\WINDOWS\system32\mlljj.dll (file missing)
    O20 - Winlogon Notify: ddayw - C:\WINDOWS\
    O20 - Winlogon Notify: iifefdb - iifefdb.dll (file missing)
    O20 - Winlogon Notify: jkhhf - C:\WINDOWS\
    O20 - Winlogon Notify: jkhhi - C:\WINDOWS\
    O20 - Winlogon Notify: jkkklkl - jkkklkl.dll (file missing)
    O20 - Winlogon Notify: jkklm - C:\WINDOWS\
    O20 - Winlogon Notify: mljjg - C:\WINDOWS\
    O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
    O20 - Winlogon Notify: opnlifg - opnlifg.dll (file missing)
    O20 - Winlogon Notify: tuvvwwv - tuvvwwv.dll (file missing)
    O20 - Winlogon Notify: vtsqr - C:\WINDOWS\
    O20 - Winlogon Notify: vtuts - C:\WINDOWS\
    O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
    O20 - Winlogon Notify: xxyyxyx - xxyyxyx.dll (file missing)



  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\pqtss.bak1
C:\DOCUME~1\OWNER~1.BAS\Applic~1\inst.exe
C:\WINDOWS\system32\drivers\Jfj37.sys
C:\WINDOWS\system32\cdg.dll
C:\WINDOWS\system32\cdga.dll
C:\WINDOWS\system32\A_reg.reg
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\drivers\Sosf51.sys
C:\ziton.exe
C:\WINDOWS\system32\iifefdb.dll

Folder::
C:\DOCUME~1\ALLUSE~1\Applic~1\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8B3F8A93-933C-4DDA-B24C-AEB0697C132A}"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
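A small triage script, added here as an example and not a tool from this thread, from Geeks to Go or from HijackThis, that applies the selection rule used in the post above (O2 and O20 entries whose DLL is missing, or an O20 entry that points at a bare directory) plus a check of the F2 Shell= line from the first log, and then confirms that none of the flagged lines survive in the follow-up log. The sample lines are copied from the two logs posted in this thread; the check names and thresholds are my own.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


# Constructed samples: lines copied from the two logs posted in this thread,
# the first before cleanup and the second after SDFix/ComboFix had run.
BEFORE_CLEANUP = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {03A108AB-AE3B-464F-A26F-EEAC22224575} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\WINDOWS\system32\iifefdb.dll (file missing)
O20 - Winlogon Notify: ddayw - C:\WINDOWS\
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

AFTER_CLEANUP = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
"""

# Every HijackThis entry starts with a section tag such as R0, F2, O2, O20.
ENTRY_RE = re.compile(r"^(?P<tag>[A-Z]\d{1,2}) - (?P<body>.*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the three checks this thread relies on to one log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")

    # F2: on a stock Windows XP install the system.ini Shell= value is exactly
    # "Explorer.exe"; any extra token is another program started with the shell.
    if tag == "F2" and "Shell=" in body:
        tokens = body.split("Shell=", 1)[1].split()
        extra = [t for t in tokens if t.lower() != "explorer.exe"]
        if extra:
            return Finding(tag, "Shell= also starts: " + " ".join(extra), line)

    # O2 (BHO) and O20 (Winlogon Notify): a registration whose DLL is gone is
    # a remnant that should not stay registered; these are the entries the
    # helper had the poster tick in HijackThis.
    if tag in ("O2", "O20"):
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return Finding(tag, "registered component has no file on disk", line)
        # O20 should name a DLL; a bare directory is not a valid notify package.
        if tag == "O20" and body.endswith("\\"):
            return Finding(tag, "Winlogon Notify points at a directory, not a DLL", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return every flagged entry in a pasted HijackThis log, in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def still_present(before: List[Finding], after_log: str) -> List[Finding]:
    """Flagged entries that survive into a follow-up log (should be empty)."""
    after = {f.line.strip() for f in triage(after_log)}
    return [f for f in before if f.line.strip() in after]


if __name__ == "__main__":
    hits = triage(BEFORE_CLEANUP)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
    print("flagged entries remaining after cleanup:",
          len(still_present(hits, AFTER_CLEANUP)))
```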

#5
alex_pof

alex_pof

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Alright, I have all that you asked for.

Here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:27:46 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAP\DAP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....earch/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TP&M=GT4022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106w.bay106...es/MsnPUpld.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - http://www.worldwinn...luxor/luxor.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Mobile Service (AppMSVC) - Unknown owner - C:\WINDOWS\system32\mui\apisvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)





And here's the ComboFix log.


ComboFix 07-08-26.3 - "Owner" 2007-08-28 16:17:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.876 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner.BASEMENT\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\pqtss.bak1
C:\DOCUME~1\OWNER~1.BAS\Applic~1\inst.exe
C:\WINDOWS\system32\drivers\Jfj37.sys
C:\WINDOWS\system32\cdg.dll
C:\WINDOWS\system32\cdga.dll
C:\WINDOWS\system32\A_reg.reg
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\drivers\Sosf51.sys
C:\ziton.exe
C:\WINDOWS\system32\iifefdb.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\Applic~1\Viewpoint
C:\DOCUME~1\OWNER~1.BAS\Applic~1\inst.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\A_reg.reg
C:\WINDOWS\system32\cdg.dll
C:\WINDOWS\system32\cdga.dll
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\drivers\Jfj37.sys
C:\WINDOWS\system32\drivers\Sosf51.sys
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wyadd.bak1
C:\ziton.exe


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-28 )))))))))))))))))))))))))))))))


2007-08-28 08:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 08:17 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-27 19:52 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-27 19:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 19:36 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Uniblue
2007-08-27 10:46 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-08-27 10:19 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-08-26 07:35 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-08-26 07:31 <DIR> d-------- C:\Program Files\AdVantage
2007-08-26 07:29 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-08-25 18:05 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-25 15:08 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Thunderbird
2007-08-25 13:23 <DIR> d-------- C:\Program Files\YCUBED
2007-08-25 10:21 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-08-25 10:21 47,360 --a------ C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\pcouffin.sys
2007-08-25 10:21 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Vso
2007-08-25 10:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\1Click DVD Copy Pro
2007-08-25 10:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-08-25 08:48 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\SampleView
2007-08-24 18:19 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-08-24 17:59 <DIR> d-------- C:\TypeRecorder
2007-08-24 17:59 <DIR> d-------- C:\Program Files\TypeAgent
2007-08-22 22:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\WinRAR
2007-08-22 22:11 <DIR> d-------- C:\Program Files\Blender Foundation
2007-08-22 22:11 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Blender Foundation
2007-08-22 22:04 <DIR> d-------- C:\zCEP_Uninstaller
2007-08-22 22:04 <DIR> d-------- C:\TSData
2007-08-22 22:03 <DIR> d-------- C:\Program Files\SimPE
2007-08-22 13:42 <DIR> d-------- C:\Program Files\StarshipTycoonDemo
2007-08-22 13:16 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\SiteAdvisor
2007-08-19 10:59 967 --a------ C:\WINDOWS\ScUnin.pif
2007-08-19 10:59 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-08-19 10:59 12,620 --a------ C:\WINDOWS\scunin.dat
2007-08-19 10:58 <DIR> d-------- C:\Program Files\Starcraft
2007-08-19 10:25 <DIR> d-------- C:\Program Files\Starcraft Shareware(ED)
2007-08-18 23:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-18 23:06 <DIR> d-------- C:\Program Files\Bonjour
2007-08-18 22:53 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-18 16:52 <DIR> d-------- C:\Program Files\Ideal File Sorter
2007-08-18 16:52 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Ideal File Sorter
2007-08-18 15:17 <DIR> d-------- C:\Program Files\Ideal Music Sorter
2007-08-18 15:17 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Ideal Mp3 Music Sorter
2007-08-05 18:29 <DIR> d-------- C:\Program Files\ReplAll
2007-08-02 15:02 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\gtk-2.0
2007-08-02 15:02 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\.thumbnails
2007-08-02 14:59 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\.gimp-2.2
2007-08-02 12:24 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-08-02 12:23 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-08-01 21:52 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-08-01 14:17 <DIR> d-------- C:\Program Files\Paint Shop Pro
2007-07-30 12:24 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-27 19:47 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 19:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-27 11:30 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Azureus
2007-08-27 10:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-27 10:19 --------- d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-26 08:07 --------- d-------- C:\Program Files\EA Games
2007-08-25 20:07 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-25 15:07 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-25 10:19 --------- d-------- C:\Program Files\DAP
2007-08-19 11:19 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\LimeWire
2007-08-19 03:01 --------- d-------- C:\Program Files\Magic MP3 Tagger
2007-08-17 19:44 --------- d-------- C:\Program Files\LimeWire
2007-08-17 11:55 --------- d-------- C:\Program Files\America Online 9.0
2007-08-17 11:55 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\AOL
2007-08-17 11:55 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-16 23:23 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\Apple Computer
2007-08-08 19:19 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\Chessmaster Challenge
2007-08-06 23:47 --------- d-------- C:\Program Files\Game_Maker7
2007-08-06 22:48 --------- d-------- C:\Program Files\Game_Maker6
2007-08-06 18:31 --------- d-------- C:\Program Files\Mp3 My Mp3 2.0
2007-08-06 11:57 --------- d-------- C:\Program Files\iTunes
2007-08-06 11:56 --------- d-------- C:\Program Files\iPod
2007-08-04 07:20 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\IBP
2007-08-02 21:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-02 07:59 --------- d-------- C:\Program Files\Cucusoft
2007-08-02 01:19 --------- d-------- C:\Program Files\SwiftSwitch
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 08:45 --------- d-------- C:\Program Files\Alwil Software
2007-07-27 00:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-25 22:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-25 22:02 --------- d-------- C:\Program Files\Shockwave.com
2007-07-24 08:10 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Apple Computer
2007-07-22 22:45 --------- d-------- C:\Program Files\ReflexiveArcade
2007-07-21 08:46 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\uTorrent
2007-07-17 10:39 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\Screaming Bee
2007-07-17 10:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Screaming Bee
2007-07-17 10:38 --------- d-------- C:\Program Files\Screaming Bee
2007-07-15 23:00 355 --a------ C:\mobile.exe
2007-07-15 20:33 --------- d-------- C:\Program Files\QuickTime
2007-07-15 20:28 --------- d-------- C:\Program Files\Apple Software Update
2007-07-09 20:08 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\SpinTop
2007-07-08 19:08 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-08 19:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-08 19:00 --------- d-------- C:\Program Files\Hasbro Interactive
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 22:30 86016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-14 23:36 10 --a------ C:\WINDOWS\system32\wfxhelp22.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-05-31 01:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 01:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 01:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 01:44 740442 --a------ C:\WINDOWS\system32\DivX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32]
"nwiz"="nwiz.exe" [2005-09-18 10:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 10:32]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 C:\WINDOWS\system32\HdAShCut.exe]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 13:38 C:\WINDOWS\RTHDCPL.EXE]
"D-Link AirPlus Xtreme G"="C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 17:00]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 16:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-08-24 18:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-27 10:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2006-12-03 12:02]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-05-08 17:25]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-08-22 21:15]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

C:\DOCUME~1\OWNER~1.BAS\STARTM~1\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

C:\DOCUME~1\Zach\STARTM~1\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
backup=C:\WINDOWS\pss\TMMonitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1\1&1 EasyLogin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe]
"1&1 EasyLogin" HIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1147376554\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TM Control]
C:\WINDOWS\system32\TMController.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 AV88BASE;Cx2388x Base Driver;C:\WINDOWS\system32\drivers\av88base.sys
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
S2 AppMSVC;Application Mobile Service;"C:\WINDOWS\system32\mui\apisvc.exe"
S3 DrvFltIp;DrvFltIp;\??\C:\Program Files\MRBDG\DrvFltIp.sys
S3 EraserUtilDrvI3;EraserUtilDrvI3;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVE
S3 QWAVEDRV;QWAVE driver;C:\WINDOWS\system32\DRIVERS\qwavedrv.sys
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE


Contents of the 'Scheduled Tasks' folder
2007-08-20 16:48:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-07-20 01:20:57 C:\WINDOWS\Tasks\ISP signup reminder 2.job - C:\WINDOWS\system32\OOBE\oobebaln.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-28 16:23:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-28 16:26:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-28 16:26
C:\ComboFix2.txt ... 2007-08-28 08:48

--- E O F ---
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Part 1:

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\wfxhelp22.dll
C:\WINDOWS\system32\mui\apisvc.exe

Driver::
AppMSVC


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

Part 2:

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log.
  • 0
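As an added illustration (not part of this thread, and not code from HijackThis or ComboFix), here is the kind of triage that singles out AppMSVC / apisvc.exe from the HijackThis O23 list and the ComboFix service list posted above: a small Python parser for both line formats that flags "Unknown owner" and "(file missing)" entries and checks whether the service is still registered for automatic start. The sample lines are copied from the logs posted earlier in this thread; the flagging heuristics are assumptions added here, not anything the tools implement.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# HijackThis O23 layout (as in the log posted above):
#   O23 - Service: <display> [(<short name>)] - <vendor> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<vendor>.+?) - (?P<path>.+)$"
)
# ComboFix driver/service layout: <R|S><start type> <name>;<display>;<image path>
# R = running, S = stopped; start type 2 = automatic, 3 = manual (standard SCM values).
CF_SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$"
)

# Sample input: lines copied from the HijackThis and ComboFix logs in this thread.
HJT_SAMPLE = [
    r"O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Application Mobile Service (AppMSVC) - Unknown owner - C:\WINDOWS\system32\mui\apisvc.exe (file missing)",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
    r'O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)',
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)",
]
COMBOFIX_SAMPLE = [
    r"R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe",
    r'S2 AppMSVC;Application Mobile Service;"C:\WINDOWS\system32\mui\apisvc.exe"',
    r"S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVE",
]


@dataclass
class Service:
    display: str
    short: Optional[str]
    vendor: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Parse one HijackThis O23 line; returns None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path, missing = m.group("path"), False
    if path.endswith("(file missing)"):
        missing, path = True, path[: -len("(file missing)")].rstrip()
    return Service(m.group("display"), m.group("short"), m.group("vendor"), path, missing)


def parse_combofix_services(lines) -> Dict[str, dict]:
    """Map lower-cased service name -> fields for ComboFix R*/S* service lines."""
    out = {}
    for line in lines:
        m = CF_SVC_RE.match(line.strip())
        if m:
            out[m.group("name").lower()] = m.groupdict()
    return out


def triage(hjt_lines, combofix_lines) -> Dict[str, Service]:
    """Return services worth a second look, keyed by short name (or display name)."""
    registered = parse_combofix_services(combofix_lines)
    flagged = {}
    for line in hjt_lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        key = svc.short or svc.display
        if svc.vendor.lower() == "unknown owner":
            svc.reasons.append("no vendor information")
        if svc.file_missing:
            # Heuristic (added here, not HijackThis' own logic): an ImagePath that
            # still carries arguments after a closing quote is usually a path-parsing
            # artefact rather than a binary that is really gone.
            if '"' in svc.path:
                svc.reasons.append("reported missing, but path has arguments (likely artefact)")
            else:
                svc.reasons.append("reported missing on disk")
        entry = registered.get(key.lower())
        if entry and entry["start"] == "2":
            svc.reasons.append(
                "still registered for automatic start (ComboFix %s%s)" % (entry["state"], entry["start"])
            )
        if svc.reasons:
            flagged[key] = svc
    return flagged


if __name__ == "__main__":
    for name, svc in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print("%s -> %s" % (name, "; ".join(svc.reasons)))
```

On the sample, AppMSVC is the only entry that is unknown-owner, genuinely missing on disk, and still set to auto-start; the Symantec leftover is flagged only as a probable reporting artefact.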

#7
alex_pof

alex_pof

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Alright, I have all the tests done.


ComboFix 07-08-26.3 - "Owner" 2007-08-28 23:11:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.728 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner.BASEMENT\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\wfxhelp22.dll
C:\WINDOWS\system32\mui\apisvc.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wfxhelp22.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_APPMSVC
-------\AppMSVC


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-29 )))))))))))))))))))))))))))))))


2007-08-28 20:27 <DIR> d-------- C:\My Games
2007-08-28 20:27 <DIR> d-------- C:\My Download Files
2007-08-28 20:26 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-08-28 18:05 25,043 --a------ C:\WINDOWS\system32\drivers\FG.SYS
2007-08-28 18:05 <DIR> d-------- C:\WINDOWS\FG
2007-08-28 17:59 <DIR> d-------- C:\WINDOWS\ZF
2007-08-28 17:57 3,445 --a------ C:\WINDOWS\system32\drivers\U3SHLPDR.SYS
2007-08-28 17:57 <DIR> d-------- C:\Program Files\AuthenTec
2007-08-28 08:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 08:17 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-27 19:52 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-27 19:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 19:36 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Uniblue
2007-08-27 10:46 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-08-27 10:19 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-08-26 07:35 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-08-26 07:31 <DIR> d-------- C:\Program Files\AdVantage
2007-08-26 07:29 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-08-25 18:05 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-25 15:08 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Thunderbird
2007-08-25 13:23 <DIR> d-------- C:\Program Files\YCUBED
2007-08-25 10:21 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-08-25 10:21 47,360 --a------ C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\pcouffin.sys
2007-08-25 10:21 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Vso
2007-08-25 10:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\1Click DVD Copy Pro
2007-08-25 10:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-08-25 08:48 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\SampleView
2007-08-24 18:19 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-08-24 17:59 <DIR> d-------- C:\TypeRecorder
2007-08-24 17:59 <DIR> d-------- C:\Program Files\TypeAgent
2007-08-22 22:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\WinRAR
2007-08-22 22:11 <DIR> d-------- C:\Program Files\Blender Foundation
2007-08-22 22:11 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Blender Foundation
2007-08-22 22:04 <DIR> d-------- C:\zCEP_Uninstaller
2007-08-22 22:04 <DIR> d-------- C:\TSData
2007-08-22 22:03 <DIR> d-------- C:\Program Files\SimPE
2007-08-22 13:42 <DIR> d-------- C:\Program Files\StarshipTycoonDemo
2007-08-22 13:16 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\SiteAdvisor
2007-08-19 10:59 967 --a------ C:\WINDOWS\ScUnin.pif
2007-08-19 10:59 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-08-19 10:59 12,620 --a------ C:\WINDOWS\scunin.dat
2007-08-19 10:58 <DIR> d-------- C:\Program Files\Starcraft
2007-08-19 10:25 <DIR> d-------- C:\Program Files\Starcraft Shareware(ED)
2007-08-18 23:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-18 23:06 <DIR> d-------- C:\Program Files\Bonjour
2007-08-18 22:53 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-18 16:52 <DIR> d-------- C:\Program Files\Ideal File Sorter
2007-08-18 16:52 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Ideal File Sorter
2007-08-18 15:17 <DIR> d-------- C:\Program Files\Ideal Music Sorter
2007-08-18 15:17 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Ideal Mp3 Music Sorter
2007-08-05 18:29 <DIR> d-------- C:\Program Files\ReplAll
2007-08-02 15:02 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\gtk-2.0
2007-08-02 15:02 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\.thumbnails
2007-08-02 14:59 <DIR> d-------- C:\DOCUME~1\OWNER~1.BAS\.gimp-2.2
2007-08-02 12:24 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-08-02 12:23 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-08-01 21:52 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-08-01 14:17 <DIR> d-------- C:\Program Files\Paint Shop Pro
2007-07-30 12:24 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-28 20:26 --------- d-------- C:\Program Files\Real
2007-08-27 19:47 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 19:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-27 11:30 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Azureus
2007-08-27 10:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-27 10:19 --------- d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-26 08:07 --------- d-------- C:\Program Files\EA Games
2007-08-25 20:07 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-25 15:07 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-25 10:19 --------- d-------- C:\Program Files\DAP
2007-08-19 11:19 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\LimeWire
2007-08-19 03:01 --------- d-------- C:\Program Files\Magic MP3 Tagger
2007-08-17 19:44 --------- d-------- C:\Program Files\LimeWire
2007-08-17 11:55 --------- d-------- C:\Program Files\America Online 9.0
2007-08-17 11:55 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\AOL
2007-08-17 11:55 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-16 23:23 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\Apple Computer
2007-08-08 19:19 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\Chessmaster Challenge
2007-08-06 23:47 --------- d-------- C:\Program Files\Game_Maker7
2007-08-06 22:48 --------- d-------- C:\Program Files\Game_Maker6
2007-08-06 18:31 --------- d-------- C:\Program Files\Mp3 My Mp3 2.0
2007-08-06 11:57 --------- d-------- C:\Program Files\iTunes
2007-08-06 11:56 --------- d-------- C:\Program Files\iPod
2007-08-04 07:20 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\IBP
2007-08-02 21:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-02 07:59 --------- d-------- C:\Program Files\Cucusoft
2007-08-02 01:19 --------- d-------- C:\Program Files\SwiftSwitch
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 08:45 --------- d-------- C:\Program Files\Alwil Software
2007-07-27 00:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-25 22:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-25 22:02 --------- d-------- C:\Program Files\Shockwave.com
2007-07-24 08:10 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\Apple Computer
2007-07-22 22:45 --------- d-------- C:\Program Files\ReflexiveArcade
2007-07-21 08:46 --------- d-------- C:\DOCUME~1\OWNER~1.BAS\APPLIC~1\uTorrent
2007-07-17 10:39 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\Screaming Bee
2007-07-17 10:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Screaming Bee
2007-07-17 10:38 --------- d-------- C:\Program Files\Screaming Bee
2007-07-15 23:00 355 --a------ C:\mobile.exe
2007-07-15 20:33 --------- d-------- C:\Program Files\QuickTime
2007-07-15 20:28 --------- d-------- C:\Program Files\Apple Software Update
2007-07-09 20:08 --------- d-------- C:\DOCUME~1\Zach\APPLIC~1\SpinTop
2007-07-08 19:08 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-08 19:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-08 19:00 --------- d-------- C:\Program Files\Hasbro Interactive
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 22:30 86016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-05-31 01:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 01:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 01:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 01:44 740442 --a------ C:\WINDOWS\system32\DivX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32]
"nwiz"="nwiz.exe" [2005-09-18 10:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 10:32]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 C:\WINDOWS\system32\HdAShCut.exe]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 13:38 C:\WINDOWS\RTHDCPL.EXE]
"D-Link AirPlus Xtreme G"="C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 17:00]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 16:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-08-24 18:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-27 10:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2006-12-03 12:02]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-05-08 17:25]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-08-22 21:15]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

C:\DOCUME~1\OWNER~1.BAS\STARTM~1\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

C:\DOCUME~1\Zach\STARTM~1\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
backup=C:\WINDOWS\pss\TMMonitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1\1&1 EasyLogin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe]
"1&1 EasyLogin" HIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1147376554\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TM Control]
C:\WINDOWS\system32\TMController.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R1 FG;FG;C:\WINDOWS\system32\drivers\FG.sys
R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 U3SHLPDR;U3SHLPDR;\??\C:\WINDOWS\System32\Drivers\U3SHLPDR.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 AV88BASE;Cx2388x Base Driver;C:\WINDOWS\system32\drivers\av88base.sys
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
S3 DrvFltIp;DrvFltIp;\??\C:\Program Files\MRBDG\DrvFltIp.sys
S3 EraserUtilDrvI3;EraserUtilDrvI3;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVE
S3 QWAVEDRV;QWAVE driver;C:\WINDOWS\system32\DRIVERS\qwavedrv.sys
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE


Contents of the 'Scheduled Tasks' folder
2007-08-20 16:48:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-07-20 01:20:57 C:\WINDOWS\Tasks\ISP signup reminder 2.job - C:\WINDOWS\system32\OOBE\oobebaln.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-28 23:18:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-28 23:21:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-28 23:21
C:\ComboFix2.txt ... 2007-08-28 16:26
C:\ComboFix3.txt ... 2007-08-28 08:48

--- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 29, 2007 8:55:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/08/2007
Kaspersky Anti-Virus database records: 391873
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 224261
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 2
Duration of the scan process: 02:28:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19238199cb99bdab324fc72b58464a75_d5b84b35-3512-451b-98ac-33e5b717c88f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject4.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2554592182_7602176_108493 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E5B6C1DA-D4B7-457E-B497-AC27A105A2CC}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_56c.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\foxmarks.log Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Mozilla\Firefox\Profiles\8g7enm8w.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Application Data\Yahoo\Widget Engine\Widgets DB\widgets.db Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\History\History.IE5\MSHist012007082820070829\index.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\Local Settings\Temporary Internet Files\Content.IE5\R79U62T5\1132[1].flv Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\My Documents\My Completed Downloads\SDFix\SDFix\backups\backups.zip/backups/aol.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\Documents and Settings\Owner.BASEMENT\My Documents\My Completed Downloads\SDFix\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner.BASEMENT\My Documents\My Pictures\sprites\Hard Vacuum\Buildings\Thumbs.db Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.BASEMENT\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DAP\History\Owner\_lasthist.dat Object is locked skipped
C:\Program Files\DAP\History\Zach\_lasthist.dat Object is locked skipped
C:\Program Files\DAP\Log\DAP_REPORT.LOG Object is locked skipped
C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\setup.ilg Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_96.trc Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP533\A0086076.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP587\A0097226.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP587\A0097229.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP595\A0103864.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP598\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2C64B0C6-0C9C-45AD-B8D9-AC2D5429D981}.crmlog Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_79c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP598\change.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 8:55:30 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....earch/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TP&M=GT4022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106w.bay106...es/MsnPUpld.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - http://www.worldwinn...luxor/luxor.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

#8 Trevuren
All of the remaining malware is in Quarantined areas and will be removed in due course. Some in this post, most of it in the final cleanup procedures.

A. Please delete the following:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject4.zip <== File
C:\Documents and Settings\Owner.BASEMENT\My Documents\My Completed Downloads\SDFix <== Folder and all its content.


B. Please tell me how your system is running. If there is no more evidence of malware activity, just give me the go ahead and we will proceed with the final but essential cleanup procedures and recommendations.

Trevuren

#9 alex_pof
Right now it's working well. No annoying popups or random shutdowns!!

Thanks a bunch.

#10 Trevuren
Congratulations, your log looks CLEAN

There are a few things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt by OldTimer
  • Save it to your desktop.
  • Run the tool by clicking on the icon.
  • Click the Cleanup button.
  • The tools that we used as well as this one will be removed from your system.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place?

Regards,

Trevuren


#11 alex_pof
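To make the HOSTS-file mechanism from the advice above concrete, here is an added Python example (not code from the thread or from the MVPS project). It parses a constructed HOSTS file, shows how a name mapped to 127.0.0.1 never reaches DNS, and adds a defender's check for entries that point a name at a routable address, which is what a malicious HOSTS edit looks like instead of a blocking one.

```python
"""Parse a Windows-style HOSTS file and report which names it sinkholes.

Added example, not from the thread or the MVPS project. A blocking HOSTS
file maps ad/malware domains to 127.0.0.1 so the lookup never leaves the
machine; an entry mapping a name to some other address redirects instead.
"""
import ipaddress

# Addresses a blocking HOSTS file legitimately points names at.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content (example names and addresses only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.net        # blocked ad server
0.0.0.0    tracker.example.org
203.0.113.5  www.example-bank.com   # not loopback: a redirect, not a block
"""


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS text, ignoring comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)          # skip malformed address tokens
        except ValueError:
            continue
        for name in names:
            table[name.lower()] = ip          # later lines override earlier ones
    return table


def resolve(table, hostname):
    """Mimic the OS: HOSTS is consulted before DNS, so a hit short-circuits."""
    return table.get(hostname.lower())


def suspicious_entries(table):
    """Names mapped to a routable address, i.e. redirected rather than blocked."""
    return {name: ip for name, ip in table.items() if ip not in LOCAL_SINKS}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.net ->", resolve(hosts, "ads.example.net"))  # 127.0.0.1
    print("redirected, not blocked:", suspicious_entries(hosts))
```

On a real machine the file to feed `parse_hosts` is `C:\WINDOWS\system32\drivers\etc\hosts`; any entry the check reports for a site you did not add yourself is worth a second look.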
Thank you so much Trevuren. My computer works perfectly again. I really appreciate what you have done for me!

Thanks

alex

#12 Trevuren
My Pleasure Alex

#13 Trevuren
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.