Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't get rid of awvvu.dll and byxywts.dll [CLOSED]

Started by xaero_cool , Jan 27 2008 06:21 PM

  • This topic is locked This topic is locked

#1
xaero_cool
Posted 27 January 2008 - 06:21 PM

xaero_cool

    New Member

  • Member
  • Pip
  • 7 posts
Hi

I have been trying to get rid of awvvu.dll and byxywts.dll, I have followed the instructions in the posts, run AVG, panda soft, Superantispyware and my system is fully up to date with the microsoft website running XP SP2.

The files are removed but after a reboot or even sometimes without a reboot they come back.

I'm not sure if everything is being caused by these, but the symptoms are

POP ups
svchost running 100% CPU
rundll.exe running 100% CPU
task bar crashing
Explorer crashing

Now when my system starts it has a pop up saying that the path for awvvu.dll couldn't be found, but its still appears to be running.

Below are logs, from Activescan, Hijack this and super antispyware

Please help I really don't want to rebuild my computer again I just did it before Chistmas.

SUPER ANTI SPYWARE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/27/2008 at 04:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:50:06

Memory items scanned : 295
Memory threats detected : 3
Registry items scanned : 6685
Registry threats detected : 5
File items scanned : 112182
File threats detected : 20

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWVVU.DLL
C:\WINDOWS\SYSTEM32\AWVVU.DLL
HKLM\Software\Classes\CLSID\{605A4EEB-8C6F-4E4D-AB72-D896768812C6}
HKCR\CLSID\{605A4EEB-8C6F-4E4D-AB72-D896768812C6}
HKCR\CLSID\{605A4EEB-8C6F-4E4D-AB72-D896768812C6}\InprocServer32
HKCR\CLSID\{605A4EEB-8C6F-4E4D-AB72-D896768812C6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{605A4EEB-8C6F-4E4D-AB72-D896768812C6}

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\OUCOUKMH.DLL
C:\WINDOWS\SYSTEM32\OUCOUKMH.DLL

Adware.ClickSpring/Resident
C:\WINDOWS\MANTEC~1\SRSS~1.EXE
C:\WINDOWS\MANTEC~1\SRSS~1.EXE

Adware.Adservs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\FF\chrome.manifest
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\Outerinfo\FF\components
C:\Program Files\Outerinfo\FF\install.rdf
C:\Program Files\Outerinfo\FF
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\Guru\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Guru\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Guru\Start Menu\Programs\Outerinfo

Adware.ClickSpring-Variant
C:\DOCUMENTS AND SETTINGS\GURU\LOCAL SETTINGS\TEMP\TMP5.TMP
C:\DOCUMENTS AND SETTINGS\GURU\LOCAL SETTINGS\TEMP\TMP6.TMP
C:\PROGRAM FILES\TSKS~1\RUNDLL .EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{49BE436C-BE2F-45C6-ADF0-AC7DD182E860}\RP89\A0023493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{49BE436C-BE2F-45C6-ADF0-AC7DD182E860}\RP89\A0023512.EXE


--------------------------------------------------------------

Activescan


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\byxywts.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\byxywts.dll( 1)
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guru\Cookies\guru@atdmt[2].txt
Virus:Trj/Downloader.SGB Disinfected C:\WINDOWS\mrofinu1000106.exe
Virus:Trj/Downloader.SCO Disinfected C:\WINDOWS\mrofinu572.exe
Virus:Trj/Downloader.SCO Disinfected C:\WINDOWS\mrofinu572.exe.tmp
Virus:Trj/Dropper.ZN Disinfected C:\WINDOWS\system32\awvvu.exe
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\system32\bvdaoerb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\byxywts.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\lvyklnx.dll
Virus:Trj/Downloader.PLF Disinfected C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qomjgfg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qomkkji.dll


--------------------------------------------------------------------------------------------------------

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 00:07:12, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1769F418-4A8B-1121-F8BE-61A394FCAB99} - C:\WINDOWS\system32\lvyklnx.dll
O2 - BHO: (no name) - {552FA423-7972-4A0C-92C6-1123BDD40AE7} - C:\Program Files\MSN\hokevof83122.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BDF5FE6-81D7-4345-9DAE-13411FEB7D5F} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: {78616b3c-1085-1c09-a5d4-f5e6007627c8} - {8c726700-6e5f-4d5a-90c1-5801c3b61687} - C:\WINDOWS\system32\oucoukmh.dll (file missing)
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINDOWS\system32\byxywts.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {AEE58817-27C3-40BF-83BC-86760C27A322} - C:\Program Files\MSN\hokevof4444.dll (file missing)
O2 - BHO: (no name) - {B25DCF81-0E47-42A3-98A8-6C2A7D60CD9C} - C:\Program Files\MSN\hokevof455101.dll (file missing)
O2 - BHO: 0 - {EE4F4543-E392-48EC-2FB4-5A7A52A172DE} - C:\Program Files\Outlook Express\lavupagoz251.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [ActivFilter] C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe
O4 - HKLM\..\Run: [ActivControl] C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
O4 - HKLM\..\Run: [BFC5C9C1C9CAC8CD] D6DCE0D8E0E1DF.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Rpbn] "C:\PROGRA~1\TSKS~1\rundll.exe" -vt ndrv
O4 - HKCU\..\Run: [Tgnuxi] C:\WINDOWS\??mantec\?srss.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201454236125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxywts - byxywts.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
  • 0

Advertisements

#2
Rorschach112
Posted 30 January 2008 - 01:04 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
xaero_cool
Posted 02 February 2008 - 02:20 PM

xaero_cool

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi

Please find below Combo fix and Hijack this log as requested.

Cheers

Combo FIX
------------------------

ComboFix 08-02.03.1 - Guru 2008-02-02 20:01:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.150 [GMT 0:00]
Running from: C:\Documents and Settings\Guru\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\ppatch~1
C:\Program Files\Temporary
C:\Program Files\tsks~1
C:\Program Files\tsks~1\T?sks\
C:\Program Files\WinAble
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\WINDOWS\b143.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mantec~1
C:\WINDOWS\system32\jkkkhec.dll
C:\WINDOWS\system32\khfcyvs.dll
C:\WINDOWS\system32\lvyklnx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qomjgfg.dll
C:\WINDOWS\system32\qomkkji.dll
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-27 23:30 . 2008-02-02 19:52 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-27 20:50 . 2008-01-27 20:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-27 20:09 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 17:35 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\creplbdiwthm.sys
2008-01-27 17:31 . 2008-01-27 17:33 721,473,536 --a------ C:\CE.tmp
2008-01-27 17:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 17:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 17:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-27 17:12 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\yqfcpquwnfmp.sys
2008-01-27 16:56 . 2008-01-27 18:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-27 16:56 . 2008-01-27 17:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-27 16:56 . 2008-01-27 17:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-27 16:56 . 2008-01-27 17:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-27 14:47 . 2008-01-27 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 14:46 . 2008-01-27 22:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 14:46 . 2008-01-27 14:46 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\SUPERAntiSpyware.com
2008-01-24 21:27 . 2008-01-24 21:27 <DIR> d-------- C:\WINDOWS\system32\0C12160E161715
2008-01-20 22:20 . 2008-01-26 15:18 <DIR> d-------- C:\WINDOWS\system32\pip2
2008-01-20 22:20 . 2008-01-26 15:18 <DIR> d-------- C:\WINDOWS\system32\eck8
2008-01-20 22:13 . 2008-01-27 18:18 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-16 13:15 . 2008-01-16 13:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 13:15 . 2008-01-16 13:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 19:49 . 2008-01-11 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Activ Software
2008-01-11 19:48 . 2008-01-11 19:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\Common Files\ACTIV Software
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\ACTIV Software
2008-01-10 23:23 . 2008-01-20 11:57 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-01-07 23:44 . 2008-01-07 23:44 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-07 23:42 . 2008-01-07 23:42 <DIR> d-------- C:\Program Files\Macromedia
2008-01-07 13:47 . 2008-01-07 13:47 <DIR> d-------- C:\Program Files\AC3Filter
2008-01-07 13:47 . 2007-08-18 07:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-01-07 13:45 . 2008-01-07 13:45 <DIR> d-------- C:\Program Files\AC3File
2008-01-07 13:42 . 2007-12-11 19:46 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-01-07 00:05 . 2008-01-07 00:05 75,840 --a------ C:\WINDOWS\system32\vvesepnb.dll
2008-01-06 20:41 . 2008-01-06 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 20:40 . 2008-01-06 20:41 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-06 20:40 . 2008-01-06 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-06 19:28 . 2008-01-06 19:45 <DIR> d-------- C:\Program Files\Autodesk
2008-01-06 19:11 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-06 19:06 . 2008-01-06 19:06 <DIR> d-------- C:\Program Files\MagicDisc
2008-01-06 19:06 . 2007-09-05 01:46 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-01-06 19:04 . 2008-01-06 19:04 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\ImgBurn
2008-01-06 19:03 . 2008-01-06 19:03 <DIR> d-------- C:\Program Files\ImgBurn
2008-01-05 17:52 . 2008-01-05 17:53 <DIR> d-------- C:\3dsmax9Tutorials
2008-01-04 17:42 . 2004-11-25 05:07 79,679 --a------ C:\WINDOWS\system32\E_FLMAHE.DLL
2008-01-04 17:42 . 2003-05-21 02:27 64,000 --a------ C:\WINDOWS\system32\E_FBCBAHE.DLL
2008-01-04 17:42 . 2004-09-10 20:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2008-01-04 17:42 . 2000-06-07 01:01 34,304 --a------ C:\WINDOWS\system32\E_FBCHAHE.DLL
2008-01-04 17:40 . 2008-01-04 17:42 <DIR> d-------- C:\Program Files\EPSON

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-27 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 17:59 --------- d-----w C:\Program Files\Bonjour
2008-01-27 14:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 23:42 --------- d-----w C:\Documents and Settings\Guru\Application Data\Azureus
2008-01-26 11:57 --------- d-----w C:\Program Files\QuickTime
2008-01-07 13:42 --------- d-----w C:\Program Files\DivX
2008-01-06 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-06 19:45 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-06 15:34 --------- d-----w C:\Documents and Settings\Guru\Application Data\DivX
2008-01-06 15:13 --------- d-----w C:\Program Files\Azureus
2008-01-01 19:57 --------- d-----w C:\Documents and Settings\Guru\Application Data\Vso
2008-01-01 19:57 --------- d-----w C:\Documents and Settings\Guru\Application Data\Roxio
2007-12-29 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-29 15:39 --------- d-----w C:\Program Files\PowerISO
2007-12-29 11:20 --------- d-----w C:\Documents and Settings\Guru\Application Data\Grisoft
2007-12-29 11:08 94,208 ----a-w C:\WINDOWS\SM1BG .EXE
2007-12-29 11:05 --------- d-----w C:\Program Files\D-Tools
2007-12-28 19:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-28 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 19:01 --------- d-----w C:\Program Files\Security Task Manager
2007-12-16 20:54 --------- d-----w C:\Program Files\Electric Rain
2007-12-16 17:30 --------- d-----w C:\Program Files\dvddr
2007-12-16 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-16 11:30 54,784 ----a-w C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-16 11:30 12,464 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-16 11:30 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-16 11:29 --------- d-----w C:\Program Files\backburner 2
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-09 20:58 --------- d-----w C:\Program Files\Boson Software
2007-12-09 19:54 --------- d-----w C:\Program Files\cbview
2007-12-09 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Boson
2007-12-05 23:19 --------- d-----w C:\Program Files\Temp
2007-12-05 19:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-12-05 19:49 --------- d-----w C:\Program Files\Mustek 1200 UB PLUS
2007-10-08 17:47 94,080 ----a-w C:\Documents and Settings\Guru\Application Data\ezplay.sys
2007-10-08 17:47 81,920 ----a-w C:\Documents and Settings\Guru\Application Data\ezpinst.exe
2007-10-08 17:47 47,360 ----a-w C:\Documents and Settings\Guru\Application Data\pcouffin.sys
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
<pre>
----a-w		   843,776 2008-01-26 11:51:06  C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2 .exe
----a-w			23,552 2008-01-26 11:51:04  C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter .exe
----a-w		   620,152 2008-01-27 12:35:01  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w		 1,884,160 2007-12-29 11:08:37  C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .EXE
----a-w		 2,372,240 2008-01-27 12:35:07  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w			81,920 2007-12-29 11:01:46  C:\Program Files\D-Tools\daemon .exe
----a-w		 6,731,312 2008-01-27 22:02:46  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
----a-w		 7,485,952 2008-01-27 14:45:41  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w		   132,496 2007-12-29 11:08:32  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 1,667,584 2007-12-29 11:08:36  C:\Program Files\Messenger\msmsgs .exe
----a-w		   200,704 2007-12-28 18:51:27  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w		 1,179,648 2007-12-29 11:08:32  C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc .exe
----a-w		   224,248 2007-12-29 11:08:34  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w			94,208 2007-12-29 11:08:29  C:\WINDOWS\SM1BG .EXE
----a-w		   158,208 2007-12-29 11:01:50  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			98,304 2008-01-08 10:21:33  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{552FA423-7972-4A0C-92C6-1123BDD40AE7}]
C:\Program Files\MSN\hokevof83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDF5FE6-81D7-4345-9DAE-13411FEB7D5F}]
C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c726700-6e5f-4d5a-90c1-5801c3b61687}]
C:\WINDOWS\system32\oucoukmh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEE58817-27C3-40BF-83BC-86760C27A322}]
C:\Program Files\MSN\hokevof4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B25DCF81-0E47-42A3-98A8-6C2A7D60CD9C}]
C:\Program Files\MSN\hokevof455101.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE4F4543-E392-48EC-2FB4-5A7A52A172DE}]
C:\Program Files\Outlook Express\lavupagoz251.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"Rpbn"="C:\PROGRA~1\TSKS~1\rundll.exe" [ ]
"Tgnuxi"="C:\WINDOWS\??mantec\?srss.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActivFilter"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe" [ ]
"ActivControl"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe" [ ]
"BFC5C9C1C9CAC8CD"="D6DCE0D8E0E1DF.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2008-01-27 22:02 6731312]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 23:29 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 23:29 219136]

C:\Documents and Settings\Guru\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-06 19:06:32 557568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxywts]
byxywts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Rasbdd"=3 (0x3)
"cmdService"=2 (0x2)

R3 ActivHIDSerMini;Promethean Serial Board Driver;C:\WINDOWS\system32\DRIVERS\activhidsermini.sys [2006-10-04 16:14]
R3 prmvmouse;Promethean HID Mouse Service;C:\WINDOWS\system32\DRIVERS\activmouse.sys [2006-10-04 16:14]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 20:41:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 20:12:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
.
**************************************************************************
.
Completion time: 2008-02-02 20:15:25 - machine was rebooted [Guru]
ComboFix-quarantined-files.txt 2008-02-02 20:15:22
.
2008-01-28 23:04:06 --- E O F ---



--------------------------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 20:17:06, on 02/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {552FA423-7972-4A0C-92C6-1123BDD40AE7} - C:\Program Files\MSN\hokevof83122.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BDF5FE6-81D7-4345-9DAE-13411FEB7D5F} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: {78616b3c-1085-1c09-a5d4-f5e6007627c8} - {8c726700-6e5f-4d5a-90c1-5801c3b61687} - C:\WINDOWS\system32\oucoukmh.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {AEE58817-27C3-40BF-83BC-86760C27A322} - C:\Program Files\MSN\hokevof4444.dll (file missing)
O2 - BHO: (no name) - {B25DCF81-0E47-42A3-98A8-6C2A7D60CD9C} - C:\Program Files\MSN\hokevof455101.dll (file missing)
O2 - BHO: 0 - {EE4F4543-E392-48EC-2FB4-5A7A52A172DE} - C:\Program Files\Outlook Express\lavupagoz251.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ActivFilter] C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe
O4 - HKLM\..\Run: [ActivControl] C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
O4 - HKLM\..\Run: [BFC5C9C1C9CAC8CD] D6DCE0D8E0E1DF.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Rpbn] "C:\PROGRA~1\TSKS~1\rundll.exe" -vt ndrv
O4 - HKCU\..\Run: [Tgnuxi] C:\WINDOWS\??mantec\?srss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201454236125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxywts - byxywts.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
  • 0

#4
Rorschach112
Posted 03 February 2008 - 10:55 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vvesepnb.dll

Folder::
C:\WINDOWS\system32\pip2
C:\WINDOWS\system32\eck8
C:\WINDOWS\system32\nGpxx01

RenV::
----a-w 843,776 2008-01-26 11:51:06 C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2 .exe
----a-w 23,552 2008-01-26 11:51:04 C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter .exe
----a-w 620,152 2008-01-27 12:35:01 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,884,160 2007-12-29 11:08:37 C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .EXE
----a-w 2,372,240 2008-01-27 12:35:07 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 81,920 2007-12-29 11:01:46 C:\Program Files\D-Tools\daemon .exe
----a-w 6,731,312 2008-01-27 22:02:46 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 7,485,952 2008-01-27 14:45:41 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 132,496 2007-12-29 11:08:32 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,667,584 2007-12-29 11:08:36 C:\Program Files\Messenger\msmsgs .exe
----a-w 200,704 2007-12-28 18:51:27 C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w 1,179,648 2007-12-29 11:08:32 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc .exe
----a-w 224,248 2007-12-29 11:08:34 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 94,208 2007-12-29 11:08:29 C:\WINDOWS\SM1BG .EXE
----a-w 158,208 2007-12-29 11:01:50 C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 98,304 2008-01-08 10:21:33 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {552FA423-7972-4A0C-92C6-1123BDD40AE7} - C:\Program Files\MSN\hokevof83122.dll (file missing)
O2 - BHO: (no name) - {7BDF5FE6-81D7-4345-9DAE-13411FEB7D5F} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: {78616b3c-1085-1c09-a5d4-f5e6007627c8} - {8c726700-6e5f-4d5a-90c1-5801c3b61687} - C:\WINDOWS\system32\oucoukmh.dll (file missing)
O2 - BHO: (no name) - {AEE58817-27C3-40BF-83BC-86760C27A322} - C:\Program Files\MSN\hokevof4444.dll (file missing)
O2 - BHO: (no name) - {B25DCF81-0E47-42A3-98A8-6C2A7D60CD9C} - C:\Program Files\MSN\hokevof455101.dll (file missing)
O2 - BHO: 0 - {EE4F4543-E392-48EC-2FB4-5A7A52A172DE} - C:\Program Files\Outlook Express\lavupagoz251.dll (file missing)
O4 - HKCU\..\Run: [Rpbn] "C:\PROGRA~1\TSKS~1\rundll.exe" -vt ndrv
O4 - HKCU\..\Run: [Tgnuxi] C:\WINDOWS\??mantec\?srss.exe
O20 - Winlogon Notify: byxywts - byxywts.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0

#5
Rorschach112
Posted 08 February 2008 - 08:05 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#6
Rorschach112
Posted 09 February 2008 - 06:44 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Please post the logs
  • 0

#7
xaero_cool
Posted 09 February 2008 - 12:13 PM

xaero_cool

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi

Logs as requested starting with Combofix and followed by Hijack this

ComboFix 08-02.03.1 - Guru 2008-02-09 10:02:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.412 [GMT 0:00]
Running from: C:\Documents and Settings\Guru\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Guru\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\vvesepnb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\eck8
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pip2

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-01-27 23:30 . 2008-02-09 09:50 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-27 20:50 . 2008-01-27 20:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-27 20:09 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 17:35 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\creplbdiwthm.sys
2008-01-27 17:31 . 2008-01-27 17:33 721,473,536 --a------ C:\CE.tmp
2008-01-27 17:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 17:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 17:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-27 17:12 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\yqfcpquwnfmp.sys
2008-01-27 16:56 . 2008-01-27 18:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-27 16:56 . 2008-01-27 17:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-27 16:56 . 2008-01-27 17:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-27 16:56 . 2008-01-27 17:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-27 14:47 . 2008-01-27 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 14:46 . 2008-01-27 22:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 14:46 . 2008-01-27 14:46 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\SUPERAntiSpyware.com
2008-01-24 21:27 . 2008-01-24 21:27 <DIR> d-------- C:\WINDOWS\system32\0C12160E161715
2008-01-16 13:15 . 2008-01-16 13:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 13:15 . 2008-01-16 13:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 19:49 . 2008-01-11 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Activ Software
2008-01-11 19:48 . 2008-01-11 19:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\Common Files\ACTIV Software
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\ACTIV Software
2008-01-10 23:23 . 2008-01-20 11:57 9,662 --a------ C:\WINDOWS\EPISME00.SWB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 10:02 --------- d-----w C:\Program Files\PowerISO
2008-02-09 10:02 --------- d-----w C:\Program Files\D-Tools
2008-02-03 11:16 --------- d-----w C:\Documents and Settings\Guru\Application Data\Roxio
2008-02-02 20:21 --------- d-----w C:\Program Files\Security Task Manager
2008-01-28 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-27 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 17:59 --------- d-----w C:\Program Files\Bonjour
2008-01-27 14:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 23:42 --------- d-----w C:\Documents and Settings\Guru\Application Data\Azureus
2008-01-26 11:57 --------- d-----w C:\Program Files\QuickTime
2008-01-07 23:44 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-07 23:42 --------- d-----w C:\Program Files\Macromedia
2008-01-07 13:47 --------- d-----w C:\Program Files\AC3Filter
2008-01-07 13:45 --------- d-----w C:\Program Files\AC3File
2008-01-07 13:42 --------- d-----w C:\Program Files\DivX
2008-01-06 20:41 --------- d-----w C:\Program Files\Apple Software Update
2008-01-06 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-06 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-06 19:45 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-06 19:45 --------- d-----w C:\Program Files\Autodesk
2008-01-06 19:06 --------- d-----w C:\Program Files\MagicDisc
2008-01-06 19:04 --------- d-----w C:\Documents and Settings\Guru\Application Data\ImgBurn
2008-01-06 19:03 --------- d-----w C:\Program Files\ImgBurn
2008-01-06 15:34 --------- d-----w C:\Documents and Settings\Guru\Application Data\DivX
2008-01-06 15:13 --------- d-----w C:\Program Files\Azureus
2008-01-04 17:42 --------- d-----w C:\Program Files\EPSON
2008-01-01 19:57 --------- d-----w C:\Documents and Settings\Guru\Application Data\Vso
2007-12-29 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-29 11:20 --------- d-----w C:\Documents and Settings\Guru\Application Data\Grisoft
2007-12-29 11:08 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-28 19:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-28 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-16 20:54 --------- d-----w C:\Program Files\Electric Rain
2007-12-16 17:30 --------- d-----w C:\Program Files\dvddr
2007-12-16 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-16 11:30 54,784 ----a-w C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-16 11:30 12,464 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-16 11:30 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-16 11:29 --------- d-----w C:\Program Files\backburner 2
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-09 20:58 --------- d-----w C:\Program Files\Boson Software
2007-12-09 19:54 --------- d-----w C:\Program Files\cbview
2007-12-09 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Boson
2007-12-05 19:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-10-08 17:47 94,080 ----a-w C:\Documents and Settings\Guru\Application Data\ezplay.sys
2007-10-08 17:47 81,920 ----a-w C:\Documents and Settings\Guru\Application Data\ezpinst.exe
2007-10-08 17:47 47,360 ----a-w C:\Documents and Settings\Guru\Application Data\pcouffin.sys
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
<pre>
----a-w		 2,372,240 2008-01-27 12:35:07  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w		 6,731,312 2008-01-27 22:02:46  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{552FA423-7972-4A0C-92C6-1123BDD40AE7}]
C:\Program Files\MSN\hokevof83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDF5FE6-81D7-4345-9DAE-13411FEB7D5F}]
C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c726700-6e5f-4d5a-90c1-5801c3b61687}]
C:\WINDOWS\system32\oucoukmh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEE58817-27C3-40BF-83BC-86760C27A322}]
C:\Program Files\MSN\hokevof4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B25DCF81-0E47-42A3-98A8-6C2A7D60CD9C}]
C:\Program Files\MSN\hokevof455101.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE4F4543-E392-48EC-2FB4-5A7A52A172DE}]
C:\Program Files\Outlook Express\lavupagoz251.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 11:08 1667584]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-29 11:08 224248]
"Rpbn"="C:\PROGRA~1\TSKS~1\rundll.exe" [ ]
"Tgnuxi"="C:\WINDOWS\??mantec\?srss.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActivFilter"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe" [2008-01-26 11:51 23552]
"ActivControl"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe" [2008-01-26 11:51 843776]
"BFC5C9C1C9CAC8CD"="D6DCE0D8E0E1DF.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2008-01-27 22:02 6731312]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-29 11:08 224248]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-12-28 18:51 200704]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 23:29 579072]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-27 12:35 620152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 23:29 219136]

C:\Documents and Settings\Guru\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-06 19:06:32 557568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxywts]
byxywts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Rasbdd"=3 (0x3)
"cmdService"=2 (0x2)

R3 ActivHIDSerMini;Promethean Serial Board Driver;C:\WINDOWS\system32\DRIVERS\activhidsermini.sys [2006-10-04 16:14]
R3 prmvmouse;Promethean HID Mouse Service;C:\WINDOWS\system32\DRIVERS\activmouse.sys [2006-10-04 16:14]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 20:41:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 10:13:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-02-09 10:16:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 10:16:33
ComboFix2.txt 2008-02-02 20:15:25
.
2008-01-28 23:04:06 --- E O F ---




----------------------------------------------------------------




Logfile of HijackThis v1.99.1
Scan saved at 10:36:27, on 09/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ActivFilter] C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe
O4 - HKLM\..\Run: [ActivControl] C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
O4 - HKLM\..\Run: [BFC5C9C1C9CAC8CD] D6DCE0D8E0E1DF.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201454236125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxywts - byxywts.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
  • 0

#8
Rorschach112
Posted 09 February 2008 - 12:41 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O20 - Winlogon Notify: byxywts - byxywts.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe

RenV::
----a-w 2,372,240 2008-01-27 12:35:07 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 6,731,312 2008-01-27 22:02:46 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Reboot and post a new HijackThis log
  • 0

#9
xaero_cool
Posted 10 February 2008 - 09:35 AM

xaero_cool

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi

Please find below the following logs

Combofix
Super Anti spyware
HiJack this

ComboFix 08-02.03.1 - Guru 2008-02-09 19:33:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.433 [GMT 0:00]
Running from: C:\Documents and Settings\Guru\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Guru\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-01-27 23:30 . 2008-02-09 09:50 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-27 20:50 . 2008-01-27 20:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-27 20:09 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 17:35 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\creplbdiwthm.sys
2008-01-27 17:31 . 2008-01-27 17:33 721,473,536 --a------ C:\CE.tmp
2008-01-27 17:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 17:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 17:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-27 17:12 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\yqfcpquwnfmp.sys
2008-01-27 16:56 . 2008-01-27 18:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-27 16:56 . 2008-01-27 17:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-27 16:56 . 2008-01-27 17:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-27 16:56 . 2008-01-27 17:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-27 14:47 . 2008-01-27 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 14:46 . 2008-02-09 19:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 14:46 . 2008-01-27 14:46 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\SUPERAntiSpyware.com
2008-01-24 21:27 . 2008-01-24 21:27 <DIR> d-------- C:\WINDOWS\system32\0C12160E161715
2008-01-16 13:15 . 2008-01-16 13:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 13:15 . 2008-01-16 13:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 19:49 . 2008-01-11 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Activ Software
2008-01-11 19:48 . 2008-01-11 19:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\Common Files\ACTIV Software
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\ACTIV Software
2008-01-10 23:23 . 2008-01-20 11:57 9,662 --a------ C:\WINDOWS\EPISME00.SWB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 19:31 --------- d-----w C:\Documents and Settings\Guru\Application Data\Azureus
2008-02-09 10:02 --------- d-----w C:\Program Files\PowerISO
2008-02-09 10:02 --------- d-----w C:\Program Files\D-Tools
2008-02-03 11:16 --------- d-----w C:\Documents and Settings\Guru\Application Data\Roxio
2008-02-02 20:21 --------- d-----w C:\Program Files\Security Task Manager
2008-01-28 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-27 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 17:59 --------- d-----w C:\Program Files\Bonjour
2008-01-27 14:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 11:57 --------- d-----w C:\Program Files\QuickTime
2008-01-07 23:44 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-07 23:42 --------- d-----w C:\Program Files\Macromedia
2008-01-07 13:47 --------- d-----w C:\Program Files\AC3Filter
2008-01-07 13:45 --------- d-----w C:\Program Files\AC3File
2008-01-07 13:42 --------- d-----w C:\Program Files\DivX
2008-01-06 20:41 --------- d-----w C:\Program Files\Apple Software Update
2008-01-06 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-06 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-06 19:45 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-06 19:45 --------- d-----w C:\Program Files\Autodesk
2008-01-06 19:06 --------- d-----w C:\Program Files\MagicDisc
2008-01-06 19:04 --------- d-----w C:\Documents and Settings\Guru\Application Data\ImgBurn
2008-01-06 19:03 --------- d-----w C:\Program Files\ImgBurn
2008-01-06 15:34 --------- d-----w C:\Documents and Settings\Guru\Application Data\DivX
2008-01-06 15:13 --------- d-----w C:\Program Files\Azureus
2008-01-04 17:42 --------- d-----w C:\Program Files\EPSON
2008-01-01 19:57 --------- d-----w C:\Documents and Settings\Guru\Application Data\Vso
2007-12-29 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-29 11:20 --------- d-----w C:\Documents and Settings\Guru\Application Data\Grisoft
2007-12-29 11:08 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-29 11:01 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2007-12-28 19:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-28 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-16 20:54 --------- d-----w C:\Program Files\Electric Rain
2007-12-16 17:30 --------- d-----w C:\Program Files\dvddr
2007-12-16 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-16 11:30 54,784 ----a-w C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-16 11:30 12,464 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-16 11:30 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-16 11:29 --------- d-----w C:\Program Files\backburner 2
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-09 20:58 --------- d-----w C:\Program Files\Boson Software
2007-12-09 19:54 --------- d-----w C:\Program Files\cbview
2007-12-09 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Boson
2007-12-05 19:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-10-08 17:47 94,080 ----a-w C:\Documents and Settings\Guru\Application Data\ezplay.sys
2007-10-08 17:47 81,920 ----a-w C:\Documents and Settings\Guru\Application Data\ezpinst.exe
2007-10-08 17:47 47,360 ----a-w C:\Documents and Settings\Guru\Application Data\pcouffin.sys
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
<pre>
----a-w		 6,731,312 2008-01-27 22:02:46  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-29 11:08 224248]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActivFilter"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe" [2008-01-26 11:51 23552]
"ActivControl"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe" [2008-01-26 11:51 843776]
"BFC5C9C1C9CAC8CD"="D6DCE0D8E0E1DF.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2008-01-27 22:02 6731312]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-29 11:08 224248]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-12-28 18:51 200704]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 23:29 579072]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-27 12:35 620152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 23:29 219136]

C:\Documents and Settings\Guru\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-06 19:06:32 557568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Rasbdd"=3 (0x3)
"cmdService"=2 (0x2)

R3 ActivHIDSerMini;Promethean Serial Board Driver;C:\WINDOWS\system32\DRIVERS\activhidsermini.sys [2006-10-04 16:14]
R3 prmvmouse;Promethean HID Mouse Service;C:\WINDOWS\system32\DRIVERS\activmouse.sys [2006-10-04 16:14]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 20:41:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 19:37:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-02-09 19:40:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 19:40:15
ComboFix2.txt 2008-02-09 10:16:36
ComboFix3.txt 2008-02-02 20:15:25
.
2008-02-09 10:33:19 --- E O F ---






SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 10:08 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 02:27:04

Memory items scanned : 340
Memory threats detected : 0
Registry items scanned : 6784
Registry threats detected : 0
File items scanned : 112149
File threats detected : 35

Adware.Tracking Cookie
C:\Documents and Settings\Guru\Cookies\guru@a[1].txt
C:\Documents and Settings\Guru\Cookies\guru@xiti[1].txt
C:\Documents and Settings\Guru\Cookies\guru@1072453479[2].txt
C:\Documents and Settings\Guru\Cookies\[email protected][1].txt
C:\Documents and Settings\Guru\Cookies\guru@adrevolver[1].txt
C:\Documents and Settings\Guru\Cookies\[email protected][1].txt
C:\Documents and Settings\Guru\Cookies\[email protected][1].txt
C:\Documents and Settings\Guru\Cookies\guru@mediaplex[1].txt
C:\Documents and Settings\Guru\Cookies\guru@gostats[1].txt
C:\Documents and Settings\Guru\Cookies\guru@hitbox[2].txt
C:\Documents and Settings\Guru\Cookies\[email protected][1].txt
C:\Documents and Settings\Guru\Cookies\guru@harglandn[1].txt
C:\Documents and Settings\Guru\Cookies\guru@cassava[1].txt
C:\Documents and Settings\Guru\Cookies\guru@estat[1].txt
C:\Documents and Settings\Guru\Cookies\[email protected][2].txt
C:\Documents and Settings\Guru\Cookies\guru@doubleclick[1].txt
C:\Documents and Settings\Guru\Cookies\guru@statcounter[1].txt
C:\Documents and Settings\Guru\Cookies\guru@atdmt[2].txt
C:\Documents and Settings\Guru\Cookies\guru@tacoda[2].txt
C:\Documents and Settings\Guru\Cookies\guru@adrevolver[2].txt
C:\Documents and Settings\Guru\Cookies\guru@revsci[1].txt
C:\Documents and Settings\Guru\Cookies\[email protected][2].txt
C:\Documents and Settings\Guru\Cookies\guru@windowsmedia[1].txt
C:\Documents and Settings\Guru\Cookies\guru@1066502365[2].txt
C:\Documents and Settings\Guru\Cookies\guru@advertising[1].txt
C:\Documents and Settings\Guru\Cookies\[email protected][2].txt
C:\Documents and Settings\Guru\Cookies\guru@2o7[1].txt
C:\Documents and Settings\Guru\Cookies\guru@serving-sys[2].txt
C:\Documents and Settings\Guru\Cookies\guru@1071043909[1].txt
C:\Documents and Settings\Guru\Cookies\guru@888[1].txt
C:\Documents and Settings\Guru\Cookies\[email protected][2].txt
C:\Documents and Settings\Guru\Cookies\[email protected][2].txt
C:\Documents and Settings\Guru\Cookies\[email protected][2].txt

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{49BE436C-BE2F-45C6-ADF0-AC7DD182E860}\RP90\A0023544.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{49BE436C-BE2F-45C6-ADF0-AC7DD182E860}\RP96\A0024782.DLL


Logfile of HijackThis v1.99.1
Scan saved at 15:32:21, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ActivFilter] C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe
O4 - HKLM\..\Run: [ActivControl] C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
O4 - HKLM\..\Run: [BFC5C9C1C9CAC8CD] D6DCE0D8E0E1DF.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201454236125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{7E5A4A98-A82C-4430-9AA0-261B2AFEA950}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
  • 0

#10
Rorschach112
Posted 10 February 2008 - 09:38 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Drag this log into RenV.exe and post the resulting log

  • 0

Advertisements

#11
xaero_cool
Posted 10 February 2008 - 12:14 PM

xaero_cool

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Is this what you meant?

Ran on 10/02/2008 - 18:05:51.17

----a-w		 6,731,312 2008-01-27 22:02:46  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:		  6,731,312  Blocks:	   13,148

  • 0

#12
Rorschach112
Posted 10 February 2008 - 12:21 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

Save the attached CFScript to your desktop

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Edited by Rorschach112, 10 February 2008 - 12:21 PM.

  • 0

#13
xaero_cool
Posted 10 February 2008 - 12:45 PM

xaero_cool

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ComboFix 08-02.03.1 - Guru 2008-02-10 18:39:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.439 [GMT 0:00]
Running from: C:\Documents and Settings\Guru\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Guru\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 18:30 . 2008-02-10 18:31 <DIR> d-------- C:\Program Files\Video Strip Poker2
2008-02-10 16:58 . 2008-02-10 16:58 <DIR> d-------- C:\Program Files\Video Strip Poker1
2008-02-10 16:57 . 2008-02-10 16:57 <DIR> d-------- C:\Program Files\Video Strip Poker
2008-02-10 16:16 . 2008-02-10 16:16 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-10 16:12 . 2008-02-10 17:03 <DIR> d-------- C:\Program Files\Video Strip Poker Supreme
2008-01-27 23:30 . 2008-02-10 15:29 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-27 23:29 . 2008-01-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-27 20:50 . 2008-01-27 20:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-27 20:09 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 17:35 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\creplbdiwthm.sys
2008-01-27 17:31 . 2008-01-27 17:33 721,473,536 --a------ C:\CE.tmp
2008-01-27 17:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 17:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 17:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-27 17:12 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\yqfcpquwnfmp.sys
2008-01-27 16:56 . 2008-01-27 18:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-27 16:56 . 2008-01-27 17:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-27 16:56 . 2008-01-27 17:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-27 16:56 . 2008-01-27 17:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-27 14:47 . 2008-01-27 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 14:46 . 2008-02-10 15:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 14:46 . 2008-01-27 14:46 <DIR> d-------- C:\Documents and Settings\Guru\Application Data\SUPERAntiSpyware.com
2008-01-24 21:27 . 2008-01-24 21:27 <DIR> d-------- C:\WINDOWS\system32\0C12160E161715
2008-01-16 13:15 . 2008-01-16 13:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 13:15 . 2008-01-16 13:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 19:49 . 2008-01-11 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Activ Software
2008-01-11 19:48 . 2008-01-11 19:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\Common Files\ACTIV Software
2008-01-11 19:48 . 2008-01-11 19:50 <DIR> d-------- C:\Program Files\ACTIV Software
2008-01-10 23:23 . 2008-01-20 11:57 9,662 --a------ C:\WINDOWS\EPISME00.SWB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 18:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:02 --------- d-----w C:\Documents and Settings\Guru\Application Data\Azureus
2008-02-10 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-09 10:02 --------- d-----w C:\Program Files\PowerISO
2008-02-09 10:02 --------- d-----w C:\Program Files\D-Tools
2008-02-03 11:16 --------- d-----w C:\Documents and Settings\Guru\Application Data\Roxio
2008-02-02 20:21 --------- d-----w C:\Program Files\Security Task Manager
2008-01-27 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 17:59 --------- d-----w C:\Program Files\Bonjour
2008-01-27 14:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 11:57 --------- d-----w C:\Program Files\QuickTime
2008-01-07 23:44 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-07 23:42 --------- d-----w C:\Program Files\Macromedia
2008-01-07 13:47 --------- d-----w C:\Program Files\AC3Filter
2008-01-07 13:45 --------- d-----w C:\Program Files\AC3File
2008-01-07 13:42 --------- d-----w C:\Program Files\DivX
2008-01-06 20:41 --------- d-----w C:\Program Files\Apple Software Update
2008-01-06 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-06 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-06 19:45 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-06 19:45 --------- d-----w C:\Program Files\Autodesk
2008-01-06 19:06 --------- d-----w C:\Program Files\MagicDisc
2008-01-06 19:04 --------- d-----w C:\Documents and Settings\Guru\Application Data\ImgBurn
2008-01-06 19:03 --------- d-----w C:\Program Files\ImgBurn
2008-01-06 15:34 --------- d-----w C:\Documents and Settings\Guru\Application Data\DivX
2008-01-06 15:13 --------- d-----w C:\Program Files\Azureus
2008-01-04 17:42 --------- d-----w C:\Program Files\EPSON
2008-01-01 19:57 --------- d-----w C:\Documents and Settings\Guru\Application Data\Vso
2007-12-29 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-29 11:20 --------- d-----w C:\Documents and Settings\Guru\Application Data\Grisoft
2007-12-29 11:08 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-29 11:01 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2007-12-28 19:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-28 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-16 20:54 --------- d-----w C:\Program Files\Electric Rain
2007-12-16 17:30 --------- d-----w C:\Program Files\dvddr
2007-12-16 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-16 11:30 54,784 ----a-w C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-16 11:30 12,464 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-16 11:30 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-16 11:29 --------- d-----w C:\Program Files\backburner 2
2007-12-11 19:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 19:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:46 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-12-11 19:46 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-11 19:46 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-05 19:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-10-08 17:47 94,080 ----a-w C:\Documents and Settings\Guru\Application Data\ezplay.sys
2007-10-08 17:47 81,920 ----a-w C:\Documents and Settings\Guru\Application Data\ezpinst.exe
2007-10-08 17:47 47,360 ----a-w C:\Documents and Settings\Guru\Application Data\pcouffin.sys
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-29 11:08 224248]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActivFilter"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivFilter.exe" [2008-01-26 11:51 23552]
"ActivControl"="C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe" [2008-01-26 11:51 843776]
"BFC5C9C1C9CAC8CD"="D6DCE0D8E0E1DF.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-29 11:08 224248]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-12-28 18:51 200704]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 23:29 579072]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-27 12:35 620152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 23:29 219136]

C:\Documents and Settings\Guru\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-06 19:06:32 557568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Rasbdd"=3 (0x3)
"cmdService"=2 (0x2)

R3 ActivHIDSerMini;Promethean Serial Board Driver;C:\WINDOWS\system32\DRIVERS\activhidsermini.sys [2006-10-04 16:14]
R3 prmvmouse;Promethean HID Mouse Service;C:\WINDOWS\system32\DRIVERS\activmouse.sys [2006-10-04 16:14]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 20:41:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 18:41:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 18:42:15
ComboFix-quarantined-files.txt 2008-02-10 18:42:06
ComboFix2.txt 2008-02-09 19:40:19
ComboFix3.txt 2008-02-09 10:16:36
ComboFix4.txt 2008-02-02 20:15:25
.
2008-02-09 10:33:19 --- E O F ---
  • 0

#14
Rorschach112
Posted 10 February 2008 - 01:54 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\Run: [BFC5C9C1C9CAC8CD] D6DCE0D8E0E1DF.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log and tell me how your PC is running
  • 0

#15
Rorschach112
Posted 10 February 2008 - 01:54 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Double post

Edited by Rorschach112, 10 February 2008 - 01:55 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP