PC Slow, Can't Show Hidden Files, Suspicious



#1 Phrozenflame (Member, 21 posts)

PC is slow, I can't display hidden files and there seem to be autorun files too. I have scanned with updated AVG Anti-Virus, Anti-Spyware and Ad-Aware 2007. No results... yet my PC is getting extremely slow. Sometimes, for no reason, a process is taking 50% CPU usage... it's random, but mostly it's a browser process. I use Opera, Firefox and sometimes IE.

TY

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:46 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\IDU\IDUServ.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\taskswitch.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\ALCWZRD.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Opera\Opera.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\explorer.exe
D:\Program Files\FlashGet\flashget.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [Runonce] D:\WINDOWS\smss.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.symentec.com
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193170030343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B69DC2AE-6054-4C62-B830-4398B1C1F8FB}: NameServer = 203.135.0.70,203.135.1.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B02338-6DF7-4587-A631-692DBD6DA5EB}: NameServer = 4.2.2.5,4.2.2.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 10419 bytes


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello Phrozenflame

Welcome to G2Go. :)
=====================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
#3 Phrozenflame (Topic Starter, Member, 21 posts)

Hiye, Thanks for your help :)

ComboFix 08-02.03.1 - Osama Zulfiqar 2008-02-03 6:54:35.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.466 [GMT 5:00]
Running from: D:\Documents and Settings\Osama Zulfiqar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\WINDOWS\autorun.inf
D:\WINDOWS\system32\amvo0.dll
D:\WINDOWS\system32\amvo1.dll

----- BITS: Possible infected sites -----

hxxp://msgr.dlservice.microsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\SUPERAntiSpyware.com
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 00:06 . 2008-02-03 00:06 <DIR> d-------- D:\Program Files\Trend Micro
2008-02-02 23:09 . 2008-02-02 23:09 <DIR> d-------- D:\Program Files\Lavasoft
2008-02-02 23:09 . 2008-02-02 23:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-02 02:30 . 2008-02-02 02:30 <DIR> d--hs---- D:\FOUND.159
2008-01-31 12:53 . 2008-01-31 12:53 <DIR> d--hs---- D:\FOUND.158
2008-01-30 23:57 . 2008-01-30 23:57 <DIR> d--hs---- D:\FOUND.157
2008-01-30 00:57 . 2008-01-30 00:57 <DIR> d--hs---- D:\FOUND.156
2008-01-25 20:02 . 2008-01-25 20:02 <DIR> d--hs---- D:\FOUND.155
2008-01-23 00:00 . 2008-01-23 00:00 <DIR> d--hs---- D:\FOUND.154
2008-01-22 20:05 . 2008-01-22 20:05 <DIR> d--hs---- D:\FOUND.153
2008-01-22 14:52 . 2008-01-22 14:52 <DIR> d--hs---- D:\FOUND.152
2008-01-18 04:44 . 2008-01-18 04:44 <DIR> d-------- D:\Program Files\Neoretix
2008-01-18 03:48 . 2008-01-18 03:48 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-01-18 03:48 . 2008-01-18 03:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-18 03:48 . 2007-11-07 18:51 229,621 -rahs---- D:\WINDOWS\Funny UST Scandal.exe
2008-01-18 03:42 . 2008-01-18 03:42 <DIR> d-------- D:\log
2008-01-18 01:14 . 2008-01-18 01:14 <DIR> d--hs---- D:\FOUND.151
2008-01-16 22:25 . 2008-01-16 22:25 <DIR> d--hs---- D:\FOUND.150
2008-01-16 08:35 . 2007-11-07 18:51 229,621 -rahs---- D:\Funny UST Scandal.avi.exe
2008-01-15 00:04 . 2008-01-15 00:04 <DIR> d--hs---- D:\FOUND.149
2008-01-14 21:48 . 2008-01-14 21:48 <DIR> d--hs---- D:\FOUND.148
2008-01-12 02:42 . 2008-01-12 02:42 <DIR> d-------- D:\Program Files\MSECache
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d--hs---- D:\FOUND.147
2008-01-11 16:41 . 2008-01-11 16:41 <DIR> d--hs---- D:\FOUND.146
2008-01-10 20:01 . 2008-01-10 20:01 <DIR> d--hs---- D:\FOUND.145
2008-01-10 02:37 . 2008-01-10 02:37 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\FrostWire
2008-01-10 02:19 . 2007-09-24 23:31 69,632 --a------ D:\WINDOWS\system32\javacpl.cpl
2008-01-10 02:06 . 2008-01-10 02:06 <DIR> d-------- D:\Program Files\FrostWire
2008-01-09 19:59 . 2008-01-09 19:59 <DIR> d--hs---- D:\FOUND.144
2008-01-06 19:56 . 2008-01-06 19:56 <DIR> d-------- D:\Program Files\Powerbullet
2008-01-06 19:11 . 2007-01-13 09:45 172,032 --a------ D:\WINDOWS\system32\igfxres.dll
2008-01-06 17:46 . 2008-01-06 17:46 <DIR> d--hs---- D:\FOUND.143
2008-01-06 17:38 . 2008-01-06 17:38 <DIR> d--hs---- D:\FOUND.142
2008-01-06 17:00 . 2008-01-06 17:01 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\Serious Magic
2008-01-06 16:58 . 2008-01-06 16:58 <DIR> d-------- D:\Program Files\Serious Magic
2008-01-06 16:58 . 2008-01-06 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Serious Magic
2008-01-06 15:54 . 2008-01-06 15:54 <DIR> d--hs---- D:\FOUND.141

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 10:20 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-02-02 10:20 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 02:41 573,440 ------w D:\WINDOWS\Internet Logs\xDB29.tmp
2008-01-30 02:41 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB2A.tmp
2008-01-22 10:40 13,824 ------w D:\WINDOWS\Internet Logs\xDB28.tmp
2008-01-18 04:34 286,720 ------w D:\WINDOWS\Internet Logs\xDB27.tmp
2008-01-17 03:53 1,056,768 ------w D:\WINDOWS\Internet Logs\xDB26.tmp
2008-01-16 11:49 10,398,241 ------w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-12 08:58 35,712 ----a-w D:\Documents and Settings\Osama Zulfiqar\Application Data\GDIPFONTCACHEV1.DAT
2007-12-21 21:40 63,488 ------w D:\WINDOWS\Internet Logs\xDB24.tmp
2007-12-21 21:40 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB25.tmp
2007-12-20 14:57 92,672 ------w D:\WINDOWS\Internet Logs\xDB22.tmp
2007-12-20 14:57 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB23.tmp
2007-12-18 03:31 589,824 ------w D:\WINDOWS\Internet Logs\xDB20.tmp
2007-12-18 03:31 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB21.tmp
2007-12-14 06:32 12,632 ----a-w D:\WINDOWS\system32\lsdelete.exe
2007-12-11 18:40 --------- d-----w D:\Program Files\PictureDesk
2007-12-11 04:45 401,408 ------w D:\WINDOWS\Internet Logs\xDB1E.tmp
2007-12-11 04:45 1,835,008 ------w D:\WINDOWS\Internet Logs\xDB1F.tmp
2007-12-10 13:18 --------- d-----w D:\Documents and Settings\All Users\Application Data\Bluetooth
2007-12-07 13:20 46,592 ------w D:\WINDOWS\Internet Logs\xDB1C.tmp
2007-12-07 13:20 1,563,648 ------w D:\WINDOWS\Internet Logs\xDB1D.tmp
2007-12-07 12:52 --------- d-----w D:\Program Files\My-Proxy
2007-12-06 21:57 409,600 ------w D:\WINDOWS\Internet Logs\xDB1A.tmp
2007-12-06 21:57 1,556,992 ------w D:\WINDOWS\Internet Logs\xDB1B.tmp
2007-11-28 16:29 1,540,608 ------w D:\WINDOWS\Internet Logs\xDB19.tmp
2007-11-25 02:39 178,688 ------w D:\WINDOWS\Internet Logs\xDB17.tmp
2007-11-25 02:39 1,534,464 ------w D:\WINDOWS\Internet Logs\xDB18.tmp
2007-11-19 14:27 286,720 ------w D:\WINDOWS\Internet Logs\xDB16.tmp
2007-11-17 22:58 376,832 ------w D:\WINDOWS\Internet Logs\xDB14.tmp
2007-11-17 22:58 1,516,544 ------w D:\WINDOWS\Internet Logs\xDB15.tmp
2007-11-07 21:36 47,104 ------w D:\WINDOWS\Internet Logs\xDB12.tmp
2007-11-07 21:36 1,498,112 ------w D:\WINDOWS\Internet Logs\xDB13.tmp
2007-11-06 22:31 331,264 ------w D:\WINDOWS\Internet Logs\xDB10.tmp
2007-11-06 22:31 1,494,528 ------w D:\WINDOWS\Internet Logs\xDB11.tmp
2007-10-29 08:52 1,470,464 ------w D:\WINDOWS\Internet Logs\xDBF.tmp
2007-10-28 23:51 70,656 ------w D:\WINDOWS\Internet Logs\xDBD.tmp
2007-10-28 23:51 1,469,440 ------w D:\WINDOWS\Internet Logs\xDBE.tmp
2007-10-28 12:00 1,465,344 ------w D:\WINDOWS\Internet Logs\xDBC.tmp
2007-10-28 12:00 1,137,152 ------w D:\WINDOWS\Internet Logs\xDBB.tmp
2007-10-20 09:17 306,176 ------w D:\WINDOWS\Internet Logs\xDB9.tmp
2007-10-20 09:17 1,439,232 ------w D:\WINDOWS\Internet Logs\xDBA.tmp
2007-10-18 09:08 532,480 ------w D:\WINDOWS\Internet Logs\xDB8.tmp
2007-10-16 06:08 925,696 ------w D:\WINDOWS\Internet Logs\xDB6.tmp
2007-10-16 06:08 1,423,872 ------w D:\WINDOWS\Internet Logs\xDB7.tmp
2007-10-12 19:36 1,458,176 ------w D:\WINDOWS\Internet Logs\xDB4.tmp
2007-10-12 19:36 1,420,800 ------w D:\WINDOWS\Internet Logs\xDB5.tmp
2007-10-10 10:52 1,414,656 ------w D:\WINDOWS\Internet Logs\xDB3.tmp
2007-10-06 22:21 363,520 ------w D:\WINDOWS\Internet Logs\xDB1.tmp
2007-10-06 22:21 1,401,344 ------w D:\WINDOWS\Internet Logs\xDB2.tmp
2007-10-05 11:30 523,264 ------w D:\WINDOWS\Internet Logs\xDB1AF.tmp
2007-10-05 11:30 1,389,056 ------w D:\WINDOWS\Internet Logs\xDB1B0.tmp
2007-10-02 06:44 21,495,305 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_11_34_21_full.dmp.zip
2007-10-02 06:37 120,320 ------w D:\WINDOWS\Internet Logs\xDB39D.tmp
2007-10-02 04:30 138,089 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_40_06_small.dmp.zip
2007-10-02 04:30 115,140 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_37_00_small.dmp.zip
2007-10-02 04:30 112,650 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_41_17_small.dmp.zip
2007-10-02 04:30 106,886 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_38_37_small.dmp.zip
2007-10-01 22:41 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB250.tmp
2007-10-01 22:40 24,064 ------w D:\WINDOWS\Internet Logs\xDB24A.tmp
2007-10-01 22:40 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB24B.tmp
2007-10-01 22:38 27,648 ------w D:\WINDOWS\Internet Logs\xDB242.tmp
2007-10-01 22:38 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB243.tmp
2007-10-01 22:37 1,339,392 ------w D:\WINDOWS\Internet Logs\xDB23E.tmp
2007-10-01 16:20 112,583 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_19_38_28_small.dmp.zip
2007-10-01 10:39 20,698,146 ------w D:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_13_48_04_full.dmp.zip
2007-10-01 10:39 113,319 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_47_03_small.dmp.zip
2007-10-01 10:39 106,375 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_44_58_small.dmp.zip
2007-10-01 08:40 110,088 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_39_33_small.dmp.zip
2007-09-30 18:19 251,904 ------w D:\WINDOWS\Internet Logs\xDB11C.tmp
2006-11-23 16:01 94,744 ----a-w D:\Program Files\grid32.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"Runonce"="D:\WINDOWS\smss.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="D:\WINDOWS\System32\taskswitch.exe" [2002-03-19 17:30 45632]
"NVCLOCK"="nvclock.dll" [2003-04-14 06:59 81920 D:\WINDOWS\system32\nvclock.dll]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:29 579072]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 86016 D:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-10-11 13:33 2807808 D:\WINDOWS\ALCWZRD.EXE]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-09-30 10:35 4603904]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2004-09-30 10:35 86016]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:25 6731312]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2005-11-10 15:31 155648]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 16:32 219136]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
lsass.exe [2007-11-07 18:51:42 229621]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLogon]
srvc.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=D:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=D:\WINDOWS\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=D:\WINDOWS\pss\PCSuiteForNokia6600 TS.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinIRXHelper.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinIRXHelper.lnk
backup=D:\WINDOWS\pss\WinIRXHelper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 D:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
D:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 22:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2004-08-24 13:30 986624 D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a------ 2007-03-16 07:51 715888 D:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2005-01-07 17:07 61952 D:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 D:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
--a------ 2004-06-11 16:04 1226752 C:\Program Files\Intel\IDU\iptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
--a------ 2004-09-23 14:19 477696 D:\Program Files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 14:50 155648 D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
--a------ 2003-12-19 11:38 425984 D:\Program Files\Common Files\Nokia\Tools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-09-30 10:35 921600 D:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2004-08-17 16:04 148992 D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-10 15:31 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonicFocus]
D:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2003-09-05 06:59 878080 D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-01-24 19:58 81920 D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-25 08:35 68856 D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-08-24 17:37 2539520 D:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Core Kernel Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Win32Kernel"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WINLOGON"=2 (0x2)
"usnjsvc"=3 (0x3)
"Tenable Nessus"=2 (0x2)
"SPTISRV"=3 (0x3)
"sdk"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=2 (0x2)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"aawservice"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"New.net Startup"=rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

R0 d343bus;d343bus;D:\WINDOWS\system32\DRIVERS\d343bus.sys [2003-12-15 18:46]
R0 d343port;d343port;D:\WINDOWS\system32\DRIVERS\d343port.sys [2003-12-15 17:29]
R2 osaio;osaio;D:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 15:28]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;D:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 12:11]
R3 VGAUTI;VGAUTI;D:\WINDOWS\System32\DRIVERS\VGAUTI.sys [2005-01-17 11:51]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);D:\WINDOWS\system32\DRIVERS\zebrceb.sys [2006-02-01 13:01]
S3 BTNetFilter;Bluetooth Network Filter;D:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 Cap7134;ASUS TV7134 WDM Video Capture;D:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-18 14:17]
S3 dump_wmimmc;dump_wmimmc;E:\games\softnyx\GunboundWC\GameGuard\dump_wmimmc.sys []
S3 Intels51;Intel® 536EP Modem;D:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 20:44]
S3 MEMSWEEP2;MEMSWEEP2;D:\WINDOWS\system32\SophosMEMSWEEP.SYS []
S3 NPF;Netgroup Packet Filter;D:\WINDOWS\system32\drivers\packet.sys [2004-09-21 18:18]
S3 PhTVTune;ASUS WDM TV Tuner;D:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-18 07:23]
S3 tap0801;TAP-Win32 Adapter V8;D:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 17:37]
S3 XDva028;XDva028;D:\WINDOWS\system32\XDva028.sys []
S4 Remote Reader Machine;Remote Reader Machine;"D:\WINDOWS\system32\ssmc.exe" []
S4 sdk;Microsoft sdk core;"D:\WINDOWS\lsass.exe" []
S4 Tenable Nessus;Tenable Nessus;"D:\Program Files\Tenable\Nessus\nessusd.exe" [2007-07-27 16:01]
S4 Win32Kernel;Win32 Kernel Update;"D:\WINDOWS\win32host.exe" []
S4 Windows Idle Process;Windows Idle Process;"D:\WINDOWS\system32\smsc.exe" []
S4 WINLOGON;Windows NT Logon Application;"D:\WINDOWS\system\winlogon.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb01b58-ac87-11da-9421-00508b0d65a7}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46aa3c8a-ed00-11db-ad4e-000e509ec26c}]
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52ee5d18-e711-11db-ad25-000e509ec26c}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{658c365c-f4e5-11db-ad7a-000e509ec26c}]
\Shell\AutoRun\command - K:\h.cmd
\Shell\explore\Command - K:\h.cmd
\Shell\open\Command - K:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac6ce-e764-11db-ad28-000e509ec26c}]
\Shell\AutoRun\command - J:\RavMon.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7c58b78-158d-11db-9667-000e509ec26c}]
\Shell\AutoRun\command - G:\m1t8ta.com
\Shell\explore\Command - G:\m1t8ta.com
\Shell\open\Command - G:\m1t8ta.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa87b154-0d19-11dc-ae31-000e509ec26c}]
\Shell\AutoRun\command - J:\RavMon.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 06:58:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 7:00:13
ComboFix-quarantined-files.txt 2008-02-03 02:00:10
ComboFix2.txt 2007-10-19 19:18:50


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:20 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\IDU\IDUServ.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\taskswitch.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\ALCWZRD.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Runonce] D:\WINDOWS\smss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.symentec.com
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193170030343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B69DC2AE-6054-4C62-B830-4398B1C1F8FB}: NameServer = 203.135.0.70,203.135.1.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B02338-6DF7-4587-A631-692DBD6DA5EB}: NameServer = 4.2.2.5,4.2.2.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 10102 bytes


  • 0
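The MountPoints2 blocks in the ComboFix log above are the per-drive autorun handlers that a removable-disk infection leaves behind: every verb (AutoRun, open, explore) points at a file carried on the stick, sometimes wrapped in the legitimate RunDLL32/ShellExec_RunDLL entry point. As an added example (not part of the original post or of ComboFix), this Python script parses those blocks from a ComboFix-style log, unwraps the ShellExec indirection and lists the files each drive would launch; the sample log is constructed from the entries quoted in this thread.

```python
"""Triage removable-drive autorun handlers from a ComboFix-style log.

Added example for this thread, not part of the original post or of ComboFix.
ComboFix prints one block per remembered drive under the Explorer MountPoints2
key, followed by the per-verb command Explorer runs when the drive is
auto-played, opened or explored. A clean drive has no such commands; an
infected one points every verb at a file carried on the drive.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: MountPoints2 blocks quoted from the ComboFix log
# earlier in this thread (GUIDs and commands as they appear there).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb01b58-ac87-11da-9421-00508b0d65a7}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46aa3c8a-ed00-11db-ad4e-000e509ec26c}]
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{658c365c-f4e5-11db-ad7a-000e509ec26c}]
\Shell\AutoRun\command - K:\h.cmd
\Shell\explore\Command - K:\h.cmd
\Shell\open\Command - K:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7c58b78-158d-11db-9667-000e509ec26c}]
\Shell\AutoRun\command - G:\m1t8ta.com
\Shell\explore\Command - G:\m1t8ta.com
\Shell\open\Command - G:\m1t8ta.com
"""

# One ComboFix MountPoints2 key header; the capture is the drive's GUID.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# One verb line: "\Shell\<verb>\command - <command line>" (case varies in the log).
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.*)$", re.I)
# RunDLL32 Shell32.DLL,ShellExec_RunDLL <target>: unwrap to the real target.
SHELLEXEC_RE = re.compile(r"Shell32\.DLL,ShellExec_RunDLL\s+(.+)$", re.I)
# File types Explorer executes rather than opens with a viewer.
EXEC_EXT = (".exe", ".com", ".cmd", ".bat", ".pif", ".scr", ".vbs", ".js")


@dataclass
class MountPoint:
    guid: str
    commands: dict = field(default_factory=dict)  # verb (lowercased) -> command line


def parse_mountpoints(text):
    """Split a ComboFix log into MountPoint records, ignoring unrelated lines."""
    points, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = MountPoint(key.group(1).lower())
            points.append(current)
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            current.commands[verb.group(1).lower()] = verb.group(2).strip()
    return points


def launched_target(command):
    """Return what a verb command actually launches, arguments included."""
    wrapped = SHELLEXEC_RE.search(command)
    return (wrapped.group(1) if wrapped else command).strip()


def program_of(command):
    """First token of the launched target (the program, without its arguments)."""
    parts = launched_target(command).split()
    return parts[0] if parts else ""


def is_suspicious(command):
    """True when the verb runs an executable file type instead of opening a document."""
    return program_of(command).lower().endswith(EXEC_EXT)


def triage(text):
    """Map GUID -> {verb: launched target} for drives whose verbs run code."""
    findings = {}
    for mp in parse_mountpoints(text):
        hits = {v: launched_target(c) for v, c in mp.commands.items() if is_suspicious(c)}
        if hits:
            findings[mp.guid] = hits
    return findings


def suspicious_targets(findings):
    """Distinct file names the flagged drives would launch, for the removal list."""
    names = {ntpath.basename(t.split()[0]).lower()
             for hits in findings.values() for t in hits.values()}
    return sorted(names)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for guid, hits in found.items():
        print(guid)
        for verb, target in sorted(hits.items()):
            print(f"  {verb:<8} -> {target}")
    print("files to look for on the drives:", ", ".join(suspicious_targets(found)))
```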

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

  • 0

#5
Phrozenflame

    Member

  • Topic Starter
  • Member
  • 21 posts

SDFix


SDFix: Version 1.136

Run by Osama Zulfiqar on Sun 02/03/2008 at 09:16 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\DOCUME~1\OSAMAZ~1\Desktop\SDfix\SDFix

Safe Mode:
Checking Services:

Name:
Remote Reader Machine
sdk
Win32Kernel
WINLOGON

Path:
"D:\WINDOWS\system32\ssmc.exe"
"D:\WINDOWS\lsass.exe"
"D:\WINDOWS\win32host.exe"
"D:\WINDOWS\system\winlogon.exe"

Remote Reader Machine - Deleted
sdk - Deleted
Win32Kernel - Deleted
WINLOGON - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

D:\WINDOWS\SYSTEM32\ARAUDI~1.DLL - Deleted
D:\WINDOWS\SYSTEM32\ARAUDI~2.DLL - Deleted
D:\WINDOWS\SYSTEM32\ARAUDI~3.DLL - Deleted
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 09:29:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - D:\DOCUME~1\OSAMAZ~1\Desktop\SDfix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 7 Nov 2007 229,621 A.SHR --- "D:\Funny UST Scandal.avi.exe"
Wed 7 Nov 2007 229,621 A.SHR --- "D:\WINDOWS\Funny UST Scandal.exe"
Wed 5 Oct 2005 1,024 ...HR --- "D:\WINDOWS\system32\ntiembed.dll"
Tue 23 May 2006 4,348 ..SH. --- "D:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 11 Nov 2006 5,346 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\cc_20061111_1444.reg"
Sat 8 Apr 2006 9,934,458 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\rregbackyp.reg"
Sat 11 Nov 2006 179 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\cc_20061111_1445.reg"
Tue 3 Jul 2007 25,088 ...H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\~WRL2400.tmp"
Tue 3 Jul 2007 29,696 ...H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\~WRL3412.tmp"
Fri 20 Oct 2006 86,780,512 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\Regbakup.reg"
Fri 20 Oct 2006 101,725 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\cc_20061020_0803.reg"
Fri 20 Oct 2006 14,293 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\cc_20061020_0804.reg"
Sun 22 Oct 2006 3,393 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\cc_20061022_1113.reg"
Mon 6 Nov 2006 0 A.SH. --- "D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 19 Oct 2005 83,851 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\My Received Files\PROJECT.zip"
Tue 27 Dec 2005 12,561 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\My Received Files\Album 1.zip"
Sat 12 Nov 2005 17,871 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\Thunder Pics\cydoxgvg01.zip"
Thu 17 Nov 2005 684,210 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\Wiki watch\My Pictures.zip"
Fri 3 Nov 2006 1,238,224 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\top 10 mba\awstats-6.5.zip"
Wed 24 Oct 2007 322,560 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\A-ZA Folder\ZA HR\ESL HR Policy Docs\~WRL0149.tmp"
Wed 24 Oct 2007 325,120 A..H. --- "D:\Documents and Settings\Osama Zulfiqar\My Documents\A-ZA Folder\ZA HR\ESL HR Policy Docs\~WRL3455.tmp"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:34 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\IDU\IDUServ.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\System32\taskswitch.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\ALCWZRD.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.symentec.com
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193170030343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B69DC2AE-6054-4C62-B830-4398B1C1F8FB}: NameServer = 203.135.0.70,203.135.1.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B02338-6DF7-4587-A631-692DBD6DA5EB}: NameServer = 4.2.2.5,4.2.2.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 10207 bytes


Also, I feel these keep coming from my USB. In fact I am sure of it. How can I stop them from infecting my PC again and again? USB usage is a must for me; the viruses on it come from the University network, and I need to use it for studies :/.

Ty

Edited by Phrozenflame, 02 February 2008 - 10:42 PM.

  • 0

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
During this run with ComboFix, please insert your flash drive while it is running, as the infected files will be deleted.
We will run a flash disinfector tool after that to finish that part up.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
Make sure to scroll the entire way down inside of the codebox to get the entire contents
File::
D:\WINDOWS\Funny UST Scandal.exe
D:\Funny UST Scandal.avi.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe
D:\WINDOWS\system32\amvo.exe
E:\games\softnyx\GunboundWC\GameGuard\dump_wmimmc.sys
D:\WINDOWS\system32\ssmc.exe
D:\WINDOWS\lsass.exe
D:\WINDOWS\win32host.exe
D:\WINDOWS\system32\smsc.exe
D:\WINDOWS\system\winlogon.exe
J:\RavMon.exe
K:\h.cmd
G:\m1t8ta.com

Folder::
D:\PROGRA~1\NEWDOT~1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLogon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Core Kernel Update]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"New.net Startup"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb01b58-ac87-11da-9421-00508b0d65a7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52ee5d18-e711-11db-ad25-000e509ec26c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{658c365c-f4e5-11db-ad7a-000e509ec26c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac6ce-e764-11db-ad28-000e509ec26c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7c58b78-158d-11db-9667-000e509ec26c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa87b154-0d19-11dc-ae31-000e509ec26c}]

Driver::
dump_wmimmc
Windows Idle Process


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#7
Phrozenflame

    Member

  • Topic Starter
  • Member
  • 21 posts

ComboFix 08-02.03.1 - Osama Zulfiqar 2008-02-03 17:55:37.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.578 [GMT 5:00]
Running from: D:\Documents and Settings\Osama Zulfiqar\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Osama Zulfiqar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe
D:\Funny UST Scandal.avi.exe
D:\WINDOWS\Funny UST Scandal.exe
D:\WINDOWS\lsass.exe
D:\WINDOWS\system\winlogon.exe
D:\WINDOWS\system32\amvo.exe
D:\WINDOWS\system32\smsc.exe
D:\WINDOWS\system32\ssmc.exe
D:\WINDOWS\win32host.exe
E:\games\softnyx\GunboundWC\GameGuard\dump_wmimmc.sys
G:\m1t8ta.com
J:\RavMon.exe
K:\h.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Funny UST Scandal.avi.exe
D:\WINDOWS\Funny UST Scandal.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DUMP_WMIMMC
-------\LEGACY_WINDOWS_IDLE_PROCESS
-------\dump_wmimmc
-------\Windows Idle Process


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 09:12 . 2008-02-03 09:12 <DIR> d-------- D:\WINDOWS\ERUNT
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\SUPERAntiSpyware.com
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 00:06 . 2008-02-03 00:06 <DIR> d-------- D:\Program Files\Trend Micro
2008-02-02 23:09 . 2008-02-02 23:09 <DIR> d-------- D:\Program Files\Lavasoft
2008-02-02 23:09 . 2008-02-02 23:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-02 02:30 . 2008-02-02 02:30 <DIR> d--hs---- D:\FOUND.159
2008-01-31 12:53 . 2008-01-31 12:53 <DIR> d--hs---- D:\FOUND.158
2008-01-30 23:57 . 2008-01-30 23:57 <DIR> d--hs---- D:\FOUND.157
2008-01-30 00:57 . 2008-01-30 00:57 <DIR> d--hs---- D:\FOUND.156
2008-01-25 20:02 . 2008-01-25 20:02 <DIR> d--hs---- D:\FOUND.155
2008-01-23 00:00 . 2008-01-23 00:00 <DIR> d--hs---- D:\FOUND.154
2008-01-22 20:05 . 2008-01-22 20:05 <DIR> d--hs---- D:\FOUND.153
2008-01-22 14:52 . 2008-01-22 14:52 <DIR> d--hs---- D:\FOUND.152
2008-01-18 04:44 . 2008-01-18 04:44 <DIR> d-------- D:\Program Files\Neoretix
2008-01-18 03:48 . 2008-01-18 03:48 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-01-18 03:48 . 2008-01-18 03:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-18 03:42 . 2008-01-18 03:42 <DIR> d-------- D:\log
2008-01-18 01:14 . 2008-01-18 01:14 <DIR> d--hs---- D:\FOUND.151
2008-01-16 22:25 . 2008-01-16 22:25 <DIR> d--hs---- D:\FOUND.150
2008-01-15 00:04 . 2008-01-15 00:04 <DIR> d--hs---- D:\FOUND.149
2008-01-14 21:48 . 2008-01-14 21:48 <DIR> d--hs---- D:\FOUND.148
2008-01-12 02:42 . 2008-01-12 02:42 <DIR> d-------- D:\Program Files\MSECache
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d--hs---- D:\FOUND.147
2008-01-11 16:41 . 2008-01-11 16:41 <DIR> d--hs---- D:\FOUND.146
2008-01-10 20:01 . 2008-01-10 20:01 <DIR> d--hs---- D:\FOUND.145
2008-01-10 02:37 . 2008-01-10 02:37 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\FrostWire
2008-01-10 02:19 . 2007-09-24 23:31 69,632 --a------ D:\WINDOWS\system32\javacpl.cpl
2008-01-10 02:06 . 2008-01-10 02:06 <DIR> d-------- D:\Program Files\FrostWire
2008-01-09 19:59 . 2008-01-09 19:59 <DIR> d--hs---- D:\FOUND.144
2008-01-06 19:56 . 2008-01-06 19:56 <DIR> d-------- D:\Program Files\Powerbullet
2008-01-06 19:11 . 2007-01-13 09:45 172,032 --a------ D:\WINDOWS\system32\igfxres.dll
2008-01-06 17:46 . 2008-01-06 17:46 <DIR> d--hs---- D:\FOUND.143
2008-01-06 17:38 . 2008-01-06 17:38 <DIR> d--hs---- D:\FOUND.142
2008-01-06 17:00 . 2008-01-06 17:01 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\Serious Magic
2008-01-06 16:58 . 2008-01-06 16:58 <DIR> d-------- D:\Program Files\Serious Magic
2008-01-06 16:58 . 2008-01-06 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Serious Magic
2008-01-06 15:54 . 2008-01-06 15:54 <DIR> d--hs---- D:\FOUND.141

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 13:00 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-02-03 13:00 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 02:41 573,440 ------w D:\WINDOWS\Internet Logs\xDB29.tmp
2008-01-30 02:41 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB2A.tmp
2008-01-22 10:40 13,824 ------w D:\WINDOWS\Internet Logs\xDB28.tmp
2008-01-18 04:34 286,720 ------w D:\WINDOWS\Internet Logs\xDB27.tmp
2008-01-17 03:53 1,056,768 ------w D:\WINDOWS\Internet Logs\xDB26.tmp
2008-01-16 11:49 10,398,241 ------w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-12 08:58 35,712 ----a-w D:\Documents and Settings\Osama Zulfiqar\Application Data\GDIPFONTCACHEV1.DAT
2007-12-21 21:40 63,488 ------w D:\WINDOWS\Internet Logs\xDB24.tmp
2007-12-21 21:40 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB25.tmp
2007-12-20 14:57 92,672 ------w D:\WINDOWS\Internet Logs\xDB22.tmp
2007-12-20 14:57 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB23.tmp
2007-12-18 03:31 589,824 ------w D:\WINDOWS\Internet Logs\xDB20.tmp
2007-12-18 03:31 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB21.tmp
2007-12-14 06:32 12,632 ----a-w D:\WINDOWS\system32\lsdelete.exe
2007-12-11 18:40 --------- d-----w D:\Program Files\PictureDesk
2007-12-11 04:45 401,408 ------w D:\WINDOWS\Internet Logs\xDB1E.tmp
2007-12-11 04:45 1,835,008 ------w D:\WINDOWS\Internet Logs\xDB1F.tmp
2007-12-10 13:18 --------- d-----w D:\Documents and Settings\All Users\Application Data\Bluetooth
2007-12-07 13:20 46,592 ------w D:\WINDOWS\Internet Logs\xDB1C.tmp
2007-12-07 13:20 1,563,648 ------w D:\WINDOWS\Internet Logs\xDB1D.tmp
2007-12-07 12:52 --------- d-----w D:\Program Files\My-Proxy
2007-12-06 21:57 409,600 ------w D:\WINDOWS\Internet Logs\xDB1A.tmp
2007-12-06 21:57 1,556,992 ------w D:\WINDOWS\Internet Logs\xDB1B.tmp
2007-11-28 16:29 1,540,608 ------w D:\WINDOWS\Internet Logs\xDB19.tmp
2007-11-25 02:39 178,688 ------w D:\WINDOWS\Internet Logs\xDB17.tmp
2007-11-25 02:39 1,534,464 ------w D:\WINDOWS\Internet Logs\xDB18.tmp
2007-11-19 14:27 286,720 ------w D:\WINDOWS\Internet Logs\xDB16.tmp
2007-11-17 22:58 376,832 ------w D:\WINDOWS\Internet Logs\xDB14.tmp
2007-11-17 22:58 1,516,544 ------w D:\WINDOWS\Internet Logs\xDB15.tmp
2007-11-07 21:36 47,104 ------w D:\WINDOWS\Internet Logs\xDB12.tmp
2007-11-07 21:36 1,498,112 ------w D:\WINDOWS\Internet Logs\xDB13.tmp
2007-11-06 22:31 331,264 ------w D:\WINDOWS\Internet Logs\xDB10.tmp
2007-11-06 22:31 1,494,528 ------w D:\WINDOWS\Internet Logs\xDB11.tmp
2007-10-29 08:52 1,470,464 ------w D:\WINDOWS\Internet Logs\xDBF.tmp
2007-10-28 23:51 70,656 ------w D:\WINDOWS\Internet Logs\xDBD.tmp
2007-10-28 23:51 1,469,440 ------w D:\WINDOWS\Internet Logs\xDBE.tmp
2007-10-28 12:00 1,465,344 ------w D:\WINDOWS\Internet Logs\xDBC.tmp
2007-10-28 12:00 1,137,152 ------w D:\WINDOWS\Internet Logs\xDBB.tmp
2007-10-20 09:17 306,176 ------w D:\WINDOWS\Internet Logs\xDB9.tmp
2007-10-20 09:17 1,439,232 ------w D:\WINDOWS\Internet Logs\xDBA.tmp
2007-10-18 09:08 532,480 ------w D:\WINDOWS\Internet Logs\xDB8.tmp
2007-10-16 06:08 925,696 ------w D:\WINDOWS\Internet Logs\xDB6.tmp
2007-10-16 06:08 1,423,872 ------w D:\WINDOWS\Internet Logs\xDB7.tmp
2007-10-12 19:36 1,458,176 ------w D:\WINDOWS\Internet Logs\xDB4.tmp
2007-10-12 19:36 1,420,800 ------w D:\WINDOWS\Internet Logs\xDB5.tmp
2007-10-10 10:52 1,414,656 ------w D:\WINDOWS\Internet Logs\xDB3.tmp
2007-10-06 22:21 363,520 ------w D:\WINDOWS\Internet Logs\xDB1.tmp
2007-10-06 22:21 1,401,344 ------w D:\WINDOWS\Internet Logs\xDB2.tmp
2007-10-05 11:30 523,264 ------w D:\WINDOWS\Internet Logs\xDB1AF.tmp
2007-10-05 11:30 1,389,056 ------w D:\WINDOWS\Internet Logs\xDB1B0.tmp
2007-10-02 06:44 21,495,305 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_11_34_21_full.dmp.zip
2007-10-02 06:37 120,320 ------w D:\WINDOWS\Internet Logs\xDB39D.tmp
2007-10-02 04:30 138,089 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_40_06_small.dmp.zip
2007-10-02 04:30 115,140 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_37_00_small.dmp.zip
2007-10-02 04:30 112,650 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_41_17_small.dmp.zip
2007-10-02 04:30 106,886 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_38_37_small.dmp.zip
2007-10-01 22:41 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB250.tmp
2007-10-01 22:40 24,064 ------w D:\WINDOWS\Internet Logs\xDB24A.tmp
2007-10-01 22:40 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB24B.tmp
2007-10-01 22:38 27,648 ------w D:\WINDOWS\Internet Logs\xDB242.tmp
2007-10-01 22:38 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB243.tmp
2007-10-01 22:37 1,339,392 ------w D:\WINDOWS\Internet Logs\xDB23E.tmp
2007-10-01 16:20 112,583 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_19_38_28_small.dmp.zip
2007-10-01 10:39 20,698,146 ------w D:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_13_48_04_full.dmp.zip
2007-10-01 10:39 113,319 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_47_03_small.dmp.zip
2007-10-01 10:39 106,375 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_44_58_small.dmp.zip
2007-10-01 08:40 110,088 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_39_33_small.dmp.zip
2007-09-30 18:19 251,904 ------w D:\WINDOWS\Internet Logs\xDB11C.tmp
2006-11-23 16:01 94,744 ----a-w D:\Program Files\grid32.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="D:\WINDOWS\System32\taskswitch.exe" [2002-03-19 17:30 45632]
"NVCLOCK"="nvclock.dll" [2003-04-14 06:59 81920 D:\WINDOWS\system32\nvclock.dll]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:29 579072]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 86016 D:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-10-11 13:33 2807808 D:\WINDOWS\ALCWZRD.EXE]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-09-30 10:35 4603904]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2004-09-30 10:35 86016]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:25 6731312]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2005-11-10 15:31 155648]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 16:32 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=D:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=D:\WINDOWS\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=D:\WINDOWS\pss\PCSuiteForNokia6600 TS.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinIRXHelper.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinIRXHelper.lnk
backup=D:\WINDOWS\pss\WinIRXHelper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 D:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 22:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2004-08-24 13:30 986624 D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a------ 2007-03-16 07:51 715888 D:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2005-01-07 17:07 61952 D:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 D:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
--a------ 2004-06-11 16:04 1226752 C:\Program Files\Intel\IDU\iptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
--a------ 2004-09-23 14:19 477696 D:\Program Files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 14:50 155648 D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
--a------ 2003-12-19 11:38 425984 D:\Program Files\Common Files\Nokia\Tools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-09-30 10:35 921600 D:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2004-08-17 16:04 148992 D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-10 15:31 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonicFocus]
D:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2003-09-05 06:59 878080 D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-01-24 19:58 81920 D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-25 08:35 68856 D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-08-24 17:37 2539520 D:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Win32Kernel"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WINLOGON"=2 (0x2)
"usnjsvc"=3 (0x3)
"Tenable Nessus"=2 (0x2)
"SPTISRV"=3 (0x3)
"sdk"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=2 (0x2)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"aawservice"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)

R0 d343bus;d343bus;D:\WINDOWS\system32\DRIVERS\d343bus.sys [2003-12-15 18:46]
R0 d343port;d343port;D:\WINDOWS\system32\DRIVERS\d343port.sys [2003-12-15 17:29]
R2 osaio;osaio;D:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 15:28]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;D:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 12:11]
R3 VGAUTI;VGAUTI;D:\WINDOWS\System32\DRIVERS\VGAUTI.sys [2005-01-17 11:51]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);D:\WINDOWS\system32\DRIVERS\zebrceb.sys [2006-02-01 13:01]
S3 BTNetFilter;Bluetooth Network Filter;D:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 Cap7134;ASUS TV7134 WDM Video Capture;D:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-18 14:17]
S3 Intels51;Intel® 536EP Modem;D:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 20:44]
S3 MEMSWEEP2;MEMSWEEP2;D:\WINDOWS\system32\SophosMEMSWEEP.SYS []
S3 NPF;Netgroup Packet Filter;D:\WINDOWS\system32\drivers\packet.sys [2004-09-21 18:18]
S3 PhTVTune;ASUS WDM TV Tuner;D:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-18 07:23]
S3 tap0801;TAP-Win32 Adapter V8;D:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 17:37]
S3 XDva028;XDva028;D:\WINDOWS\system32\XDva028.sys []
S4 Tenable Nessus;Tenable Nessus;"D:\Program Files\Tenable\Nessus\nessusd.exe" [2007-07-27 16:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46aa3c8a-ed00-11db-ad4e-000e509ec26c}]
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 18:01:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\IDU\IDUServ.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-03 18:05:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 13:05:06
ComboFix3.txt 2007-10-19 19:18:50
ComboFix2.txt 2008-02-03 02:00:16


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:15 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\ComboFix\kmd.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\IDU\IDUServ.exe
D:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\ALCWZRD.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\regedit.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.symentec.com
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193170030343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B69DC2AE-6054-4C62-B830-4398B1C1F8FB}: NameServer = 203.135.0.70,203.135.1.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B02338-6DF7-4587-A631-692DBD6DA5EB}: NameServer = 4.2.2.5,4.2.2.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 10213 bytes


  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
With all removable drives plugged in do the following:

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
=================================================================
After that let's see what is left over. :)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
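The note above says Flash_Disinfector leaves a hidden folder named autorun.inf on each drive. As an added example (my own code, not code from this thread, from sUBs' Flash_Disinfector or from ComboFix), here is a small Python triage helper that shows the two halves of that story: what an [autorun] section can make Windows XP launch when a drive is opened, and why a folder carrying the file's name blocks a later drop of the file (a file and a folder cannot share a name in the same directory). The autorun.inf text in the block is constructed, modelled on the mountpoints2 entry in the ComboFix log (Recycled\ctfmon.exe), and is not the actual file from the poster's drives; the three "drive roots" are temporary directories, not real volumes.

```python
"""autorun.inf triage helper (added example; not from the thread, ComboFix or Flash_Disinfector)."""
import os
import re
import tempfile
from typing import Dict, List

# [autorun] keys whose value is a command line Windows XP would execute.
LAUNCH_KEYS = ("open", "shellexecute")
# Shell verbs added by autorun.inf: shell\<verb>\command=<command line>
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Folders that drive worms of the period used to hide their payload.
HIDEOUT_RE = re.compile(r"(?i)(?:^|[\\/])(?:recycled|recycler|system volume information)[\\/]")
# Windows' own wrapper, as seen in the log's \Shell\AutoRun\command value.
SHELLEXEC_WRAPPER_RE = re.compile(
    r"(?i)^\s*(?:\S*\\)?rundll32(?:\.exe)?\s+shell32\.dll,shellexec_rundll\s+(.*)$")

# Constructed sample, modelled on the mountpoints2 entry in the log; not the real file.
SAMPLE_AUTORUN = """; constructed sample autorun.inf
[autorun]
open=Recycled\\ctfmon.exe
shellexecute=Recycled\\ctfmon.exe
shell\\Auto\\command=Recycled\\ctfmon.exe
shell=Auto
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: command line} for every launching key in the [autorun] section."""
    commands: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            commands[key] = value
    return commands


def launched_target(command: str) -> str:
    """Strip the ShellExec_RunDLL wrapper and quotes to get the file actually run."""
    m = SHELLEXEC_WRAPPER_RE.match(command)
    target = m.group(1) if m else command
    return target.strip().strip('"').lower()


def triage_autorun(text: str) -> List[str]:
    """Human-readable findings for an autorun.inf; an empty list means nothing to flag."""
    commands = parse_autorun(text)
    findings: List[str] = []
    for key, command in commands.items():
        findings.append(f"{key} launches: {command}")
        if HIDEOUT_RE.search(command):
            findings.append(f"{key} points into a hidden/system folder: {command}")
    targets = {launched_target(c) for c in commands.values()}
    if len(commands) > 1 and len(targets) == 1:
        findings.append(f"every way of opening the drive runs the same file: {targets.pop()}")
    return findings


def drive_root_status(root: str) -> str:
    """Classify what sits at <root>\\autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected folder"            # the Flash_Disinfector style blocker
    if os.path.isfile(path):
        return "autorun.inf file present"    # feed its text to triage_autorun()
    return "no autorun.inf"


def demo() -> tuple:
    """Build three fake drive roots in a temp dir, classify each, and show the folder blocking a file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        protected = os.path.join(tmp, "protected")
        infected = os.path.join(tmp, "infected")
        os.mkdir(clean)
        os.makedirs(os.path.join(protected, "autorun.inf"))  # folder, not file
        os.mkdir(infected)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        # Dropping a file over the folder fails: that is the whole trick.
        try:
            open(os.path.join(protected, "autorun.inf"), "w").close()
            blocked = False
        except OSError:
            blocked = True
        return (drive_root_status(clean), drive_root_status(protected),
                drive_root_status(infected), blocked)


if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print(finding)
    print(demo())
```

The folder trick only stops the autorun.inf file from being created; it does nothing about a payload already sitting in Recycled\ or a cached mountpoints2 entry, which is why the CFScript above also deletes those registry keys.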
