
braviax virus HT log [RESOLVED]

This topic is locked

#16
JSntgRvr (Global Moderator, 11,579 posts)

Ugh..I'm so sorry. I have another obstacle. I don't have Winzip and I can't afford to buy it.

Right click on the downloaded file (.zip) and select Extract All. Follow the prompts.


#17
Lovltn848 (Topic Starter, Member, 237 posts)
I don't think you understand. I don't have WinZip. There's no way I can extract the files; I get a prompt to buy WinZip.

#18
JSntgRvr (Global Moderator, 11,579 posts)
Have you removed WinZip? If you haven't, please do. There is no need for this type of utility in XP. After removing WinZip, when you right-click on the .zip folder, do you have an option to Extract All? See the picture below.




#19
Lovltn848 (Topic Starter, Member, 237 posts)
Okay, I removed WinZip but I don't get that option. It still says "open with WinZip" :)

Edit: alright, never mind! I clicked Explore and somehow got into the zip folder.

Edited by Lovltn848, 16 February 2008 - 09:50 PM.


#20
Lovltn848 (Topic Starter, Member, 237 posts)
okay here it is! I hope it worked.

Attached Files



#21
JSntgRvr (Global Moderator, 11,579 posts)
Hi, Lovltn848. :)

Beep.sys is still present but seems to be the legit copy.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-check Turn off System Restore.
  • Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

  • If the disclaimer notice is displayed, select "2" and press Enter

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

Test the computer and let me know how it is doing.

Edited by JSntgRvr, 16 February 2008 - 10:08 PM.


#22
Lovltn848 (Topic Starter, Member, 237 posts)
One more quick thing before I do this. My Avast antivirus still says I have the figaro.sys trojan horse. Previously when I've tried to do something about it, my computer freaks out and restarts, so I've just kept the alert window up so my computer will stay on. Is there anything I should do about this or should I continue with the above instructions?

Also, can I do this in safe mode? I guess my normal mode doesn't have admin access, because I don't see an option for system restore.

Edited by Lovltn848, 16 February 2008 - 10:36 PM.


#23
Lovltn848 (Topic Starter, Member, 237 posts)
I got the system restore thing turned off, then after I rebooted the system restore tab disappeared. What do I do now?

#24
Lovltn848 (Topic Starter, Member, 237 posts)
Well.. crap. I guess I'm stuck. Every time I want to go into normal mode without it crashing, I have to go to safe mode and run SDFix. I still have that figaro.sys trojan and now I can't make a system restore point.

THANKS A LOT!

#25
JSntgRvr (Global Moderator, 11,579 posts)
Good Morning, Lovltn848 :)

Please post the SDFix report. It should be saved in the SDFix folder as Report.txt. Also, remove Combofix as follows:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

  • If the disclaimer notice is displayed, select "2" and press Enter

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Please download the latest version of ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


#26
Lovltn848 (Topic Starter, Member, 237 posts)
How exactly is this supposed to help? That's all I've been doing here, and I just did further damage to my computer by turning off System Restore, and I can't turn it back on.

#27
Lovltn848 (Topic Starter, Member, 237 posts)
Oh well, here it goes.

SDFix

SDFix: Version 1.142

Run by Administrator on Mon 02/18/2008 at 11:10 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

D:\WINDOWS\system32\braviax.exe - Deleted
D:\WINDOWS\system32\users32.dat - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 11:18:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - D:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 23 Jan 2005 140,288 ..SHR --- "D:\Program Files\PhoTags Express\Setup.exe"
Wed 15 Dec 2004 39,936 A.SHR --- "D:\Program Files\PhoTags Express\_Setupx.dll"
Sun 22 Oct 2006 4,348 ..SH. --- "D:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 16 Jan 2008 188 A..H. --- "D:\Program Files\InterActual\InterActual Player\iti4E.tmp"

Finished!


ComboFix

ComboFix 08-02-17.2 - Lauren 2008-02-18 11:24:37.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -7:00]
Running from: D:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 11:21 . 2008-02-18 11:21 30,720 --a------ D:\WINDOWS\system32\dllcache\figaro.sys
2008-02-18 10:55 . 2008-02-18 10:55 1,597,661 --a------ D:\ComboFix.exe
2008-02-18 02:58 . 2008-02-18 02:58 <DIR> d--hs---- D:\FOUND.012
2008-02-18 00:52 . 2008-02-18 00:52 <DIR> d-------- D:\Autoruns
2008-02-18 00:51 . 2008-02-18 00:51 545,241 --a------ D:\Autoruns.zip
2008-02-17 23:05 . 2008-02-17 23:05 <DIR> d--hs---- D:\FOUND.011
2008-02-17 22:53 . 2008-02-17 22:53 <DIR> d--hs---- D:\FOUND.010
2008-02-17 22:49 . 2008-02-18 11:05 3,739 --a------ D:\WINDOWS\imsins.BAK
2008-02-17 22:40 . 2008-02-17 22:40 <DIR> d--hs---- D:\FOUND.009
2008-02-17 18:35 . 2008-02-17 18:35 <DIR> d--hs---- D:\FOUND.008
2008-02-17 18:12 . 2008-02-17 18:12 <DIR> d--hs---- D:\FOUND.007
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\drivers\beep.sys
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\dllcache\beep.sys
2008-02-17 15:28 . 2008-02-17 15:28 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2008-02-16 15:01 . 2008-02-16 15:01 <DIR> d--hs---- D:\FOUND.006
2008-02-16 14:45 . 2008-02-16 14:45 <DIR> d-------- D:\WINDOWS\ERUNT
2008-02-16 14:37 . 2008-02-13 13:22 <DIR> d-------- D:\SDFix
2008-02-16 14:06 . 2008-02-16 14:06 <DIR> d--hs---- D:\FOUND.005
2008-02-16 12:32 . 2008-02-16 12:32 <DIR> d--hs---- D:\FOUND.003
2008-02-16 12:20 . 2008-02-16 12:20 <DIR> d--hs---- D:\FOUND.002
2008-02-16 12:09 . 2008-02-16 12:09 <DIR> d--hs---- D:\FOUND.001
2008-02-08 17:33 . 2008-02-08 17:33 <DIR> d-------- D:\Program Files\MSECache
2008-02-05 19:47 . 2008-02-05 19:47 <DIR> d--hs---- D:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 07:41 --------- d-----w D:\Program Files\Apple Software Update
2007-12-21 07:39 --------- d-----w D:\Program Files\Common Files\Apple
2007-12-21 07:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 20:59 --------- d-----w D:\Documents and Settings\All Users\Application Data\WinZip
2007-12-18 09:51 179,584 ----a-w D:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w D:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w D:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w D:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w D:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w D:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w D:\WINDOWS\system32\AVASTSS.scr
2006-12-21 19:59 20 ---h--w D:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\System32\NvCpl.dll" [2006-09-18 13:25 7630848]
"NvMediaCenter"="D:\WINDOWS\System32\NvMcTray.dll" [2006-09-18 13:25 86016]
"SmartDefrag"="G:\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-01-09 10:46 3957760]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"iTunesHelper"="G:\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - G:\Microsoft Office PRO\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
oodm.exe [2008-02-16 12:00:34 49152]
Printkey2000.lnk - G:\Pictures\PrintKey2000\Printkey2000.exe [2008-02-18 01:14:19 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= D:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-06-12 13:42 102400]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Lauren^Start Menu^Programs^Startup^lsas.exe]
path=D:\Documents and Settings\Lauren\Start Menu\Programs\Startup\lsas.exe
backup=D:\WINDOWS\pss\lsas.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
--a------ 2005-09-21 18:08 290816 D:\WINDOWS\system32\Atwtusb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
D:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 D:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-09-18 13:25 1519616 D:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-09 23:02 282624 G:\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCScheduleCheck]
--a------ 2003-06-09 16:45 151552 D:\Program Files\VCOM\Recovery Commander\RCSCHED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
--a------ 2007-01-09 10:46 3957760 G:\IObit SmartDefrag\IObit SmartDefrag.exe

R1 aiptektp;HyperPen;D:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
R1 fwdrv;Tiny Personal Firewall Driver;D:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;D:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 19:50]
S3 utblfilt;utblfilt;D:\WINDOWS\system32\drivers\utblfilt.sys [2001-05-23 15:42]

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 14:05:02 D:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- D:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
"2008-02-14 10:20:08 D:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
"2008-02-18 18:21:34 D:\WINDOWS\Tasks\SmartDefrag.job"
- G:\IObit SmartDefrag\schedule.exe-
"2008-02-18 10:00:50 D:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-02-15 05:45:24 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 11:27:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 11:29:06
.
2008-02-14 10:14:54 --- E O F ---
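A small triage helper for the "Files Created" section of the ComboFix log posted above, written for this page as an added example (it is not the thread's or ComboFix's own code). It flags the two kinds of entries that later posts in the thread go on to remove: the hidden/system FOUND.nnn chkdsk recovery folders and figaro.sys, which appears under dllcache only; the attribute-column layout it assumes is read off the posted strings.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the "Files Created" section of the
# ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""
2008-02-18 11:21 . 2008-02-18 11:21 30,720 --a------ D:\WINDOWS\system32\dllcache\figaro.sys
2008-02-18 10:55 . 2008-02-18 10:55 1,597,661 --a------ D:\ComboFix.exe
2008-02-18 02:58 . 2008-02-18 02:58 <DIR> d--hs---- D:\FOUND.012
2008-02-18 00:52 . 2008-02-18 00:52 <DIR> d-------- D:\Autoruns
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\drivers\beep.sys
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\dllcache\beep.sys
2008-02-17 15:28 . 2008-02-17 15:28 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2008-02-05 19:47 . 2008-02-05 19:47 <DIR> d--hs---- D:\FOUND.000
"""

# One "Files Created" line: created . modified size|<DIR> attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>\S.*)$"
)
FOUND_DIR_RE = re.compile(r"^[A-Z]:\\FOUND\.\d{3}$", re.IGNORECASE)
DLLCACHE_SYS_RE = re.compile(r"\\system32\\dllcache\\(?P<name>[^\\]+\.sys)$", re.IGNORECASE)
DRIVERS_SYS_RE = re.compile(r"\\system32\\drivers\\(?P<name>[^\\]+\.sys)$", re.IGNORECASE)


@dataclass
class Entry:
    created: str
    modified: str
    is_dir: bool
    size: int
    attrs: str
    path: str

    # Column layout assumed from the strings in the posted log:
    # 'd--hs----' for a hidden+system directory, '--a------' for an archive file.
    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[4] == "s"


def parse_entries(text: str) -> list:
    """Parse every line that looks like a ComboFix 'Files Created' entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, '.' separators and blank lines are skipped
        size = m.group("size")
        entries.append(Entry(
            created=m.group("created"),
            modified=m.group("modified"),
            is_dir=(size == "<DIR>"),
            size=0 if size == "<DIR>" else int(size.replace(",", "")),
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


def triage(entries: list) -> dict:
    """Map path -> reason for the entries a reviewer should look at first."""
    # Driver names that were also written under system32\drivers in this window
    # (beep.sys in the posted log appears in both places with the same size).
    in_drivers = {
        DRIVERS_SYS_RE.search(e.path).group("name").lower()
        for e in entries if DRIVERS_SYS_RE.search(e.path)
    }
    flags = {}
    for e in entries:
        if e.is_dir and e.hidden and e.system and FOUND_DIR_RE.match(e.path):
            flags[e.path] = ("hidden+system chkdsk recovery folder at drive root; "
                             "review its contents, then remove it")
            continue
        m = DLLCACHE_SYS_RE.search(e.path)
        if m and not e.is_dir and m.group("name").lower() not in in_drivers:
            flags[e.path] = ("driver written to dllcache only, no matching "
                             "system32\\drivers copy in this window; verify the file")
    return flags


if __name__ == "__main__":
    for path, reason in triage(parse_entries(SAMPLE_LOG)).items():
        print(f"{path}: {reason}")
```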

#28
JSntgRvr (Global Moderator, 11,579 posts)
Hi, Lovltn848 :)

We are going to fix several things in your computer. Please pay close attention to the instructions and perform each task separately:

Step 1:

Set Explorer to view File extensions of known file types:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Remove the check mark from "Hide extensions for known file types".
  • Select Apply to All Folders | Yes | Apply | OK.

Step 2:

Download the enclosed file. It is a text file to reset your .zip file association. Once downloaded, right-click on the file and change its extension from .txt to .reg. After you have done this, the file will be named zipfolder_fix.reg and its icon will have changed to a registry entries file. Once done, double-click on zipfolder_fix.reg and select Yes when prompted to merge it into your registry.

Restart the computer.

Step 3:

Download the enclosed file. It is a text file to remove all Found.* folders in the root of your system. Once downloaded, right-click on the file and change its extension from .txt to .bat. After you have done this, the file will be named FoundFix.bat and its icon will have changed to a batch file. Once done, double-click on FoundFix.bat. The MS-DOS window will be displayed for a second. That is normal.

Step 4:

Set Explorer to Defaults:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Restore Defaults
  • Select Apply to All Folders | Yes | Apply | OK.

Step 5:

Download the enclosed file. Save this file next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a fresh Hijackthis log.

Note:

All this can be done from Safe Mode if still having problems in Normal Mode.

#29
Lovltn848 (Topic Starter, Member, 237 posts)
Okay. I'm doing this in normal mode, since now my computer won't restart as long as I leave the Avast virus warning for the figaro.sys file up.

Edited by Lovltn848, 17 February 2008 - 03:48 PM.


#30
Lovltn848 (Topic Starter, Member, 237 posts)
After Combofix rebooted windows, for some reason my computer rebooted again. Now it's working fine and I didn't get the virus warning this time. w00t!

combofix

ComboFix 08-02-17.2 - Lauren 2008-02-18 14:52:24.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.167 [GMT -7:00]
Running from: D:\ComboFix.exe
Command switches used :: D:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
D:\Autoruns.zip
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\oodm.exe
D:\Documents and Settings\Lauren\Start Menu\Programs\Startup\lsas.exe
D:\WINDOWS\pss\lsas.exeStartup
D:\WINDOWS\system32\Atwtusb.exe
D:\WINDOWS\system32\braviax.exe
D:\WINDOWS\system32\dllcache\figaro.sys
G:\qttask.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autoruns
D:\Autoruns.zip
D:\Autoruns\autoruns.chm
D:\Autoruns\autoruns.exe
D:\Autoruns\autorunsc.exe
D:\Autoruns\Eula.txt
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\oodm.exe
D:\Documents and Settings\Lauren\Start Menu\Programs\Startup\lsas.exe
D:\WINDOWS\pss\lsas.exeStartup
D:\WINDOWS\system32\Atwtusb.exe
D:\WINDOWS\system32\dllcache\figaro.sys
G:\qttask.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 14:45 . 2008-02-18 14:45 59 --a------ D:\FoundFix.bat
2008-02-18 14:26 . 2008-02-18 14:26 6,132 --a------ D:\zipfolder_fix.reg
2008-02-18 10:55 . 2008-02-18 10:55 1,597,661 --a------ D:\ComboFix.exe
2008-02-18 02:58 . 2008-02-18 02:58 <DIR> d--hs---- D:\FOUND.012
2008-02-17 23:05 . 2008-02-17 23:05 <DIR> d--hs---- D:\FOUND.011
2008-02-17 22:53 . 2008-02-17 22:53 <DIR> d--hs---- D:\FOUND.010
2008-02-17 22:49 . 2008-02-18 11:05 3,739 --a------ D:\WINDOWS\imsins.BAK
2008-02-17 22:40 . 2008-02-17 22:40 <DIR> d--hs---- D:\FOUND.009
2008-02-17 18:35 . 2008-02-17 18:35 <DIR> d--hs---- D:\FOUND.008
2008-02-17 18:12 . 2008-02-17 18:12 <DIR> d--hs---- D:\FOUND.007
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\drivers\beep.sys
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\dllcache\beep.sys
2008-02-17 15:28 . 2008-02-17 15:28 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2008-02-16 15:01 . 2008-02-16 15:01 <DIR> d--hs---- D:\FOUND.006
2008-02-16 14:45 . 2008-02-16 14:45 <DIR> d-------- D:\WINDOWS\ERUNT
2008-02-16 14:37 . 2008-02-13 13:22 <DIR> d-------- D:\SDFix
2008-02-16 14:06 . 2008-02-16 14:06 <DIR> d--hs---- D:\FOUND.005
2008-02-16 12:32 . 2008-02-16 12:32 <DIR> d--hs---- D:\FOUND.003
2008-02-16 12:20 . 2008-02-16 12:20 <DIR> d--hs---- D:\FOUND.002
2008-02-16 12:09 . 2008-02-16 12:09 <DIR> d--hs---- D:\FOUND.001
2008-02-08 17:33 . 2008-02-08 17:33 <DIR> d-------- D:\Program Files\MSECache
2008-02-05 19:47 . 2008-02-05 19:47 <DIR> d--hs---- D:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 07:41 --------- d-----w D:\Program Files\Apple Software Update
2007-12-21 07:39 --------- d-----w D:\Program Files\Common Files\Apple
2007-12-21 07:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 20:59 --------- d-----w D:\Documents and Settings\All Users\Application Data\WinZip
2007-12-18 09:51 179,584 ----a-w D:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w D:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w D:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w D:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w D:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w D:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w D:\WINDOWS\system32\AVASTSS.scr
2006-12-21 19:59 20 ---h--w D:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\System32\NvCpl.dll" [2006-09-18 13:25 7630848]
"NvMediaCenter"="D:\WINDOWS\System32\NvMcTray.dll" [2006-09-18 13:25 86016]
"SmartDefrag"="G:\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-01-09 10:46 3957760]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"iTunesHelper"="G:\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - G:\Microsoft Office PRO\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Printkey2000.lnk - G:\Pictures\PrintKey2000\Printkey2000.exe [2008-02-18 01:14:19 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= D:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-06-12 13:42 102400]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 D:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-09-18 13:25 1519616 D:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCScheduleCheck]
--a------ 2003-06-09 16:45 151552 D:\Program Files\VCOM\Recovery Commander\RCSCHED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
--a------ 2007-01-09 10:46 3957760 G:\IObit SmartDefrag\IObit SmartDefrag.exe

R1 aiptektp;HyperPen;D:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
R1 fwdrv;Tiny Personal Firewall Driver;D:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;D:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 19:50]
S3 utblfilt;utblfilt;D:\WINDOWS\system32\drivers\utblfilt.sys [2001-05-23 15:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 14:05:02 D:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- D:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
"2008-02-14 10:20:08 D:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
"2008-02-18 22:01:28 D:\WINDOWS\Tasks\SmartDefrag.job"
- G:\IObit SmartDefrag\schedule.exe-
"2008-02-18 22:01:24 D:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-02-15 05:45:24 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 15:00:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Tiny Personal Firewall\persfw.exe
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
.
**************************************************************************
.
Completion time: 2008-02-18 15:03:04 - machine was rebooted
ComboFix2.txt 2008-02-18 18:29:08
ComboFix-quarantined-files.txt 2008-02-18 22:02:52
.
2008-02-14 10:14:54 --- E O F ---


Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 3:16:21 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
G:\IObit SmartDefrag\IObit SmartDefrag.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
G:\Pictures\PrintKey2000\Printkey2000.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Tiny Personal Firewall\persfw.exe
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\msiexec.exe
G:\SlimBrowser\sbrowser.exe
D:\Documents and Settings\Lauren\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmartDefrag] "G:\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office PRO\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = G:\Pictures\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay11...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188675217674
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - D:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - G:\XBox 360 Controller\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)
  • 0