Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

IE Windows (with advertisement) appear although I use Firefox [RESOLVE


  • This topic is locked This topic is locked

#1
GaryGG

GaryGG

    Member

  • Member
  • PipPip
  • 37 posts
Here is my HJT-log!

The topic says it all: Internet Explorer windows open every now and then and they bring up some ads etc...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50, on 14.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\eTCrtMng.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ProjectX\ProjectX.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.12.3.74:3124
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189667763599
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189667753067
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.center.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.center.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain & Abel\Abel.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11940 bytes

Edited by GaryGG, 20 March 2008 - 02:23 AM.

  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi GaryGG

welcome back to geekstogo :)

sorry to keep you waiting. lets do a deeper scan of your machine for me to analyse.

(if your problem has already been resolved, could you just let me know so that i an move onto other logs to help others, thanks)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

you may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk
  • 0

#3
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi,

Thanks for helping me! I still have the same problem, so here are the two logs you asked:

1. main.txt

Deckard's System Scanner v20071014.68
Run by alle on 2008-03-20 10:04:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
84: 2008-03-20 08:04:39 UTC - RP150 - Deckard's System Scanner Restore Point
83: 2008-03-19 12:20:34 UTC - RP149 - Software Distribution Service 3.0
82: 2008-03-18 12:35:15 UTC - RP148 - System Checkpoint
81: 2008-03-16 16:26:02 UTC - RP147 - System Checkpoint
80: 2008-03-15 11:46:27 UTC - RP146 - System Checkpoint


-- First Restore Point --
1: 2007-12-29 14:15:09 UTC - RP67 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as alle.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07, on 20.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\alle.TTT\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\alle.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.12.3.74:3124
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189667763599
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189667753067
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.center.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.center.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain & Abel\Abel.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11250 bytes

-- File Associations -----------------------------------------------------------

.txt - txtfile - DefaultIcon - C:\alle\Desktop\Ikoneita\Text.ico,0


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 drmkaudd - c:\windows\system32\drivers\drmkaudd.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN-tietoliikenne) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 SbieDrv - c:\program files\sandboxie\sbiedrv.sys <Not Verified; tzuk; Sandboxie>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 tap0801 (TAP-Win32 Adapter V8) - c:\windows\system32\drivers\tap0801.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
S3 TFBULK (Topfield USB client driver) - c:\windows\system32\drivers\tfbulk.sys <Not Verified; Topfield Co., Ltd.; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ETOKSRV (eToken Notification Service) - c:\windows\system32\etsrv.exe <Not Verified; Aladdin Knowledge Systems, Ltd.; eToken RTE>
R2 MySQL - "c:\program files\mysql server 4.1\bin\mysqld-nt" --defaults-file="c:\program files\mysql server 4.1\my.ini" mysql (file missing)
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 SbieSvc (Sandboxie Service) - c:\program files\sandboxie\sbiesvc.exe <Not Verified; tzuk; Sandboxie>
R2 tcsd_win32.exe (NTRU Hybrid TSS v2.0.25 TCS) - "c:\program files\ntru cryptosystems\ntru hybrid tss v2.0.25\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 Abel - c:\program files\cain & abel\abel.exe (file missing)
S3 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1E21E450364FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1E21E450364FC000
Service: NIC1394

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N95
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N95
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Files created between 2008-02-20 and 2008-03-20 -----------------------------

2008-03-19 14:21:56 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-15 13:10:38 1350 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
2008-03-15 11:36:37 0 d-------- C:\Program Files\TVUPlayer
2008-03-15 11:02:02 0 d-------- C:\Program Files\BSplayer
2008-03-14 13:48:32 86144 --a------ C:\WINDOWS\system32\drivers\drmkaudd.sys
2008-03-14 13:16:37 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\Symantec
2008-03-14 12:56:51 215144 -ra------ C:\WINDOWS\patchw32.dll
2008-03-14 12:53:53 215144 -ra------ C:\WINDOWS\pw32a.dll
2008-03-14 12:35:11 0 d-------- C:\Program Files\Norton Ghost
2008-03-14 10:36:29 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-14 10:24:50 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-03-14 10:16:18 716272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-14 10:15:57 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\DAEMON Tools
2008-03-14 09:10:07 0 d-------- C:\Documents and Settings\alle.TTT\.VirtualBox
2008-03-13 09:38:23 0 d-------- C:\Program Files\IrfanView
2008-03-12 08:38:19 0 d-------- C:\Program Files\Lavasoft
2008-03-12 08:38:18 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-11 12:16:39 364544 -----n--- C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2008-03-11 12:16:39 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-03-11 12:16:35 471040 -----n--- C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-03-11 12:16:35 262144 -----n--- C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-03-11 12:16:35 1568768 -----n--- C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-03-11 12:16:33 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-03-11 12:16:30 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-11 12:16:29 0 d-------- C:\Program Files\Nero
2008-03-09 15:02:39 0 d-------- C:\Program Files\TopSet
2008-03-07 10:21:03 0 d-------- C:\Program Files\mp3DirectCut
2008-03-06 14:58:43 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\MPEG Streamclip
2008-03-06 14:57:22 0 d-------- C:\Program Files\QuickTime Alternative
2008-03-06 11:02:40 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\DivX
2008-03-06 10:54:10 0 d-------- C:\divx
2008-03-06 10:52:24 0 d-------- C:\Program Files\DivX
2008-03-06 10:29:33 0 d-------- C:\Program Files\MPlayer
2008-02-27 09:31:59 0 d-------- C:\Program Files\MySQL Server 4.1


-- Find3M Report ---------------------------------------------------------------

2008-03-19 18:18:12 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-19 16:02:03 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-03-18 22:01:54 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-03-18 16:32:18 0 d-------- C:\Program Files\Apoint
2008-03-16 11:03:04 0 d-------- C:\Program Files\ImTOO MPEG Encoder
2008-03-16 08:06:37 0 d-------- C:\Program Files\PPMate
2008-03-15 11:00:25 0 d-------- C:\Program Files\VLC Player
2008-03-15 09:48:12 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\uTorrent
2008-03-14 14:32:02 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\Sandbox
2008-03-14 12:35:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-14 10:58:41 0 d-------- C:\Program Files\Common Files
2008-03-13 14:01:14 0 d-------- C:\Program Files\MSN Messenger
2008-03-13 11:55:57 0 d-------- C:\Program Files\VirtuaWin
2008-03-12 12:39:45 0 d-------- C:\Program Files\EasyCleaner
2008-03-12 11:25:29 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\AvaFind Data
2008-03-12 11:22:47 0 d-------- C:\Program Files\Trillian
2008-03-12 11:18:58 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\Hamachi
2008-03-12 10:24:43 0 d-------- C:\Program Files\SpywareBlaster
2008-03-12 10:22:50 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\Skype
2008-03-12 10:22:25 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\skypePM
2008-03-12 08:38:49 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\Lavasoft
2008-03-12 08:36:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 15:42:48 0 d-------- C:\Program Files\Java
2008-02-11 10:45:54 1599488 ---hs---- C:\alleCxb77n_cfdg.exe
2008-02-11 09:01:16 0 d-------- C:\Program Files\save2pc
2008-02-07 15:05:07 0 d-------- C:\Program Files\Dell
2008-01-27 15:57:09 0 d-------- C:\Program Files\SopCast
2008-01-22 11:55:00 0 d-------- C:\Documents and Settings\alle.TTT\Application Data\Nokia
2008-01-22 11:32:42 0 d-------- C:\Program Files\Nokia
2008-01-22 11:31:15 0 d-------- C:\Program Files\PC Connectivity Solution
2008-01-21 09:27:37 0 d-------- C:\Program Files\Winamp
2008-01-20 09:23:22 0 d-------- C:\Program Files\SpeedFan


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [13.12.2005 16:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [13.12.2005 16:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [13.12.2005 16:45]
"SigmatelSysTrayApp"="stsystra.exe" [24.03.2006 16:30 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [18.10.2006 20:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [18.10.2006 19:58]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [19.07.2006 18:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [27.09.2006 19:33]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [20.07.2007 16:55]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11.04.2007 14:32 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04.08.2004 14:00 C:\WINDOWS\system32\bthprops.cpl]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04.08.2004 14:00]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07.10.2005 14:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 14:00]
"Restore Desktop"="C:\Program Files\Restore Desktop\Restore Desktop.exe" []
"RestoreDesktop"="C:\Program Files\Restore Desktop\RestoreDesktop.exe" [11.03.2003 10:52]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [05.08.2006 00:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [02.09.2007 13:58]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [10.12.2007 10:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [17.04.2007 12:04:16]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [27.11.2007 11:25:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=0 (0x0)
"NoSecurityTab"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VirtuaWin.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VirtuaWin.lnk
backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiFreeze]
C:\Program Files\AntiFreeze\AntiFreeze.exe /splash

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTCertManger]
C:\WINDOWS\system32\eTCrtMng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
"C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
"C:\Program Files\Norton Ghost\Agent\VProTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ab763d-ad55-11dc-8d43-00188bbe9b34}]
AutoRun\command- E:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 update.asdf.cn
127.0.0.1 msg.asdf.com


-- End of Deckard's System Scanner: finished at 2008-03-20 10:08:30 ------------




2. extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU U2500 @ 1.20GHz
CPU 1: Genuine Intel® CPU U2500 @ 1.20GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 1014.05 MiB / 424.88 MiB
Pagefile Memory (total/avail): 2440.54 MiB / 1920.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1881.12 MiB

C: is Fixed (NTFS) - 55.8 GiB total, 25.06 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
K: is Network (NTFS)
L: is Network (NTFS)
N: is Network (NTFS)
P: is Network (NTFS)
W: is Network (NTFS)
Y: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6008GAH - 55.89 GiB - 2 partitions
\PARTITION0 - Unknown - 86.26 MiB
\PARTITION1 (bootable) - Installable File System - 55.8 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.1.5.5000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\EPSON\\EBAPI\\eEBSvc.exe"="C:\\Program Files\\Common Files\\EPSON\\EBAPI\\eEBSvc.exe:*:Enabled:eEBSvc"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"C:\\Program Files\\FreeCall\\FreeCall.exe"="C:\\Program Files\\FreeCall\\FreeCall.exe:*:Enabled:FreeCall"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Documents and Settings\\alle.TTT\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\alle.TTT\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\X-Lite\\x-lite.exe"="C:\\Program Files\\X-Lite\\x-lite.exe:*:Enabled:X-Lite"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\WOL Magic Packet Sender\\WakeOnLan.exe"="C:\\Program Files\\WOL Magic Packet Sender\\WakeOnLan.exe:*:Enabled:WOL - Magic Packet Sender"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Disabled:SopCast Adver"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPS????"
"C:\\alle\\Asennustiedostoja\\µTorrent 1.7.7_renamed.exe"="C:\\alle\\Asennustiedostoja\\µTorrent 1.7.7_renamed.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FreeCall\\FreeCall.exe"="C:\\Program Files\\FreeCall\\FreeCall.exe:*:Enabled:FreeCall"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\alle.TTT\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\alle.TTT\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPSÍřÂçµçĘÓ"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\VGO\\Clt.exe"="C:\\Program Files\\VGO\\Clt.exe:*:Enabled:21CN VGO ?????"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\PPStream\\PPSAP.exe"="C:\\Program Files\\PPStream\\PPSAP.exe:*:Enabled:PPS ÍřÂçĽÓËŮĆ÷"
"C:\\Program Files\\Virtual Pool 3\\vp3.exe"="C:\\Program Files\\Virtual Pool 3\\vp3.exe:*:Enabled:Virtual Pool 3"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\PPMate\\ppamnet.exe"="C:\\Program Files\\PPMate\\ppamnet.exe:*:Enabled:PPMate"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\alle.TTT\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ICT-07A3B15704B
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\alle.TTT
HOMESHARE=\\fileserver\forusers
LOGONSERVER=\\TTTSERVER1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution";C:\Program Files\MySQL Server 4.1\bin;C:\Program Files\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\alle.TTT\LOCALS~1\Temp
TMP=C:\DOCUME~1\alle.TTT\LOCALS~1\Temp
USERDNSDOMAIN=INTRA.CENTER.COM
USERDOMAIN=TTT
USERNAME=alle
USERPROFILE=C:\Documents and Settings\alle.TTT
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mikrotuki (new local, admin)
Administrator.ICT-07A3B15704B (admin)
alle.TTT (admin)
administrator.TTT (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat Connect Add-in --> C:\Documents and Settings\alle.TTT\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin6x5\connectaddin6x5.exe -uninstall
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AM-DeadLink 3.1 --> "C:\Program Files\AM-DeadLink\unins000.exe"
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Ava Find Pro --> "C:\Program Files\AvaFind\Uninstall.exe" "C:\Program Files\AvaFind\Install_Log.txt"
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
BSPlayer --> "C:\Program Files\BSplayer\uninstall.exe"
CC Get MAC Address 2.2 --> "C:\Program Files\CC Get MAC Address\unins000.exe"
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
Dell Resource CD --> MsiExec.exe /X{2764CA82-DFB9-4498-AF85-719340BF5305}
Developer Certificate Request 2.1.1 --> C:\Program Files\InstallShield Installation Information\{4FDF4C76-5789-4AA9-8112-ADA95C79B798}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
eToken Run Time Environment 3.60 --> MsiExec.exe /I{D8027DE9-D42B-4847-8377-9292C6C4A761}
ffdshow [rev 1471] [2007-09-09] --> "C:\Program Files\ffdshow\unins000.exe"
Foxit PDF Editor --> C:\Program Files\Foxit Reader\PDF Editor\uninstall.exe
Foxit Reader --> C:\Program Files\Foxit Reader\Uninstall.exe
FreeCall --> "C:\Program Files\FreeCall\unins000.exe"
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
HD Tune 2.54 --> "C:\Program Files\HD Tune\unins000.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ImTOO MPEG Encoder --> C:\Program Files\ImTOO MPEG Encoder\Uninstall.exe
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Launchy 2.0 --> "C:\Program Files\Launchy\unins000.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Living Beaches Wallpaper #1 --> "C:\PROGRA~1\Freeze.com\LIVING~2\UNINSTAL.EXE"
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2003 Proofing Tools --> MsiExec.exe /I{901F0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
MozBackup 1.4.7 --> "C:\Program Files\MozBackup\unins000.exe"
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
MySQL Server 4.1 --> MsiExec.exe /I{063DFF87-7F52-4A39-89C0-BFF7E9B7BA8E}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero 6 Ultra Edition --> C:\Program Files\Nero\nero\uninstall\UNNERO.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500}
Nokia Multimedia Factory --> "C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations\{4CFB3821-1582-4f3b-BF8D-30986923B36B}\Nokia_Multimedia_Factory_2_0.exe" /MAINTENANCE /SILENT="SWLPCER" /LANG="2057" /MSI_COMMON_OPTIONS="PCSLANG= MMFLANG=eng"
Nokia Multimedia Factory --> MsiExec.exe /I{4CFB3821-1582-4F3B-BF8D-30986923B36B}
Nokia PC Suite --> C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng_us_web.exe
Nokia PC Suite --> MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
Nokia Software Updater --> MsiExec.exe /X{FE5D756F-71E1-47C4-972A-D6775344B40B}
Nokia Video Manager --> "C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations\{B1B4E612-9ACC-4fab-BD04-1721D9503266}\NokiaVideoManager1.6.exe" /MAINTENANCE /SILENT="SGWLRPFCE" /LANG="2057" /O=";EXTUNINSTALL=1"
Nokia Video Manager --> MsiExec.exe /I{B1B4E612-9ACC-4FAB-BD04-1721D9503266}
Norton Ghost --> MsiExec.exe /I{B0255743-165B-4BD5-8DA8-37DFB9930014}
NTRU Hybrid TSS v2.0.25 --> MsiExec.exe /I{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PPLive 1.7 --> C:\Program Files\PPLive\uninst.exe
PPMate Network TV 2.3.1.76 --> C:\Program Files\PPMate\uninst.exe
PPStream --> C:\Program Files\PPStream\uninst.exe
ProjectX 0.90.4.00 --> C:\Program Files\ProjectX\Uninstall.exe
PropertiesPlus (Remove Only) --> C:\WINDOWS\system32\ShellExt\ppsetup.exe /uninstall
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 -removeonly
QuickTime Alternative 1.81 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.52 --> "C:\Program Files\Real Alternative\unins000.exe"
Restore Desktop (remove only) --> "C:\Program Files\Restore Desktop\uninstall.exe"
RocketDock 1.3.5 --> "C:\Program Files\RocketDock\unins000.exe"
Sandboxie version 3.01 --> C:\WINDOWS\Installer\SandboxieInstall.exe
save2pc Light 3.25 --> "C:\Program Files\save2pc\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SnagIt 7 --> MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
SopCast 2.0.4 --> C:\Program Files\SopCast\uninst.exe
SopCore 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
TaskSwitchXP --> C:\Program Files\TaskSwitchXP\uninst.exe
Top Set 2.00 --> "C:\Program Files\TopSet\unins000.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
TVUPlayer 2.3.5.4 --> C:\Program Files\TVUPlayer\uninst.exe
UltraVNC v1.0.2 --> "C:\Program Files\UltraVNC\unins000.exe"
Unlocker 1.8.6 --> C:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VLC Player\uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Wind
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi GaryGG

i can see the malware that is probably causing the issues, but first some questions.

1. do you recognise this address, is it your company? The Computing Laboratory The University Canterbury Kent CT2 7NF.

2. Does this mean anything to you? Possibly related to the above Domain = intra.center.com

3. any idea what this file is? C:\alleCxb77n_cfdg.exe

4. any idea what this file is? c:\windows\system32\drivers\drmkaudd.sys


====STEP 1====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop

Do NOT run it yet


Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop Abel
sc delete Abel
exit

Double click FixServices.bat. A window will open and close. This is normal.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain & Abel\Abel.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\Cain & Abel\Abel.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
we will be making some changes directly to your registry, so first we will backup your Registry. Better safe than sorry!

Go to Start > Run
Type:regedit
Click OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch. <= important!
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


====STEP 3====
having done Step 2............

Registry Modifications

Next, lets remove the unwanted items.

Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
Please copy the contents of the code box below into the notepad. To do this highlight the contents of the box and right click on it.

Save it to your desktop has fixit.reg (filetype = any)

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=dword:00000000

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating sysytem


Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

(In case you are unsure how to create a reg file, take a look here with screenshots.)


In your next reply could i see:
1. the answers to the 4 questions above
2. a new Hijackthis log

andrewuk
  • 0

#5
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi,

First of all: I don't know what has happened to the Abel file and folder, because there is no such file or folder on my computer "anymore". I did the MoveIt trick, but as you can see (below) there was no such file in my computer. I have deleted NO folder since I posted my first HiJack log... I ran a virus scan the other day, maybe it did something(?)

Anyway I know that months ago I installed something called Abel & Cain (and removed it), and it most definitely is NOT the reason for these pop-ups, because they started to appear only last week when I clicked a weird file!

The pop-ups still appear while writing this message (I rebooted the machine after the tricks I did)


THE QUESTIONS YOU ASKED:
1. do you recognise this address, is it your company? The Computing Laboratory The University Canterbury Kent CT2 7NF.
- No, I have never heard of it!

2. Does this mean anything to you? Possibly related to the above Domain = intra.center.com
- Yes, that is the name of the domain of the company I work in! It has nothing to do with the "University of Canterbury"

3. any idea what this file is? C:\alleCxb77n_cfdg.exe
- No idea!

4. any idea what this file is? c:\windows\system32\drivers\drmkaudd.sys
- No idea!


REGISTRY FIX:
Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.


- Yes, the merge was successful!


OTMoveIt -log:

File/Folder C:\Program Files\Cain & Abel\Abel.exe not found.
[Custom Input]
< purity >

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_105235


HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23, on 21.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.12.3.74:3124
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189667763599
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189667753067
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.center.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.center.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11319 bytes

Edited by GaryGG, 21 March 2008 - 03:41 AM.

  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I don't know what has happened to the Abel file and folder, because there is no such file or folder on my computer "anymore".

no problem, it was there once and there is no harm trying to remove it again, just in case.

The pop-ups still appear while writing this message (I rebooted the machine after the tricks I did)

we will see if we can resolve that this post, though it may take 2 or 3 more posts from me after this to get to the bottom of it.

i also want to scan those 2 files to see what we come up with.

====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.12.3.74:3124

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


====STEP 3====
Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
C:\alleCxb77n_cfdg.exe

Click on the submit button

Please also do the same with the following file:
C:\WINDOWS\system32\drivers\drmkaudd.sys


Please post the results of the scan in your next reply.

If Jotti is busy, try the same atVirustotal


====STEP 4====
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


In your next reply could i see:
1. the malwarebytes log
2. the jotti scan results for the 2 files
3. the combofix log
4. a new hijackthis log

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#7
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
1. the malwarebytes log


Malwarebytes' Anti-Malware 1.09
Database version: 518

Scan type: Quick Scan
Objects scanned: 44258
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.


2. the jotti scan results for the 2 files

C:\alleCxb77n_cfdg.exe

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\system32\drivers\drmkaudd.sys

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


3. the combofix log

- I was unable to disable my virus scanner (Symantec AntiVirus): the auto scan option was "grey" and I could not uncheck it!

ComboFix 08-03-21.1 - alle 2008-03-21 22:09:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.400 [GMT 2:00]
Running from: C:\Documents and Settings\alle.TTT\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\drmkaudd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRMKAUDD
-------\Service_drmkaudd


((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-21 19:28 . 2008-03-21 19:28 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\Malwarebytes
2008-03-21 19:27 . 2008-03-21 19:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 19:27 . 2008-03-21 19:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-21 10:52 . 2008-03-21 10:52 <DIR> d-------- C:\_OTMoveIt
2008-03-20 22:58 . 2008-03-20 22:58 <DIR> d-------- C:\Program Files\HashTab Shell Extension
2008-03-20 22:23 . 2008-03-20 22:50 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\wxChecksums
2008-03-20 12:37 . 2008-03-20 12:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-20 12:37 . 2008-03-20 12:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-03-20 10:04 . 2008-03-20 10:04 <DIR> d-------- C:\Deckard
2008-03-19 14:21 . 2008-03-19 14:21 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-15 22:43 . 2008-03-15 22:43 <DIR> d-------- C:\Program Files\Unlocker
2008-03-15 22:42 . 2008-03-15 22:42 360,064 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-03-15 13:10 . 2008-03-15 13:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 13:10 . 2008-03-15 13:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 11:36 . 2008-03-15 12:19 <DIR> d-------- C:\Program Files\TVUPlayer
2008-03-15 11:02 . 2008-03-15 11:02 <DIR> d-------- C:\Program Files\BSplayer
2008-03-14 13:16 . 2008-03-14 13:16 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\Symantec
2008-03-14 12:56 . 2008-02-02 18:04 215,144 -ra------ C:\WINDOWS\patchw32.dll
2008-03-14 12:53 . 2008-02-02 18:04 215,144 -ra------ C:\WINDOWS\pw32a.dll
2008-03-14 12:37 . 2008-01-19 20:12 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2008-03-14 12:37 . 2008-01-19 19:31 109,360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-03-14 12:37 . 2008-01-19 19:31 15,664 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-03-14 12:36 . 2007-12-20 17:13 136,416 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2008-03-14 12:36 . 2008-01-19 19:45 38,112 --a------ C:\WINDOWS\system32\drivers\v2imount.sys
2008-03-14 12:36 . 2008-01-19 19:40 15,088 --a------ C:\WINDOWS\system32\drivers\vproeventmonitor.sys
2008-03-14 12:35 . 2008-03-14 12:35 <DIR> d-------- C:\Program Files\Norton Ghost
2008-03-14 10:36 . 2008-03-14 10:36 <DIR> d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-14 10:36 . 2004-11-30 10:51 84,636 --a------ C:\WINDOWS\system32\drivers\aksifdh.sys
2008-03-14 10:36 . 2004-11-30 10:51 32,472 --a------ C:\WINDOWS\system32\drivers\aksup.sys
2008-03-14 10:36 . 2008-03-14 10:36 88 --a------ C:\WINDOWS\Entrust.ini
2008-03-14 10:24 . 2008-03-14 10:24 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-03-14 10:16 . 2008-03-14 10:16 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-14 10:15 . 2008-03-14 10:15 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\DAEMON Tools
2008-03-14 09:10 . 2008-03-14 09:19 <DIR> d-------- C:\Documents and Settings\alle.TTT\.VirtualBox
2008-03-14 08:53 . 2008-02-20 20:17 27,776 --a------ C:\WINDOWS\system32\drivers\VBoxUSBMon.sys
2008-03-14 08:52 . 2008-02-20 20:17 40,928 --a------ C:\WINDOWS\system32\drivers\VBoxDrv.sys
2008-03-13 09:38 . 2008-03-13 09:38 <DIR> d-------- C:\Program Files\IrfanView
2008-03-12 11:29 . 2008-03-20 22:52 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-12 08:38 . 2008-03-12 08:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-12 08:38 . 2008-03-12 08:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-11 12:17 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-03-11 12:17 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-03-11 12:16 . 2008-03-11 12:16 <DIR> d-------- C:\Program Files\Nero
2008-03-11 12:16 . 2008-03-11 12:16 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-11 12:16 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-11 12:16 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-11 12:16 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-11 12:16 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-11 12:16 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-11 12:16 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-11 12:16 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-09 15:02 . 2008-03-09 15:02 <DIR> d-------- C:\Program Files\TopSet
2008-03-07 10:21 . 2008-03-07 10:23 <DIR> d-------- C:\Program Files\mp3DirectCut
2008-03-06 14:58 . 2008-03-06 14:58 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\MPEG Streamclip
2008-03-06 14:57 . 2008-03-06 14:57 <DIR> d-------- C:\Program Files\QuickTime Alternative
2008-03-06 14:57 . 2007-04-27 09:42 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-06 14:57 . 2007-04-27 09:42 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-06 11:02 . 2008-03-06 11:02 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\DivX
2008-03-06 10:54 . 2008-03-14 14:29 <DIR> d-------- C:\divx
2008-03-06 10:52 . 2008-03-06 10:52 <DIR> d-------- C:\Program Files\DivX
2008-03-06 10:29 . 2008-03-14 15:00 <DIR> d-------- C:\Program Files\MPlayer
2008-03-01 19:00 . 2008-03-01 19:00 89 --a------ C:\WINDOWS\TFDN_USB.INI
2008-02-27 09:31 . 2008-02-27 09:37 <DIR> d-------- C:\Program Files\MySQL Server 4.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 20:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-21 17:54 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\AvaFind Data
2008-03-20 10:17 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-18 14:32 --------- d-----w C:\Program Files\Apoint
2008-03-16 09:03 --------- d-----w C:\Program Files\ImTOO MPEG Encoder
2008-03-16 06:06 --------- d-----w C:\Program Files\PPMate
2008-03-15 20:42 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-03-15 09:00 --------- d-----w C:\Program Files\VLC Player
2008-03-15 07:48 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\uTorrent
2008-03-14 12:32 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Sandbox
2008-03-14 10:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-03-14 10:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-13 12:01 --------- d-----w C:\Program Files\MSN Messenger
2008-03-13 09:55 --------- d-----w C:\Program Files\VirtuaWin
2008-03-12 10:39 --------- d-----w C:\Program Files\EasyCleaner
2008-03-12 09:22 --------- d-----w C:\Program Files\Trillian
2008-03-12 09:18 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Hamachi
2008-03-12 08:24 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-12 08:22 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\skypePM
2008-03-12 08:22 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Skype
2008-03-12 06:38 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Lavasoft
2008-03-12 06:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 13:42 --------- d-----w C:\Program Files\Java
2008-03-06 12:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-02-16 12:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-16 11:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 08:45 1,599,488 --sh--w C:\alleCxb77n_cfdg.exe
2008-02-11 07:01 --------- d-----w C:\Program Files\save2pc
2008-02-07 13:05 --------- d-----w C:\Program Files\Dell
2008-01-27 13:57 --------- d-----w C:\Program Files\SopCast
2008-01-23 07:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\TVU networks
2008-01-22 09:55 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Nokia
2008-01-22 09:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations
2008-01-22 09:32 --------- d-----w C:\Program Files\Nokia
2008-01-22 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-01-21 07:27 --------- d-----w C:\Program Files\Winamp
2007-12-15 09:39 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
.

------- Sigcheck -------

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-03-15 22:42 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-03-15 22:42 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Restore Desktop"="C:\Program Files\Restore Desktop\Restore Desktop.exe" [ ]
"RestoreDesktop"="C:\Program Files\Restore Desktop\RestoreDesktop.exe" [2003-03-11 10:52 45056]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 00:29 62976]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 20:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 19:58 696320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 18:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 19:33 125168]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-07-20 16:55 1228800]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 14:00 143360]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-04-17 12:04:16 274432]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-27 11:25:03 692224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VirtuaWin.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VirtuaWin.lnk
backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiFreeze]
C:\Program Files\AntiFreeze\AntiFreeze.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTCertManger]
--a------ 2004-12-13 09:50 102400 C:\WINDOWS\system32\eTCrtMng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
--a------ 2008-02-02 18:30 2245984 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2006-06-18 13:56 712704 C:\Program Files\UltraVNC\WinVNC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FreeCall\\FreeCall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\UltraVNC\\winvnc.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\Virtual Pool 3\\vp3.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:VPN

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2004-08-04 14:00]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 12:22]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2007-08-25 14:51]
S3 SymSnapService;SymSnapService;"C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [2008-01-30 13:23]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S3 TFBULK;Topfield USB client driver;C:\WINDOWS\system32\drivers\TfBulk.sys [2003-08-26 14:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ab763d-ad55-11dc-8d43-00188bbe9b34}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 22:16:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
.
**************************************************************************
.
Completion time: 2008-03-21 22:21:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 20:21:52
.
2007-07-14 06:01:29 --- E O F ---


4. a new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:40, on 2008-03-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\mobsync.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189667763599
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189667753067
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.center.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.center.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11382 bytes
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
looks like the file C:\alleCxb77n_cfdg.exe is ok, so we will leave it. the file C:\WINDOWS\system32\drivers\drmkaudd.sys turned out to be bad and was deleted, along with some other malware by the combofix scan.

in this post we will delete some other entries and then hopefully, after this, we can do a couple more scans before we give the all clear :)


firstly, did you disable the monitoring of your norton? your logs seem to show that it is disabled:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
DisableMonitoring=dword:00000001



secondly..........
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ab763d-ad55-11dc-8d43-00188bbe9b34}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


andrewuk
  • 0

#9
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
No pop-ups today!!! Thank you very much :)


looks like the file C:\alleCxb77n_cfdg.exe is ok, so we will leave it.

- I am almost 100 % sure that this exe-file is not wanted by me. Should I remove it anyway?


firstly, did you disable the monitoring of your norton? your logs seem to show that it is disabled:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
DisableMonitoring=dword:00000001

- No I didn't because I couldn't. Here is a screen shot of AntiVirus options:
http://www.aijaa.com...p?i=1795106.jpg

The option is grey so I cann't do anything about it. You seem to have noticed that my AntiVirus is disabled... Is my antivirus really enabled or disabled?


Combofix.txt

ComboFix 08-03-21.1 - alle 2008-03-22 9:23:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.417 [GMT 2:00]
Running from: C:\Documents and Settings\alle.TTT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\alle.TTT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 09:22 . 2008-03-22 09:22 3,631 --a------ C:\31.tmp
2008-03-21 22:06 . 2008-03-21 22:06 3,631 --a------ C:\26.tmp
2008-03-21 19:28 . 2008-03-21 19:28 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\Malwarebytes
2008-03-21 19:27 . 2008-03-21 19:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 19:27 . 2008-03-21 19:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-21 10:52 . 2008-03-21 10:52 <DIR> d-------- C:\_OTMoveIt
2008-03-20 22:58 . 2008-03-20 22:58 <DIR> d-------- C:\Program Files\HashTab Shell Extension
2008-03-20 22:23 . 2008-03-20 22:50 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\wxChecksums
2008-03-20 12:37 . 2008-03-20 12:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-20 12:37 . 2008-03-20 12:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-03-20 10:04 . 2008-03-20 10:04 <DIR> d-------- C:\Deckard
2008-03-19 14:21 . 2008-03-19 14:21 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-15 22:43 . 2008-03-15 22:43 <DIR> d-------- C:\Program Files\Unlocker
2008-03-15 22:42 . 2008-03-15 22:42 360,064 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-03-15 13:10 . 2008-03-15 13:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 13:10 . 2008-03-15 13:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 11:36 . 2008-03-15 12:19 <DIR> d-------- C:\Program Files\TVUPlayer
2008-03-15 11:02 . 2008-03-15 11:02 <DIR> d-------- C:\Program Files\BSplayer
2008-03-14 13:16 . 2008-03-14 13:16 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\Symantec
2008-03-14 12:56 . 2008-02-02 18:04 215,144 -ra------ C:\WINDOWS\patchw32.dll
2008-03-14 12:53 . 2008-02-02 18:04 215,144 -ra------ C:\WINDOWS\pw32a.dll
2008-03-14 12:37 . 2008-01-19 20:12 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2008-03-14 12:37 . 2008-01-19 19:31 109,360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-03-14 12:37 . 2008-01-19 19:31 15,664 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-03-14 12:36 . 2007-12-20 17:13 136,416 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2008-03-14 12:36 . 2008-01-19 19:45 38,112 --a------ C:\WINDOWS\system32\drivers\v2imount.sys
2008-03-14 12:36 . 2008-01-19 19:40 15,088 --a------ C:\WINDOWS\system32\drivers\vproeventmonitor.sys
2008-03-14 12:35 . 2008-03-14 12:35 <DIR> d-------- C:\Program Files\Norton Ghost
2008-03-14 10:36 . 2008-03-14 10:36 <DIR> d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-14 10:36 . 2004-11-30 10:51 84,636 --a------ C:\WINDOWS\system32\drivers\aksifdh.sys
2008-03-14 10:36 . 2004-11-30 10:51 32,472 --a------ C:\WINDOWS\system32\drivers\aksup.sys
2008-03-14 10:36 . 2008-03-14 10:36 88 --a------ C:\WINDOWS\Entrust.ini
2008-03-14 10:24 . 2008-03-14 10:24 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-03-14 10:16 . 2008-03-14 10:16 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-14 10:15 . 2008-03-14 10:15 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\DAEMON Tools
2008-03-14 09:10 . 2008-03-14 09:19 <DIR> d-------- C:\Documents and Settings\alle.TTT\.VirtualBox
2008-03-14 08:53 . 2008-02-20 20:17 27,776 --a------ C:\WINDOWS\system32\drivers\VBoxUSBMon.sys
2008-03-14 08:52 . 2008-02-20 20:17 40,928 --a------ C:\WINDOWS\system32\drivers\VBoxDrv.sys
2008-03-13 09:38 . 2008-03-13 09:38 <DIR> d-------- C:\Program Files\IrfanView
2008-03-12 11:29 . 2008-03-20 22:52 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-12 08:38 . 2008-03-12 08:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-12 08:38 . 2008-03-12 08:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-11 12:17 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-03-11 12:17 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-03-11 12:16 . 2008-03-11 12:16 <DIR> d-------- C:\Program Files\Nero
2008-03-11 12:16 . 2008-03-11 12:16 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-11 12:16 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-11 12:16 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-11 12:16 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-11 12:16 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-11 12:16 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-11 12:16 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-11 12:16 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-09 15:02 . 2008-03-09 15:02 <DIR> d-------- C:\Program Files\TopSet
2008-03-07 10:21 . 2008-03-07 10:23 <DIR> d-------- C:\Program Files\mp3DirectCut
2008-03-06 14:58 . 2008-03-06 14:58 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\MPEG Streamclip
2008-03-06 14:57 . 2008-03-06 14:57 <DIR> d-------- C:\Program Files\QuickTime Alternative
2008-03-06 14:57 . 2007-04-27 09:42 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-06 14:57 . 2007-04-27 09:42 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-06 11:02 . 2008-03-06 11:02 <DIR> d-------- C:\Documents and Settings\alle.TTT\Application Data\DivX
2008-03-06 10:54 . 2008-03-14 14:29 <DIR> d-------- C:\divx
2008-03-06 10:52 . 2008-03-06 10:52 <DIR> d-------- C:\Program Files\DivX
2008-03-06 10:29 . 2008-03-14 15:00 <DIR> d-------- C:\Program Files\MPlayer
2008-03-01 19:00 . 2008-03-01 19:00 89 --a------ C:\WINDOWS\TFDN_USB.INI
2008-02-27 09:31 . 2008-02-27 09:37 <DIR> d-------- C:\Program Files\MySQL Server 4.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 20:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-21 17:54 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\AvaFind Data
2008-03-20 10:17 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-18 14:32 --------- d-----w C:\Program Files\Apoint
2008-03-16 09:03 --------- d-----w C:\Program Files\ImTOO MPEG Encoder
2008-03-16 06:06 --------- d-----w C:\Program Files\PPMate
2008-03-15 20:42 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-03-15 09:00 --------- d-----w C:\Program Files\VLC Player
2008-03-15 07:48 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\uTorrent
2008-03-14 12:32 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Sandbox
2008-03-14 10:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-03-14 10:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-13 12:01 --------- d-----w C:\Program Files\MSN Messenger
2008-03-13 09:55 --------- d-----w C:\Program Files\VirtuaWin
2008-03-12 10:39 --------- d-----w C:\Program Files\EasyCleaner
2008-03-12 09:22 --------- d-----w C:\Program Files\Trillian
2008-03-12 09:18 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Hamachi
2008-03-12 08:24 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-12 08:22 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\skypePM
2008-03-12 08:22 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Skype
2008-03-12 06:38 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Lavasoft
2008-03-12 06:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 13:42 --------- d-----w C:\Program Files\Java
2008-03-06 12:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-02-16 12:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-16 11:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 08:45 1,599,488 --sh--w C:\alleCxb77n_cfdg.exe
2008-02-11 07:01 --------- d-----w C:\Program Files\save2pc
2008-02-07 13:05 --------- d-----w C:\Program Files\Dell
2008-01-27 13:57 --------- d-----w C:\Program Files\SopCast
2008-01-23 07:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\TVU networks
2008-01-22 09:55 --------- d-----w C:\Documents and Settings\alle.TTT\Application Data\Nokia
2008-01-22 09:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations
2008-01-22 09:32 --------- d-----w C:\Program Files\Nokia
2008-01-22 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-12-15 09:39 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
.

------- Sigcheck -------

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-03-15 22:42 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-03-15 22:42 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Restore Desktop"="C:\Program Files\Restore Desktop\Restore Desktop.exe" [ ]
"RestoreDesktop"="C:\Program Files\Restore Desktop\RestoreDesktop.exe" [2003-03-11 10:52 45056]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 00:29 62976]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 20:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 19:58 696320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 18:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 19:33 125168]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-07-20 16:55 1228800]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 14:00 143360]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-04-17 12:04:16 274432]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-27 11:25:03 692224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VirtuaWin.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VirtuaWin.lnk
backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiFreeze]
C:\Program Files\AntiFreeze\AntiFreeze.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTCertManger]
--a------ 2004-12-13 09:50 102400 C:\WINDOWS\system32\eTCrtMng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
--a------ 2008-02-02 18:30 2245984 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2006-06-18 13:56 712704 C:\Program Files\UltraVNC\WinVNC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FreeCall\\FreeCall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\UltraVNC\\winvnc.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\Virtual Pool 3\\vp3.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:VPN

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2004-08-04 14:00]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 12:22]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2007-08-25 14:51]
S3 SymSnapService;SymSnapService;"C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [2008-01-30 13:23]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S3 TFBULK;Topfield USB client driver;C:\WINDOWS\system32\drivers\TfBulk.sys [2003-08-26 14:11]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 09:26:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-03-22 9:27:07
ComboFix-quarantined-files.txt 2008-03-22 07:26:44
ComboFix2.txt 2008-03-21 20:21:58
.
2007-07-14 06:01:29 --- E O F ---



HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:38, on 2008-03-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189667763599
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189667753067
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.center.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.center.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.center.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11283 bytes


Own questions in addition to the ones in the beginning:

- I almost understood everything we have done during this conversation. But a couple of things anyway:
1. Why was the CFScript.txt dragged over ComboFix.exe and what happened there? Why wasn't the registry changed using a bat-file?
2. How does the OTMoveIt differ from the traditional deletion of a (single) file. Why are some files removed via OTMoveIt?
3. Off-Topic: Java Runtime environment (JRE) should be kept updated and the java temporary files should be removed in some cases. Can you tell me why should those files be removed every now and then (I read about this on another topic)

Edited by GaryGG, 22 March 2008 - 01:47 AM.

  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
your logs are looking good now. in this post we will do some final scans to see if there is anything else lurking on your machine.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.

but firstly, the answers to your questions.

looks like the file C:\alleCxb77n_cfdg.exe is ok, so we will leave it.

- I am almost 100 % sure that this exe-file is not wanted by me. Should I remove it anyway?

if you want to, then you can delete it manually. i do not recognise it as a system file (in fact i am pretty sure it is not).

The option is grey so I cann't do anything about it. You seem to have noticed that my AntiVirus is disabled... Is my antivirus really enabled or disabled?

no, your antivirus is enabled, i was just curious about that registry entry. no problems now :)

1. Why was the CFScript.txt dragged over ComboFix.exe and what happened there? Why wasn't the registry changed using a bat-file?
2. How does the OTMoveIt differ from the traditional deletion of a (single) file. Why are some files removed via OTMoveIt?

combofix is able to change registry entries via that drag and drop method, and thus instead of going through the motions of setting up a .reg file we went this method, it also has the advantage of letting me see the combofix information again, and i suspect that will be the last time i take a look at that depth of information in this fix. we could easily have gone another way. one of the advantages of OTMoveIT is being able to copy and paste a list of files to be deleted instead of having a user manually seek each file out. much of our aim is to keep a fix simple and reduce the risk of user error.

3. Off-Topic: Java Runtime environment (JRE) should be kept updated and the java temporary files should be removed in some cases. Can you tell me why should those files be removed every now and then (I read about this on another topic)

it is important to keep your java up to date to prevent prior vulnerabilities being exploited by malware. also, malware can place itself in the java cache, hence the need to clear it.

and now the scans.....

====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 3====
and an online scan........

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report


in your next reply could i see:
1. the SUPERantispyware scan
2. the TotalScan report
3. some idea of how your machine is running now

andrewuk
  • 0

Advertisements


#11
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

-Done, but after doing this(?) I lost all the graphics on geekstogo-website:
http://www.aijaa.com...p?i=1797050.jpg
(When writing this message, there is no Bold / Italic buttons on top of this text box
I am using Firefox!
Internet Explorer shows the pages great (=normally).
I rebooted the machine and reloaded the page, but nothing seems to happen...


the SUPERantispyware scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 01:54 PM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:40:42

Memory items scanned : 631
Memory threats detected : 0
Registry items scanned : 6010
Registry threats detected : 0
File items scanned : 67360
File threats detected : 0



2. the TotalScan report

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-03-22 16:55:52
PROTECTIONS: 1
MALWARE: 35
SUSPECTS: 1
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Symantec AntiVirus Corporate Edition 10.1.5.5000 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.casalemedia.com/]
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{A8DC4FB0-3D02-4DDA-99E9-BBC8A5E4F1B8}\RP153\A0022172.exe[SDFix\apps\Process.exe]
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.anm.co.uk/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.tucows.com/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.revenue.net/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.yadro.ru/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.xiti.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.toplist.cz/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][ad.yieldmanager.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.bs.serving-sys.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.888.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.888.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.888.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.888.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.888.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[stat.onestat.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.zedo.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.adultfriendfinder.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.go.com/]
00199231 HackTool/EvID HackTools No 0 Yes No C:\alle\Asennustiedostoja\EventID 4226 Patcher Version 2.23d.zip[EvID4226Patch.exe]
00205140 Cookie/Research-int TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.research-int.se/]
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.i.screensavers.com/]
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.i.screensavers.com/]
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.i.screensavers.com/]
00260616 Trj/Agent.BLZ Virus/Trojan No 1 No No C:\alle\Asennustiedostoja\Streamit\pcast_1.1.exe[PcastUpdate.dll]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.atwola.com/]
00262021 Cookie/Kmpads TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.kmpads.com/]
00262021 Cookie/Kmpads TrackingCookie No 0 Yes No C:\alle\Kaikkea\Firefox 2.0.0.9 fi - 2007-11-07.pcv[cookies.txt][.kmpads.com/]
00794859 Adware/Dudu Adware No 0 No No C:\alle\Asennustiedostoja\Streamit\pcast_1.1.exe[pCastCtl.dll]
00794922 Adware/Dudu Adware No 0 No No C:\alle\Asennustiedostoja\Streamit\pcast_1.1.exe[PodcastBarMini.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{A8DC4FB0-3D02-4DDA-99E9-BBC8A5E4F1B8}\RP152\A0022061.EXE
01196326 Cookie/GoClick TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.goclick.com/]
01196326 Cookie/GoClick TrackingCookie No 0 Yes No C:\Documents and Settings\alle\Application Data\Mozilla\Firefox\Profiles\7y7thpqf.default\cookies.txt[.goclick.com/]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A8DC4FB0-3D02-4DDA-99E9-BBC8A5E4F1B8}\RP151\A0021864.exe
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\alle.TTT\Application Data\Mozilla\Firefox\Profiles\aykf9ahj.default\cookies.txt[.adserver.easyad.info/]
01891798 Generic Malware Virus/Trojan No 0 Yes No C:\alle\Asennustiedostoja\Vanhoja\WinRAR 3.62 Cracked.zip[WinRAR.exe]
02377451 Adware/SaveNow Adware No 0 No No C:\System Volume Information\_restore{A8DC4FB0-3D02-4DDA-99E9-BBC8A5E4F1B8}\RP150\A0020866.exe[AdVantageSetup.exe]
02377451 Adware/SaveNow Adware No 0 No No C:\alle\Asennustiedostoja\BSPlayer 2.27 Build 959.exe[AdVantageSetup.exe]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{A8DC4FB0-3D02-4DDA-99E9-BBC8A5E4F1B8}\RP152\A0022056.sys
02893893 Trj/Bancos.RQ Virus/Trojan No 0 No No C:\alle\ComboFix.exe[327882R2FWJFW\pv.cfexe]
02893893 Trj/Bancos.RQ Virus/Trojan No 0 No No C:\System Volume Information\_restore{A8DC4FB0-3D02-4DDA-99E9-BBC8A5E4F1B8}\RP151\A0021862.exe[327882R2FWJFW\pv.cfexe]
;===============================================================================
=================================================================================
===================
SUSPECTS
Location
;===============================================================================
=================================================================================
===================
C:\PROGRAM FILES\ULTRAVNC\WINVNC.EXE
;===============================================================================
=================================================================================
===================

I was not able to remove the infected items and files, because that would have required a Pro version...


3. some idea of how your machine is running now
No pop-ups since the first ComboFix! Working great!


Questions:
1. What is the difference between for example the Malwarebytes' Anti-Malware scan and the SUPERAntiSpyware Scan?
I did the MBAM in the preliminary stages of the cleaning process and now I ran SUPERAntiSpyware. Is the latter one a deeper and more complete scan?

2. Also the difference between HJT scan and DSS seems to be that the latter one is more versatile, although HJT allow the user to delete some entries but DDS writes only the log?

3. I have used Spybot, Ad-Aware and SpywareBlaster for adware&spyware protection. Are those just non-professional tools because they are not able to find and delete these bugs?
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

-Done, but after doing this(?) I lost all the graphics on geekstogo-website:

sounds like we should clear your firefox cache.

To clear the cache, go to Tools > Options
Go to Advanced category, and then click on the Network tab.
Under Cache, click the Clear Now button.
Click OK.

I was not able to remove the infected items and files, because that would have required a Pro version...

we only use it to highlight potential issues, and then we can remove them. the scan found some infected files, though many were either harmless cookies or safely quarantined away or in the system restore points (which we will clear in the next post).

1. What is the difference between for example the Malwarebytes' Anti-Malware scan and the SUPERAntiSpyware Scan?
I did the MBAM in the preliminary stages of the cleaning process and now I ran SUPERAntiSpyware. Is the latter one a deeper and more complete scan?

malwarebytes is a general antimalware program, i was using it to home in on your infection. in this fix, it took me a little longer than normal to find the problem. SUPERantispyware is a dedicated antispyware program which i always use towards the end as a final check.

2. Also the difference between HJT scan and DSS seems to be that the latter one is more versatile, although HJT allow the user to delete some entries but DDS writes only the log?

hijackthis runs the scan you can see but also allows you to fix entries. DSS also runs the scan, but goes somewhat deeper as you saw and gives me a better chance of spotting infections.

3. I have used Spybot, Ad-Aware and SpywareBlaster for adware&spyware protection. Are those just non-professional tools because they are not able to find and delete these bugs?

no, they are good. in my final post i will be recommending those. but some infections can just get past most things these days.

in this post we will remove the final infected files we found and then heopfully wrap up in the next post.


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\alle\Asennustiedostoja\Streamit\pcast_1.1.exe
    C:\alle\Asennustiedostoja\Vanhoja\WinRAR 3.62 Cracked.zip
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

also, if you dont know if these files are legit, could you delete them also:
C:\alle\Asennustiedostoja\EventID 4226 Patcher Version 2.23d.zip
C:\alle\Asennustiedostoja\BSPlayer 2.27 Build 959.exe



in your next reply could i see:
1. the OTMoveIt log

andrewuk
  • 0

#13
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Thank you: emptying the Firefox cache solved the "graphic problem"!


And here is the OTMoveIT log:

C:\alle\Asennustiedostoja\Streamit\pcast_1.1.exe moved successfully.
C:\alle\Asennustiedostoja\Vanhoja\WinRAR 3.62 Cracked.zip moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_193845

-Should I furthermore delete those files which lie in under the OTMoveIT?


Question: Is it dangerous to run ComboFix every now and then (even if you don't have idea of having malware in your computer)?

Edited by GaryGG, 22 March 2008 - 11:57 AM.

  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
HI GaryGG

congratulations, your logs are clean :)

-Should I furthermore delete those files which lie in under the OTMoveIT?

just as easily delete them manually, to be honest.

in this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
clearing away the fix tools and reseting your restore points.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
If you have trouble with this, let me know and we will clear away the fix tools and reset your restore points another way

you can clear away the rest of the fix tools we used.

====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

andrewuk
  • 0

#15
GaryGG

GaryGG

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Thank you very much for your help!!


Just to clarify some issues concerning the software you recommended:

1. Are SpywareBlaster and SpywareShied similar products: should I use them both or only one of them?
2. In Spybot there is an Immunize section in the new version: do I need for ex. SpywareBlaster anymore?
3. IE Spyad: is this only for Internet Explorer? I normally use Firefox.

And this one from the previous post:
Is it dangerous to run ComboFix every now and then (even if you don't have idea of having malware in your computer)?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP