Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virtumonde [RESOLVED]

Started by ronbc , Mar 30 2008 03:44 AM

  • This topic is locked This topic is locked

#1
ronbc
Posted 30 March 2008 - 03:44 AM

ronbc

    Member

  • Member
  • PipPip
  • 21 posts
Hi there,

Firstly, allow me to introduce and explain the situation here.
I'm Ronny, nice to meet you :)

I got this malware from my friend in MSN.
She sent me a message like 'is this you' along with URL. And it turns out to be a trojan.
I have tried VundoFix 7.0.3, but it doesnt display any 'broken' files.
I have run SpyBot, and I got Virtumonde.dll in my system and registry.

The last thing that I can do is to ask you guys about this matter.
Please help me :)
The following is the log of my HiJackThis and OTScanIt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:59 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\RoamMgr.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Personal Reminder\PersonalReminder.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Ryonn\Desktop\OTScanIt\OTScanIt.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.219.217.130:3128
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BMb370ec63] Rundll32.exe "C:\WINDOWS\system32\shfufamb.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartupPersonalReminder] C:\Program Files\Personal Reminder\PersonalReminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bux.to Autoclicker.lnk = ?
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopet.../dev/gopets.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\system32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 9223 bytes

For the HiJackThis, if possible I'd like to remove those GoPets too.


[code=auto:0]OTScanIt logfile created on: 3/30/2008 6:11:42 PM
OTScanIt by OldTimer - Version 1.0.7.0 Folder = C:\Documents and Settings\Ryonn\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.80 Mb Total Physical Memory | 279.05 Mb Available Physical Memory | 54.63% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 4096 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 14.91 Gb Free Space | 26.69% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-70270CF99A
Current User Name: Ryonn
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ati2evxx.exe -> %SystemRoot%\system32\Ati2evxx.exe -> [Ver = | Size = 389120 bytes | Modified Date = 8/31/2004 3:53:00 PM | Attr = ]
s24evmon.exe -> %SystemRoot%\system32\S24EvMon.exe -> Intel Corporation [Ver = 4, 1, 0, 3 | Size = 303171 bytes | Modified Date = 9/11/2003 6:45:46 AM | Attr = ]
zcfgsvc.exe -> %SystemRoot%\system32\ZCfgSvc.exe -> Intel Corporation [Ver = 4, 1, 0, 53 | Size = 356352 bytes | Modified Date = 9/11/2003 6:49:06 AM | Attr = ]
avgamsvr.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 10/24/2007 8:14:32 AM | Attr = ]
avgupsvc.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 3/10/2007 9:25:02 PM | Attr = ]
regsrvc.exe -> %SystemRoot%\system32\RegSrvc.exe -> Intel Corporation [Ver = 4, 1, 0, 0 | Size = 122880 bytes | Modified Date = 9/11/2003 6:45:04 AM | Attr = ]
roammgr.exe -> %SystemRoot%\system32\RoamMgr.exe -> Intel Corporation [Ver = 1, 0, 0, 2 | Size = 139264 bytes | Modified Date = 9/11/2003 6:49:46 AM | Attr = ]
1xconfig.exe -> %SystemRoot%\system32\1XConfig.exe -> Intel [Ver = 4, 1, 0, 3 | Size = 184320 bytes | Modified Date = 9/11/2003 6:46:14 AM | Attr = ]
hcontrol.exe -> %SystemRoot%\ATK0100\HControl.exe -> [Ver = 1043, 2, 15, 41 | Size = 94208 bytes | Modified Date = 11/3/2004 3:48:00 PM | Attr = ]
alu.exe -> %ProgramFiles%\ASUS\ASUS Live Update\ALU.exe -> [Ver = 1, 0, 0, 1 | Size = 172032 bytes | Modified Date = 9/19/2003 12:54:44 PM | Attr = ]
batterylife.exe -> %ProgramFiles%\ASUS\Power4 Gear\BatteryLife.exe -> ASUSTeK Computer Inc. [Ver = 1043, 6, 15, 110 | Size = 81920 bytes | Modified Date = 1/19/2004 4:33:58 PM | Attr = ]
syntplpr.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> Synaptics, Inc. [Ver = 7.11.6 23Jul04 | Size = 102400 bytes | Modified Date = 8/5/2004 5:24:00 PM | Attr = ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 7.11.6 23Jul04 | Size = 684032 bytes | Modified Date = 8/5/2004 5:24:00 PM | Attr = ]
atiptaxx.exe -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.14.10.5117 | Size = 339968 bytes | Modified Date = 8/3/2004 9:10:00 PM | Attr = ]
avgcc.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.504 | Size = 579072 bytes | Modified Date = 12/21/2007 8:14:04 AM | Attr = ]
daemon.exe -> %ProgramFiles%\D-Tools\daemon.exe -> DAEMON'S HOME [Ver = 3.46.0.0 | Size = 81920 bytes | Modified Date = 3/12/2004 10:43:18 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 144784 bytes | Modified Date = 2/22/2008 4:25:22 AM | Attr = ]
winampa.exe -> %ProgramFiles%\Winamp\winampa.exe -> [Ver = | Size = 35328 bytes | Modified Date = 5/15/2007 8:22:22 AM | Attr = ]
personalreminder.exe -> %ProgramFiles%\Personal Reminder\PersonalReminder.exe -> Peter Melchart [Ver = 2, 0, 30, 0 | Size = 266240 bytes | Modified Date = 7/15/2004 1:02:44 PM | Attr = ]
chkmail.exe -> %ProgramFiles%\Asus\Asus ChkMail\ChkMail.exe -> asus [Ver = 1043, 1, 15, 5 | Size = 32768 bytes | Modified Date = 9/12/2003 8:25:30 PM | Attr = ]
atkosd.exe -> %SystemRoot%\ATK0100\ATKOSD.exe -> [Ver = 1043, 2, 15, 41 | Size = 1654784 bytes | Modified Date = 11/3/2004 3:48:00 PM | Attr = ]
yahoomessenger.exe -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.7.0 | Size = 369152 bytes | Modified Date = 3/27/2008 12:38:50 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 11/28/2005 12:21:04 AM | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %SystemRoot%\system32\Ati2evxx.exe -> [Ver = | Size = 389120 bytes | Modified Date = 8/31/2004 3:53:00 PM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 10/24/2007 8:14:32 AM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 3/10/2007 9:25:02 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\System32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 8:00:00 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 3:24:18 AM | Attr = ]
(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe -> [Ver = 2.42.000 | Size = 68096 bytes | Modified Date = 5/14/2007 10:02:32 PM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.1.301.0 | Size = 139264 bytes | Modified Date = 4/29/2003 2:29:54 PM | Attr = ]
(RegSrvc) RegSrvc [Win32_Own | Auto | Running] -> %SystemRoot%\system32\RegSrvc.exe -> Intel Corporation [Ver = 4, 1, 0, 0 | Size = 122880 bytes | Modified Date = 9/11/2003 6:45:04 AM | Attr = ]
(RoamMgr) RoamMgr [Win32_Own | Auto | Running] -> %SystemRoot%\system32\RoamMgr.exe -> Intel Corporation [Ver = 1, 0, 0, 2 | Size = 139264 bytes | Modified Date = 9/11/2003 6:49:46 AM | Attr = ]
(S24EventMonitor) Spectrum24 Event Monitor [Win32_Own | Auto | Running] -> %SystemRoot%\system32\S24EvMon.exe -> Intel Corporation [Ver = 4, 1, 0, 3 | Size = 303171 bytes | Modified Date = 9/11/2003 6:45:46 AM | Attr = ]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(atapi) Standard IDE/ESDI Hard Disk Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\atapi.sys -> [Ver = | Size = 95360 bytes | Modified Date = 8/3/2004 10:59:44 PM | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6467 | Size = 768512 bytes | Modified Date = 8/31/2004 3:53:00 PM | Attr = ]
(Avg7Core) AVG7 Kernel [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 10/24/2007 8:14:22 AM | Attr = ]
(Avg7RsW) AVG7 Wrap Driver [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 3/10/2007 9:25:06 PM | Attr = ]
(Avg7RsXP) AVG7 Resident Driver XP [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 3/10/2007 9:25:06 PM | Attr = ]
(AvgClean) AVG7 Clean Driver [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10760 bytes | Modified Date = 12/21/2007 8:14:10 AM | Attr = ]
(b57w2k) Broadcom NetXtreme Gigabit Ethernet [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\b57xp32.sys -> Broadcom Corporation [Ver = 7.15.0.0 built by: WinDDK | Size = 112896 bytes | Modified Date = 10/24/2003 12:16:26 AM | Attr = ]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(cdrbsdrv) cdrbsdrv [Kernel | System | Running] -> %SystemRoot%\System32\drivers\CDRBSDRV.SYS -> B.H.A Corporation [Ver = 7. 0. 0. 5 | Size = 13567 bytes | Modified Date = 3/8/2004 12:55:50 PM | Attr = ]
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(d346bus) d346bus [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\d346bus.sys -> [Ver = 3.46.0.0 built by: WinDDK | Size = 156800 bytes | Modified Date = 3/12/2004 10:41:28 PM | Attr = ]
(d346prt) d346prt [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\d346prt.sys -> [Ver = 3.46.0.0 built by: WinDDK | Size = 5248 bytes | Modified Date = 3/12/2004 10:41:42 PM | Attr = ]
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\System32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 8:00:00 PM | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\System32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 8:00:00 PM | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\System32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 8:00:00 PM | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(DS1410D) DS1410D [Kernel | Auto | Running] -> %SystemRoot%\SYSTEM32\drivers\DS1410D.SYS -> [Ver = | Size = 7328 bytes | Modified Date = 7/10/1998 4:31:00 AM | Attr = ]
(hardlock) hardlock [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\hardlock.sys -> Aladdin Knowledge Systems [Ver = 2.85 | Size = 453632 bytes | Modified Date = 9/24/2006 11:32:32 PM | Attr = ]
(Haspnt) Haspnt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\Haspnt.sys -> Aladdin Knowledge Systems [Ver = 4.65 | Size = 47616 bytes | Modified Date = 9/24/2006 11:32:30 PM | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(HSFHWICH) HSFHWICH [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSFHWICH.sys -> Conexant Systems, Inc. [Ver = 7.03.00 | Size = 197504 bytes | Modified Date = 11/18/2003 5:36:48 PM | Attr = ]
(HSF_DP) HSF_DP [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_DP.sys -> Conexant Systems, Inc. [Ver = 7.03.00 | Size = 1043072 bytes | Modified Date = 11/18/2003 5:36:46 PM | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(MDC8021X) AEGIS Protocol (IEEE 802.1x) v2.2.1.0 [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdc8021x.sys -> Meetinghouse Data Communications [Ver = 2.2.1.0 | Size = 14037 bytes | Modified Date = 4/26/2001 12:47:52 AM | Attr = ]
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> Conexant [Ver = 1.0.2.002 | Size = 11043 bytes | Modified Date = 11/18/2003 5:36:48 PM | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(MTsensor) ATK0100 ACPI UTILITY [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ATKACPI.sys -> [Ver = 1043, 2, 15, 41 | Size = 5632 bytes | Modified Date = 11/3/2004 3:48:00 PM | Attr = ]
(nmwcd) Nokia USB Phone Parent [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nmwcd.sys -> Nokia [Ver = 6.84.0.0 | Size = 137216 bytes | Modified Date = 6/28/2007 11:44:58 AM | Attr = ]
(nmwcdc) Nokia USB Generic [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nmwcdc.sys -> Nokia [Ver = 6.84.0.0 | Size = 8320 bytes | Modified Date = 6/28/2007 11:44:16 AM | Attr = ]
(nmwcdcj) Nokia USB Port [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nmwcdcj.sys -> Nokia [Ver = 6.84.0.0 | Size = 12288 bytes | Modified Date = 6/28/2007 11:44:18 AM | Attr = ]
(nmwcdcm) Nokia USB Modem [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nmwcdcm.sys -> Nokia [Ver = 6.84.0.0 | Size = 12288 bytes | Modified Date = 6/28/2007 11:44:18 AM | Attr = ]
(npkcrypt) npkcrypt [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Gravity\RO\npkcrypt.sys -> File not found
(NSCIRDA) NSC Infrared Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nscirda.sys -> National Semiconductor Corporation [Ver = 5,02,00,011 (xpsp_sp2_rtm.040803-2158) | Size = 28672 bytes | Modified Date = 8/3/2004 11:00:52 PM | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 8:00:00 PM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\PxHelp20.sys -> Sonic Solutions [Ver = 3.00.56a | Size = 43528 bytes | Modified Date = 3/8/2007 9:51:00 AM | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(s24trans) WLAN Transport [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\s24trans.sys -> Intel Corporation [Ver = 4, 1, 0, 3 | Size = 10970 bytes | Modified Date = 9/11/2003 6:34:30 AM | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 11/13/2007 9:25:54 PM | Attr = ]
(Sentinel) Sentinel [Kernel | Auto | Running] -> %SystemRoot%\System32\Drivers\SENTINEL.SYS -> Rainbow Technologies, Inc. [Ver = SSD-5.39 | Size = 73728 bytes | Modified Date = 6/21/2001 9:39:02 PM | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(Sntnlusb) Rainbow USB SuperPro [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\SNTNLUSB.SYS -> Rainbow Technologies Inc. [Ver = SSD-5.39b03 (Beta) | Size = 20032 bytes | Modified Date = 6/21/2001 9:39:02 PM | Attr = R ]
(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\SONYPVU1.SYS -> Sony Corporation [Ver = 1.3.0526.0 (XPClient.010817-1148) | Size = 7552 bytes | Modified Date = 8/17/2001 1:56:16 PM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(STAC97) SigmaTel C-Major Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\STAC97.sys -> SigmaTel, Inc. [Ver = 5.10.4184 | Size = 253424 bytes | Modified Date = 10/22/2004 5:54:00 PM | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> Synaptics, Inc. [Ver = 7.11.6 23Jul04 | Size = 185824 bytes | Modified Date = 8/5/2004 5:24:00 PM | Attr = ]
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
(ViaIde) ViaIde [Kernel | Disabled | Stopped] -> -> File not found
(w70n51) Intel(R) PRO/Wireless 7100 Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\w70n51.sys -> Intel® Corporation [Ver = 1.2.1.1 | Size = 2479104 bytes | Modified Date = 10/23/2003 7:21:16 PM | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.03.00 built by: WinDDK | Size = 678400 bytes | Modified Date = 11/18/2003 5:36:46 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr = ]
ASUS Live Update -> %ProgramFiles%\ASUS\ASUS Live Update\ALU.exe -> [Ver = 1, 0, 0, 1 | Size = 172032 bytes | Modified Date = 9/19/2003 12:54:44 PM | Attr = ]
ATIPTA -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.14.10.5117 | Size = 339968 bytes | Modified Date = 8/3/2004 9:10:00 PM | Attr = ]
AVG7_CC -> %SystemDrive%\PROGRA~1\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.504 | Size = 579072 bytes | Modified Date = 12/21/2007 8:14:04 AM | Attr = ]
BMb370ec63 -> %SystemRoot%\system32\swnipqhf.DLL -> File not found
DAEMON Tools-1033 -> %ProgramFiles%\D-Tools\daemon.exe -> DAEMON'S HOME [Ver = 3.46.0.0 | Size = 81920 bytes | Modified Date = 3/12/2004 10:43:18 PM | Attr = ]
HControl -> %SystemRoot%\ATK0100\HControl.exe -> [Ver = 1043, 2, 15, 41 | Size = 94208 bytes | Modified Date = 11/3/2004 3:48:00 PM | Attr = ]
NeroFilterCheck -> %SystemRoot%\system32\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 7/9/2001 10:50:42 AM | Attr = ]
Power_Gear -> %ProgramFiles%\ASUS\Power4 Gear\BatteryLife.exe -> ASUSTeK Computer Inc. [Ver = 1043, 6, 15, 110 | Size = 81920 bytes | Modified Date = 1/19/2004 4:33:58 PM | Attr = ]
PRONoMgr.exe -> %ProgramFiles%\Intel\NCS\PROSet\PRONoMgr.exe -> Intel(R) Corporation [Ver = 6.1.303.0 | Size = 86016 bytes | Modified Date = 5/28/2003 5:21:22 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 9/1/2006 3:57:48 PM | Attr = ]
RegistryMechanic -> -> File not found
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 144784 bytes | Modified Date = 2/22/2008 4:25:22 AM | Attr = ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 7.11.6 23Jul04 | Size = 684032 bytes | Modified Date = 8/5/2004 5:24:00 PM | Attr = ]
SynTPLpr -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> Synaptics, Inc. [Ver = 7.11.6 23Jul04 | Size = 102400 bytes | Modified Date = 8/5/2004 5:24:00 PM | Attr = ]
WinampAgent -> %ProgramFiles%\Winamp\winampa.exe -> [Ver = | Size = 35328 bytes | Modified Date = 5/15/2007 8:22:22 AM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
-> -> File not found
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 5, 2, 16 | Size = 2097488 bytes | Modified Date = 1/28/2008 11:43:40 AM | Attr = RHS]
StartupPersonalReminder -> %ProgramFiles%\Personal Reminder\PersonalReminder.exe -> Peter Melchart [Ver = 2, 0, 30, 0 | Size = 266240 bytes | Modified Date = 7/15/2004 1:02:44 PM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\ASUS ChkMail.lnk -> %ProgramFiles%\Asus\Asus ChkMail\ChkMail.exe -> asus [Ver = 1043, 1, 15, 5 | Size = 32768 bytes | Modified Date = 9/12/2003 8:25:30 PM | Attr = ]
< Ryonn Startup Folder > -> C:\Documents and Settings\Ryonn\Start Menu\Programs\Startup ->
%UserProfile%\Start Menu\Programs\Startup\Bux.to Autoclicker.lnk -> %UserProfile%\Desktop\Work\Bux.To\Bux.to Autoclicker.exe -> [Ver = | Size = 876544 bytes | Modified Date = 1/11/2008 3:06:06 PM | Attr = ]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ljJCuTkI.dll [] -> File not found
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
ljJCuTkI -> -> File not found
Sebring -> %SystemRoot%\system32\LgNotify.dll -> Intel Corporation [Ver = 4, 1, 0, 0 | Size = 110592 bytes | Modified Date = 9/11/2003 6:50:32 AM | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 177 ->
< HOSTS File > (230054 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.asus.com ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
HKEY_CURRENT_USER\: ProxyOverride -> <local> ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4266 domain(s) found. ->
33 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4289 domain(s) found. ->
www_christlivingchurch.com [https] -> Trusted sites ->
33 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 78 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ljJCuTkI.dll [Reg Error: Value does not exist or could not be read.] -> File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_05\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 509328 bytes | Modified Date = 2/22/2008 4:25:20 AM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{986EA05A-B894-4D33-BC94-CF735C02412D} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcBTLbc.dll [Reg Error: Value does not exist or could not be read.] -> [Ver = | Size = 273920 bytes | Modified Date = 3/28/2008 1:55:30 AM | Attr = ]
{A5366673-E8CA-11D3-9CD9-0090271D075B} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\FLASHGET\jccatch.dll [IeCatch2 Class] -> Amaze Soft [Ver = 1, 1, 4, 0 | Size = 65536 bytes | Modified Date = 1/16/2002 7:12:18 PM | Attr = ]
{CD292324-974F-4224-D074-CACA427AA030} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\Neopets\Toolbar\Toolbar.dll [Neopets] -> Velocity Services, Inc. [Ver = 4.0.2496.19628 | Size = 640552 bytes | Modified Date = 11/16/2006 4:03:42 AM | Attr = ]
{CD7155D6-F45C-4FF0-91BC-E57273804A7B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{CD292324-974F-4224-D074-CACA427AA030} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\Neopets\Toolbar\Toolbar.dll [Neopets] -> Velocity Services, Inc. [Ver = 4.0.2496.19628 | Size = 640552 bytes | Modified Date = 11/16/2006 4:03:42 AM | Attr = ]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\FLASHGET\fgiebar.dll [FlashGet Bar] -> Amaze Soft [Ver = 1, 2, 0, 0 | Size = 86016 bytes | Modified Date = 6/7/2005 11:06:10 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{CD292324-974F-4224-D074-CACA427AA030} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\Neopets\Toolbar\Toolbar.dll [Neopets] -> Velocity Services, Inc. [Ver = 4.0.2496.19628 | Size = 640552 bytes | Modified Date = 11/16/2006 4:03:42 AM | Attr = ]
WebBrowser\\{F2CF5485-4E02-4F68-819C-B92DE9277049} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 132496 bytes | Modified Date = 2/22/2008 4:25:20 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_05\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 509328 bytes | Modified Date = 2/22/2008 4:25:20 AM | Attr = ]
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}:Exec -> %SystemDrive%\PROGRA~1\FLASHGET\flashget.exe [FlashGet] -> Amaze Soft [Ver = 1, 7, 1, 0 | Size = 1318912 bytes | Modified Date = 9/6/2005 3:50:32 PM | Attr = ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr = ]
{E19ADC6E-3909-43E4-9A89-B7B676377EE3}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sothink SWF Catcher] -> File not found
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}:Exec -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe [Yahoo! Messenger] -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 132496 bytes | Modified Date = 2/22/2008 4:25:20 AM | Attr = ]
CmdMapping\\{A75C6120-9B36-11d4-A3F0-009027427750} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\FLASHGET\flashget.exe [FlashGet] -> Amaze Soft [Ver = 1, 7, 1, 0 | Size = 1318912 bytes | Modified Date = 9/6/2005 3:50:32 PM | Attr = ]
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr = ]
CmdMapping\\{E19ADC6E-3909-43E4-9A89-B7B676377EE3} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\COMMON~1\SOURCE~1\SWFCAT~1\SWFCAT~1.DLL [SWFDecompiler.InternetExplorer] -> SourceTec [Ver = 1, 9, 0, 0 | Size = 389120 bytes | Modified Date = 12/21/2004 12:00:00 PM | Attr = ]
CmdMapping\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [Messenger Class] -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr = ]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Download All by FlashGet -> %ProgramFiles%\FlashGet\jc_all.htm -> [Ver = | Size = 575 bytes | Modified Date = 2/6/2000 11:06:06 AM | Attr = ]
Download using FlashGet -> %ProgramFiles%\FlashGet\jc_link.htm -> [Ver = | Size = 1898 bytes | Modified Date = 2/6/2000 11:06:34 AM | Attr = ]
Google AdSense Preview Tool -> -> File not found
Sothink SWF Catcher -> %CommonProgramFiles%\SourceTec\SWF Catcher\InternetExplorer.htm -> [Ver = | Size = 191 bytes | Modified Date = 12/21/2004 12:00:00 PM | Attr = ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microso
  • 0

Advertisements

#2
Rorschach112
Posted 30 March 2008 - 01:53 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please don't put the logs in quote boxes


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
ronbc
Posted 30 March 2008 - 07:08 PM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi,

This is the Combofix log

ComboFix 08-03-30.2 - Ryonn 2008-03-31 11:50:52.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.266 [GMT 11:00]
Running from: C:\Documents and Settings\Ryonn\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\_desktop.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\_desktop.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Extras\_desktop.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Settings\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009F518\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\000A4626\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Videos\_desktop.ini
C:\WINDOWS\BMb370ec63.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aJlUuBeg.ini
C:\WINDOWS\system32\aJlUuBeg.ini2
C:\WINDOWS\system32\cbLTBcdd.ini
C:\WINDOWS\system32\cbLTBcdd.ini2
C:\WINDOWS\system32\ddcBTLbc.dll
C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\shfufamb.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 12:01 . 2008-03-31 12:01 <DIR> d--hs---- C:\FOUND.018
2008-03-31 01:23 . 2008-03-31 01:25 230 --a------ C:\Lirik 3
2008-03-30 15:55 . 2008-03-30 15:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-30 00:18 . 2008-03-30 00:18 <DIR> d-------- C:\VundoFix Backups
2008-03-29 19:47 . 2008-03-29 19:48 86,592 --------- C:\WINDOWS\system32\swnipqhf.dll_old
2008-03-28 10:11 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 10:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 10:11 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 01:29 . 2008-03-28 01:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 00:09 . 2008-03-28 00:09 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-28 00:05 . 2008-03-28 00:05 273,920 --a------ C:\WINDOWS\system32\geBuUlJa.dll_old
2008-03-27 23:38 . 2008-03-27 23:38 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-27 23:37 . 2008-03-27 23:37 <DIR> d-------- C:\Program Files\Windows Live
2008-03-27 23:37 . 2008-03-27 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 01:11 . 2008-03-30 23:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 01:11 . 2008-03-27 01:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 22:10 . 2008-03-23 22:11 187 --a------ C:\WINDOWS\ContentComposer.ini
2008-03-23 22:09 . 2008-03-23 22:09 <DIR> d-------- C:\ContentComposer
2008-03-23 22:09 . 2006-08-16 21:57 39,424 --a------ C:\WINDOWS\dzinst.exe
2008-03-23 22:09 . 2008-03-23 22:09 860 --a------ C:\WINDOWS\ccinst.ini
2008-03-21 17:45 . 2008-03-21 17:45 <DIR> d--hs---- C:\FOUND.017
2008-03-21 08:51 . 2008-03-21 08:51 <DIR> d-------- C:\Program Files\Free Music Zilla
2008-03-21 08:51 . 2008-03-21 08:51 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\FMZilla
2008-03-17 14:00 . 2008-03-17 14:00 <DIR> d--hs---- C:\FOUND.016
2008-03-15 14:23 . 2008-03-27 19:37 567 --a------ C:\WINDOWS\boxworld.ini
2008-03-11 04:15 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-03-11 04:15 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-11 04:15 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\DScaler5
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2008-03-06 18:52 . 2008-03-06 18:52 <DIR> d-------- C:\Program Files\Zoom Player
2008-03-06 00:44 . 2008-03-06 00:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 23:49 . 2008-02-25 23:49 <DIR> d-------- C:\bm
2008-02-25 23:48 . 2008-02-25 23:48 <DIR> d-------- C:\Program Files\Windows Grep
2008-02-21 13:05 . 2008-02-21 13:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-21 13:05 . 2008-02-21 13:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-16 09:25 . 2008-02-16 09:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-15 00:43 . 2008-02-15 00:43 137 --a------ C:\WINDOWS\oports.INI
2008-02-14 23:30 . 2008-02-14 23:30 <DIR> d-------- C:\Program Files\Filesland
2008-02-14 14:01 . 2008-02-14 14:01 <DIR> d-------- C:\Program Files\JitBit
2008-02-09 21:46 . 2008-02-09 21:49 22,695 --a------ C:\WINDOWS\inf.tmp
2008-02-09 21:46 . 2008-02-09 21:49 301 --a------ C:\WINDOWS\mid.tmp
2008-02-09 20:36 . 2008-02-09 21:49 15,430 --a------ C:\WINDOWS\global.tmp
2008-02-09 13:36 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-09 13:36 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-09 03:29 . 2008-02-09 03:29 <DIR> d--hs---- C:\FOUND.015
2008-02-08 22:07 . 2008-02-08 21:58 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 22:07 . 2008-02-08 22:08 3,452 --a------ C:\WINDOWS\unins000.dat
2008-02-08 17:56 . 2008-02-08 17:57 59 --a------ C:\WINDOWS\ANS2000.INI
2008-02-08 17:56 . 2008-02-08 17:56 20 --ah----- C:\WINDOWS\akebook.ini
2008-02-08 17:56 . 2008-02-08 17:56 4 --ah----- C:\WINDOWS\a3kebook.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 17:56 4,136,703 ----a-w C:\Program Files\MyScript.rar
2008-01-18 16:52 434,688 ----a-w C:\WINDOWS\system32\ss2uinst.exe
2008-01-14 09:28 9 ----a-w C:\winmap.dll
2008-01-14 09:28 9 ----a-w C:\Program Files\install_log.dat
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-03 05:34 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-05-05 07:40 39,992 ----a-w C:\Documents and Settings\Ryonn\Application Data\GDIPFONTCACHEV1.DAT
2004-09-12 11:47 188,849 ----a-w C:\Documents and Settings\Website\rayathai.zip
2005-05-13 06:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 00:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 04:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 11:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 13:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-05-03 08:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 09:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 02:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2005-07-14 01:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7155D6-F45C-4FF0-91BC-E57273804A7B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"StartupPersonalReminder"="C:\Program Files\Personal Reminder\PersonalReminder.exe" [2004-07-15 13:02 266240]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 15:48 94208]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 12:54 172032]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2004-01-19 16:33 81920]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-08-05 17:24 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-08-05 17:24 684032]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 21:10 339968]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:21 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:14 579072]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 08:22 35328]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:14 219136]

C:\Documents and Settings\Ryonn\Start Menu\Programs\Startup\
Bux.to Autoclicker.lnk - C:\Documents and Settings\Ryonn\Desktop\Work\Bux.To\Bux.to Autoclicker.exe [2008-02-13 14:35:20 876544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\Asus\Asus ChkMail\ChkMail.exe [2001-04-26 00:35:37 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCuTkI]
ljJCuTkI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-09-11 06:50 110592 C:\WINDOWS\system32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=C:\WINDOWS\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryonn^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows live Messenger]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Asus\\ASUS Live Update\\LiveUpdt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\LoveScript 6.16\\mirc.exe"=
"C:\\Program Files\\MyScript\\mirc.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d591-e8d1-11dc-9fa8-000cf107c636}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d592-e8d1-11dc-9fa8-000cf107c636}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d593-e8d1-11dc-9fa8-000cf107c636}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d594-e8d1-11dc-9fa8-000cf107c636}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b3621f0-fbda-11dc-9fd3-000cf107c636}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 12:03:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\RoamMgr.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ntvdm.exe
.
**************************************************************************
.
Completion time: 2008-03-31 12:06:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 01:06:24
Pre-Run: 15,770,681,344 bytes free
Post-Run: 15,711,076,352 bytes free
.
2008-02-20 01:15:43 --- E O F ---





And this is the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:27 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\RoamMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Personal Reminder\PersonalReminder.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.219.217.130:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartupPersonalReminder] C:\Program Files\Personal Reminder\PersonalReminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bux.to Autoclicker.lnk = ?
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopet.../dev/gopets.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O20 - Winlogon Notify: ljJCuTkI - ljJCuTkI.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\system32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 9550 bytes
  • 0

#4
Rorschach112
Posted 31 March 2008 - 05:19 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O20 - Winlogon Notify: ljJCuTkI - ljJCuTkI.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\swnipqhf.dll_old
C:\WINDOWS\system32\geBuUlJa.dll_old
C:\WINDOWS\ccinst.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\a3kebook.ini
C:\Program Files\MyScript.rar
C:\WINDOWS\system32\x.264.exe

Folder::
C:\FOUND.018
C:\FOUND.017
C:\FOUND.016
C:\FOUND.015

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d591-e8d1-11dc-9fa8-000cf107c636}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d592-e8d1-11dc-9fa8-000cf107c636}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d593-e8d1-11dc-9fa8-000cf107c636}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0700d594-e8d1-11dc-9fa8-000cf107c636}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b3621f0-fbda-11dc-9fd3-000cf107c636}]
[-HKEY_CLASSES_ROOT\CLSID\{0700d594-e8d1-11dc-9fa8-000cf107c636}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\dzinst.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
  • 0

#5
ronbc
Posted 31 March 2008 - 08:07 AM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi, this is the ComboFix log followed by the VirusTotal log:

ComboFix 08-03-30.2 - Ryonn 2008-04-01 0:48:34.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT 11:00]
Running from: C:\Documents and Settings\Ryonn\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryonn\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\MyScript.rar
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ccinst.ini
C:\WINDOWS\system32\geBuUlJa.dll_old
C:\WINDOWS\system32\swnipqhf.dll_old
C:\WINDOWS\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.015
C:\FOUND.015\FILE0000.CHK
C:\FOUND.015\FILE0001.CHK
C:\FOUND.016
C:\FOUND.016\FILE0000.CHK
C:\FOUND.016\FILE0001.CHK
C:\FOUND.016\FILE0002.CHK
C:\FOUND.016\FILE0003.CHK
C:\FOUND.016\FILE0004.CHK
C:\FOUND.016\FILE0005.CHK
C:\FOUND.016\FILE0006.CHK
C:\FOUND.017
C:\FOUND.017\FILE0000.CHK
C:\FOUND.017\FILE0001.CHK
C:\FOUND.018
C:\FOUND.018\FILE0000.CHK
C:\Program Files\MyScript.rar
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ccinst.ini
C:\WINDOWS\system32\geBuUlJa.dll_old
C:\WINDOWS\system32\swnipqhf.dll_old
C:\WINDOWS\system32\x.264.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Program Files\Mavrsoft
2008-03-31 17:31 . 2008-03-31 17:31 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\InstallShield
2008-03-31 17:26 . 2008-03-31 17:26 <DIR> d-------- C:\Program Files\Easy Macro Recorder
2008-03-31 17:26 . 2008-03-31 17:26 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\Easy Macro Recorder
2008-03-31 17:19 . 2008-03-31 17:19 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\Grasssoft
2008-03-31 17:18 . 2008-03-31 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grasssoft
2008-03-31 17:08 . 2008-03-31 17:08 <DIR> d-------- C:\Program Files\Aldo's Macro Recorder
2008-03-31 16:56 . 2008-03-31 16:56 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\Recorder
2008-03-31 16:54 . 2008-03-31 16:54 <DIR> d-------- C:\Program Files\Recorder
2008-03-31 16:54 . 2008-03-31 16:54 249,856 --------- C:\WINDOWS\Setup1.exe
2008-03-31 16:54 . 2008-03-31 16:54 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-31 01:23 . 2008-03-31 01:25 230 --a------ C:\Lirik 3
2008-03-30 15:55 . 2008-03-30 15:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-30 00:18 . 2008-03-30 00:18 <DIR> d-------- C:\VundoFix Backups
2008-03-28 10:11 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 10:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 10:11 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 01:29 . 2008-03-28 01:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 00:09 . 2008-03-28 00:09 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-27 23:38 . 2008-03-27 23:38 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-27 23:37 . 2008-03-27 23:37 <DIR> d-------- C:\Program Files\Windows Live
2008-03-27 23:37 . 2008-03-27 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 01:11 . 2008-03-30 23:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 01:11 . 2008-03-27 01:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 22:10 . 2008-03-23 22:11 187 --a------ C:\WINDOWS\ContentComposer.ini
2008-03-23 22:09 . 2008-03-23 22:09 <DIR> d-------- C:\ContentComposer
2008-03-23 22:09 . 2006-08-16 21:57 39,424 --a------ C:\WINDOWS\dzinst.exe
2008-03-21 08:51 . 2008-03-21 08:51 <DIR> d-------- C:\Program Files\Free Music Zilla
2008-03-21 08:51 . 2008-03-21 08:51 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\FMZilla
2008-03-15 14:23 . 2008-03-31 12:56 583 --a------ C:\WINDOWS\boxworld.ini
2008-03-11 04:15 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-03-11 04:15 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-11 04:15 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\DScaler5
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2008-03-06 18:52 . 2008-03-06 18:52 <DIR> d-------- C:\Program Files\Zoom Player
2008-03-06 00:44 . 2008-03-06 00:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 23:49 . 2008-02-25 23:49 <DIR> d-------- C:\bm
2008-02-25 23:48 . 2008-02-25 23:48 <DIR> d-------- C:\Program Files\Windows Grep
2008-02-21 13:05 . 2008-02-21 13:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-21 13:05 . 2008-02-21 13:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-16 09:25 . 2008-02-16 09:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-15 00:43 . 2008-02-15 00:43 137 --a------ C:\WINDOWS\oports.INI
2008-02-14 23:30 . 2008-02-14 23:30 <DIR> d-------- C:\Program Files\Filesland
2008-02-14 14:01 . 2008-02-14 14:01 <DIR> d-------- C:\Program Files\JitBit
2008-02-09 21:46 . 2008-02-09 21:49 22,695 --a------ C:\WINDOWS\inf.tmp
2008-02-09 21:46 . 2008-02-09 21:49 301 --a------ C:\WINDOWS\mid.tmp
2008-02-09 20:36 . 2008-02-09 21:49 15,430 --a------ C:\WINDOWS\global.tmp
2008-02-09 13:36 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-09 13:36 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-08 22:07 . 2008-02-08 21:58 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 22:07 . 2008-02-08 22:08 3,452 --a------ C:\WINDOWS\unins000.dat
2008-02-08 17:56 . 2008-02-08 17:57 59 --a------ C:\WINDOWS\ANS2000.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 16:52 434,688 ----a-w C:\WINDOWS\system32\ss2uinst.exe
2008-01-14 09:28 9 ----a-w C:\winmap.dll
2008-01-14 09:28 9 ----a-w C:\Program Files\install_log.dat
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-03 05:34 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-05-05 07:40 39,992 ----a-w C:\Documents and Settings\Ryonn\Application Data\GDIPFONTCACHEV1.DAT
2004-09-12 11:47 188,849 ----a-w C:\Documents and Settings\Website\rayathai.zip
2005-05-13 06:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 00:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 04:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 11:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 13:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-05-03 08:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 09:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-07-14 01:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_12.06.03.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-06-21 10:39:02 9,949 ----a-w C:\WINDOWS\system32\cmdial32m.SYS
+ 1998-10-09 01:02:22 75,776 ----a-w C:\WINDOWS\system32\DWSPY36.dll
+ 2005-05-26 13:22:02 10,752 ----a-w C:\WINDOWS\system32\hh.exe
+ 2007-10-01 01:09:34 126,976 ----a-w C:\WINDOWS\system32\MacroExpertSensNotify.dll
+ 2002-12-24 11:35:22 57,344 ----a-w C:\WINDOWS\system32\TaskScheduler.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7155D6-F45C-4FF0-91BC-E57273804A7B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"StartupPersonalReminder"="C:\Program Files\Personal Reminder\PersonalReminder.exe" [2004-07-15 13:02 266240]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 15:48 94208]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 12:54 172032]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2004-01-19 16:33 81920]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-08-05 17:24 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-08-05 17:24 684032]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 21:10 339968]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:21 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:14 579072]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 08:22 35328]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:14 219136]

C:\Documents and Settings\Ryonn\Start Menu\Programs\Startup\
Bux.to Autoclicker.lnk - C:\Documents and Settings\Ryonn\Desktop\Work\Bux.To\Bux.to Autoclicker.exe [2008-02-13 14:35:20 876544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\Asus\Asus ChkMail\ChkMail.exe [2001-04-26 00:35:37 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-09-11 06:50 110592 C:\WINDOWS\system32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=C:\WINDOWS\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryonn^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows live Messenger]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Asus\\ASUS Live Update\\LiveUpdt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\LoveScript 6.16\\mirc.exe"=
"C:\\Program Files\\MyScript\\mirc.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R2 Macro Expert;Macro Expert;c:\program files\grasssoft\mouse recorder\MacroService.exe [2007-09-24 16:17]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 00:52:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 0:52:38
ComboFix-quarantined-files.txt 2008-03-31 13:52:36
ComboFix2.txt 2008-03-31 01:06:28
Pre-Run: 15,624,044,544 bytes free
Post-Run: 15,608,250,368 bytes free
.
2008-02-20 01:15:43 --- E O F ---




--------------------------------------------------------------------------------------------------------------


File dzinst.exe received on 03.31.2008 15:54:45 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 3/32 (9.38%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.3.29.0 2008.03.31 -
AntiVir 7.6.0.78 2008.03.31 -
Authentium 4.93.8 2008.03.30 -
Avast 4.7.1098.0 2008.03.30 -
AVG 7.5.0.516 2008.03.31 -
BitDefender 7.2 2008.03.31 -
CAT-QuickHeal 9.50 2008.03.28 -
ClamAV 0.92.1 2008.03.31 -
DrWeb 4.44.0.09170 2008.03.31 -
eSafe 7.0.15.0 2008.03.30 suspicious Trojan/Worm
eTrust-Vet 31.3.5658 2008.03.31 -
Ewido 4.0 2008.03.31 -
F-Prot 4.4.2.54 2008.03.30 -
F-Secure 6.70.13260.0 2008.03.31 -
FileAdvisor 1 2008.03.31 -
Fortinet 3.14.0.0 2008.03.31 -
Ikarus T3.1.1.20 2008.03.31 Win32.HLLW.Pamela
Kaspersky 7.0.0.125 2008.03.31 -
McAfee 5262 2008.03.28 -
Microsoft 1.3301 2008.03.31 -
NOD32v2 2986 2008.03.31 -
Norman 5.80.02 2008.03.28 -
Panda 9.0.0.4 2008.03.31 -
Prevx1 V2 2008.03.31 Heuristic: Suspicious Self Modifying EXE
Rising 20.38.01.00 2008.03.31 -
Sophos 4.28.0 2008.03.31 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.31 -
TheHacker 6.2.92.259 2008.03.30 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.31 -
Webwasher-Gateway 6.6.2 2008.03.31 -
Additional information
File size: 39424 bytes
MD5: ff494e0c138508d551c712c7702fabb1
SHA1: 34b712e66b429b0adbd246857b6342da4f85c0e3
PEiD: -
packers: Aspack
packers: ASPack
Prevx info: http://info.prevx.co...3A09600F8FB3AFF
  • 0

#6
ronbc
Posted 31 March 2008 - 08:11 AM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
And this is the Hijackthis log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:41 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\grasssoft\mouse recorder\MacroService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\RoamMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
c:\program files\grasssoft\mouse recorder\MacroServiceWnd.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Personal Reminder\PersonalReminder.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Documents and Settings\Ryonn\Desktop\Work\Bux.To\Bux.to Autoclicker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.219.217.130:3128
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: (no name) - {CD7155D6-F45C-4FF0-91BC-E57273804A7B} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartupPersonalReminder] C:\Program Files\Personal Reminder\PersonalReminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bux.to Autoclicker.lnk = ?
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopet.../dev/gopets.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macro Expert - Grass Software - c:\program files\grasssoft\mouse recorder\MacroService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\system32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 9932 bytes
  • 0

#7
Rorschach112
Posted 31 March 2008 - 08:17 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\dzinst.exe"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\dzinst.exe

  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\dzinst.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CD7155D6-F45C-4FF0-91BC-E57273804A7B} - (no file)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0

#8
ronbc
Posted 31 March 2008 - 08:46 AM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi,

This is the HijackThis Log.. the 3 O2s return although I have fixed it, rebooted it, fixed it again, rebooted again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:15 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\grasssoft\mouse recorder\MacroService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\RoamMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\grasssoft\mouse recorder\MacroServiceWnd.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Personal Reminder\PersonalReminder.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Documents and Settings\Ryonn\Desktop\Work\Bux.To\Bux.to Autoclicker.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.219.217.130:3128
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: (no name) - {CD7155D6-F45C-4FF0-91BC-E57273804A7B} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartupPersonalReminder] C:\Program Files\Personal Reminder\PersonalReminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bux.to Autoclicker.lnk = ?
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopet.../dev/gopets.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macro Expert - Grass Software - c:\program files\grasssoft\mouse recorder\MacroService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\system32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 9993 bytes





This is the ComboFix log:

ComboFix 08-03-30.2 - Ryonn 2008-04-01 1:29:51.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT 11:00]
Running from: C:\Documents and Settings\Ryonn\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryonn\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\dzinst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dzinst.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Program Files\Mavrsoft
2008-03-31 17:31 . 2008-03-31 17:31 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\InstallShield
2008-03-31 17:26 . 2008-03-31 17:26 <DIR> d-------- C:\Program Files\Easy Macro Recorder
2008-03-31 17:26 . 2008-03-31 17:26 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\Easy Macro Recorder
2008-03-31 17:19 . 2008-03-31 17:19 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\Grasssoft
2008-03-31 17:18 . 2008-03-31 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grasssoft
2008-03-31 17:08 . 2008-03-31 17:08 <DIR> d-------- C:\Program Files\Aldo's Macro Recorder
2008-03-31 16:56 . 2008-03-31 16:56 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\Recorder
2008-03-31 16:54 . 2008-03-31 16:54 <DIR> d-------- C:\Program Files\Recorder
2008-03-31 16:54 . 2008-03-31 16:54 249,856 --------- C:\WINDOWS\Setup1.exe
2008-03-31 16:54 . 2008-03-31 16:54 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-31 01:23 . 2008-03-31 01:25 230 --a------ C:\Lirik 3
2008-03-30 15:55 . 2008-03-30 15:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-30 00:18 . 2008-03-30 00:18 <DIR> d-------- C:\VundoFix Backups
2008-03-28 10:11 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 10:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 10:11 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 01:29 . 2008-03-28 01:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 00:09 . 2008-03-28 00:09 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-27 23:38 . 2008-03-27 23:38 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-27 23:37 . 2008-03-27 23:37 <DIR> d-------- C:\Program Files\Windows Live
2008-03-27 23:37 . 2008-03-27 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 01:11 . 2008-03-30 23:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 01:11 . 2008-03-27 01:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 22:10 . 2008-03-23 22:11 187 --a------ C:\WINDOWS\ContentComposer.ini
2008-03-23 22:09 . 2008-03-23 22:09 <DIR> d-------- C:\ContentComposer
2008-03-21 08:51 . 2008-03-21 08:51 <DIR> d-------- C:\Program Files\Free Music Zilla
2008-03-21 08:51 . 2008-03-21 08:51 <DIR> d-------- C:\Documents and Settings\Ryonn\Application Data\FMZilla
2008-03-15 14:23 . 2008-03-31 12:56 583 --a------ C:\WINDOWS\boxworld.ini
2008-03-11 04:15 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-03-11 04:15 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-11 04:15 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\DScaler5
2008-03-06 18:53 . 2008-03-06 18:53 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2008-03-06 18:52 . 2008-03-06 18:52 <DIR> d-------- C:\Program Files\Zoom Player
2008-03-06 00:44 . 2008-03-06 00:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 23:49 . 2008-02-25 23:49 <DIR> d-------- C:\bm
2008-02-25 23:48 . 2008-02-25 23:48 <DIR> d-------- C:\Program Files\Windows Grep
2008-02-21 13:05 . 2008-02-21 13:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-21 13:05 . 2008-02-21 13:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-16 09:25 . 2008-02-16 09:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-15 00:43 . 2008-02-15 00:43 137 --a------ C:\WINDOWS\oports.INI
2008-02-14 23:30 . 2008-02-14 23:30 <DIR> d-------- C:\Program Files\Filesland
2008-02-14 14:01 . 2008-02-14 14:01 <DIR> d-------- C:\Program Files\JitBit
2008-02-09 21:46 . 2008-02-09 21:49 22,695 --a------ C:\WINDOWS\inf.tmp
2008-02-09 21:46 . 2008-02-09 21:49 301 --a------ C:\WINDOWS\mid.tmp
2008-02-09 20:36 . 2008-02-09 21:49 15,430 --a------ C:\WINDOWS\global.tmp
2008-02-09 13:36 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-09 13:36 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-08 22:07 . 2008-02-08 21:58 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 22:07 . 2008-02-08 22:08 3,452 --a------ C:\WINDOWS\unins000.dat
2008-02-08 17:56 . 2008-02-08 17:57 59 --a------ C:\WINDOWS\ANS2000.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 16:52 434,688 ----a-w C:\WINDOWS\system32\ss2uinst.exe
2008-01-14 09:28 9 ----a-w C:\winmap.dll
2008-01-14 09:28 9 ----a-w C:\Program Files\install_log.dat
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-03 05:34 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-05-05 07:40 39,992 ----a-w C:\Documents and Settings\Ryonn\Application Data\GDIPFONTCACHEV1.DAT
2004-09-12 11:47 188,849 ----a-w C:\Documents and Settings\Website\rayathai.zip
2005-05-13 06:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 00:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 04:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 11:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 13:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-05-03 08:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 09:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-07-14 01:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_12.06.03.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-06-21 10:39:02 9,949 ----a-w C:\WINDOWS\system32\cmdial32m.SYS
+ 1998-10-09 01:02:22 75,776 ----a-w C:\WINDOWS\system32\DWSPY36.dll
+ 2005-05-26 13:22:02 10,752 ----a-w C:\WINDOWS\system32\hh.exe
+ 2007-10-01 01:09:34 126,976 ----a-w C:\WINDOWS\system32\MacroExpertSensNotify.dll
+ 2002-12-24 11:35:22 57,344 ----a-w C:\WINDOWS\system32\TaskScheduler.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7155D6-F45C-4FF0-91BC-E57273804A7B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"StartupPersonalReminder"="C:\Program Files\Personal Reminder\PersonalReminder.exe" [2004-07-15 13:02 266240]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 15:48 94208]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 12:54 172032]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2004-01-19 16:33 81920]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-08-05 17:24 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-08-05 17:24 684032]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 21:10 339968]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:21 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:14 579072]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 08:22 35328]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:14 219136]

C:\Documents and Settings\Ryonn\Start Menu\Programs\Startup\
Bux.to Autoclicker.lnk - C:\Documents and Settings\Ryonn\Desktop\Work\Bux.To\Bux.to Autoclicker.exe [2008-02-13 14:35:20 876544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\Asus\Asus ChkMail\ChkMail.exe [2001-04-26 00:35:37 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-09-11 06:50 110592 C:\WINDOWS\system32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=C:\WINDOWS\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryonn^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows live Messenger]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Asus\\ASUS Live Update\\LiveUpdt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\LoveScript 6.16\\mirc.exe"=
"C:\\Program Files\\MyScript\\mirc.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R2 Macro Expert;Macro Expert;c:\program files\grasssoft\mouse recorder\MacroService.exe [2007-09-24 16:17]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 01:34:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 1:34:49
ComboFix-quarantined-files.txt 2008-03-31 14:34:48
ComboFix3.txt 2008-03-31 01:06:28
ComboFix2.txt 2008-03-31 13:52:40
Pre-Run: 15,552,643,072 bytes free
Post-Run: 15,541,829,632 bytes free
.
2008-02-20 01:15:43 --- E O F ---
  • 0

#9
Rorschach112
Posted 31 March 2008 - 10:25 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also tell me how your PC is running
  • 0

#10
ronbc
Posted 31 March 2008 - 10:33 AM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
While waiting for the Kaspersky scan,

My PC is running just like usual.
However, 1 hour ago, this laptop experienced a blue screen memory error thing and restarted automatically.

By the way, lately my Firefox is running slowly.
What affects that? Too many addons? Or something inside? I have run Registry Mechanic for PCTools before coming to this site to remove the registry junks.
  • 0

Advertisements

#11
Rorschach112
Posted 31 March 2008 - 10:36 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Strange that you got a BSOD....not sure what would have caused that

As for Firefox, too many add-ons is more than likely the cause. Try run Firefox in it's safe mode version and see if it is still slow, if it is then re-install it and be careful what add-ons you install.

Could be a side effect of the malware you had, will see what Kaspersky shows
  • 0

#12
ronbc
Posted 31 March 2008 - 10:55 AM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I've just realized that Kaspersky requires IE6+

I dont have IE5, but I have Firefox and Maxthon 1.5.2 (using IE5 engine)
Do you have any suggestion on this? (apart from upgrading IE)
  • 0

#13
ronbc
Posted 31 March 2008 - 11:18 AM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Blah.. I'll just download IE6, use it for Kaspersky and uninstall it. Please ignore last message. Thanks

Will post Kasp. result like hours from now
  • 0

#14
Rorschach112
Posted 31 March 2008 - 12:24 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok :)
  • 0

#15
ronbc
Posted 31 March 2008 - 07:13 PM

ronbc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I haven't got the results from Kaspersky, although I saw 3 or 7 infections.

Every time I am away from my computer (leaving Kaspersky scanning), my comp restarts by itself somehow.

Stressful
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP