Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help to remove trojan horse PSW.Delf.2.AQ (different directory) [


  • This topic is locked This topic is locked

#1
xiaotle

xiaotle

    Member

  • Member
  • PipPip
  • 12 posts
Hi, i'm new here, facing an annoying problem which really need your help. I am using Win XP Home edition (SP3) and AVG antivirus. I keep getting a Threat notification for ' Trojan horse PSW.Delf.2.AQ ' everytime I click My Computer or My Documents or Internet Explorer or some other folders. It gives the path as D:\Windows\system32\confms.dll . When I click on 'Heal' in AVG window I am asked to restart in order to finish the healing. But after restarting I still get the same threats. There is no side effect of doing so but the problem persist. I can locate the file of D:\Windows\system32\confms.dll after using a program 'Heal disk' but i couldn't delete it at all. I have seen a similar problem in one of your replies to member no. 239999 on Feb 22 2008, but not sure can use the same suggested methods in the replies to kill the trojan horse or not. Besides, the steps is very long and confusing, really need someone to guide me through. REALLY APPRECIATE YOUR HELP!!! Tx in advanced!

This is the Hijack This log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:56:10, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Startup Faster\sfAgent.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\update.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C5281A9-C9D8-47A4-8249-52C8B2F38B38} - C:\WINDOWS\system32\confms.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163427643796
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6318E62-B458-4389-A6D5-8AA76B6A46CC}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{F595E043-EEE7-43A0-BDE8-571D0E43BC7A}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PCAutoShutdown_Service - GoldSolution Software, Inc. - C:\Program Files\PC Auto Shutdown\ShutdownService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10392 bytes

Edited by xiaotle, 21 April 2008 - 12:59 AM.

  • 0

Advertisements


#2
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I had downloaded the ComboFix and run it. I didn't disable Spyware doctor and while running the combofix, it found trojan horse.bancos and also backdoor, so i terminate the combofix. Why Combofix contain trojan horse and backdoor virus? I downloaded it from the link provided. Tx!
  • 0

#3
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
It doesn't contain those, that is a false positive by SpywareDoctor

Can you delete ComboFix.exe and the folders C:\ComboFix and C:\qoobox then do this


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#4
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
This is the combofix log file:

ComboFix 08-04-20.5 - Xiaotle 2008-04-23 0:04:01.1 - NTFSx86
Running from: C:\Documents and Settings\Xiaotle\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Xiaotle\Application Data\macromedia\Flash Player\#SharedObjects\3PKBCMJD\iforex.com
C:\Documents and Settings\Xiaotle\Application Data\macromedia\Flash Player\#SharedObjects\3PKBCMJD\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Xiaotle\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Xiaotle\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\setting.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 17:38 . 2008-04-21 17:38 <DIR> d-------- C:\Program Files\AmitySource
2008-04-21 17:19 . 2008-04-21 17:19 <DIR> d-------- C:\Program Files\Mobiano
2008-04-21 17:19 . 2008-04-21 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mobiano
2008-04-21 14:55 . 2008-04-21 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 12:46 . 2008-04-21 13:32 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-21 12:39 . 2008-03-01 21:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-21 11:45 . 2007-07-09 21:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 11:25 . 2008-04-22 22:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-08 22:14 . 2008-04-08 22:14 <DIR> d-------- C:\Documents and Settings\chkeatng
2008-04-08 20:06 . 2008-04-08 21:23 <DIR> d-------- C:\Program Files\Thoosje Sidebar V2.3
2008-04-06 22:47 . 2008-04-06 22:48 <DIR> d-a------ C:\Program Files\Windows Sidebar
2008-04-06 14:00 . 2008-04-06 14:00 <DIR> d-a------ C:\VAIO
2008-04-03 22:34 . 2008-04-03 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-03 22:29 . 2008-04-03 22:29 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-03 22:26 . 2005-03-08 12:43 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-04-03 22:23 . 2005-03-08 12:43 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-04-03 22:20 . 2005-03-08 12:43 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-04-03 22:14 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-03 22:14 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-03 22:14 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-03 22:14 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-03 22:14 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-03 22:14 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-03 22:05 . 2008-04-03 22:38 112,988 --a------ C:\WINDOWS\hpoins07.dat
2008-04-03 22:05 . 2005-05-24 12:36 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-04-03 21:23 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-02 18:51 . 2008-04-21 09:28 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-02 17:58 . 2008-04-02 17:58 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-04-02 15:35 . 2008-04-02 15:35 <DIR> d-------- C:\Program Files\VMware
2008-04-02 15:09 . 2008-04-21 11:20 <DIR> d-------- C:\Program Files\Wopti
2008-04-02 14:59 . 2008-04-03 21:52 <DIR> d-------- C:\Program Files\Dream Aquarium
2008-04-02 01:50 . 2008-04-22 23:49 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-02 00:58 . 2008-04-02 00:58 <DIR> d-------- C:\Documents and Settings\Xiaotle\Application Data\Nero
2008-04-02 00:52 . 2008-04-02 00:52 <DIR> d-------- C:\Program Files\Nero
2008-04-02 00:52 . 2008-04-06 14:18 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-02 00:52 . 2008-04-02 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-01 22:21 . 2008-04-01 22:21 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2008-04-01 13:24 . 2008-04-01 13:24 <DIR> d-------- C:\Program Files\PDF Password Remover v3.0
2008-03-29 12:23 . 2008-04-03 15:47 <DIR> dr------- C:\Medic Files
2008-03-26 00:35 . 2008-03-26 00:38 <DIR> d-------- C:\Program Files\intocartoonpro
2008-03-23 14:32 . 2008-03-23 14:32 <DIR> d-------- C:\Documents and Settings\Xiaotle\Application Data\3M
2008-03-23 14:31 . 2008-03-23 14:31 <DIR> d-------- C:\Program Files\3M
2008-03-22 12:54 . 2008-03-24 15:10 <DIR> d-------- C:\Documents and Settings\Xiaotle\Application Data\KeyPass
2008-03-22 12:47 . 2008-03-22 12:47 <DIR> d-------- C:\Program Files\Icon Constructor 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 16:04 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-04-22 16:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 16:00 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\AVG7
2008-04-22 14:58 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\DMCache
2008-04-21 09:28 --------- d-----w C:\Program Files\Common Files\Skyscape
2008-04-21 08:55 --------- d-----w C:\Program Files\Folder Lock
2008-04-21 08:55 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\MegauploadToolbar
2008-04-21 06:11 --------- d-----w C:\Program Files\Error Repair Professional
2008-04-21 04:53 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 01:42 --------- d-----w C:\Program Files\NoAdware5.0
2008-04-08 13:10 --------- d-----w C:\Program Files\DFX
2008-04-08 13:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 13:01 --------- d-----w C:\Program Files\Internet Download Manager
2008-04-05 11:14 --------- d-----w C:\Program Files\HP
2008-04-04 09:53 --------- d-----w C:\Program Files\IObit
2008-04-04 02:31 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-03 14:05 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\HP
2008-04-03 07:10 --------- d-----w C:\Program Files\Startup Faster
2008-04-02 09:48 --------- d-----w C:\Program Files\NJStar Communicator
2008-04-02 09:48 --------- d-----w C:\Program Files\HPND10
2008-04-02 09:21 --------- d-----w C:\Program Files\SPSS
2008-04-02 09:21 --------- d-----w C:\Program Files\GoldWave
2008-04-01 08:18 --------- d-----w C:\Program Files\Megaupload
2008-04-01 04:50 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\TrojanHunter
2008-03-31 18:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 18:03 --------- d-----w C:\Program Files\Volumouse
2008-03-05 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-01 10:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 13:55 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\PrevxCSI
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-28 13:44 --------- d-----w C:\Program Files\Real Alternative
2008-02-28 13:17 --------- d-----w C:\Program Files\Common Files\Real
2008-02-28 13:15 --------- d-----w C:\Program Files\Disk Heal
2008-02-28 09:38 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 08:14 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-02-24 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-24 15:52 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-18 08:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-11-03 11:57 499,200 ----a-w C:\Program Files\Eject.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C5281A9-C9D8-47A4-8249-52C8B2F38B38}]
2004-08-04 05:00 88320 --a------ C:\WINDOWS\system32\confms.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupFaster"="C:\Program Files\Startup Faster\startuploader.exe" [2007-12-07 21:19 1631456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-07 23:44 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Digital Notes.lnk]
backup=C:\WINDOWS\pss\Post-it® Digital Notes.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vypress Chat StartUp.lnk]
backup=C:\WINDOWS\pss\Vypress Chat StartUp.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
backup=C:\WINDOWS\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT-Watch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-09-01 17:24 684032 C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\NetWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
--a------ 2007-11-01 03:04 2510664 C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Visual Day Planner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 afbtqjli;afbtqjli;C:\WINDOWS\system32\drivers\tybosahm.dat []
R2 PCAutoShutdown_Service;PCAutoShutdown_Service;C:\Program Files\PC Auto Shutdown\ShutdownService.exe [2007-09-14 17:03]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 14:38:55 C:\WINDOWS\Tasks\WebReg Officejet 5600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 00:08:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\Xiaotle\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\system32\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Xiaotle\Application Data\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\Documents and Settings\Xiaotle\Local Settings\Application Data\
disk error: C:\WINDOWS\Fonts\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\Xiaotle\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\afbtqjli]
"ImagePath"="system32\drivers\tybosahm.dat"
.
Completion time: 2008-04-23 0:09:30
ComboFix-quarantined-files.txt 2008-04-22 16:09:26

Pre-Run: 5,603,225,600 bytes free
Post-Run: 5,608,050,688 bytes free

218 --- E O F --- 2007-08-15 19:10:24



This is the Hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:15:36, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Startup Faster\sfAgent.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\update.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C5281A9-C9D8-47A4-8249-52C8B2F38B38} - C:\WINDOWS\system32\confms.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163427643796
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F595E043-EEE7-43A0-BDE8-571D0E43BC7A}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PCAutoShutdown_Service - GoldSolution Software, Inc. - C:\Program Files\PC Auto Shutdown\ShutdownService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9644 bytes


Thanks for your help!
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\confms.dll

Drivers to delete:
afbtqjli


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#6
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi there, i have completed the steps and these are the log files. Thanks!

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\confms.dll" deleted successfully.
Driver "afbtqjli" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:07:03, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Startup Faster\sfAgent.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C5281A9-C9D8-47A4-8249-52C8B2F38B38} - C:\WINDOWS\system32\confms.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163427643796
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6318E62-B458-4389-A6D5-8AA76B6A46CC}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{F595E043-EEE7-43A0-BDE8-571D0E43BC7A}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PCAutoShutdown_Service - GoldSolution Software, Inc. - C:\Program Files\PC Auto Shutdown\ShutdownService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9941 bytes
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {0C5281A9-C9D8-47A4-8249-52C8B2F38B38} - C:\WINDOWS\system32\confms.dll (file missing)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F595E043-EEE7-43A0-BDE8-571D0E43BC7A}: NameServer = 192.168.1.1,192.168.1.2


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#8
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi! Finally finished the scans. These are the report, thanks!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 4:21:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722589
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 97442
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:57:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Xiaotle\Application Data\IDM\DwnlData\Xiaotle\COD_11.part1_1173\COD_11.part1.rar Object is locked skipped
C:\Documents and Settings\Xiaotle\Application Data\IDM\DwnlData\Xiaotle\COD_11.part1_1173\COD_11.part1.rar2 Object is locked skipped
C:\Documents and Settings\Xiaotle\Application Data\IDM\DwnlData\Xiaotle\COD_11.part1_1173\COD_11.part1.rar4 Object is locked skipped
C:\Documents and Settings\Xiaotle\Application Data\IDM\DwnlData\Xiaotle\COD_11.part1_1173\COD_11.part1.rar5 Object is locked skipped
C:\Documents and Settings\Xiaotle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\History\History.IE5\MSHist012008042320080424\index.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temp\lfjzitao.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temp\Perflib_Perfdata_804.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temp\~DF527B.tmp Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temp\~DF52C4.tmp Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temp\~DFACE.tmp Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temp\~DFB42.tmp Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\ntuser.dat Object is locked skipped
C:\Documents and Settings\Xiaotle\ntuser.dat.LOG Object is locked skipped
C:\PPC+Comp\PC Programs (comp)\Nero v8.3.2.1\Nero-8.3.2.1_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\PPC+Comp\PC Programs (comp)\Nero v8.3.2.1\Nero-8.3.2.1_eng_trial.exe 7-Zip: infected - 1 skipped
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN\Keymaker\Keymaker.exe Object is locked skipped
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0\pwdremover.exe/file01 Infected: not-a-virus:PSWTool.Win32.PdfCracker.c skipped
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0\pwdremover.exe Inno: infected - 1 skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\PDF Password Remover v3.0\winDecrypt.exe Infected: not-a-virus:PSWTool.Win32.PdfCracker.c skipped
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0021564.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bdss.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MobileAr.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\tybosahm.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp00000fe7\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




The main txt:

Deckard's System Scanner v20071014.68
Run by Xiaotle on 2008-04-23 16:26:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2008-04-23 08:27:15 UTC - RP191 - Deckard's System Scanner Restore Point
87: 2008-04-22 16:03:20 UTC - RP190 - ComboFix created restore point
86: 2008-04-21 09:17:28 UTC - RP189 - Coming back from Viet
85: 2008-04-21 04:44:49 UTC - RP188 - Software Distribution Service 3.0
84: 2008-04-21 03:40:04 UTC - RP187 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-22 04:26:25 UTC - RP104 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Xiaotle.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:52, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Startup Faster\sfAgent.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\IObit\Advanced WindowsCare V2\Awcl.exe
C:\Program Files\Spyware Doctor\update.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Xiaotle\My Documents\Downloads\Programs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Xiaotle.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163427643796
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PCAutoShutdown_Service - GoldSolution Software, Inc. - C:\Program Files\PC Auto Shutdown\ShutdownService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9767 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080423-113758-366 O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
backup-20080423-113758-486 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
backup-20080423-113758-587 O2 - BHO: (no name) - {0C5281A9-C9D8-47A4-8249-52C8B2F38B38} - C:\WINDOWS\system32\confms.dll (file missing)
backup-20080423-113758-824 O17 - HKLM\System\CCS\Services\Tcpip\..\{F595E043-EEE7-43A0-BDE8-571D0E43BC7A}: NameServer = 192.168.1.1,192.168.1.2

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 windrvNT - c:\windows\system32\windrvnt.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 bdfdll - c:\program files\softwin\bitdefender9\bdfdll.sys (file missing)
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys (file missing)
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>
S3 wceusbsh (Windows CE USB Serial Host Driver) - c:\windows\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>
S4 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\2852C038444FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\2852C038444FC000
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-04-03 22:38:55 308 --a------ C:\WINDOWS\Tasks\WebReg Officejet 5600 series.job


-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 11:41:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 11:41:53 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 11:41:51 0 d-------- C:\WINDOWS\LastGood
2008-04-23 00:02:33 68096 --a------ C:\WINDOWS\zip.exe
2008-04-23 00:02:33 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-23 00:02:33 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-23 00:02:33 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-23 00:02:33 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-23 00:02:33 98816 --a------ C:\WINDOWS\sed.exe
2008-04-23 00:02:33 80412 --a------ C:\WINDOWS\grep.exe
2008-04-23 00:02:33 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-21 17:38:52 0 d-------- C:\Program Files\AmitySource
2008-04-21 17:19:30 0 d-------- C:\Documents and Settings\All Users\Application Data\mobiano
2008-04-21 17:19:27 0 d-------- C:\Program Files\Mobiano
2008-04-21 14:55:14 0 d-------- C:\Program Files\Trend Micro
2008-04-21 11:25:54 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-08 20:06:08 0 d-------- C:\Program Files\Thoosje Sidebar V2.3
2008-04-06 22:47:30 0 d-a------ C:\Program Files\Windows Sidebar
2008-04-06 14:00:24 0 d-a------ C:\VAIO
2008-04-03 22:34:49 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-03 22:29:48 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-03 22:26:31 16496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys <Not Verified; HP; HP Dot4Print>
2008-04-03 22:23:49 51120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys <Not Verified; HP; HP Dot4 Windows 2000>
2008-04-03 22:20:09 21744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys <Not Verified; HP; HP Dot4Usb Windows 2000>
2008-04-03 22:14:37 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-04-03 22:14:37 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-04-03 22:14:37 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-04-03 22:14:37 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-04-03 22:14:37 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-04-03 22:14:36 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-04-03 22:05:47 21124 -----n--- C:\WINDOWS\hpomdl07.dat
2008-04-03 22:05:47 112988 --a------ C:\WINDOWS\hpoins07.dat
2008-04-02 17:58:22 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-04-02 15:35:12 0 d-------- C:\Program Files\VMware
2008-04-02 15:09:52 0 d-------- C:\Program Files\Wopti
2008-04-02 14:59:51 0 d-------- C:\Program Files\Dream Aquarium
2008-04-02 00:58:44 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\Nero
2008-04-02 00:52:57 0 d-------- C:\Program Files\Nero
2008-04-02 00:52:57 0 d-------- C:\Program Files\Common Files\Nero
2008-04-02 00:52:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-01 22:21:16 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-04-01 13:24:45 0 d-------- C:\Program Files\PDF Password Remover v3.0
2008-04-01 12:30:42 18874368 --a------ C:\Documents and Settings\Xiaotle\ntuser.dat
2008-03-29 12:23:15 0 dr------- C:\Medic Files
2008-03-26 00:35:13 0 d-------- C:\Program Files\intocartoonpro
2008-03-23 14:32:10 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\3M
2008-03-23 14:31:18 0 d-------- C:\Program Files\3M


-- Find3M Report ---------------------------------------------------------------

2008-04-23 16:29:45 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-04-23 15:55:46 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\DMCache
2008-04-23 11:23:28 722 --a------ C:\Documents and Settings\Xiaotle\Application Data\AtomicAlarmClock.ini
2008-04-23 01:52:05 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\AVG7
2008-04-23 00:32:56 0 d-------- C:\Program Files\NoAdware5.0
2008-04-21 17:28:02 0 d-------- C:\Program Files\Common Files\Skyscape
2008-04-21 16:55:39 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\MegauploadToolbar
2008-04-21 16:55:08 0 d-------- C:\Program Files\Folder Lock
2008-04-21 14:11:01 0 d-------- C:\Program Files\Error Repair Professional
2008-04-21 12:53:40 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-08 21:10:34 0 d-------- C:\Program Files\DFX
2008-04-08 21:10:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 21:01:45 0 d-------- C:\Program Files\Internet Download Manager
2008-04-05 19:14:24 0 d-------- C:\Program Files\HP
2008-04-04 17:53:19 0 d-------- C:\Program Files\IObit
2008-04-04 10:31:00 0 d-------- C:\Program Files\Spyware Doctor
2008-04-03 22:29:48 0 d-------- C:\Program Files\Common Files
2008-04-03 22:05:34 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\HP
2008-04-03 15:10:18 0 d-------- C:\Program Files\Startup Faster
2008-04-02 17:48:16 0 d-------- C:\Program Files\NJStar Communicator
2008-04-02 17:48:16 0 d-------- C:\Program Files\HPND10
2008-04-02 17:21:54 0 d-------- C:\Program Files\SPSS
2008-04-02 17:21:54 0 d-------- C:\Program Files\GoldWave
2008-04-01 16:18:26 0 d-------- C:\Program Files\Megaupload
2008-04-01 12:50:53 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\TrojanHunter
2008-03-26 13:58:28 0 --a------ C:\Documents and Settings\Xiaotle\Application Data\alarms.ini
2008-03-24 15:10:07 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\KeyPass
2008-03-22 12:47:22 0 d-------- C:\Program Files\Icon Constructor 3
2008-03-06 02:03:52 0 d-------- C:\Program Files\Volumouse
2008-03-05 23:52:28 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\Real
2008-02-29 21:55:09 0 d-------- C:\Documents and Settings\Xiaotle\Application Data\PrevxCSI
2008-02-28 21:44:12 0 d-------- C:\Program Files\Real Alternative
2008-02-28 21:17:38 0 d-------- C:\Program Files\Common Files\Real
2008-02-28 21:15:14 0 d-------- C:\Program Files\Disk Heal
2008-02-24 23:52:57 0 d-------- C:\Program Files\Yahoo!


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupFaster"="C:\Program Files\Startup Faster\startuploader.exe" [07/12/2007 21:19]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoStartBanner"=01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Digital Notes.lnk]
backup=C:\WINDOWS\pss\Post-it® Digital Notes.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vypress Chat StartUp.lnk]
backup=C:\WINDOWS\pss\Vypress Chat StartUp.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
backup=C:\WINDOWS\pss\Winter Fun Wallpaper Changer.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT-Watch]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\NetWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Visual Day Planner]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7791 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-23 16:31:13 ------------

Edited by xiaotle, 23 April 2008 - 02:42 AM.

  • 0

#9
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
This is the extra txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 84%
Physical Memory (total/avail): 503.37 MiB / 75.88 MiB
Pagefile Memory (total/avail): 1503.05 MiB / 529.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.14 MiB

C: is Fixed (NTFS) - 74.49 GiB total, 13.71 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS541080G9AT00 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 74.49 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: Bitdefender Antivirus v8.0 (Softwin) Outdated
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Xiaotle\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SEN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Xiaotle
LOGONSERVER=\\SEN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\DOCUME~1\Xiaotle\Others\3D SexVilla
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Xiaotle\LOCALS~1\Temp
TMP=C:\DOCUME~1\Xiaotle\LOCALS~1\Temp
USERDOMAIN=SEN
USERNAME=Xiaotle
USERPROFILE=C:\Documents and Settings\Xiaotle
VAIO=C:\VAIO
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Xiaotle (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE5BC0BB-9EDA-423C-8276-48857B735D68}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 6.0 PowerPack --> MsiExec.exe /I{38A0BB97-772D-422E-BCCA-4BA2A5D81F42}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Advanced WindowsCare 2.57 Personal --> "C:\Program Files\IObit\Advanced WindowsCare V2\unins000.exe"
Alive Video Converter (version 3.1.6.2) --> "C:\Program Files\AliveMedia\Video Converter\unins000.exe"
ArcSoft Camera Suite 1.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9
Atomic Alarm Clock 4.9 --> "C:\Program Files\Atomic Alarm Clock\unins000.exe"
Audio Player --> C:\Program Files\Microsoft ActiveSync\Audio Player\Uninstall.exe Audio Player
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BitDefender Free Edition v10 --> MsiExec.exe /I{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}
Broadcom Management Programs --> MsiExec.exe /I{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{26BDE7D8-93F0-4A07-AD47-1707DB417941} /l1033
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE286975-ACF1-45B8-9EF7-34E162B2C817}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Disk Heal --> C:\Program Files\Disk Heal\Uninstall Disk Heal.exe
Dream Aquarium --> "C:\Program Files\Dream Aquarium\UnInstall.exe"
Error Repair Professional 3.7.8 --> "C:\Program Files\Error Repair Professional\unins000.exe"
Flash Catcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C6B728E-31B1-48B3-99B5-6B6BB85BC896}\setup.exe"
Flash Movie Player 1.5 --> C:\Program Files\Flash Movie Player\uninst.exe
FLIQLO Screen Saver --> C:\WINDOWS\system32\FLIQLO.scr /u
Folder Lock --> C:\Program Files\Folder Lock\Uninstall.exe
GoldWave v5.10 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.10" "C:\Program Files\GoldWave\unstall.log"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Transfer v.1.9.8 --> C:\Program Files\Microsoft ActiveSync\HP Image Transfer\Uninst.exe
Icon Constructor 3 --> "C:\Program Files\Icon Constructor 3\unins000.exe"
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
iPAQ WebReg --> MsiExec.exe /I{D37C6152-89DF-4D29-83CF-666200D5F398}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
K-Lite Codec Pack 3.4.5 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Living 3D Dolphins Animated Wallpaper --> "C:\PROGRA~1\Freeze.com\LIVING~2\UNINSTAL.EXE"
Living Beaches Wallpaper #1 --> "C:\PROGRA~1\Freeze.com\LIVING~1\UNINSTAL.EXE"
Living Marine Aquarium 2.0 Animated Wallpaper --> "C:\PROGRA~1\Freeze.com\LIVING~1.0AN\UNINSTAL.EXE"
Living Waterfalls II Wallpaper #3 --> "C:\PROGRA~1\Freeze.com\LIVING~3\UNINSTAL.EXE"
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Mega Manager --> C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe -runfromtemp -l0x0009 -removeonly
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mobiano ThemesBox(PPC) 2.0 --> "C:\Program Files\Mobiano\Mobiano ThemesBox(PPC)\unins000.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
My Way Search Assistant --> MsiExec.exe /X{E7559288-223B-453C-9F06-340E3BE21E39}
Nero 8 --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Netscape Navigator (9.0.0.5) --> C:\Program Files\Netscape\Navigator 9\uninstall\helper.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
NJStar Communicator --> "C:\Program Files\NJStar Communicator\Remove.exe" /U:"C:\Program Files\NJStar Communicator\Remove.log"
PC Auto Shutdown 3.68 --> "C:\Program Files\PC Auto Shutdown\unins000.exe"
PDF Password Remover v3.0 --> "C:\Program Files\PDF Password Remover v3.0\unins000.exe"
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
Post-it® Digital Notes --> MsiExec.exe /I{AA2DC6BC-F088-46DD-994B-07F6C5A32EC1}
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Quick ShutDown --> C:\WINDOWS\unvise32.exe C:\Program Files\Quick ShutDown\uninstal.log
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 SET_LIM_RADIO - ALL
Real Alternative 1.7.5 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
Revo Uninstaller 1.50 --> C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SodaBush Windowpaper XP v1.01 --> MsiExec.exe /X{80CE352B-9086-44FC-BD57-BD6CFA4C9AB1}
Sonic Audio module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spb Mobile DVD --> MsiExec.exe /X{A958E835-BDF0-473F-9DC1-0D952C941625}
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
Startup Faster! --> "C:\Program Files\Startup Faster\unins000.exe"
Stedman's Medical Dictionary for the Health Professions and Nursing 1.0 --> C:\PROGRA~1\HPND10\UNWISE.EXE C:\PROGRA~1\HPND10\INSTALL.LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Thoosje Sidebar V2.3 --> C:\Program Files\Thoosje Sidebar V2.3\Uninstall.exe
UserBar Generator 1.2 --> "C:\Program Files\AmitySource\UserBar Generator 2.2\unins000.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wopti Utilities --> "C:\Program Files\Wopti\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type12417 / Error
Event Submitted/Written: 04/23/2008 04:24:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module jd2002.dll, version 2.8.0.0, fault address 0x0000b926.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type12411 / Error
Event Submitted/Written: 04/23/2008 02:00:09 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-04-22 18:00:09,281 SEN [001572:001584] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1948) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type12398 / Warning
Event Submitted/Written: 04/21/2008 05:13:02 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_2050727_ASPNETAppsv2050727 for Performance Library ASP.NET_2.0.50727 because error 0x80041001 was returned

Event Record #/Type12397 / Warning
Event Submitted/Written: 04/21/2008 05:13:02 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type12396 / Warning
Event Submitted/Written: 04/21/2008 05:12:56 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_ASPNETApplications for Performance Library ASP.NET because error 0x80041001 was returned



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type89243 / Warning
Event Submitted/Written: 04/23/2008 03:36:26 PM / 04/23/2008 03:36:27 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type89239 / Error
Event Submitted/Written: 04/23/2008 11:23:30 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type89238 / Error
Event Submitted/Written: 04/23/2008 11:23:30 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDFsDrv service failed to start due to the following error:
%%2

Event Record #/Type89235 / Error
Event Submitted/Written: 04/23/2008 11:23:15 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The bdfdll service failed to start due to the following error:
%%2

Event Record #/Type89223 / Warning
Event Submitted/Written: 04/23/2008 02:33:12 AM
Event ID/Source: 4 / bcm4sbxp
Event Description:
Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.



-- End of Deckard's System Scanner: finished at 2008-04-23 16:31:13 ------------
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\PPC+Comp\PC Programs (comp)\Nero v8.3.2.1\Nero-8.3.2.1_eng_trial.exe/Toolbar.exe
    C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN
    C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0
    C:\WINDOWS\system32\drivers\tybosahm.dat
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

Advertisements


#11
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I followed the instructions but the results is:

'Unable to kill explorer.exe
< C:\PPC+Comp\PC Programs (comp)\Nero v8.3.2.1\Nero-8.3.2.1_eng_trial.exe/Toolbar.exe >'

besides, there is also this pop up {'windows cannot find /idlist,:4332:3816,'. Make sure you type the name correctly, and try again.}


There is also no file in the c:\_OTMoveIt\MovedFiles folder , just the folder with the date and time only.

so, what should i do next then?

Edited by xiaotle, 23 April 2008 - 07:10 AM.

  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do this instead

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\PPC+Comp\PC Programs (comp)\Nero v8.3.2.1\Nero-8.3.2.1_eng_trial.exe/Toolbar.exe
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0
C:\WINDOWS\system32\drivers\tybosahm.dat

Folder::
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#13
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ComboFix 08-04-20.5 - Sam Ng 2008-04-23 23:30:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT 8:00]
Running from: C:\Documents and Settings\Xiaotle\My Documents\Downloads\Programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xiaotle\My Documents\Downloads\Programs\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\PPC+Comp\PC Programs (comp)\Nero v8.3.2.1\Nero-8.3.2.1_eng_trial.exe/Toolbar.exe
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0
C:\WINDOWS\system32\drivers\tybosahm.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN\arn.nfo
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN\file_id.diz
C:\PPC+Comp\PC Programs (comp)\NoAdware.v5.0.Datecode.011207.Incl.Keymaker-ARN\noadware.exe
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0\Keygen.exe
C:\PPC+Comp\PC Programs (comp)\PDF_Password_Remover_3.0\pwdremover.exe
C:\WINDOWS\system32\drivers\tybosahm.dat

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 21:19 . 2008-04-23 21:19 <DIR> d-------- C:\Program Files\Spb Software House
2008-04-23 21:00 . 2008-04-23 21:00 <DIR> d-------- C:\_OTMoveIt
2008-04-23 20:59 . 2008-04-23 20:59 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-23 16:26 . 2008-04-23 16:26 <DIR> d-------- C:\Deckard
2008-04-23 11:41 . 2008-04-23 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 11:41 . 2008-04-23 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-21 17:19 . 2008-04-21 17:19 <DIR> d-------- C:\Program Files\Mobiano
2008-04-21 17:19 . 2008-04-21 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mobiano
2008-04-21 14:55 . 2008-04-21 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 12:39 . 2008-03-01 21:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-21 11:45 . 2007-07-09 21:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 11:25 . 2008-04-23 20:39 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-08 22:14 . 2008-04-08 22:14 <DIR> d-------- C:\Documents and Settings\chkeatng
2008-04-08 20:06 . 2008-04-08 21:23 <DIR> d-------- C:\Program Files\Thoosje Sidebar V2.3
2008-04-06 22:47 . 2008-04-06 22:48 <DIR> d-a------ C:\Program Files\Windows Sidebar
2008-04-06 14:00 . 2008-04-06 14:00 <DIR> d-a------ C:\VAIO
2008-04-03 22:34 . 2008-04-03 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-03 22:29 . 2008-04-03 22:29 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-03 22:26 . 2005-03-08 12:43 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-04-03 22:23 . 2005-03-08 12:43 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-04-03 22:20 . 2005-03-08 12:43 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-04-03 22:14 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-03 22:14 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-03 22:14 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-03 22:14 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-03 22:14 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-03 22:14 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-03 22:05 . 2008-04-03 22:38 112,988 --a------ C:\WINDOWS\hpoins07.dat
2008-04-03 22:05 . 2005-05-24 12:36 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-04-03 21:23 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-02 17:58 . 2008-04-02 17:58 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-04-02 15:09 . 2008-04-23 20:36 <DIR> d-------- C:\Program Files\Wopti
2008-04-02 14:59 . 2008-04-03 21:52 <DIR> d-------- C:\Program Files\Dream Aquarium
2008-04-02 01:50 . 2008-04-23 18:08 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-02 00:58 . 2008-04-02 00:58 <DIR> d-------- C:\Documents and Settings\Xiaotle\Application Data\Nero
2008-04-02 00:52 . 2008-04-02 00:52 <DIR> d-------- C:\Program Files\Nero
2008-04-02 00:52 . 2008-04-06 14:18 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-02 00:52 . 2008-04-02 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-01 22:21 . 2008-04-01 22:21 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2008-04-01 13:24 . 2008-04-01 13:24 <DIR> d-------- C:\Program Files\PDF Password Remover v3.0
2008-03-29 12:23 . 2008-04-23 17:19 <DIR> dr------- C:\Medic Files
2008-03-26 00:35 . 2008-03-26 00:38 <DIR> d-------- C:\Program Files\intocartoonpro
2008-03-23 14:32 . 2008-03-23 14:32 <DIR> d-------- C:\Documents and Settings\Xiaotle\Application Data\3M
2008-03-23 14:31 . 2008-03-23 14:31 <DIR> d-------- C:\Program Files\3M

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 15:34 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-04-23 15:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 15:08 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\MegauploadToolbar
2008-04-23 15:02 --------- d-----w C:\Program Files\Common Files\Skyscape
2008-04-23 14:08 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\AVG7
2008-04-23 13:25 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-23 13:24 --------- d-----w C:\Program Files\GoldWave
2008-04-23 12:43 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\DMCache
2008-04-23 12:28 --------- d-----w C:\Program Files\Internet Download Manager
2008-04-23 09:19 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-23 08:56 --------- d-----w C:\Program Files\Folder Lock
2008-04-22 16:32 --------- d-----w C:\Program Files\NoAdware5.0
2008-04-21 06:11 --------- d-----w C:\Program Files\Error Repair Professional
2008-04-08 13:10 --------- d-----w C:\Program Files\DFX
2008-04-08 13:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 11:14 --------- d-----w C:\Program Files\HP
2008-04-04 09:53 --------- d-----w C:\Program Files\IObit
2008-04-03 14:05 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\HP
2008-04-03 07:10 --------- d-----w C:\Program Files\Startup Faster
2008-04-02 09:48 --------- d-----w C:\Program Files\NJStar Communicator
2008-04-02 09:48 --------- d-----w C:\Program Files\HPND10
2008-04-02 09:21 --------- d-----w C:\Program Files\SPSS
2008-04-01 04:50 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\TrojanHunter
2008-03-31 18:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 07:10 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\KeyPass
2008-03-22 04:47 --------- d-----w C:\Program Files\Icon Constructor 3
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 18:03 --------- d-----w C:\Program Files\Volumouse
2008-03-05 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-01 10:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 13:55 --------- d-----w C:\Documents and Settings\Xiaotle\Application Data\PrevxCSI
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-28 13:44 --------- d-----w C:\Program Files\Real Alternative
2008-02-28 13:17 --------- d-----w C:\Program Files\Common Files\Real
2008-02-28 13:15 --------- d-----w C:\Program Files\Disk Heal
2008-02-28 09:38 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 08:14 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-02-24 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-24 15:52 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-18 08:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-11-03 11:57 499,200 ----a-w C:\Program Files\Eject.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupFaster"="C:\Program Files\Startup Faster\startuploader.exe" [2007-12-07 21:19 1631456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-07 23:44 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Digital Notes.lnk]
backup=C:\WINDOWS\pss\Post-it® Digital Notes.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vypress Chat StartUp.lnk]
backup=C:\WINDOWS\pss\Vypress Chat StartUp.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
backup=C:\WINDOWS\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT-Watch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-09-01 17:24 684032 C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\NetWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
--a------ 2007-11-01 03:04 2510664 C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Visual Day Planner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 PCAutoShutdown_Service;PCAutoShutdown_Service;C:\Program Files\PC Auto Shutdown\ShutdownService.exe [2007-09-14 17:03]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:38:00 C:\WINDOWS\Tasks\WebReg Officejet 5600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 23:34:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\Xiaotle\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\WINDOWS\system32\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Xiaotle\Application Data\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\Documents and Settings\Xiaotle\Local Settings\Application Data\
disk error: C:\WINDOWS\Fonts\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\Xiaotle\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-04-23 23:35:26
ComboFix-quarantined-files.txt 2008-04-23 15:35:22
ComboFix2.txt 2008-04-22 16:09:31

Pre-Run: 15,212,294,144 bytes free
Post-Run: 15,448,739,840 bytes free

225 --- E O F --- 2007-08-15 19:10:24
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#15
xiaotle

xiaotle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Billion thanks to you! Now i'm free from the annoying spyware trojan. I really salute you! You are my saviour! You are simply the best :)

I also download all the recommendation you suggested to prevent further infection. But i'm not quite sure about the MVP HOst file.

Can i ask you a last question? In internet explorer, when i click on certain link, it could not open in a new tab/windows. This does not happen in Netscape. I don't really know what have happen to prevent me from opening only certain underlined link. I had check the IE settings but got no idea at all. Could you help me for that? Thousand thanks!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP