You're doing a great job. I got a trojan 1 week ago. After several hours I got around 30 something viruses. I had nod32 as antivirus. I used for cure: NAV, SOphos, Trendmicro, NOD32, Bitdefender. I also used Spyboot and lavasoft adware. I cleaned almost everything, but my Zonealarm keep popping up that svchost.exe want to accept connection from outside. I read the tutorials here. I ran Combofix, SDFIX, then again Combofix, Deckard's System Scanner and Hijackthis. I will attach the reports.
Please help, this [bleep] thing stops me using normally my pc. Now it wants to change my homepage.
Hugs
============================================
SDFix: Version 1.172
Run by Sorin on Mon 04/21/2008 at 02:18 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Temporar\SDFix\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 14:27:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d1,fb,28,f7,a8,10,fb,fe,54,d8,72,c3,38,3d,a3,e0,f8,56,a8,f4,82,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:aa,6f,71,fe,17,56,eb,b4,f4,98,1b,44,01,40,02,56,6a,a1,51,84,1a,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:6bcab148
"s2"=dword:e2e39c2b
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:aa,6f,71,fe,17,56,eb,b4,f4,98,1b,44,01,40,02,56,6a,a1,51,84,1a,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000ad
"TracesSuccessful"=dword:00000001
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"H:\\Azureus\\utorrent-1.8-alpha-8205.upx.exe"="H:\\Azureus\\utorrent-1.8-alpha-8205.upx.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\CNN Desktop Alerts\\cnn.exe"="C:\\Program Files\\CNN Desktop Alerts\\cnn.exe"
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"="C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"
Remaining Files :
File Backups: - C:\Temporar\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 21 Mar 2007 380 ...H. --- "C:\WINDOWS\WINRDPD40.SYS"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 31 Mar 2003 10,912 A.SH. --- "C:\WINDOWS\system32\Proxy.Dll"
Mon 31 Mar 2003 134,091 A.SH. --- "C:\WINDOWS\system32\ProxyM.dll"
Sun 20 Apr 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Wed 31 Oct 2007 678,814 ...H. --- "C:\Program Files\iolo\System Mechanic Professional 7\unins000.exe"
Finished!
============================================
ComboFix 08-04-20.2 - Sorin 2008-04-21 15:08:19.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.793 [GMT 3:00]
Running from: C:\Documents and Settings\Sorin\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.
2008-04-21 14:16 . 2008-04-21 14:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-21 12:44 . 2008-04-21 12:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 11:03 . 2008-04-21 11:03 <DIR> d-------- C:\Autoruns
2008-04-21 00:10 . 2008-04-21 00:18 446,706 --a------ C:\WINDOWS\system32\netsoft.exe
2008-04-20 23:18 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-20 23:18 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-20 23:18 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-20 23:18 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-20 18:42 . 2008-04-20 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-04-20 18:35 . 2008-04-20 18:35 <DIR> d-------- C:\savxpsa
2008-04-20 18:07 . 2008-04-20 21:32 <DIR> d-------- C:\Program Files\Sophos
2008-04-20 15:35 . 2008-04-20 15:35 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-20 08:59 . 2008-04-21 14:59 12,598 --a------ C:\WINDOWS\system32\wpa.dbl
2008-04-20 02:35 . 2008-04-20 02:35 <DIR> d-------- C:\WINDOWS\system32\backuped
2008-04-20 02:35 . 2008-04-21 13:02 <DIR> d-------- C:\Program Files\True Sword 4
2008-04-20 02:35 . 2008-04-20 02:35 <DIR> d-------- C:\Documents and Settings\Sorin\Application Data\True Sword
2008-04-20 02:35 . 2003-06-06 11:21 81,920 --a------ C:\WINDOWS\eSellerateControl350.dll
2008-04-20 02:15 . 2008-04-20 11:17 <DIR> d-------- C:\Temporar
2008-04-20 01:55 . 2008-04-20 01:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:36 . 2008-04-20 00:36 <DIR> d-------- C:\Documents and Settings\Sorin\Application Data\WinPatrol
2008-04-20 00:35 . 2008-04-20 00:35 <DIR> d-------- C:\Program Files\BillP Studios
2008-04-19 08:45 . 2008-04-19 08:45 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-19 08:42 . 2007-12-13 13:28 24,592 --a------ C:\WINDOWS\system32\drivers\klim5.sys
2008-04-18 22:16 . 2008-04-18 22:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-18 22:16 . 2008-04-18 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 11:28 . 2008-04-17 11:28 <DIR> d-------- C:\Documents and Settings\Sorin\Application Data\F-Secure
2008-04-17 11:22 . 2008-04-17 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-17 11:21 . 2008-04-17 11:57 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-04-17 11:14 . 2008-04-17 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-04-17 11:06 . 2008-03-07 06:34 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-17 11:06 . 2008-03-07 06:34 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-04-17 11:06 . 2008-03-07 06:34 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-04-16 23:02 . 2008-04-16 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-16 22:45 . 2008-04-19 09:05 <DIR> d-------- C:\Documents and Settings\Sorin\.housecall6.6
2008-04-05 14:25 . 2008-04-05 14:25 <DIR> d-------- C:\Program Files\Safari
2008-04-01 23:07 . 2008-04-19 09:12 35,296 --a------ C:\WINDOWS\system32\drivers\Dvd43.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 07:22 1,202,938 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-20 20:08 3,537,408 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-20 20:08 1,659,392 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-20 15:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-20 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-20 15:00 818,688 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-20 15:00 1,612,288 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-20 14:38 273,408 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-20 14:30 1,601,536 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-20 14:07 --------- d-----w C:\Program Files\uTorrent
2008-04-19 06:34 1,409,536 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-17 07:47 --------- d-----w C:\Program Files\ARCHPR
2008-04-16 20:16 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Symantec
2008-04-15 09:23 --------- d-----w C:\Program Files\CNN Desktop Alerts
2008-04-15 06:16 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Azureus
2008-04-07 18:52 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Skype
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 08:39 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Ahead
2008-03-17 08:13 --------- d-----w C:\Program Files\Nero
2008-03-17 08:13 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-16 13:12 --------- d-----w C:\Documents and Settings\Sorin\Application Data\uTorrent
2008-03-16 07:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-13 20:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-08 16:46 --------- d-----w C:\Documents and Settings\Sorin\Application Data\GetRight
2008-03-08 07:58 --------- d-----w C:\Program Files\Azureus
2008-03-08 06:59 --------- d-----w C:\Documents and Settings\Sorin\Application Data\GetRightToGo
2008-03-08 06:58 --------- d-----w C:\Program Files\GetRight
2008-03-05 12:41 --------- d-----w C:\Program Files\iTunes
2008-03-05 12:41 --------- d-----w C:\Program Files\iPod
2008-03-05 12:39 --------- d-----w C:\Program Files\QuickTime
2008-03-01 19:01 --------- d-----w C:\Program Files\SuperBlank
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-09-02 11:42 7,780 ----a-w C:\Documents and Settings\Honey\FMCodec.dat
2007-04-20 14:15 7,780 ----a-w C:\Documents and Settings\Tata\FMCodec.dat
2003-03-31 12:00 134,091 --sha-w C:\WINDOWS\system32\ProxyM.dll
.
------- Sigcheck -------
2003-03-31 15:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 10:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 10:56 14336 cff9c179929fe016dd1b77796daff33a C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-21_14.09.19.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-21 10:58:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 12:07:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 08:17:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-21 11:16:35 10,108,928 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-21 11:16:35 192,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-20 08:17:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-21 11:16:34 10,108,928 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-21 11:16:34 192,512 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-21 10:58:36 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-21 12:07:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-21 10:58:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-21 12:07:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-21 10:58:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-21 12:07:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 08:38 316728]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-02-12 17:22 397312]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 06:42 577536 C:\WINDOWS\soundman.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-02 08:19 950664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= Pvmjpg30.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
"CNN Desktop Alerts"=""
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"nwiz"=nwiz.exe /install
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"Device Detector"=DevDetect.exe -autorun
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"PinnacleDriverCheck"=C:\WINDOWS\system32\\PSDrvCheck.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"NSLauncher"=C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
"DVD43"=C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"H:\\Azureus\\utorrent-1.8-alpha-8205.upx.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11892:TCP"= 11892:TCP:BitComet 11892 TCP
"11892:UDP"= 11892:UDP:BitComet 11892 UDP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-04-19 09:12]
S2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2007-03-18 00:04]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2007-03-18 00:04]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2007-03-18 00:04]
S3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 16:01]
S3 SiSV;SiSV;C:\WINDOWS\system32\DRIVERS\SiSV.sys [2001-08-17 15:50]
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [2001-11-29 16:10]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 17:55]
*Newly Created Service* - TV2KTUNR
*Newly Created Service* - TV2KXBAR
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 15:10:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-21 15:11:01
ComboFix-quarantined-files.txt 2008-04-21 12:10:43
ComboFix2.txt 2008-04-21 11:09:28
Pre-Run: 5,400,023,040 bytes free
Post-Run: 5,382,221,824 bytes free
218 --- E O F --- 2008-04-09 12:17:05
=========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:11:40 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{746EE235-7CA4-4F54-9135-E2945E243183}: NameServer = 194.102.255.2,194.102.255.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 6913 bytes
======================================================
StartupList report, 4/21/2008, 3:12:24 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16640)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
WinPatrol = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
WinFast Schedule = C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
SoundMan = SOUNDMAN.EXE
nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[avp6_post_uninstall]
*No values found*
[OptionalComponents]
=
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = NOTEPAD.EXE %1
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\GetRight\xx2gr.dll - {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Download Program Files:
[{0742B9EF-8C83-41CA-BFBA-830A59E23533}]
CODEBASE = https://support.micr...veX/MSDcode.cab
[{0E5F0222-96B9-11D3-8997-00104BD12D94}]
CODEBASE = http://pcpitstop.com...p/PCPitStop.CAB
[TmHcmsX Control]
CODEBASE = http://www.trendsecu...vex/TmHcmsX.CAB
[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\BDOSCAN8\oscan82.ocx
CODEBASE = http://www.bitdefend...can8/oscan8.cab
[{644E432F-49D3-41A1-8DD5-E099162EEEC5}]
CODEBASE = http://security.syma...n/bin/cabsa.cab
[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...9273.9904050926
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload2.m...ash/swflash.cab
[{E8F628B5-259A-4734-97EE-BA914D7BE941}]
CODEBASE = http://driveragent.c...driveragent.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\test0123 => C:\Qoobox\Quarantine\C\test0123.vir||x
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: *Registry key not found*
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
End of report, 5,477 bytes
Report generated in 0.016 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
=====================================================================
Deckard's System Scanner v20071014.68
Run by Sorin on 2008-04-21 15:18:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 1 Restore Point(s) --
1: 2008-04-21 12:18:18 UTC - RP1 - Deckard's System Scanner Restore Point
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 3.95 GiB (less than 15%) free.
-- HijackThis (run as Sorin.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:19:18 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sorin\Desktop\Malware tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sorin.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{746EE235-7CA4-4F54-9135-E2945E243183}: NameServer = 194.102.255.2,194.102.255.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 7571 bytes
-- File Associations -----------------------------------------------------------
.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 BT848 (WinFast TV2000 XP WDM Video Capture) - c:\windows\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
R2 tv2ktunr (WinFast TV2000 XP WDM TVTuner) - c:\windows\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
R2 Tv2kXbar (WinFast TV2000 XP WDM Crossbar) - c:\windows\system32\drivers\wf2kxbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 Dvd43 - c:\windows\system32\drivers\dvd43.sys <Not Verified; Fengtao Software Inc.; DVD43>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys
R3 WFIOCTL - c:\program files\winfast\wftvfm\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S4 SANDRA - c:\program files\sisoftware\sisoftware sandra professional business xii.sp2\wnt500x86\sandra.sys (file missing)
S4 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S4 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper Disk Defragmenter>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - "c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe" <Not Verified; Pinnacle Systems; Media Server>
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
S4 UleadBurningHelper (Ulead Burning Helper) - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: N82
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: N82
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
-- Files created between 2008-03-21 and 2008-04-21 -----------------------------
2008-04-21 14:16:33 0 d-------- C:\WINDOWS\ERUNT
2008-04-21 14:04:34 68096 --a------ C:\WINDOWS\zip.exe
2008-04-21 14:04:34 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-21 14:04:34 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-21 14:04:34 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-21 14:04:34 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-21 14:04:34 98816 --a------ C:\WINDOWS\sed.exe
2008-04-21 14:04:34 80412 --a------ C:\WINDOWS\grep.exe
2008-04-21 14:04:34 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-21 12:44:27 0 d-------- C:\Program Files\Trend Micro
2008-04-21 11:03:47 0 d-------- C:\Autoruns
2008-04-21 00:10:36 446706 --a------ C:\WINDOWS\system32\netsoft.exe
2008-04-20 18:42:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-04-20 18:35:39 0 d-------- C:\savxpsa
2008-04-20 18:07:18 0 d-------- C:\Program Files\Sophos
2008-04-20 15:35:21 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-20 02:35:43 0 d-------- C:\Documents and Settings\Sorin\Application Data\True Sword
2008-04-20 02:35:25 81920 --a------ C:\WINDOWS\eSellerateControl350.dll <Not Verified; eSellerate Inc.; eSellerate ActiveX Control>
2008-04-20 02:35:23 0 d-------- C:\WINDOWS\system32\backuped
2008-04-20 02:35:23 0 d-------- C:\Program Files\True Sword 4
2008-04-20 02:15:08 0 d-------- C:\Temporar
2008-04-20 01:55:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:36:01 0 d-------- C:\Documents and Settings\Sorin\Application Data\WinPatrol
2008-04-20 00:35:44 0 d-------- C:\Program Files\BillP Studios
2008-04-19 08:45:17 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-18 22:16:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 11:28:34 0 d-------- C:\Documents and Settings\Sorin\Application Data\F-Secure
2008-04-17 11:22:12 0 d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-17 11:21:40 0 d-------- C:\Program Files\F-Secure Internet Security
2008-04-17 11:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-04-16 23:02:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-16 22:45:30 0 d-------- C:\Documents and Settings\Sorin\.housecall6.6
2008-04-05 14:25:46 0 d-------- C:\Program Files\Safari
2008-04-01 23:07:55 35296 --a------ C:\WINDOWS\system32\drivers\Dvd43.sys <Not Verified; Fengtao Softw
Edited by brandon22, 21 April 2008 - 07:02 AM.