Nasty malware - Brand name antivirus programs don't find it

#1
brandon22

Hi guys,

You're doing a great job. I got a trojan 1 week ago. After several hours I got around 30-something viruses. I had NOD32 as antivirus. I used for the cure: NAV, Sophos, Trend Micro, NOD32, BitDefender. I also used Spybot and Lavasoft Ad-Aware. I cleaned almost everything, but my ZoneAlarm keeps popping up that svchost.exe wants to accept a connection from outside. I read the tutorials here. I ran ComboFix, SDFix, then again ComboFix, Deckard's System Scanner and HijackThis. I will attach the reports.
Please help, this [bleep] thing stops me from using my PC normally. Now it wants to change my homepage.

Hugs

============================================

SDFix: Version 1.172
Run by Sorin on Mon 04/21/2008 at 02:18 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Temporar\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 14:27:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d1,fb,28,f7,a8,10,fb,fe,54,d8,72,c3,38,3d,a3,e0,f8,56,a8,f4,82,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:aa,6f,71,fe,17,56,eb,b4,f4,98,1b,44,01,40,02,56,6a,a1,51,84,1a,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:6bcab148
"s2"=dword:e2e39c2b
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:aa,6f,71,fe,17,56,eb,b4,f4,98,1b,44,01,40,02,56,6a,a1,51,84,1a,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000ad
"TracesSuccessful"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"H:\\Azureus\\utorrent-1.8-alpha-8205.upx.exe"="H:\\Azureus\\utorrent-1.8-alpha-8205.upx.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\CNN Desktop Alerts\\cnn.exe"="C:\\Program Files\\CNN Desktop Alerts\\cnn.exe"
"C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"="C:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"

Remaining Files :


File Backups: - C:\Temporar\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 21 Mar 2007 380 ...H. --- "C:\WINDOWS\WINRDPD40.SYS"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 31 Mar 2003 10,912 A.SH. --- "C:\WINDOWS\system32\Proxy.Dll"
Mon 31 Mar 2003 134,091 A.SH. --- "C:\WINDOWS\system32\ProxyM.dll"
Sun 20 Apr 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Wed 31 Oct 2007 678,814 ...H. --- "C:\Program Files\iolo\System Mechanic Professional 7\unins000.exe"

Finished!



============================================
ComboFix 08-04-20.2 - Sorin 2008-04-21 15:08:19.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.793 [GMT 3:00]
Running from: C:\Documents and Settings\Sorin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 14:16 . 2008-04-21 14:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-21 12:44 . 2008-04-21 12:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 11:03 . 2008-04-21 11:03 <DIR> d-------- C:\Autoruns
2008-04-21 00:10 . 2008-04-21 00:18 446,706 --a------ C:\WINDOWS\system32\netsoft.exe
2008-04-20 23:18 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-20 23:18 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-20 23:18 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-20 23:18 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-20 18:42 . 2008-04-20 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-04-20 18:35 . 2008-04-20 18:35 <DIR> d-------- C:\savxpsa
2008-04-20 18:07 . 2008-04-20 21:32 <DIR> d-------- C:\Program Files\Sophos
2008-04-20 15:35 . 2008-04-20 15:35 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-20 08:59 . 2008-04-21 14:59 12,598 --a------ C:\WINDOWS\system32\wpa.dbl
2008-04-20 02:35 . 2008-04-20 02:35 <DIR> d-------- C:\WINDOWS\system32\backuped
2008-04-20 02:35 . 2008-04-21 13:02 <DIR> d-------- C:\Program Files\True Sword 4
2008-04-20 02:35 . 2008-04-20 02:35 <DIR> d-------- C:\Documents and Settings\Sorin\Application Data\True Sword
2008-04-20 02:35 . 2003-06-06 11:21 81,920 --a------ C:\WINDOWS\eSellerateControl350.dll
2008-04-20 02:15 . 2008-04-20 11:17 <DIR> d-------- C:\Temporar
2008-04-20 01:55 . 2008-04-20 01:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:36 . 2008-04-20 00:36 <DIR> d-------- C:\Documents and Settings\Sorin\Application Data\WinPatrol
2008-04-20 00:35 . 2008-04-20 00:35 <DIR> d-------- C:\Program Files\BillP Studios
2008-04-19 08:45 . 2008-04-19 08:45 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-19 08:42 . 2007-12-13 13:28 24,592 --a------ C:\WINDOWS\system32\drivers\klim5.sys
2008-04-18 22:16 . 2008-04-18 22:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-18 22:16 . 2008-04-18 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 11:28 . 2008-04-17 11:28 <DIR> d-------- C:\Documents and Settings\Sorin\Application Data\F-Secure
2008-04-17 11:22 . 2008-04-17 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-17 11:21 . 2008-04-17 11:57 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-04-17 11:14 . 2008-04-17 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-04-17 11:06 . 2008-03-07 06:34 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-17 11:06 . 2008-03-07 06:34 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-04-17 11:06 . 2008-03-07 06:34 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-04-16 23:02 . 2008-04-16 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-16 22:45 . 2008-04-19 09:05 <DIR> d-------- C:\Documents and Settings\Sorin\.housecall6.6
2008-04-05 14:25 . 2008-04-05 14:25 <DIR> d-------- C:\Program Files\Safari
2008-04-01 23:07 . 2008-04-19 09:12 35,296 --a------ C:\WINDOWS\system32\drivers\Dvd43.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 07:22 1,202,938 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-20 20:08 3,537,408 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-20 20:08 1,659,392 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-20 15:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-20 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-20 15:00 818,688 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-20 15:00 1,612,288 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-20 14:38 273,408 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-20 14:30 1,601,536 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-20 14:07 --------- d-----w C:\Program Files\uTorrent
2008-04-19 06:34 1,409,536 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-17 07:47 --------- d-----w C:\Program Files\ARCHPR
2008-04-16 20:16 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Symantec
2008-04-15 09:23 --------- d-----w C:\Program Files\CNN Desktop Alerts
2008-04-15 06:16 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Azureus
2008-04-07 18:52 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Skype
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 08:39 --------- d-----w C:\Documents and Settings\Sorin\Application Data\Ahead
2008-03-17 08:13 --------- d-----w C:\Program Files\Nero
2008-03-17 08:13 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-16 13:12 --------- d-----w C:\Documents and Settings\Sorin\Application Data\uTorrent
2008-03-16 07:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-13 20:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-08 16:46 --------- d-----w C:\Documents and Settings\Sorin\Application Data\GetRight
2008-03-08 07:58 --------- d-----w C:\Program Files\Azureus
2008-03-08 06:59 --------- d-----w C:\Documents and Settings\Sorin\Application Data\GetRightToGo
2008-03-08 06:58 --------- d-----w C:\Program Files\GetRight
2008-03-05 12:41 --------- d-----w C:\Program Files\iTunes
2008-03-05 12:41 --------- d-----w C:\Program Files\iPod
2008-03-05 12:39 --------- d-----w C:\Program Files\QuickTime
2008-03-01 19:01 --------- d-----w C:\Program Files\SuperBlank
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-09-02 11:42 7,780 ----a-w C:\Documents and Settings\Honey\FMCodec.dat
2007-04-20 14:15 7,780 ----a-w C:\Documents and Settings\Tata\FMCodec.dat
2003-03-31 12:00 134,091 --sha-w C:\WINDOWS\system32\ProxyM.dll
.

------- Sigcheck -------

2003-03-31 15:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 10:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 10:56 14336 cff9c179929fe016dd1b77796daff33a C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-21_14.09.19.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-21 10:58:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 12:07:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 08:17:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-21 11:16:35 10,108,928 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-21 11:16:35 192,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-20 08:17:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-21 11:16:34 10,108,928 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-21 11:16:34 192,512 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-21 10:58:36 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-21 12:07:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-21 10:58:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-21 12:07:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-21 10:58:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-21 12:07:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 08:38 316728]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-02-12 17:22 397312]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 06:42 577536 C:\WINDOWS\soundman.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-02 08:19 950664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
"CNN Desktop Alerts"=""
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"nwiz"=nwiz.exe /install
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"Device Detector"=DevDetect.exe -autorun
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"PinnacleDriverCheck"=C:\WINDOWS\system32\\PSDrvCheck.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"NSLauncher"=C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
"DVD43"=C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"H:\\Azureus\\utorrent-1.8-alpha-8205.upx.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11892:TCP"= 11892:TCP:BitComet 11892 TCP
"11892:UDP"= 11892:UDP:BitComet 11892 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-04-19 09:12]
S2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2007-03-18 00:04]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2007-03-18 00:04]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2007-03-18 00:04]
S3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 16:01]
S3 SiSV;SiSV;C:\WINDOWS\system32\DRIVERS\SiSV.sys [2001-08-17 15:50]
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [2001-11-29 16:10]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 17:55]

*Newly Created Service* - TV2KTUNR
*Newly Created Service* - TV2KXBAR
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 15:10:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-21 15:11:01
ComboFix-quarantined-files.txt 2008-04-21 12:10:43
ComboFix2.txt 2008-04-21 11:09:28

Pre-Run: 5,400,023,040 bytes free
Post-Run: 5,382,221,824 bytes free

218 --- E O F --- 2008-04-09 12:17:05

=========================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:11:40 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{746EE235-7CA4-4F54-9135-E2945E243183}: NameServer = 194.102.255.2,194.102.255.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6913 bytes


======================================================
StartupList report, 4/21/2008, 3:12:24 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16640)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
WinPatrol = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
WinFast Schedule = C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
SoundMan = SOUNDMAN.EXE
nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[avp6_post_uninstall]
*No values found*

[OptionalComponents]
=

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = NOTEPAD.EXE %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\GetRight\xx2gr.dll - {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[{0742B9EF-8C83-41CA-BFBA-830A59E23533}]
CODEBASE = https://support.micr...veX/MSDcode.cab

[{0E5F0222-96B9-11D3-8997-00104BD12D94}]
CODEBASE = http://pcpitstop.com...p/PCPitStop.CAB

[TmHcmsX Control]
CODEBASE = http://www.trendsecu...vex/TmHcmsX.CAB

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\BDOSCAN8\oscan82.ocx
CODEBASE = http://www.bitdefend...can8/oscan8.cab

[{644E432F-49D3-41A1-8DD5-E099162EEEC5}]
CODEBASE = http://security.syma...n/bin/cabsa.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...9273.9904050926

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload2.m...ash/swflash.cab

[{E8F628B5-259A-4734-97EE-BA914D7BE941}]
CODEBASE = http://driveragent.c...driveragent.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\test0123 => C:\Qoobox\Quarantine\C\test0123.vir||x

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: *Registry key not found*
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5,477 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

=====================================================================

Deckard's System Scanner v20071014.68
Run by Sorin on 2008-04-21 15:18:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2008-04-21 12:18:18 UTC - RP1 - Deckard's System Scanner Restore Point


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.95 GiB (less than 15%) free.


-- HijackThis (run as Sorin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:19:18 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sorin\Desktop\Malware tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sorin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{746EE235-7CA4-4F54-9135-E2945E243183}: NameServer = 194.102.255.2,194.102.255.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7571 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 BT848 (WinFast TV2000 XP WDM Video Capture) - c:\windows\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
R2 tv2ktunr (WinFast TV2000 XP WDM TVTuner) - c:\windows\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
R2 Tv2kXbar (WinFast TV2000 XP WDM Crossbar) - c:\windows\system32\drivers\wf2kxbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 Dvd43 - c:\windows\system32\drivers\dvd43.sys <Not Verified; Fengtao Software Inc.; DVD43>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys
R3 WFIOCTL - c:\program files\winfast\wftvfm\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>

S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S4 SANDRA - c:\program files\sisoftware\sisoftware sandra professional business xii.sp2\wnt500x86\sandra.sys (file missing)
S4 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S4 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - "c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe" <Not Verified; Pinnacle Systems; Media Server>
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
S4 UleadBurningHelper (Ulead Burning Helper) - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: N82
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: N82
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Files created between 2008-03-21 and 2008-04-21 -----------------------------

2008-04-21 14:16:33 0 d-------- C:\WINDOWS\ERUNT
2008-04-21 14:04:34 68096 --a------ C:\WINDOWS\zip.exe
2008-04-21 14:04:34 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-21 14:04:34 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-21 14:04:34 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-21 14:04:34 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-21 14:04:34 98816 --a------ C:\WINDOWS\sed.exe
2008-04-21 14:04:34 80412 --a------ C:\WINDOWS\grep.exe
2008-04-21 14:04:34 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-21 12:44:27 0 d-------- C:\Program Files\Trend Micro
2008-04-21 11:03:47 0 d-------- C:\Autoruns
2008-04-21 00:10:36 446706 --a------ C:\WINDOWS\system32\netsoft.exe
2008-04-20 18:42:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-04-20 18:35:39 0 d-------- C:\savxpsa
2008-04-20 18:07:18 0 d-------- C:\Program Files\Sophos
2008-04-20 15:35:21 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-20 02:35:43 0 d-------- C:\Documents and Settings\Sorin\Application Data\True Sword
2008-04-20 02:35:25 81920 --a------ C:\WINDOWS\eSellerateControl350.dll <Not Verified; eSellerate Inc.; eSellerate ActiveX Control>
2008-04-20 02:35:23 0 d-------- C:\WINDOWS\system32\backuped
2008-04-20 02:35:23 0 d-------- C:\Program Files\True Sword 4
2008-04-20 02:15:08 0 d-------- C:\Temporar
2008-04-20 01:55:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:36:01 0 d-------- C:\Documents and Settings\Sorin\Application Data\WinPatrol
2008-04-20 00:35:44 0 d-------- C:\Program Files\BillP Studios
2008-04-19 08:45:17 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-18 22:16:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 11:28:34 0 d-------- C:\Documents and Settings\Sorin\Application Data\F-Secure
2008-04-17 11:22:12 0 d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-17 11:21:40 0 d-------- C:\Program Files\F-Secure Internet Security
2008-04-17 11:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-04-16 23:02:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-16 22:45:30 0 d-------- C:\Documents and Settings\Sorin\.housecall6.6
2008-04-05 14:25:46 0 d-------- C:\Program Files\Safari
2008-04-01 23:07:55 35296 --a------ C:\WINDOWS\system32\drivers\Dvd43.sys <Not Verified; Fengtao Softw

Edited by brandon22, 21 April 2008 - 07:02 AM.
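The HijackThis section of the log above is the part a helper reads first, and it is long enough that a first pass by script saves time. The following is an added example, not code from the original post, from HijackThis or from Deckard's System Scanner: it parses HijackThis-style `Oxx - ...` lines and flags entries that usually deserve a second look. The rules in `classify()` are this example's own triage heuristics, not a verdict on this particular machine; a flag means "verify this", not "this is malware". The sample lines are copied from the log above and embedded so the script runs offline.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the original post).

Each rule in classify() is a review heuristic assumed here, not a rule from the page:
  O4  : autorun command without a drive letter is resolved through the search path
  O6  : Internet Explorer policy restrictions are present (verify they are intended)
  O16 : ActiveX download (DPF) with no registered friendly name
  O17 : DNS servers set per interface (confirm they belong to the ISP/network)
  O23 : service whose binary carries no company information ("Unknown owner")
  O24 : desktop component that points at no file
"""
import re

# Constructed sample: a handful of lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{746EE235-7CA4-4F54-9135-E2945E243183}: NameServer = 194.102.255.2,194.102.255.3
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

# "O4 - body" / "R0 - body"; everything after the section tag is the body.
LINE_RE = re.compile(r"^(O\d+|R[01])\s+-\s+(.*)$")


def classify(section: str, body: str):
    """Return a review reason for one log entry, or None if nothing stands out."""
    if section == "O4":
        # Text after the closing ']' is the command line of the autorun entry.
        m = re.search(r"\]\s*(.*)$", body)
        cmd = m.group(1).strip() if m else body
        if not re.match(r'^"?[A-Za-z]:\\', cmd):
            return "autorun uses an unqualified path (resolved via the search path)"
    elif section == "O6":
        return "Internet Explorer policy restriction present; confirm you set it"
    elif section == "O16":
        # A registered control shows '(Friendly Name)' right after its CLSID.
        if not re.search(r"\}\s*\(", body):
            return "ActiveX download with no registered friendly name"
    elif section == "O17":
        m = re.search(r"NameServer\s*=\s*(.+)$", body)
        if m:
            return "DNS servers set to %s; confirm they belong to your ISP" % m.group(1)
    elif section == "O23":
        if " - Unknown owner - " in body:
            return "service binary carries no company/version information"
    elif section == "O24":
        if "(no file)" in body:
            return "orphaned desktop component (points at no file)"
    return None


def triage(log_text: str):
    """Walk a HijackThis log and return the entries worth reviewing."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = classify(section, body)
        if reason:
            hits.append({"section": section, "reason": reason, "line": raw.strip()})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (hit["section"], hit["reason"], hit["line"]))
```

Run against the sample it flags six of the nine lines: the bare `SOUNDMAN.EXE` autorun, the IE policy restriction, the unnamed DPF control, the per-interface DNS servers, the "Unknown owner" service and the orphaned desktop component. Everything it flags here is also consistent with legitimate software (a sound driver's autorun, an ISP's resolvers, a vendor binary without version resources), which is why the output is a review list for the helper, not a removal list.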

#2
brandon22 (Member, Topic Starter, 23 posts)
Hi guys,

Any news? It started with very annoying popup windows. And it goes slower. I guess I got more..