Vundo.dll Trojan [RESOLVED]


#1 kishore123 (Member, 11 posts)
Hey, I have a really nasty virus called VUNDO.DLL (TROJAN), it's been on my computer for a while. My Avast Spyware/Anti Virus deletes a sample of the virus, but it always comes back. I get at least 25 warnings from avast every day about this virus so help would be greatly appreciated. Thanks

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:05 PM, on 5/21/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Firefox\firefox.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Thavamalar\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mysidesearch browser optimizer - {0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc} - C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll (file missing)
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O2 - BHO: (no name) - {4E23F3AB-2CF6-42EA-8CD7-52B56714B835} - (no file)
O2 - BHO: (no name) - {508ccd75-289b-4c84-ae0b-2a7955be62a6} - (no file)
O2 - BHO: (no name) - {72B52281-D133-4091-8E2F-FD91E8F6601F} - C:\WINDOWS\system32\pmnkLCRj.dll (file missing)
O2 - BHO: (no name) - {810fdc45-c350-4026-9b3e-b99f87aa8cd1} - (no file)
O2 - BHO: (no name) - {9F60E186-8840-4CC0-B7DD-95773A4015B4} - C:\WINDOWS\system32\mlJCUOij.dll (file missing)
O2 - BHO: (no name) - {b9c32341-4b0b-4a9b-a8af-127d2c0e8b37} - (no file)
O2 - BHO: (no name) - {bb8253ee-a22d-480a-957e-e55ee763c78a} - C:\WINDOWS\system32\mqbdpfnk.dll (file missing)
O2 - BHO: (no name) - {BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1} - C:\WINDOWS\system32\tuvSkiff.dll (file missing)
O2 - BHO: (no name) - {C4FADC8C-7482-47F8-A079-449764815F8C} - (no file)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\opnLccyW.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203212228984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O20 - Winlogon Notify: opnLccyW - C:\WINDOWS\SYSTEM32\opnLccyW.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 8107 bytes
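The HijackThis log above is a list of loading points, and the entries that matter for a Vundo-style infection are easy to pick out by hand: O2 BHOs with "(no name)" or "(file missing)", O4 Run values that launch random-looking eight-letter files from system32 (often through rundll32), and the O20 Winlogon Notify entry, which loads a DLL before the desktop appears. The script below is an added example, not part of the original thread and not a HijackThis feature: it parses lines in HijackThis v2 format and scores each loading point with those heuristics. The sample log is constructed from a subset of the entries posted above; the point weights, the eight-character file-name rule, the GUID check on Run value names and the flag threshold are assumptions chosen for illustration, not a published signature.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in HijackThis v2 format: a subset of the entries from the
# poster's log, legitimate and suspicious ones mixed, used as offline input.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O2 - BHO: (no name) - {4E23F3AB-2CF6-42EA-8CD7-52B56714B835} - (no file)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\opnLccyW.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O20 - Winlogon Notify: opnLccyW - C:\WINDOWS\SYSTEM32\opnLccyW.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")   # "O2 - ..." style lines
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx)', re.IGNORECASE)  # first Windows path
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")               # value name of an O4 entry
VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    kind: str
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def stem_of(path: str) -> str:
    """File name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_generated(stem: str) -> int:
    """Assumed heuristic: 8-character alphanumeric names with few vowels or
    erratic capitalisation, the pattern of the dropped files in this log.
    Returns 0, 1 or 2 points; a real 8-letter name like igfxtray scores 1."""
    if len(stem) != 8 or not stem.isalnum():
        return 0
    points = 0
    if sum(c in VOWELS for c in stem) <= 2:
        points += 1
    letters = [c for c in stem if c.isalpha()]
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    if switches >= 3:
        points += 1
    return points


def score_entry(line: str) -> Optional[Finding]:
    """Score one HijackThis line; None if it is not a loading-point entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    f = Finding(kind, line.strip())
    if kind == "O2" and "(no name)" in body:
        f.add(2, "BHO registered without a name")
    if "(file missing)" in body or "(no file)" in body:
        f.add(2, "loading point refers to a file that is no longer present")
    if kind == "O20":
        f.add(2, "Winlogon Notify DLL loads at logon, rarely legitimate")
    if kind == "O4":
        name = RUN_NAME_RE.search(body)
        if name:
            n = name.group("name")
            if n.startswith("{") and not GUID_RE.match(n):
                f.add(1, "Run value name imitates a GUID")
            elif len(n) >= 8 and n.isalnum() and any(c.isdigit() for c in n) and any(c.isalpha() for c in n):
                f.add(1, "Run value name is a letter/digit jumble")
        if "rundll32" in body.lower():
            f.add(1, "started through rundll32 rather than directly")
    path = PATH_RE.search(body)
    if path and "\\system32\\" in path.group(0).lower():
        pts = looks_generated(stem_of(path.group(0)))
        if pts:
            f.add(pts, f"generated-looking file name in system32: {stem_of(path.group(0))}")
    return f


def triage(log_text: str, threshold: int = 2) -> list:
    """Return the entries whose score reaches the threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = score_entry(line)
        if f and f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] score={f.score} {f.line}")
        for why in f.reasons:
            print(f"    - {why}")
```

On the constructed sample, the six entries a helper would ask to fix (three nameless BHOs, the two Run values with generated names, and the Winlogon Notify entry) clear the threshold, while the NVIDIA rundll32 entry and the avast! entries stay below it. The scoring is deliberately additive so that a single weak signal such as an eight-letter name never flags on its own; an analyst still reviews every finding, and anything the script misses is a reason to lower the threshold rather than to trust the output.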


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 kishore123 (Topic Starter, Member, 11 posts)
Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:30 AM, on 5/24/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Thavamalar\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mysidesearch browser optimizer - {0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc} - C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll (file missing)
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O2 - BHO: (no name) - {72B52281-D133-4091-8E2F-FD91E8F6601F} - C:\WINDOWS\system32\pmnkLCRj.dll (file missing)
O2 - BHO: (no name) - {9F60E186-8840-4CC0-B7DD-95773A4015B4} - C:\WINDOWS\system32\mlJCUOij.dll (file missing)
O2 - BHO: (no name) - {bb8253ee-a22d-480a-957e-e55ee763c78a} - C:\WINDOWS\system32\mqbdpfnk.dll (file missing)
O2 - BHO: (no name) - {BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1} - C:\WINDOWS\system32\tuvSkiff.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203212228984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 7077 bytes

ComboFix Log:
ComboFix 08-05-21.3 - Thavamalar 2008-05-24 8:01:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.242 [GMT -4:00]
Running from: C:\Documents and Settings\Thavamalar\Desktop\ComboFix.exe
* Created a new restore point



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\winvi
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js
C:\Program Files\winvi\dsktp\desktop.html
C:\Program Files\winvi\dsktp\internetDetection.swf
C:\Program Files\winvi\dsktp\settings.sol
C:\Program Files\winvi\version.ini
C:\Temp\1cb
C:\Temp\tmpvc14
C:\WINDOWS\BMf3075b31.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\akrrctff.ini
C:\WINDOWS\system32\awttTjjH.dll
C:\WINDOWS\system32\cnnukcal.ini
C:\WINDOWS\system32\cxehwwtx.ini
C:\WINDOWS\system32\ffikSvut.ini
C:\WINDOWS\system32\ffikSvut.ini2
C:\WINDOWS\system32\gbihatir.ini
C:\WINDOWS\system32\hyhyqsbc.ini
C:\WINDOWS\system32\jiOUCJlm.ini
C:\WINDOWS\system32\jiOUCJlm.ini2
C:\WINDOWS\system32\jkigrqfq.ini
C:\WINDOWS\system32\jkkLETLE.dll
C:\WINDOWS\system32\JlSAKRqr.ini
C:\WINDOWS\system32\jlVvDJlm.ini
C:\WINDOWS\system32\jlVvDJlm.ini2
C:\WINDOWS\system32\jRCLknmp.ini
C:\WINDOWS\system32\jRCLknmp.ini2
C:\WINDOWS\system32\khfFXqnl.dll
C:\WINDOWS\system32\lonhtnfa.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nairsswa.ini
C:\WINDOWS\system32\nxgkljmy.ini
C:\WINDOWS\system32\opnLccyW.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sevqwuio.ini
C:\WINDOWS\system32\syujyxpb.ini
C:\WINDOWS\system32\tdtvfvic.ini
C:\WINDOWS\system32\tuvVOFUm.dll
C:\WINDOWS\system32\uvuyywyo.exe
C:\WINDOWS\system32\xuubcmkf.ini
C:\WINDOWS\system32\ysujgqmf.ini
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 23:02 . 2008-05-23 23:02 122 --a------ C:\WINDOWS\system32\msexcr.ini
2008-05-21 23:33 . 2008-05-21 23:33 268 --ah----- C:\sqmdata03.sqm
2008-05-21 23:33 . 2008-05-21 23:33 244 --ah----- C:\sqmnoopt02.sqm
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\VundoFix Backups
2008-05-16 16:01 . 2008-05-16 16:01 95,833 --a------ C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll-uninst.exe
2008-05-15 16:10 . 2008-05-15 16:10 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-15 16:10 . 2008-05-15 16:10 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-13 16:57 . 2003-04-09 22:21 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-05-13 16:53 . 2008-04-30 21:21 <DIR> d---s---- C:\Documents and Settings\Thavamalar\Application Data\Microsoft
2008-05-13 16:46 . 2008-05-13 16:46 <DIR> d-------- C:\Program Files\A?pPatch
2008-05-13 16:45 . 2008-05-13 16:39 <DIR> d-------- C:\WINDOWS\system32\?icrosoft.NET
2008-05-13 16:45 . 2008-05-13 16:37 <DIR> d-------- C:\WINDOWS\system32\s?curity
2008-05-13 16:45 . 2008-05-13 16:40 <DIR> d-------- C:\Program Files\Common Files\T?sks
2008-05-13 16:45 . 2008-05-13 16:45 <DIR> d-------- C:\Program Files\?racle
2008-05-13 16:44 . 2008-05-13 16:40 <DIR> d-------- C:\WINDOWS\system32\àppPatch
2008-05-13 16:44 . 2008-05-13 16:44 <DIR> d-------- C:\WINDOWS\system32\a?sembly
2008-05-13 16:44 . 2008-05-13 16:42 <DIR> d-------- C:\WINDOWS\system32\çasks
2008-05-13 16:44 . 2008-05-13 16:44 <DIR> d-------- C:\Program Files\F?nts
2008-05-13 16:44 . 2008-05-13 16:43 <DIR> d-------- C:\Program Files\Common Files\àppPatch
2008-05-13 16:44 . 2008-05-13 16:44 <DIR> d-------- C:\Program Files\Common Files\?icrosoft.NET
2008-05-13 16:44 . 2008-05-13 16:44 <DIR> d-------- C:\Program Files\?ppPatch
2008-05-13 16:44 . 2008-05-13 16:44 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?icrosoft.NET
2008-05-13 16:44 . 2008-04-30 21:21 <DIR> d---s---- C:\Documents and Settings\Thavamalar\Application Data\Microsoft
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\WINDOWS\system32\s?mbols
2008-05-13 16:43 . 2008-05-13 16:40 <DIR> d-------- C:\WINDOWS\system32\àppPatch
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\WINDOWS\system32\?ecurity
2008-05-13 16:43 . 2008-05-13 16:37 <DIR> d-------- C:\WINDOWS\system32\S?mantec
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\Program Files\ç?sks
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\Program Files\Common Files\àppPatch
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\Program Files\Common Files\M?crosoft
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\T?sks
2008-05-13 16:43 . 2008-05-13 16:44 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?icrosoft.NET
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\WINDOWS\system32\çasks
2008-05-13 16:42 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\M?crosoft.NET
2008-05-13 16:42 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\M?crosoft.NET
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\s?stem32
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\Common Files\s?mbols
2008-05-13 16:42 . 2008-05-13 16:40 <DIR> d-------- C:\Program Files\Common Files\s?stem32
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\?ssembly
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\?icrosoft.NET
2008-05-13 16:42 . 2003-04-11 06:01 <DIR> d-------- C:\Program Files\Adobe
2008-05-13 16:42 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\àppPatch
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\s?curity
2008-05-13 16:42 . 2008-04-30 21:21 <DIR> d---s---- C:\Documents and Settings\Thavamalar\Application Data\Microsoft
2008-05-13 16:42 . 2008-05-13 16:38 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\çasks
2008-05-13 16:42 . 2008-05-13 16:43 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\T?sks
2008-05-13 16:42 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\a?sembly
2008-05-13 16:42 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\M?crosoft.NET
2008-05-13 16:42 . 2008-04-30 21:21 <DIR> d---s---- C:\Documents and Settings\Thavamalar\Application Data\Microsoft
2008-05-13 16:41 . 2008-05-13 16:41 <DIR> d-------- C:\WINDOWS\system32\W?nSxS
2008-05-13 16:41 . 2008-05-13 16:39 <DIR> d-------- C:\WINDOWS\system32\T?sks
2008-05-13 16:41 . 2008-05-13 16:39 <DIR> d-------- C:\WINDOWS\system32\A?pPatch
2008-05-13 16:41 . 2008-05-13 16:43 <DIR> d-------- C:\Program Files\Common Files\àppPatch
2008-05-13 16:41 . 2008-05-13 16:41 <DIR> d-------- C:\Program Files\Common Files\?icrosoft
2008-05-13 16:41 . 2008-05-13 16:41 <DIR> d-------- C:\Program Files\Common Files\?ecurity
2008-05-13 16:41 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\çasks
2008-05-13 16:41 . 2008-05-13 16:37 <DIR> d-------- C:\Program Files\Common Files\s?curity
2008-05-13 16:41 . 2008-05-13 16:39 <DIR> d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-05-13 16:41 . 2008-05-13 16:41 <DIR> d-------- C:\Program Files\?ystem32
2008-05-13 16:41 . 2008-05-13 16:41 <DIR> d-------- C:\Program Files\?ecurity
2008-05-13 16:41 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\S?mantec
2008-05-13 16:41 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\M?crosoft
2008-05-13 16:41 . 2008-05-13 16:41 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\s?stem32
2008-05-13 16:41 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\A?pPatch
2008-05-13 16:41 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\M?crosoft.NET
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\WINDOWS\system32\àppPatch
2008-05-13 16:40 . 2008-05-13 16:37 <DIR> d-------- C:\WINDOWS\system32\F?nts
2008-05-13 16:40 . 2003-04-09 22:21 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-05-13 16:40 . 2003-04-09 22:21 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\Program Files\s?curity
2008-05-13 16:40 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\çasks
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\Program Files\Common Files\T?sks
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\Program Files\Common Files\s?stem32
2008-05-13 16:40 . 2008-05-13 16:41 <DIR> d-------- C:\Program Files\Common Files\?icrosoft
2008-05-13 16:40 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\a?sembly
2008-05-13 16:40 . 2008-05-13 16:39 <DIR> d-------- C:\Program Files\Common Files\A?pPatch
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\Program Files\?ymantec
2008-05-13 16:40 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\s?stem32
2008-05-13 16:40 . 2008-05-13 16:38 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\F?nts
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ystem
2008-05-13 16:40 . 2008-05-13 16:40 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ymantec
2008-05-13 16:40 . 2008-05-13 16:37 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\S?mantec
2008-05-13 16:40 . 2008-05-13 16:40 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\WINDOWS\system32\T?sks
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\WINDOWS\system32\A?pPatch
2008-05-13 16:39 . 2008-05-13 16:37 <DIR> d-------- C:\WINDOWS\system32\?racle
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\WINDOWS\system32\?icrosoft.NET
2008-05-13 16:39 . 2008-05-13 16:37 <DIR> d-------- C:\WINDOWS\system32\àdobe
2008-05-13 16:39 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\s?stem32
2008-05-13 16:39 . 2008-05-13 16:44 <DIR> d-------- C:\WINDOWS\system32\a?sembly
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Program Files\àdobe
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Program Files\Common Files\A?pPatch
2008-05-13 16:39 . 2003-04-11 05:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-13 16:39 . 2008-05-13 16:37 <DIR> d-------- C:\Program Files\Common Files\S?mantec
2008-05-13 16:39 . 2008-05-13 16:43 <DIR> d-------- C:\Program Files\Common Files\M?crosoft
2008-05-13 16:39 . 2008-05-13 16:38 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\çasks
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\àppPatch
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\àdobe
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\W?nSxS
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\s?stem
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\M?crosoft.NET
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\a?sembly
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\A?pPatch
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ymbols
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ssembly
2008-05-13 16:39 . 2008-02-16 20:07 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\Adobe
2008-05-13 16:39 . 2008-05-13 16:41 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\s?stem32
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\s?stem
2008-05-13 16:39 . 2008-05-13 16:42 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\s?curity
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\s?stem
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\s?mbols
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\S?mantec
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\M?crosoft.NET
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\M?crosoft
2008-05-13 16:38 . 2008-05-13 16:44 <DIR> d-------- C:\Program Files\F?nts
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\çasks
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\W?nSxS
2008-05-13 16:38 . 2008-03-23 23:36 <DIR> d-------- C:\Program Files\Common Files\System
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\F?nts
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\F?nts
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\a?sembly
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\?ystem32
2008-05-13 16:38 . 2008-03-23 23:36 <DIR> d-------- C:\Program Files\Common Files\System
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Common Files\?ymantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 20:43 --------- d-----w C:\Program Files\??sks
2008-05-11 18:24 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\teamspeak2
2008-05-08 23:27 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\DMCache
2008-04-16 00:55 --------- d-----w C:\Program Files\Vstplugins
2008-04-16 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-04-16 00:53 --------- d-----w C:\Program Files\Sony Setup
2008-04-15 18:06 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\IDM
2008-04-15 02:42 --------- d-----w C:\Program Files\DNA
2008-04-13 22:35 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-04-10 03:11 --------- d-----w C:\Program Files\Alwil Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc}]
C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462AA99E-E538-45C2-BACB-997BFE943B10}]
C:\WINDOWS\system32\mlJDvVlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72B52281-D133-4091-8E2F-FD91E8F6601F}]
C:\WINDOWS\system32\pmnkLCRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F60E186-8840-4CC0-B7DD-95773A4015B4}]
C:\WINDOWS\system32\mlJCUOij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb8253ee-a22d-480a-957e-e55ee763c78a}]
C:\WINDOWS\system32\mqbdpfnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1}]
C:\WINDOWS\system32\tuvSkiff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 22:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 22:44 323584 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 00:00 315392]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 14:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 14:11 114688]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 15:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"BMf3075b31"="C:\WINDOWS\system32\xikfosxt.dll" [ ]
"{46-68-80-02-DW}"="c:\windows\system32\jnwnw64p.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnLccyW]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.ffds"= D:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 D:\Program Files\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-02-20 10:13 2594224 D:\Image\Crack\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-06-18 01:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 01:08 28672 C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a--c--- 2003-03-17 14:52 1056768 c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2002-07-14 15:50 11406 c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
--a--c--- 2003-01-21 13:27 24576 C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\ijji\\ENGLISH\\u_sf.exe"=
"D:\\Program Files\\Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 01:45:00 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 08:08:40
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-24 8:12:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 12:11:58

Pre-Run: 1,071,579,136 bytes free
Post-Run: 981,340,160 bytes free

301 --- E O F --- 2008-05-15 02:38:24

Edited by kishore123, 24 May 2008 - 06:16 AM.

  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll-uninst.exe
    C:\WINDOWS\system32\gside.exe
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\msexcr.ini
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Reboot and run ComboFix again and post the log
  • 0
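The `purity` line in the OTMoveIt2 list above targets folders whose names imitate legitimate Windows folders (Adobe, AppPatch, assembly, Fonts, Microsoft, system32, Tasks, WinSxS and so on) using Greek and Cyrillic letters that look like Latin ones; the OTMoveIt2 output in the follow-up post lists dozens of them, and in the ComboFix log the same folders appear as `?ssembly`, `F?nts` or `?ymantec` because the ANSI code page cannot display the foreign letter. The Python script below is an added example for this thread, not code from OTMoveIt2, ComboFix or anyone posting here. It shows how a defender can flag such look-alike names in a directory listing and why they render as `?`. The confusable table is a small hand-built subset of the Unicode confusables data, and the known-folder list and sample paths are constructed for the example.

```python
"""Detect folder names that impersonate well-known Windows folders with
Unicode look-alike letters (the kind of entries OTMoveIt2's 'purity' step
removes). Added example; not OTMoveIt2, ComboFix or the poster's code.
The confusable table and sample listing are constructed by hand.
"""
import unicodedata

# Folder names the fakes imitate; compared case-insensitively.
KNOWN_NAMES = {n.lower() for n in (
    "Adobe", "AppPatch", "assembly", "Fonts", "Microsoft", "Microsoft.NET",
    "Oracle", "security", "Symantec", "symbols", "system", "system32",
    "Tasks", "WinSxS")}

# Greek and Cyrillic letters that render like Latin ones (hand-built subset
# of the Unicode confusables data, not the full table).
CONFUSABLES = {
    "\u0391": "A", "\u0410": "A", "\u0430": "a",
    "\u0415": "E", "\u0435": "e",
    "\u0399": "I", "\u0406": "I", "\u0456": "i",
    "\u039c": "M", "\u041c": "M",
    "\u039f": "O", "\u041e": "O", "\u03bf": "o", "\u043e": "o",
    "\u0420": "P", "\u0440": "p",
    "\u0405": "S", "\u0455": "s",
    "\u03a4": "T", "\u0422": "T",
    "\u03a5": "Y", "\u0423": "Y", "\u0443": "y",
    "\u0421": "C", "\u0441": "c",
    "\u0425": "X", "\u0445": "x",
    "\u0412": "B", "\u041d": "H", "\u041a": "K",
}


def to_latin(name):
    """Replace each confusable character with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def classify(name):
    """Return (verdict, latin_form, details) for one folder name.

    'clean'     : pure ASCII, nothing to check
    'lookalike' : contains look-alike letters and maps to a known folder name
    'non-ascii' : non-ASCII but not imitating a known name (for example a
                  localized folder); reported, not flagged
    """
    suspicious = [ch for ch in name if ord(ch) > 127]
    if not suspicious:
        return "clean", name, []
    latin = to_latin(name)
    details = ["U+%04X %s -> %s" % (ord(ch), unicodedata.name(ch, "?"),
                                    CONFUSABLES.get(ch, "?"))
               for ch in suspicious]
    if latin != name and latin.lower() in KNOWN_NAMES:
        return "lookalike", latin, details
    return "non-ascii", latin, details


def find_lookalikes(paths):
    """Return [(path, imitated_name, details)] for every look-alike path."""
    hits = []
    for path in paths:
        leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
        verdict, latin, details = classify(leaf)
        if verdict == "lookalike":
            hits.append((path, latin, details))
    return hits


def as_ansi(name):
    """Show how the name looks when written in the Windows-1252 code page,
    which is why ComboFix printed '?ssembly': each letter the code page
    cannot encode becomes '?'."""
    return name.encode("cp1252", "replace").decode("cp1252")


# Constructed sample listing: two genuine folders, one localized name that
# must not be flagged, and four fakes built with Cyrillic/Greek letters.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\Microsoft",
    r"C:\Program Files\Common Files\System",
    "C:\\Documents and Settings\\user\\caf\u00e9",          # accented, legit
    "C:\\WINDOWS\\system32\\\u041cicrosoft",                # Cyrillic Em
    "C:\\WINDOWS\\system32\\s\u0443stem32",                 # Cyrillic u
    "C:\\Program Files\\Common Files\\\u0391dobe",          # Greek Alpha
    "C:\\Documents and Settings\\All Users\\T\u0430sks",    # Cyrillic a
]

if __name__ == "__main__":
    for path, latin, details in find_lookalikes(SAMPLE_PATHS):
        leaf = path.rsplit("\\", 1)[-1]
        print("LOOKALIKE of %-10s %s  (ANSI view: %s)" % (latin, path, as_ansi(leaf)))
        for line in details:
            print("    " + line)
```

The check deliberately flags only names that both contain a confusable letter and collapse to a known folder name, so a genuinely localized folder such as `café` is reported as non-ASCII but not treated as malicious; for production use the hand-built table would be replaced by the full Unicode confusables data.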

#5
kishore123

kishore123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Combo Fix:
ComboFix 08-05-21.3 - Thavamalar 2008-05-24 14:04:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.198 [GMT -4:00]
Running from: C:\Documents and Settings\Thavamalar\Desktop\ComboFix.exe



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Thavamalar\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 10:57 . 2008-05-24 10:57 123 --a------ C:\WINDOWS\system32\msexcr.ini
2008-05-24 09:20 . 2008-05-24 09:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 09:20 . 2008-05-24 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 09:17 . 2008-05-24 09:17 <DIR> d-------- C:\_OTMoveIt
2008-05-21 23:33 . 2008-05-21 23:33 268 --ah----- C:\sqmdata03.sqm
2008-05-21 23:33 . 2008-05-21 23:33 244 --ah----- C:\sqmnoopt02.sqm
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\VundoFix Backups
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\?ssembly
2008-05-13 16:40 . 2008-05-13 16:40 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ssembly
2008-05-13 16:38 . 2008-05-19 19:32 <DIR> d-------- C:\WINDOWS\system32\podll
2008-05-13 16:38 . 2008-05-14 08:15 <DIR> d-------- C:\WINDOWS\system32\gcom
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\DFE
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\?ssembly
2008-05-13 16:38 . 2008-05-13 16:39 401,972 --a------ C:\WINDOWS\system32\g73.exe
2008-05-13 16:37 . 2008-05-13 16:37 <DIR> d-------- C:\WINDOWS\system32\dFrnx01
2008-05-13 16:37 . 2008-05-24 08:01 <DIR> d-------- C:\Temp
2008-05-13 16:37 . 2008-05-13 16:37 <DIR> d-------- C:\Program Files\Common Files\?ssembly
2008-05-11 18:13 . 2008-05-14 01:23 <DIR> d-------- C:\Program Files\DivX
2008-05-10 08:55 . 2008-05-14 08:19 211 --a------ C:\WINDOWS\wininit.ini
2008-05-09 22:37 . 2008-05-09 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-08 20:46 . 2008-05-08 20:46 <DIR> d-------- C:\WINDOWS\system32\ViBE
2008-05-08 19:26 . 2008-05-08 20:46 <DIR> d-------- C:\WINDOWS\system32\xIT2
2008-05-08 19:26 . 2008-05-19 19:30 <DIR> d-------- C:\WINDOWS\system32\1019b
2008-05-08 19:12 . 2008-05-08 19:12 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-08 19:12 . 2008-05-08 19:26 <DIR> d-------- C:\WINDOWS\system32\ad1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:24 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\teamspeak2
2008-05-08 23:27 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\DMCache
2008-04-16 00:55 --------- d-----w C:\Program Files\Vstplugins
2008-04-16 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-04-16 00:53 --------- d-----w C:\Program Files\Sony Setup
2008-04-15 18:06 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\IDM
2008-04-15 02:42 --------- d-----w C:\Program Files\DNA
2008-04-13 22:35 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-04-10 03:11 --------- d-----w C:\Program Files\Alwil Software
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( [email protected]_ 8.11.39.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 12:08:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 18:02:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc}]
C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462AA99E-E538-45C2-BACB-997BFE943B10}]
C:\WINDOWS\system32\mlJDvVlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72B52281-D133-4091-8E2F-FD91E8F6601F}]
C:\WINDOWS\system32\pmnkLCRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F60E186-8840-4CC0-B7DD-95773A4015B4}]
C:\WINDOWS\system32\mlJCUOij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb8253ee-a22d-480a-957e-e55ee763c78a}]
C:\WINDOWS\system32\mqbdpfnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1}]
C:\WINDOWS\system32\tuvSkiff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 22:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 22:44 323584 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 00:00 315392]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 14:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 14:11 114688]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 15:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"BMf3075b31"="C:\WINDOWS\system32\xikfosxt.dll" [ ]
"{46-68-80-02-DW}"="c:\windows\system32\jnwnw64p.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.ffds"= D:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 D:\Program Files\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-02-20 10:13 2594224 D:\Image\Crack\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-06-18 01:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 01:08 28672 C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a--c--- 2003-03-17 14:52 1056768 c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2002-07-14 15:50 11406 c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
--a--c--- 2003-01-21 13:27 24576 C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\ijji\\ENGLISH\\u_sf.exe"=
"D:\\Program Files\\Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 01:45:00 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 14:06:25
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 14:08:08
ComboFix-quarantined-files.txt 2008-05-24 18:08:01
ComboFix2.txt 2008-05-24 12:12:05

Pre-Run: 928,505,856 bytes free
Post-Run: 926,392,320 bytes free

157 --- E O F --- 2008-05-15 02:38:24

OTMOVEIT:
Explorer killed successfully
C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll-uninst.exe moved successfully.
C:\WINDOWS\system32\gside.exe moved successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe moved successfully.
C:\WINDOWS\system32\msexcr.ini moved successfully.
< purity >
C:\WINDOWS\system32\Αdobe moved successfully.
C:\WINDOWS\system32\Аdobe moved successfully.
C:\WINDOWS\system32\АppPatch moved successfully.
C:\WINDOWS\system32\АрpPatch moved successfully.
C:\WINDOWS\system32\ΑppPatch moved successfully.
C:\WINDOWS\system32\ΑрpPatch moved successfully.
C:\WINDOWS\system32\AрpPatch moved successfully.
C:\WINDOWS\system32\aѕsembly moved successfully.
C:\WINDOWS\system32\аѕsembly moved successfully.
C:\WINDOWS\system32\Fοnts moved successfully.
C:\WINDOWS\system32\Fоnts moved successfully.
C:\WINDOWS\system32\Mіcrosoft.NET moved successfully.
C:\WINDOWS\system32\Μicrosoft.NET moved successfully.
C:\WINDOWS\system32\Μіcrosoft.NET moved successfully.
C:\WINDOWS\system32\Мicrosoft.NET moved successfully.
C:\WINDOWS\system32\Міcrosoft.NET moved successfully.
C:\WINDOWS\system32\Mіcrosoft moved successfully.
C:\WINDOWS\system32\Μicrosoft moved successfully.
C:\WINDOWS\system32\Μіcrosoft moved successfully.
C:\WINDOWS\system32\Мicrosoft moved successfully.
C:\WINDOWS\system32\Міcrosoft moved successfully.
C:\WINDOWS\system32\Οracle moved successfully.
C:\WINDOWS\system32\Оracle moved successfully.
C:\WINDOWS\system32\sеcurity moved successfully.
C:\WINDOWS\system32\ѕecurity moved successfully.
C:\WINDOWS\system32\ѕеcurity moved successfully.
C:\WINDOWS\system32\Sуmantec moved successfully.
C:\WINDOWS\system32\Ѕymantec moved successfully.
C:\WINDOWS\system32\Ѕуmantec moved successfully.
C:\WINDOWS\system32\ѕymbols moved successfully.
C:\WINDOWS\system32\sуmbols moved successfully.
C:\WINDOWS\system32\ѕуmbols moved successfully.
C:\WINDOWS\system32\ѕуstem moved successfully.
C:\WINDOWS\system32\sуstem moved successfully.
C:\WINDOWS\system32\ѕystem moved successfully.
C:\WINDOWS\system32\ѕystem32 moved successfully.
C:\WINDOWS\system32\sуstem32 moved successfully.
C:\WINDOWS\system32\ѕуstem32 moved successfully.
C:\WINDOWS\system32\Tаsks moved successfully.
C:\WINDOWS\system32\Τasks moved successfully.
C:\WINDOWS\system32\Τаsks moved successfully.
C:\WINDOWS\system32\Тasks moved successfully.
C:\WINDOWS\system32\Таsks moved successfully.
C:\WINDOWS\system32\WіnSxS moved successfully.
C:\Program Files\Αdobe moved successfully.
C:\Program Files\Аdobe moved successfully.
C:\Program Files\АppPatch moved successfully.
C:\Program Files\АрpPatch moved successfully.
C:\Program Files\AрpPatch moved successfully.
C:\Program Files\aѕsembly moved successfully.
C:\Program Files\аѕsembly moved successfully.
C:\Program Files\Fοnts moved successfully.
C:\Program Files\Fоnts moved successfully.
C:\Program Files\Mіcrosoft.NET moved successfully.
C:\Program Files\Мicrosoft.NET moved successfully.
C:\Program Files\Міcrosoft.NET moved successfully.
C:\Program Files\Mіcrosoft moved successfully.
C:\Program Files\Мicrosoft moved successfully.
C:\Program Files\Міcrosoft moved successfully.
C:\Program Files\Оracle moved successfully.
C:\Program Files\sеcurity moved successfully.
C:\Program Files\ѕecurity moved successfully.
C:\Program Files\ѕеcurity moved successfully.
C:\Program Files\Sуmantec moved successfully.
C:\Program Files\Ѕymantec moved successfully.
C:\Program Files\Ѕуmantec moved successfully.
C:\Program Files\ѕymbols moved successfully.
C:\Program Files\sуmbols moved successfully.
C:\Program Files\ѕуmbols moved successfully.
C:\Program Files\ѕуstem moved successfully.
C:\Program Files\sуstem moved successfully.
C:\Program Files\ѕystem moved successfully.
C:\Program Files\ѕystem32 moved successfully.
C:\Program Files\sуstem32 moved successfully.
C:\Program Files\ѕуstem32 moved successfully.
C:\Program Files\Tаsks moved successfully.
C:\Program Files\Τаsks moved successfully.
C:\Program Files\Тasks moved successfully.
C:\Program Files\Common Files\Αdobe moved successfully.
C:\Program Files\Common Files\Аdobe moved successfully.
C:\Program Files\Common Files\АppPatch moved successfully.
C:\Program Files\Common Files\АрpPatch moved successfully.
C:\Program Files\Common Files\ΑppPatch moved successfully.
C:\Program Files\Common Files\ΑрpPatch moved successfully.
C:\Program Files\Common Files\AрpPatch moved successfully.
C:\Program Files\Common Files\aѕsembly moved successfully.
C:\Program Files\Common Files\аѕsembly moved successfully.
C:\Program Files\Common Files\Fοnts moved successfully.
C:\Program Files\Common Files\Fоnts moved successfully.
C:\Program Files\Common Files\Mіcrosoft.NET moved successfully.
C:\Program Files\Common Files\Μicrosoft.NET moved successfully.
C:\Program Files\Common Files\Μіcrosoft.NET moved successfully.
C:\Program Files\Common Files\Мicrosoft.NET moved successfully.
C:\Program Files\Common Files\Міcrosoft.NET moved successfully.
C:\Program Files\Common Files\Mіcrosoft moved successfully.
C:\Program Files\Common Files\Μicrosoft moved successfully.
C:\Program Files\Common Files\Μіcrosoft moved successfully.
C:\Program Files\Common Files\Мicrosoft moved successfully.
C:\Program Files\Common Files\Міcrosoft moved successfully.
C:\Program Files\Common Files\Οracle moved successfully.
C:\Program Files\Common Files\Оracle moved successfully.
C:\Program Files\Common Files\sеcurity moved successfully.
C:\Program Files\Common Files\ѕecurity moved successfully.
C:\Program Files\Common Files\ѕеcurity moved successfully.
C:\Program Files\Common Files\Sуmantec moved successfully.
C:\Program Files\Common Files\Ѕymantec moved successfully.
C:\Program Files\Common Files\Ѕуmantec moved successfully.
C:\Program Files\Common Files\ѕymbols moved successfully.
C:\Program Files\Common Files\sуmbols moved successfully.
C:\Program Files\Common Files\ѕуmbols moved successfully.
C:\Program Files\Common Files\ѕуstem moved successfully.
C:\Program Files\Common Files\sуstem moved successfully.
C:\Program Files\Common Files\ѕystem moved successfully.
C:\Program Files\Common Files\ѕystem32 moved successfully.
C:\Program Files\Common Files\sуstem32 moved successfully.
C:\Program Files\Common Files\ѕуstem32 moved successfully.
C:\Program Files\Common Files\Tаsks moved successfully.
C:\Program Files\Common Files\Τasks moved successfully.
C:\Program Files\Common Files\Τаsks moved successfully.
C:\Program Files\Common Files\Тasks moved successfully.
C:\Program Files\Common Files\Таsks moved successfully.
C:\Program Files\Common Files\WіnSxS moved successfully.
C:\Documents and Settings\Thavamalar\My Documents\Fοnts moved successfully.
C:\Documents and Settings\Thavamalar\My Documents\Fоnts moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Αdobe moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Аdobe moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\АppPatch moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\АрpPatch moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ΑppPatch moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ΑрpPatch moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\AрpPatch moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\aѕsembly moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\аѕsembly moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Fοnts moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Fоnts moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Mіcrosoft.NET moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Μicrosoft.NET moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Μіcrosoft.NET moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Мicrosoft.NET moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Міcrosoft.NET moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Mіcrosoft moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Μicrosoft moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Μіcrosoft moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Мicrosoft moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Міcrosoft moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Οracle moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Оracle moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\sеcurity moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕecurity moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕеcurity moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Sуmantec moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Ѕymantec moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Ѕуmantec moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕymbols moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\sуmbols moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕуmbols moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕуstem moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\sуstem moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕystem moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕystem32 moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\sуstem32 moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\ѕуstem32 moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Tаsks moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Τasks moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Τаsks moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Тasks moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\Таsks moved successfully.
C:\Documents and Settings\Thavamalar\Application Data\WіnSxS moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05242008_091714

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 24, 2008 1:58:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3, v.3311 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799624
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 56935
Number of viruses found: 6
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 01:33:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Thavamalar\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\cert8.db Object is locked skipped
C:\Documents and Settings\Thavamalar\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\history.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\key3.db Object is locked skipped
C:\Documents and Settings\Thavamalar\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\parent.lock Object is locked skipped
C:\Documents and Settings\Thavamalar\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Thavamalar\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Thavamalar\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Desktop\Snootae Bot 2.0\SnootaeBotFontChecker.exe Infected: Trojan.Win32.Shutdowner.fr skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5CF0_3485_F034_6802\dfsr.db Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5CF0_3485_F034_6802\fsr.log Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5CF0_3485_F034_6802\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_5CF0_3485_F034_6802\tmp.edb Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Application Data\Mozilla\Firefox\Profiles\x6yu3ki3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Temp\~DFD36.tmp Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Temp\~DFD4C.tmp Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Thavamalar\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP233\A0024023.dll Infected: Trojan.Win32.BHO.cgy skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP237\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{558F8FAF-0D96-4358-B326-3703FFA0FECC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bkEur01\bkEur011065.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\dFrnx01\dFrnx011065.exe Infected: Trojan-Downloader.Win32.VB.ehl skipped
C:\WINDOWS\system32\g73.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g73.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g73.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_540.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Snootae Bot 2.0.rar/Snootae Bot 2.0/SnootaeBotFontChecker.exe Infected: Trojan.Win32.Shutdowner.fr skipped
D:\Snootae Bot 2.0.rar RAR: infected - 1 skipped
D:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP237\change.log Object is locked skipped

Scan process completed.

#6 Rorschach112 (Ralphie), Retired Staff, 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Thavamalar\Desktop\Snootae Bot 2.0\SnootaeBotFontChecker.exe
    C:\WINDOWS\system32\bkEur01
    C:\WINDOWS\system32\DFE
    C:\WINDOWS\system32\dFrnx01
    C:\WINDOWS\system32\g73.exe
    C:\WINDOWS\system32\ViBE
    D:\Snootae Bot 2.0.rar
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Reboot, run ComboFix, and post that log.
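As an added example (not part of the thread, and not a Kaspersky or OTMoveIt tool), the script below does by machine what the helper did by hand in the post above: it parses the Kaspersky result lines, folds the scanner's archive-member entries back to their on-disk file, sets restore-point copies aside, and collapses droppers that own a subfolder directly under system32 to that folder. The system32-subfolder rule is an assumed heuristic, and the embedded report is a constructed subset of the one posted in this thread.

```python
"""Triage a Kaspersky Online Scanner report into a de-duplicated list of
on-disk objects that need attention.

Added example for the thread above; not a Kaspersky or OTMoveIt tool.
Assumptions: the report format shown in the thread (one object per line,
ending in "skipped"); the system32-subfolder collapsing rule is a heuristic
that mirrors the helper's hand-built OTMoveIt list.
"""
import re

# Constructed sample: a subset of the report lines posted in the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Thavamalar\Desktop\Snootae Bot 2.0\SnootaeBotFontChecker.exe Infected: Trojan.Win32.Shutdowner.fr skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP233\A0024023.dll Infected: Trojan.Win32.BHO.cgy skipped
C:\WINDOWS\system32\bkEur01\bkEur011065.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\DFE\roEbdll2.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\dFrnx01\dFrnx011065.exe Infected: Trojan-Downloader.Win32.VB.ehl skipped
C:\WINDOWS\system32\g73.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g73.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\ViBE\srkawe3.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\Snootae Bot 2.0.rar/Snootae Bot 2.0/SnootaeBotFontChecker.exe Infected: Trojan.Win32.Shutdowner.fr skipped
D:\Snootae Bot 2.0.rar RAR: infected - 1 skipped
Scan process completed.
"""

# One result line: "<object> Infected: <name> skipped",
# "<object> Object is locked skipped" or "<object> NSIS: infected - N skipped".
LINE_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>NSIS|RAR): infected - (?P<count>\d+)) skipped$"
)

SYSTEM32 = r"c:\windows\system32"


def parse_report(text):
    """Yield (object, verdict, detail) for each result line; verdict is
    'infected', 'container' or 'locked'. Header/footer lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("name"):
            yield m.group("obj"), "infected", m.group("name")
        elif m.group("container"):
            yield m.group("obj"), "container", f"{m.group('container')} x{m.group('count')}"
        else:
            yield m.group("obj"), "locked", ""


def on_disk_path(obj):
    """Strip the scanner's archive-member notation: 'X.exe/stream/data0007'
    and 'X.rar/inner/file' both exist on disk only as 'X.exe' / 'X.rar'."""
    return obj.split("/", 1)[0]


def removal_target(path):
    """Heuristic (assumption): a file in a non-standard subfolder directly
    under system32 is reported as that whole subfolder, because the dropper
    owns the folder; anything else is reported as the file itself."""
    parent, _, _ = path.rpartition("\\")
    grandparent, _, _ = parent.rpartition("\\")
    return parent if grandparent.lower() == SYSTEM32 else path


def triage(text):
    """Return (targets, restore_point_hits, locked_count). Restore-point
    copies are listed separately: they are cleared by purging System Restore
    after the cleanup, not by moving files."""
    targets, restore_hits, locked = set(), set(), 0
    for obj, verdict, _ in parse_report(text):
        if verdict == "locked":
            locked += 1
            continue
        path = on_disk_path(obj)
        if "\\System Volume Information\\" in path:
            restore_hits.add(path)
        else:
            targets.add(removal_target(path))
    return sorted(targets, key=str.lower), sorted(restore_hits), locked


if __name__ == "__main__":
    targets, restore_hits, locked = triage(SAMPLE_REPORT)
    print("Objects to move (one per line, OTMoveIt-style):")
    for t in targets:
        print("   ", t)
    print("Restore-point copies (purge System Restore afterwards):")
    for r in restore_hits:
        print("   ", r)
    print("Locked objects skipped by the scanner:", locked)
```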

#7 kishore123 (Member), Topic Starter, 11 posts
ComboFix 08-05-21.3 - Thavamalar 2008-05-24 14:23:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.239 [GMT -4:00]
Running from: C:\Documents and Settings\Thavamalar\Desktop\ComboFix.exe


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 10:57 . 2008-05-24 10:57 123 --a------ C:\WINDOWS\system32\msexcr.ini
2008-05-24 09:20 . 2008-05-24 09:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 09:20 . 2008-05-24 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 09:17 . 2008-05-24 09:17 <DIR> d-------- C:\_OTMoveIt
2008-05-21 23:33 . 2008-05-21 23:33 268 --ah----- C:\sqmdata03.sqm
2008-05-21 23:33 . 2008-05-21 23:33 244 --ah----- C:\sqmnoopt02.sqm
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\VundoFix Backups
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\?ssembly
2008-05-13 16:40 . 2008-05-13 16:40 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ssembly
2008-05-13 16:38 . 2008-05-19 19:32 <DIR> d-------- C:\WINDOWS\system32\podll
2008-05-13 16:38 . 2008-05-14 08:15 <DIR> d-------- C:\WINDOWS\system32\gcom
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\?ssembly
2008-05-13 16:37 . 2008-05-24 08:01 <DIR> d-------- C:\Temp
2008-05-13 16:37 . 2008-05-13 16:37 <DIR> d-------- C:\Program Files\Common Files\?ssembly
2008-05-11 18:13 . 2008-05-14 01:23 <DIR> d-------- C:\Program Files\DivX
2008-05-10 08:55 . 2008-05-14 08:19 211 --a------ C:\WINDOWS\wininit.ini
2008-05-09 22:37 . 2008-05-09 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-08 19:26 . 2008-05-08 20:46 <DIR> d-------- C:\WINDOWS\system32\xIT2
2008-05-08 19:26 . 2008-05-19 19:30 <DIR> d-------- C:\WINDOWS\system32\1019b
2008-05-08 19:12 . 2008-05-08 19:26 <DIR> d-------- C:\WINDOWS\system32\ad1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:24 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\teamspeak2
2008-05-08 23:27 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\DMCache
2008-04-16 00:55 --------- d-----w C:\Program Files\Vstplugins
2008-04-16 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-04-16 00:53 --------- d-----w C:\Program Files\Sony Setup
2008-04-15 18:06 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\IDM
2008-04-15 02:42 --------- d-----w C:\Program Files\DNA
2008-04-13 22:35 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-04-10 03:11 --------- d-----w C:\Program Files\Alwil Software
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( [email protected]_ 8.11.39.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 12:08:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 18:22:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-05-24 18:22:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_560.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc}]
C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462AA99E-E538-45C2-BACB-997BFE943B10}]
C:\WINDOWS\system32\mlJDvVlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72B52281-D133-4091-8E2F-FD91E8F6601F}]
C:\WINDOWS\system32\pmnkLCRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F60E186-8840-4CC0-B7DD-95773A4015B4}]
C:\WINDOWS\system32\mlJCUOij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb8253ee-a22d-480a-957e-e55ee763c78a}]
C:\WINDOWS\system32\mqbdpfnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1}]
C:\WINDOWS\system32\tuvSkiff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 22:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 22:44 323584 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 00:00 315392]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 14:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 14:11 114688]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 15:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"BMf3075b31"="C:\WINDOWS\system32\xikfosxt.dll" [ ]
"{46-68-80-02-DW}"="c:\windows\system32\jnwnw64p.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.ffds"= D:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 D:\Program Files\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-02-20 10:13 2594224 D:\Image\Crack\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-06-18 01:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 01:08 28672 C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a--c--- 2003-03-17 14:52 1056768 c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2002-07-14 15:50 11406 c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
--a--c--- 2003-01-21 13:27 24576 C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\ijji\\ENGLISH\\u_sf.exe"=
"D:\\Program Files\\Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 01:45:00 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 14:25:44
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 14:27:10
ComboFix-quarantined-files.txt 2008-05-24 18:27:04
ComboFix2.txt 2008-05-24 18:08:09
ComboFix3.txt 2008-05-24 12:12:05

Pre-Run: 927,707,136 bytes free
Post-Run: 914,710,528 bytes free

149 --- E O F --- 2008-05-15 02:38:24

#8 Rorschach112 (Ralphie), Retired Staff, 47,710 posts
Hello

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\winpfz33.sys

Folder::
C:\Program Files\?ssembly
C:\Documents and Settings\Thavamalar\Application Data\?ssembly
C:\WINDOWS\system32\podll
C:\WINDOWS\system32\gcom
C:\WINDOWS\system32\?ssembly
C:\Program Files\Common Files\?ssembly
C:\WINDOWS\system32\xIT2
C:\WINDOWS\system32\1019b
C:\WINDOWS\system32\ad1

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also post a new HijackThis log.

#9 kishore123 (Member), Topic Starter, 11 posts
ComboFix 08-05-21.3 - Thavamalar 2008-05-24 16:29:53.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.236 [GMT -4:00]
Running from: C:\Documents and Settings\Thavamalar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thavamalar\Desktop\CFScript.txt
* Created a new restore point


FILE ::
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\1019b
C:\WINDOWS\system32\ad1
C:\WINDOWS\system32\gcom
C:\WINDOWS\system32\podll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xIT2

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 16:24 . 2008-05-24 16:24 123 --a------ C:\WINDOWS\system32\msexcr.ini
2008-05-24 09:20 . 2008-05-24 09:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 09:20 . 2008-05-24 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 09:17 . 2008-05-24 09:17 <DIR> d-------- C:\_OTMoveIt
2008-05-21 23:33 . 2008-05-21 23:33 268 --ah----- C:\sqmdata03.sqm
2008-05-21 23:33 . 2008-05-21 23:33 244 --ah----- C:\sqmnoopt02.sqm
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\VundoFix Backups
2008-05-13 16:42 . 2008-05-13 16:42 <DIR> d-------- C:\Program Files\?ssembly
2008-05-13 16:39 . 2008-05-13 16:39 <DIR> d-------- C:\Documents and Settings\Thavamalar\Application Data\?ssembly
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\WINDOWS\system32\?ssembly
2008-05-13 16:37 . 2008-05-24 08:01 <DIR> d-------- C:\Temp
2008-05-13 16:37 . 2008-05-13 16:37 <DIR> d-------- C:\Program Files\Common Files\?ssembly
2008-05-11 18:13 . 2008-05-14 01:23 <DIR> d-------- C:\Program Files\DivX
2008-05-10 08:55 . 2008-05-14 08:19 211 --a------ C:\WINDOWS\wininit.ini
2008-05-09 22:37 . 2008-05-09 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:24 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\teamspeak2
2008-05-08 23:27 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\DMCache
2008-04-16 00:55 --------- d-----w C:\Program Files\Vstplugins
2008-04-16 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-04-16 00:53 --------- d-----w C:\Program Files\Sony Setup
2008-04-15 18:06 --------- d-----w C:\Documents and Settings\Thavamalar\Application Data\IDM
2008-04-15 02:42 --------- d-----w C:\Program Files\DNA
2008-04-13 22:35 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-04-10 03:11 --------- d-----w C:\Program Files\Alwil Software
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( [email protected]_ 8.11.39.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 12:08:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 20:25:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-05-24 20:25:59 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_568.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc}]
C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462AA99E-E538-45C2-BACB-997BFE943B10}]
C:\WINDOWS\system32\mlJDvVlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72B52281-D133-4091-8E2F-FD91E8F6601F}]
C:\WINDOWS\system32\pmnkLCRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F60E186-8840-4CC0-B7DD-95773A4015B4}]
C:\WINDOWS\system32\mlJCUOij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb8253ee-a22d-480a-957e-e55ee763c78a}]
C:\WINDOWS\system32\mqbdpfnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1}]
C:\WINDOWS\system32\tuvSkiff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 22:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 22:44 323584 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 00:00 315392]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 14:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 14:11 114688]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 15:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"BMf3075b31"="C:\WINDOWS\system32\xikfosxt.dll" [ ]
"{46-68-80-02-DW}"="c:\windows\system32\jnwnw64p.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.ffds"= D:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 D:\Program Files\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-02-20 10:13 2594224 D:\Image\Crack\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-06-18 01:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 01:08 28672 C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a--c--- 2003-03-17 14:52 1056768 c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2002-07-14 15:50 11406 c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
--a--c--- 2003-01-21 13:27 24576 C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\ijji\\ENGLISH\\u_sf.exe"=
"D:\\Program Files\\Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 01:45:00 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 16:31:17
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 16:33:02
ComboFix-quarantined-files.txt 2008-05-24 20:32:57
ComboFix2.txt 2008-05-24 18:27:11
ComboFix3.txt 2008-05-24 18:08:09
ComboFix4.txt 2008-05-24 12:12:05

Pre-Run: 838,021,120 bytes free
Post-Run: 838,115,328 bytes free

161 --- E O F --- 2008-05-15 02:38:24

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:23 PM, on 5/24/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Firefox\firefox.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Thavamalar\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mysidesearch browser optimizer - {0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc} - C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll (file missing)
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O2 - BHO: (no name) - {72B52281-D133-4091-8E2F-FD91E8F6601F} - C:\WINDOWS\system32\pmnkLCRj.dll (file missing)
O2 - BHO: (no name) - {9F60E186-8840-4CC0-B7DD-95773A4015B4} - C:\WINDOWS\system32\mlJCUOij.dll (file missing)
O2 - BHO: (no name) - {bb8253ee-a22d-480a-957e-e55ee763c78a} - C:\WINDOWS\system32\mqbdpfnk.dll (file missing)
O2 - BHO: (no name) - {BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1} - C:\WINDOWS\system32\tuvSkiff.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203212228984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 7271 bytes

Edited by kishore123, 24 May 2008 - 02:33 PM.


#10
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\?ssembly /s
    C:\Documents and Settings\Thavamalar\Application Data\?ssembly /s
    C:\WINDOWS\system32\?ssembly /s
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Reboot and do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#11
kishore123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OTMOVEIT:
Explorer killed successfully
< C:\Program Files\?ssembly /s >
C:\Program Files\аssembly moved successfully.
C:\Program Files\Common Files\аssembly moved successfully.
< C:\Documents and Settings\Thavamalar\Application Data\?ssembly /s >
C:\Documents and Settings\Thavamalar\Application Data\аssembly moved successfully.
< C:\WINDOWS\system32\?ssembly /s >
C:\WINDOWS\system32\аssembly moved successfully.
< purity >
Explorer started successfully
Main.txt
Deckard's System Scanner v20071014.68
Run by Thavamalar on 2008-05-24 17:11:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
50: 2008-05-24 21:11:56 UTC - RP240 - Deckard's System Scanner Restore Point
49: 2008-05-24 20:29:30 UTC - RP239 - ComboFix created restore point
48: 2008-05-24 20:21:47 UTC - RP238 - ComboFix created restore point
47: 2008-05-24 12:00:16 UTC - RP237 - ComboFix created restore point
46: 2008-05-23 21:02:02 UTC - RP236 - System Checkpoint


-- First Restore Point --
1: 2008-05-08 23:17:58 UTC - RP191 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).
System Drive C: has 0.74 GiB (less than 15%) free.


-- HijackThis (run as Thavamalar.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:49 PM, on 5/24/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Thavamalar\Desktop\dss.exe
C:\DOCUME~1\THAVAM~1\Desktop\Thavamalar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mysidesearch browser optimizer - {0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc} - C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll (file missing)
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O2 - BHO: (no name) - {72B52281-D133-4091-8E2F-FD91E8F6601F} - C:\WINDOWS\system32\pmnkLCRj.dll (file missing)
O2 - BHO: (no name) - {9F60E186-8840-4CC0-B7DD-95773A4015B4} - C:\WINDOWS\system32\mlJCUOij.dll (file missing)
O2 - BHO: (no name) - {bb8253ee-a22d-480a-957e-e55ee763c78a} - C:\WINDOWS\system32\mqbdpfnk.dll (file missing)
O2 - BHO: (no name) - {BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1} - C:\WINDOWS\system32\tuvSkiff.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203212228984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 7309 bytes
Extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 503.36 MiB / 174.52 MiB
Pagefile Memory (total/avail): 4472.83 MiB / 4177.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.92 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 15.01 GiB total, 0.74 GiB free.
D: is Fixed (NTFS) - 92.12 GiB total, 79.06 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200BB-22DAA0 - 111.79 GiB - 3 partitions
\PARTITION0 - Unknown - 4.66 GiB
\PARTITION1 (bootable) - Installable File System - 15.01 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 92.12 GiB - D:

\\.\PHYSICALDRIVE1 - HP Photosmart 2575 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Thavamalar\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VALUED-ECECF7F4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Thavamalar
LOGONSERVER=\\VALUED-ECECF7F4
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\Program Files\Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\THAVAM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\THAVAM~1\LOCALS~1\Temp
USERDOMAIN=VALUED-ECECF7F4
USERNAME=Thavamalar
USERPROFILE=C:\Documents and Settings\Thavamalar
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Thavamalar (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Agere Systems AC'97 Modem --> agrsmdel
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Creation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF005ABC-1422-4BEC-91C4-DD5935E56AAA}\setup.exe"
Experience VAIO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{36FE914F-1B2B-4D83-B3E1-032A508E9EC4}\setup.exe"
ffdshow (remove only) --> "D:\Program Files\ffdshow\uninstall.exe"
Free Natural Text to Speech Reader 2007 --> MsiExec.exe /I{3E5DA526-F420-45A6-9F27-D2B5246D6823}
HijackThis 2.0.2 --> "C:\Documents and Settings\Thavamalar\Desktop\HijackThis.exe" /uninstall
Home Office Page for Experience VAIO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{374E48BA-CBC1-4134-86B9-7A97B0E76B2E}\setup.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0 --> D:\Program Files\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Document Viewer 7.0 --> D:\Program Files\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0 --> D:\Program Files\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5 --> D:\Program Files\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A --> D:\Program Files\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> D:\Program Files\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
ijji --> C:\ijji\ENGLISH\ijjiUninstall.exe
ijji FireFox Launcher 1.0 --> C:\Documents and Settings\All Users\Application Data\IJJIGame\uninst.exe
ImageStation Tour --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28336AFC-722C-4E17-B286-2A7C906183C0}\setup.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Internet Download Manager --> D:\Image\Crack\Uninstall.exe
Java 2 Runtime Environment, SE v1.4.0_03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC1E4C93-C1E7-11D6-9D10-00010240CE95}\Setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
MapleStory --> MsiExec.exe /I{0A41BC21-EA0F-4B0B-BEA4-2997B80DB0D9}
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Upgrade Offer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDEAF307-51B7-41FF-8B08-AE646117172E}\setup.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.14) --> D:\Program Files\Firefox\uninstall\helper.exe
Music Visualizer Library 1.4.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\setup.exe" -l0x9
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll-uninst.exe
Network Smart Capture --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30642CE1-217B-40C0-92E2-6BF849599D9E}\setup.exe" -l0x9
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvsy.inf
OCR Software by I.R.I.S 7.0 --> D:\Program Files\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OpenMG Limited Patch 3.2-03-02-21-08 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-21-08\HotFixSetup\setup.exe /u
OpenMG Limited Patch 3.2-03-02-25-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-25-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62F33B80-6244-4A70-A233-0DA13B640364}\Setup.exe" -l0x9 UNINSTALL
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Sansa Media Converter --> "C:\Program Files\InstallShield Installation Information\{FC053571-8507-44E4-8B6D-AACEAB8CA57C}\setup.exe" --u:{FC053571-8507-44E4-8B6D-AACEAB8CA57C}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SonicStage 1.5.50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}\setup.exe" -l0x9 UNINSTALL
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Vegas Movie Studio 8.0 --> MsiExec.exe /X{6D3A42EA-DFD9-4E8A-A9DC-3DE9B162BEDD}
Sony Video Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
Spybot - Search & Destroy --> "D:\Spybot - Search & Destroy\unins000.exe"
VAIO DeepSea Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3147661C-2807-49EC-B971-3B0F23D95018}\setup.exe"
VAIO Help and Support --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}
VAIO Media 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\setup.exe" -l0x9 UNINSTALL
VAIO Media Music Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF733005-0F40-11D6-9254-0000F460E7A9}\setup.exe" -l0x9 UNINSTALL
VAIO Media Photo Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E30D77F-CE1B-4674-8AFB-0DE22E5AC3A8}\setup.exe" -l0x9
VAIO Media Platform 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF0DD6E9-F673-4466-8353-70B50A506FD9}\setup.exe"
VAIO Media Redistribution 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\setup.exe" -l0x9 UNINSTALL
VAIO Media Setup 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CCAC48E4-4B4D-43CB-ABB5-E817E39873B3}\setup.exe" -l0x9
VAIO Registration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
VAIO Survey Standalone --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD7D5804-C157-48A6-AEE0-4A40A4B5C054}\setup.exe"
VERITAS RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
VERITAS RecordNow Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
VideoLAN VLC media player 0.8.6d --> D:\Program Files\VLC\uninstall.exe
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7993 / Success
Event Submitted/Written: 05/24/2008 04:26:39 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7980 / Success
Event Submitted/Written: 05/24/2008 02:23:31 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7957 / Success
Event Submitted/Written: 05/24/2008 02:02:47 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7948 / Success
Event Submitted/Written: 05/24/2008 08:11:00 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7933 / Success
Event Submitted/Written: 05/23/2008 03:59:25 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5317 / Error
Event Submitted/Written: 05/24/2008 04:26:11 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type5316 / Error
Event Submitted/Written: 05/24/2008 04:26:11 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type5313 / Error
Event Submitted/Written: 05/24/2008 04:25:55 PM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type5269 / Error
Event Submitted/Written: 05/24/2008 02:22:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type5268 / Error
Event Submitted/Written: 05/24/2008 02:22:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2008-05-24 17:13:47 ------------


OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05242008_171028

#12 Rorschach112 (Retired Staff)
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: mysidesearch browser optimizer - {0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc} - C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll (file missing)
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O2 - BHO: (no name) - {72B52281-D133-4091-8E2F-FD91E8F6601F} - C:\WINDOWS\system32\pmnkLCRj.dll (file missing)
O2 - BHO: (no name) - {9F60E186-8840-4CC0-B7DD-95773A4015B4} - C:\WINDOWS\system32\mlJCUOij.dll (file missing)
O2 - BHO: (no name) - {bb8253ee-a22d-480a-957e-e55ee763c78a} - C:\WINDOWS\system32\mqbdpfnk.dll (file missing)
O2 - BHO: (no name) - {BD1652DC-4F6C-4B28-A23E-B179BA5DFBE1} - C:\WINDOWS\system32\tuvSkiff.dll (file missing)
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new DSS log

#13 kishore123 (Topic Starter)
Deckard's System Scanner v20071014.68
Run by Thavamalar on 2008-05-24 22:56:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).
System Drive C: has 0.76 GiB (less than 15%) free.


-- HijackThis (run as Thavamalar.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:25 PM, on 5/24/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Thavamalar\Desktop\dss.exe
C:\DOCUME~1\THAVAM~1\Desktop\THAVAM~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203212228984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 6580 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 09:20:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 09:20:10 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 07:59:27 68096 --a------ C:\WINDOWS\zip.exe
2008-05-24 07:59:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-24 07:59:27 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-24 07:59:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-24 07:59:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-24 07:59:27 98816 --a------ C:\WINDOWS\sed.exe
2008-05-24 07:59:27 80412 --a------ C:\WINDOWS\grep.exe
2008-05-24 07:59:27 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-21 18:41:21 0 d-------- C:\VundoFix Backups
2008-05-13 16:37:31 0 d-------- C:\Temp
2008-05-11 18:13:17 0 d-------- C:\Program Files\DivX
2008-05-09 22:37:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-05-24 17:10:28 0 d-------- C:\Program Files\Common Files
2008-05-19 12:55:54 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\Real
2008-05-11 18:13:24 9654 --a----c- C:\WINDOWS\mozver.dat
2008-05-11 14:24:01 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\teamspeak2
2008-05-09 22:55:28 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\Mozilla
2008-05-08 19:27:18 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\DMCache
2008-04-15 20:55:29 0 d-------- C:\Program Files\Vstplugins
2008-04-15 20:53:37 0 d-------- C:\Program Files\Sony Setup
2008-04-15 14:06:39 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\IDM
2008-04-14 22:42:43 0 d-------- C:\Program Files\DNA
2008-04-13 18:35:44 0 d-------- C:\Program Files\Microsoft Bootvis
2008-04-09 23:11:18 0 d-------- C:\Program Files\Alwil Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/03/2003 10:44 PM]
"nwiz"="nwiz.exe" [03/03/2003 10:44 PM C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 05:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/01/2003 12:00 AM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [03/11/2003 02:24 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [03/11/2003 02:11 PM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"AGRSMMSG"="AGRSMMSG.exe" [02/14/2003 03:59 PM C:\WINDOWS\AGRSMMSG.exe]
"BMf3075b31"="C:\WINDOWS\system32\xikfosxt.dll" []
"{46-68-80-02-DW}"="c:\windows\system32\jnwnw64p.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/12/2008 02:59 PM]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
D:\Program Files\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
D:\Image\Crack\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-24 22:57:00 ------------

#14 Rorschach112 (Retired Staff)
Hello

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



Reboot and post a new DSS log and tell me how your PC is running
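The two HijackThis fix lists in posts #12 and #14 single out entries by a few recognisable traits: BHOs with no name whose DLL is already missing, a Run value that loads a system32 DLL through Rundll32 with a one-letter export, and Run value names that look auto-generated rather than like a product name. As an added example that is not part of this thread and not HijackThis's own code, the Python script below parses O2/O4 lines into records, applies those traits as heuristics, and diffs a before/after log to confirm which entries the fix actually removed. The sample lines are copied from the logs quoted in this thread; the regexes, the heuristics and the function names are assumptions made for illustration.

```python
"""Triage helper for HijackThis-style O2/O4 lines (added example, not HijackThis code).

Parses the lines into records, applies a few heuristics modelled on the traits
the helper used in this thread, and diffs a before/after log.  Regexes and
heuristics are assumptions for illustration; sample lines are copied from the
logs quoted in the thread.
"""
import re
from dataclasses import dataclass

# {8-4-4-4-12} hex: what a genuine CLSID-style Run value name looks like
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# short letter prefix followed by a run of hex digits, e.g. BMf3075b31
HEX_TAIL_RE = re.compile(r"^[A-Za-z]{1,3}[0-9A-Fa-f]{6,}$")
# rundll32 <dll>,<export>   (the export may be empty)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.I)
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]*\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (\S+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str    # "O2" (browser helper object) or "O4" (Run autostart)
    name: str    # BHO display name or Run value name
    target: str  # DLL path (O2) or command line (O4)
    raw: str     # the original log line


def parse(text):
    """Extract O2 and O4 entries from a HijackThis-style log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m.group(1), m.group(3), line))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group(2), m.group(3), line))
    return entries


def reasons(e):
    """Heuristic hits for one entry; an empty list means nothing looked odd."""
    hits = []
    if "(file missing)" in e.target:
        hits.append("orphaned entry: referenced file is gone")
    if e.kind == "O2" and e.name == "(no name)":
        hits.append("BHO with no display name")
    if e.kind == "O4":
        m = RUNDLL_RE.search(e.target)
        # legitimate rundll32 autostarts name a descriptive export (NvCpl.dll,NvStartup);
        # a one-letter or missing export on a system32 DLL is unusual
        if m and "system32" in m.group(1).lower() and len(m.group(2)) <= 2:
            hits.append("rundll32 loads a system32 DLL via a one-letter export")
        if HEX_TAIL_RE.match(e.name):
            hits.append("auto-generated looking value name (prefix + hex)")
        if e.name.startswith("{") and not GUID_RE.match(e.name):
            hits.append("brace-wrapped value name that is not a real GUID")
    return hits


def triage(text):
    """Map each flagged raw line to its reasons; clean entries are omitted."""
    return {e.raw: reasons(e) for e in parse(text) if reasons(e)}


def diff_logs(before, after):
    """(lines gone after the fix, lines that appeared) for the O2/O4 sections."""
    b = {e.raw for e in parse(before)}
    a = {e.raw for e in parse(after)}
    return sorted(b - a), sorted(a - b)


# Sample "before" lines copied from the entries quoted in this thread (posts #12/#13).
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mysidesearch browser optimizer - {0cd3edf1-a2a7-24ef-f7a6-bc5a9dda91fc} - C:\WINDOWS\system32\{be24d6d6-8fdc-35f6-c21e-5fd5cbf95398}.dll (file missing)
O2 - BHO: (no name) - {462AA99E-E538-45C2-BACB-997BFE943B10} - C:\WINDOWS\system32\mlJDvVlj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\xikfosxt.dll",s
O4 - HKLM\..\Run: [{46-68-80-02-DW}] c:\windows\system32\jnwnw64p.exe DWram
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
"""
# Sample "after" lines copied from the post-fix log (post #15): only the clean entries remain.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for raw, why in triage(BEFORE).items():
        print(raw)
        for w in why:
            print("   ->", w)
    gone, new = diff_logs(BEFORE, AFTER)
    print(f"\n{len(gone)} entries gone after the fix, {len(new)} new")
```

The diff deliberately reports the TeaTimer entry as gone as well: it disappeared because the helper asked for it to be disabled, not because it was malicious. A before/after diff therefore confirms that a fix was applied, while the per-entry reasons are what justify removing something in the first place; neither replaces reading the full log.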

#15 kishore123 (Topic Starter)
MBAM Log:
Malwarebytes' Anti-Malware 1.12
Database version: 785

Scan type: Quick Scan
Objects scanned: 39634
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mySearchAssistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thavamalar\Desktop\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

DSS:
Deckard's System Scanner v20071014.68
Run by Thavamalar on 2008-05-25 10:31:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).
System Drive C: has 0.69 GiB (less than 15%) free.


-- HijackThis (run as Thavamalar.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:45 AM, on 5/25/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\Thavamalar\Desktop\dss.exe
C:\DOCUME~1\THAVAM~1\Desktop\THAVAM~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203212228984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 6302 bytes

-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 10:07:41 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\Malwarebytes
2008-05-25 10:07:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 10:07:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-24 09:20:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 09:20:10 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 07:59:27 68096 --a------ C:\WINDOWS\zip.exe
2008-05-24 07:59:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-24 07:59:27 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-24 07:59:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-24 07:59:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-24 07:59:27 98816 --a------ C:\WINDOWS\sed.exe
2008-05-24 07:59:27 80412 --a------ C:\WINDOWS\grep.exe
2008-05-24 07:59:27 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-21 18:41:21 0 d-------- C:\VundoFix Backups
2008-05-13 16:37:31 0 d-------- C:\Temp
2008-05-11 18:13:17 0 d-------- C:\Program Files\DivX
2008-05-09 22:37:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-05-24 17:10:28 0 d-------- C:\Program Files\Common Files
2008-05-19 12:55:54 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\Real
2008-05-11 18:13:24 9654 --a----c- C:\WINDOWS\mozver.dat
2008-05-11 14:24:01 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\teamspeak2
2008-05-09 22:55:28 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\Mozilla
2008-05-08 19:27:18 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\DMCache
2008-04-15 20:55:29 0 d-------- C:\Program Files\Vstplugins
2008-04-15 20:53:37 0 d-------- C:\Program Files\Sony Setup
2008-04-15 14:06:39 0 d-------- C:\Documents and Settings\Thavamalar\Application Data\IDM
2008-04-14 22:42:43 0 d-------- C:\Program Files\DNA
2008-04-13 18:35:44 0 d-------- C:\Program Files\Microsoft Bootvis
2008-04-09 23:11:18 0 d-------- C:\Program Files\Alwil Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/03/2003 10:44 PM]
"nwiz"="nwiz.exe" [03/03/2003 10:44 PM C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 05:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/01/2003 12:00 AM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [03/11/2003 02:24 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [03/11/2003 02:11 PM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"AGRSMMSG"="AGRSMMSG.exe" [02/14/2003 03:59 PM C:\WINDOWS\AGRSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/12/2008 02:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
D:\Program Files\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
D:\Image\Crack\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-25 10:32:22 ------------