Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't use Panda Scan + other issues [RESOLVED]

Started by MysteryMaster , May 24 2008 02:46 AM

  • This topic is locked This topic is locked

#1
MysteryMaster
Posted 24 May 2008 - 02:46 AM

MysteryMaster

    Member

  • Member
  • PipPip
  • 39 posts
Hey there,

I'm new to your page and I was gonna do all the scans you asked me to. When I tried to do the Panda scan, something really odd happened. My Anti virus guard recognized it as a virus and it froze me firefox... I basically had to crash it, because even the task manager didn't close it... I'm not gonna do this again until I get some feedback from you guys.

One of the things i was gonna ask (besides that problem with the scan :) is that I have the 'my computer' window pop up every time the computer reboots, it's nothing I can find in msconfig. Also, I have a program called registry booster and it seems to go online before my whole desktop is even uploaded, I'm not too happy about the fact that ANY program would go online without me signing on (I hope that's not something fishy...)

I did create a hijack this log file, if that's something you need to check.


Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://authoring.eonline.com
O15 - Trusted Zone: http://www.eonline.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.onlinetvrecorder.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {79E7DCE2-6306-4996-B7CB-C2601B2B7BD1} (DownloadCtrl Class) - https://stream.web.d...fy/Download.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{964682B7-8147-48DE-8934-AB2CF8C4C2C7}: NameServer = 68.94.156.1 206.13.30.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11061 bytes


thanks in advance for all your help :)

Edited by MysteryMaster, 24 May 2008 - 03:11 AM.

  • 0

Advertisements

#2
koko_crunch
Posted 28 May 2008 - 11:49 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello MysteryMaster and Welcome to Geeks to Go!

Sorry for the long wait, busy week.

After checking your log, I found signs of malware on your system.
Please stick with me until we get you cleaned up. :)

Please read this post completely before proceeding with the fix. If you have questions, don't hesitate to ask.

Let's start.

First,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Then,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Please postback with

- MBAM log
- Sdfix log
- New HijackThis log
  • 0

#3
MysteryMaster
Posted 29 May 2008 - 01:04 AM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hey there,
thanks so much for your response, I've done what you asked me to -

here's the MBAM log:

Malwarebytes' Anti-Malware 1.12
Database version: 783

Scan type: Quick Scan
Objects scanned: 41673
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SDFix log:

SDFix: Version 1.186
Run by Silke on Wed 05/28/2008 at 11:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\hosts - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 23:52:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download]
"LastSuccessTime"="2008-05-29 06:51:20"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\Silke\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Silke\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe:*:Enabled:Sentinel Protection Server"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Silke\\Desktop\\utorrent161.exe"="C:\\Documents and Settings\\Silke\\Desktop\\utorrent161.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe"="C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe:*:Enabled:DriverMagic"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 19 Jun 2007 56 A.SHR --- "C:\WINDOWS\SYSTEM32\5602B891C4.sys"
Tue 19 Jun 2007 1,890 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Tue 27 Nov 2007 393,216 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL0005.tmp"
Tue 27 Nov 2007 390,144 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL0632.tmp"
Tue 27 Nov 2007 377,856 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL0634.tmp"
Sat 24 Nov 2007 20,480 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL0824.tmp"
Tue 27 Nov 2007 390,656 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL1090.tmp"
Tue 27 Nov 2007 389,632 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL2199.tmp"
Tue 27 Nov 2007 326,144 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL2323.tmp"
Tue 27 Nov 2007 328,192 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL3077.tmp"
Tue 27 Nov 2007 390,144 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL3292.tmp"
Tue 27 Nov 2007 390,144 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL3436.tmp"
Tue 27 Nov 2007 390,144 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL3538.tmp"
Tue 27 Nov 2007 390,144 ...H. --- "C:\Documents and Settings\Silke\My Documents\~WRL3563.tmp"
Thu 13 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 20 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 12 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"

Finished!

and lastly, the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:49 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://authoring.eonline.com
O15 - Trusted Zone: http://www.eonline.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.onlinetvrecorder.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {79E7DCE2-6306-4996-B7CB-C2601B2B7BD1} (DownloadCtrl Class) - https://stream.web.d...fy/Download.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{964682B7-8147-48DE-8934-AB2CF8C4C2C7}: NameServer = 68.94.156.1 206.13.30.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11197 bytes

Let me know what you think - window still pops up (but i guess that has a different reason (?))

:-)
  • 0

#4
koko_crunch
Posted 29 May 2008 - 01:34 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Yes, pop ups are caused by a different type. We need to do some more scan to pinpoint exactly what's causing it.
Please stick with until we get you cleaned up. :)

Next,

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Then,

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Please post back with required logs.

- Vundofix log
- Smitfraudfix log
  • 0

#5
MysteryMaster
Posted 29 May 2008 - 12:04 PM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
It doesn't let me run Vundo, it says it's not a valid Win32 application... what do I do now? Also. my computer seems to be a bit slower now... :)
  • 0

#6
koko_crunch
Posted 30 May 2008 - 01:18 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
That's okay we'll use a different tool this time.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#7
MysteryMaster
Posted 31 May 2008 - 03:32 PM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Ok, I did the scan and I'll put the results below - I had one issue though - apparently a dll file had disappeared (ymmapi.dll), but I found it online and restored it, because it messed with my internet functions... I guess it got deleted... how I don't know but anyhow, it's back now and I just figured I mention this because maybe it's related to something important :)

Also, I was wondering if this (or previous steps) restored programs I was trying to get rid of before (such as all the AOL stuff) because all of that seems to be back now (?)

So, here's the log file of the combofix scan:

ComboFix 08-05-29.1 - Silke 2008-05-31 12:02:59.1 - NTFSx86
Running from: C:\Documents and Settings\Silke\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\17o7

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-31 11:26 . 2008-05-31 11:26 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-28 23:40 . 2008-05-28 23:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 23:32 . 2008-05-28 23:56 <DIR> d-------- C:\SDFix
2008-05-24 01:48 . 2008-05-24 01:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 01:10 . 2008-05-24 01:11 <DIR> d-------- C:\Program Files\Panda Security
2008-05-23 23:50 . 2008-05-24 00:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 23:50 . 2008-05-23 23:50 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\SUPERAntiSpyware.com
2008-05-23 23:50 . 2008-05-23 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 23:12 . 2008-05-23 23:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 23:12 . 2008-05-23 23:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-23 23:12 . 2008-05-23 23:12 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Malwarebytes
2008-05-23 23:12 . 2008-05-23 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 23:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-23 23:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-20 14:47 . 2008-03-01 06:06 6,066,176 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-05-20 14:47 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-05-20 14:47 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-05-20 14:47 . 2008-03-01 06:06 459,264 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-05-20 14:47 . 2008-03-01 06:06 383,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-05-20 14:47 . 2008-03-01 06:06 267,776 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-05-20 14:47 . 2008-03-01 06:06 63,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-05-20 14:47 . 2008-03-01 06:06 52,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-05-20 14:47 . 2008-02-22 03:00 13,824 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-05-20 12:56 . 2008-05-20 12:56 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Logitech
2008-05-20 12:56 . 2008-05-20 12:56 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\ATI
2008-05-20 12:56 . 2008-05-20 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-05-20 12:54 . 2008-05-20 12:54 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-20 12:51 . 2008-05-20 12:51 <DIR> d-------- C:\Program Files\Logitech
2008-05-20 12:51 . 2008-05-20 12:51 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-05-20 12:50 . 2003-02-25 06:10 192,512 --a------ C:\WINDOWS\SYSTEM32\lexlmpm.dll
2008-05-20 12:49 . 2008-05-20 12:49 <DIR> d-------- C:\Program Files\ATI
2008-05-20 12:48 . 2008-05-20 12:48 <DIR> d-------- C:\LXKZ600
2008-05-20 12:47 . 2008-05-20 12:47 <DIR> d-------- C:\Program Files\D-Link
2008-05-20 12:47 . 2008-03-28 21:05 593,920 --------- C:\WINDOWS\SYSTEM32\ati2sgag.exe
2008-05-20 12:46 . 2008-05-20 12:46 <DIR> d-------- C:\ATI
2008-05-20 12:43 . 2008-05-20 12:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\ENU
2008-05-20 12:43 . 2007-02-26 11:39 126,976 --a------ C:\WINDOWS\SYSTEM32\Imsmudlg.exe
2008-05-20 11:56 . 2008-05-20 11:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 11:56 . 2008-05-20 11:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-20 11:53 . 2008-05-20 11:53 <DIR> d-------- C:\Program Files\SymplisIT
2008-05-20 11:53 . 2008-05-20 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SymplisIT
2008-05-20 11:25 . 2007-12-04 16:44 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2008-05-19 12:57 . 2008-05-19 12:57 13,646 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2008-05-19 12:46 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2008-05-19 12:44 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-05-19 12:43 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2008-05-19 12:42 . 2004-08-04 05:00 768,512 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\helpctr.exe
2008-05-19 12:34 . 2004-08-04 05:00 1,086,058 -ra------ C:\WINDOWS\SET4E.tmp
2008-05-19 12:34 . 2004-08-04 05:00 1,042,903 -ra------ C:\WINDOWS\SET4C.tmp
2008-05-19 12:34 . 2004-08-04 05:00 13,753 -ra------ C:\WINDOWS\SET56.tmp
2008-05-19 05:35 . 2008-05-19 05:35 <DIR> d-------- C:\Program Files\GetData
2008-05-19 02:48 . 2006-05-04 00:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-19 02:48 . 2008-04-25 11:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-05-19 02:48 . 2006-05-04 00:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-19 02:48 . 2006-05-04 00:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-05-19 02:48 . 2008-05-24 01:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-19 01:44 . 2008-05-19 01:44 49,698 --a------ C:\WINDOWS\SYSTEM32\marscore.zip
2008-05-19 00:26 . 2008-05-19 00:26 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Uniblue
2008-05-18 20:13 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\SYSTEM32\Startup.cpl
2008-05-17 15:59 . 2008-05-17 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-17 15:44 . 2008-05-17 15:44 <DIR> d-------- C:\Program Files\SBC Yahoo!
2008-05-17 15:42 . 2008-05-17 16:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-05 00:30 . 2008-05-05 00:30 <DIR> d-------- C:\Program Files\PrevxCSI
2008-05-05 00:30 . 2008-05-05 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-30 12:49 . 2008-04-30 12:49 61,510 --a------ C:\WINDOWS\SYSTEM32\dsGinaLoader.dll
2008-04-30 00:05 . 2008-05-13 03:42 4,096 --ahs---- C:\VSNAP.IDX
2008-04-27 22:49 . 2008-04-27 22:49 <DIR> d-------- C:\Program Files\NinjaVideo
2008-04-24 01:31 . 2008-04-24 01:31 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Symantec
2008-04-24 00:02 . 2008-04-24 00:03 23,510,720 --a------ C:\Program Files\dotnetfx.exe
2008-04-23 23:48 . 2008-04-23 23:48 <DIR> d-------- C:\Program Files\Norton Ghost
2008-04-23 22:22 . 2008-04-23 22:35 <DIR> d-------- C:\Program Files\Norton Ghost 14
2008-04-23 00:38 . 2008-04-03 15:18 <DIR> d-a------ C:\Program Files\Multidecoder_1.0.0.42
2008-04-23 00:10 . 2008-04-23 00:10 1,802,740 --a------ C:\Program Files\Multidecoder_1.0.0.42.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 18:34 --------- d-----w C:\Documents and Settings\Silke\Application Data\Juniper Networks
2008-05-31 18:24 95,929 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_30_16_30_26_small.dmp.zip
2008-05-30 23:38 --------- d-----w C:\Program Files\Juniper Networks
2008-05-29 21:58 --------- d-----w C:\Program Files\GTS
2008-05-29 05:18 --------- d-----w C:\Documents and Settings\Silke\Application Data\DigiDelivery
2008-05-24 07:55 4,903,936 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-24 06:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 23:02 19,003,041 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_20_14_12_32_full.dmp.zip
2008-05-20 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 19:48 --------- d-----w C:\Program Files\ATI Technologies
2008-05-20 19:44 --------- d-----w C:\Program Files\Intel
2008-05-20 19:03 --------- d-----w C:\Program Files\Dell
2008-05-19 19:41 1,663 ----a-w C:\WINDOWS\INF\COMD4.tmp
2008-05-19 19:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 03:02 10,088,823 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-17 23:08 --------- d-----w C:\Documents and Settings\Silke\Application Data\Yahoo!
2008-05-17 22:45 4,378,112 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-17 22:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Visual Networks
2008-05-17 22:03 --------- d-----w C:\Program Files\Creative
2008-05-16 16:41 4,314,112 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-06 02:19 4,196,864 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-01 22:47 54,840 ----a-w C:\Documents and Settings\Silke\Application Data\GDIPFONTCACHEV1.DAT
2008-04-30 19:35 23,552 ----a-w C:\WINDOWS\system32\drivers\dsNcAdpt.sys
2008-04-28 05:46 --------- d-----w C:\Program Files\DivX
2008-04-24 07:27 --------- d-----w C:\Program Files\Macromedia
2008-04-24 06:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-21 20:15 --------- d-----w C:\Program Files\Unlocker
2008-04-19 19:55 --------- d-----w C:\Documents and Settings\Silke\Application Data\GTS
2008-04-09 07:11 3,848,192 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-03-30 20:05 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-30 20:05 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-03-30 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-30 20:01 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-30 19:58 --------- d-----w C:\Program Files\Avanquest update
2008-03-30 19:53 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-30 19:52 --------- d-----w C:\Documents and Settings\Silke\Application Data\InstallShield
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\SYSTEM32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\SYSTEM32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\SYSTEM32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\SYSTEM32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\SYSTEM32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\SYSTEM32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\SYSTEM32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\SYSTEM32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\SYSTEM32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\SYSTEM32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\SYSTEM32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\SYSTEM32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\SYSTEM32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\SYSTEM32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\SYSTEM32\atitvo32.dll
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\SYSTEM32\ati2cqag.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-03-01 08:21 3,125,248 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-14 07:37 2,853,898 ----a-w C:\Program Files\poster-forge.zip
2006-08-31 21:34 1,645,672 ----a-w C:\Program Files\soref_regclean.exe
2006-06-09 20:35 4,423,888 ----a-w C:\Program Files\SetupDigiDelivery.exe
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
2005-09-10 03:55 35 ----a-w C:\Program Files\SCSSDist.ini
2007-06-20 06:26 56 --sha-r C:\WINDOWS\SYSTEM32\5602B891C4.sys
2007-06-20 06:26 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-29 10:14 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-24 00:50 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-29 23:00 45056]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2006-09-04 22:35 368706]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 11:10 262401]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 14:50 221184]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NetScreen-Remote.lnk - C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe [2006-08-02 16:18:41 73780]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-24 00:50 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-24 00:50 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DVIM"= dvifrmu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdateManager]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
--a------ 2007-10-04 18:38 307200 C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 10:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-10-29 10:18 49152 C:\Program Files\Creative\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-05 23:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMagicSchedule]
--a------ 2008-04-30 08:04 69632 C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 14:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
--a------ 2004-05-27 18:05 323584 C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Mail Alarm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailAlarm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide-The-IP]
--a------ 2007-03-19 09:52 2405888 C:\PROGRA~1\HIDETH~1\HIDETH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-02-12 13:37 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2006-07-19 12:03 94208 C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
--a------ 2008-01-19 20:01 2245984 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
--a------ 2008-01-19 20:01 2245984 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM]
--a------ 2006-07-29 04:07 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-07-29 04:07 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-10 23:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-02-29 10:14 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BreezeApp"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe"=
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"C:\Program Files\Juniper\NetScreen-Remote\ViewLog.exe"= C:\Program Files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"C:\Program Files\Juniper\NetScreen-Remote\CmonApp.exe"= C:\Program Files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"C:\Program Files\Juniper\NetScreen-Remote\vpn.exe"= C:\Program Files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R1 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2006-02-01 11:38]
R2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys [2005-08-15 08:27]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
R3 DniVap;Deterministic Networks WAN Miniport (Virtual);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2008-04-30 12:35]
R3 SymSnapService;SymSnapService;"C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [2007-12-20 17:13]
S3 pmxscan;Memorex USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 18:25:55 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-25 10:05:39 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 12:08:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 12:09:31
ComboFix-quarantined-files.txt 2008-05-31 19:09:06

Pre-Run: 48,405,372,928 bytes free
Post-Run: 48,437,751,808 bytes free

322 --- E O F --- 2008-05-31 04:19:46

and here's the new HijackThis log:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://authoring.eonline.com
O15 - Trusted Zone: http://www.eonline.com
O15 - Trusted Zone: www.germandeli.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.onlinetvrecorder.com
O15 - Trusted Zone: http://order.store.yahoo.net
O15 - Trusted Zone: http://us-dc2-order.store.yahoo.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {79E7DCE2-6306-4996-B7CB-C2601B2B7BD1} (DownloadCtrl Class) - https://stream.web.d...fy/Download.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{964682B7-8147-48DE-8934-AB2CF8C4C2C7}: NameServer = 68.94.156.1 206.13.30.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10802 bytes


Let me know what's next - thanks for all your help,

S.

Edited by MysteryMaster, 31 May 2008 - 03:34 PM.

  • 0

#8
koko_crunch
Posted 01 June 2008 - 06:21 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Ok.. next,

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\SYSTEM32\dvifrmu.dll
  • Click on the submit button
  • Please post the results in your next reply.

Then,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SET4E.tmp
C:\WINDOWS\SET4C.tmp
C:\WINDOWS\SET56.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\INF\COMD4.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\SYSTEM32\5602B891C4.sys
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Program Files\SCSSDist.ini



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please post back with

- Virus total log
- CF log
- New HijackThis log
  • 0

#9
MysteryMaster
Posted 02 June 2008 - 12:24 AM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hey there,

here are the results:

Jottis Malware:

Scan taken on 02 Jun 2008 05:08:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ComboFix:

ComboFix 08-05-29.1 - Silke 2008-06-01 22:43:57.2 - NTFSx86



WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\SCSSDist.ini
C:\WINDOWS\INF\COMD4.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\SET4C.tmp
C:\WINDOWS\SET4E.tmp
C:\WINDOWS\SET56.tmp
C:\WINDOWS\SYSTEM32\5602B891C4.sys
C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SCSSDist.ini
C:\WINDOWS\INF\COMD4.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\SET4C.tmp
C:\WINDOWS\SET4E.tmp
C:\WINDOWS\SET56.tmp
C:\WINDOWS\SYSTEM32\5602B891C4.sys
C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-01 21:44 . 2008-06-01 21:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-31 12:19 . 2008-05-31 12:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\vmm32
2008-05-28 23:40 . 2008-05-28 23:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 23:32 . 2008-05-28 23:56 <DIR> d-------- C:\SDFix
2008-05-24 01:48 . 2008-05-24 01:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 01:10 . 2008-05-24 01:11 <DIR> d-------- C:\Program Files\Panda Security
2008-05-23 23:50 . 2008-05-24 00:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 23:50 . 2008-05-23 23:50 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\SUPERAntiSpyware.com
2008-05-23 23:50 . 2008-05-23 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 23:12 . 2008-05-23 23:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 23:12 . 2008-05-23 23:12 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-23 23:12 . 2008-05-23 23:12 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Malwarebytes
2008-05-23 23:12 . 2008-05-23 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 23:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-23 23:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-20 14:47 . 2008-03-01 06:06 6,066,176 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-05-20 14:47 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-05-20 14:47 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-05-20 14:47 . 2008-03-01 06:06 459,264 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-05-20 14:47 . 2008-03-01 06:06 383,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-05-20 14:47 . 2008-03-01 06:06 267,776 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-05-20 14:47 . 2008-03-01 06:06 63,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-05-20 14:47 . 2008-03-01 06:06 52,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-05-20 14:47 . 2008-02-22 03:00 13,824 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-05-20 12:56 . 2008-05-20 12:56 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Logitech
2008-05-20 12:56 . 2008-05-20 12:56 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\ATI
2008-05-20 12:56 . 2008-05-20 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-05-20 12:54 . 2008-05-20 12:54 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-20 12:51 . 2008-05-20 12:51 <DIR> d-------- C:\Program Files\Logitech
2008-05-20 12:51 . 2008-05-20 12:51 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-05-20 12:50 . 2003-02-25 06:10 192,512 --a------ C:\WINDOWS\SYSTEM32\lexlmpm.dll
2008-05-20 12:49 . 2008-05-20 12:49 <DIR> d-------- C:\Program Files\ATI
2008-05-20 12:48 . 2008-05-20 12:48 <DIR> d-------- C:\LXKZ600
2008-05-20 12:47 . 2008-05-20 12:47 <DIR> d-------- C:\Program Files\D-Link
2008-05-20 12:47 . 2008-03-28 21:05 593,920 --------- C:\WINDOWS\SYSTEM32\ati2sgag.exe
2008-05-20 12:46 . 2008-05-20 12:46 <DIR> d-------- C:\ATI
2008-05-20 12:43 . 2008-05-20 12:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\ENU
2008-05-20 12:43 . 2007-02-26 11:39 126,976 --a------ C:\WINDOWS\SYSTEM32\Imsmudlg.exe
2008-05-20 11:56 . 2008-05-20 11:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 11:56 . 2008-05-20 11:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-20 11:53 . 2008-05-20 11:53 <DIR> d-------- C:\Program Files\SymplisIT
2008-05-20 11:53 . 2008-05-20 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SymplisIT
2008-05-20 11:25 . 2007-12-04 16:44 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2008-05-19 12:57 . 2008-05-19 12:57 13,646 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2008-05-19 12:46 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2008-05-19 12:44 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-05-19 12:43 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2008-05-19 12:42 . 2004-08-04 05:00 768,512 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\helpctr.exe
2008-05-19 12:23 . 2004-08-04 05:00 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2008-05-19 05:35 . 2008-05-19 05:35 <DIR> d-------- C:\Program Files\GetData
2008-05-19 02:48 . 2006-05-04 00:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-19 02:48 . 2008-04-25 11:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-05-19 02:48 . 2006-05-04 00:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-19 02:48 . 2006-05-04 00:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-05-19 02:48 . 2008-05-24 01:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-19 01:44 . 2008-05-19 01:44 49,698 --a------ C:\WINDOWS\SYSTEM32\marscore.zip
2008-05-19 00:26 . 2008-05-19 00:26 <DIR> d-------- C:\Documents and Settings\Silke\Application Data\Uniblue
2008-05-18 20:13 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\SYSTEM32\Startup.cpl
2008-05-17 15:59 . 2008-05-17 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-17 15:44 . 2008-05-17 15:44 <DIR> d-------- C:\Program Files\SBC Yahoo!
2008-05-17 15:42 . 2008-05-17 16:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-05 00:30 . 2008-05-05 00:30 <DIR> d-------- C:\Program Files\PrevxCSI
2008-05-05 00:30 . 2008-05-05 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 05:02 --------- d-----w C:\Documents and Settings\Silke\Application Data\Juniper Networks
2008-06-02 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-06-01 07:14 --------- d-----w C:\Documents and Settings\Silke\Application Data\DigiDelivery
2008-05-31 19:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-31 18:24 95,929 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_30_16_30_26_small.dmp.zip
2008-05-30 23:38 --------- d-----w C:\Program Files\Juniper Networks
2008-05-29 21:58 --------- d-----w C:\Program Files\GTS
2008-05-24 06:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 23:02 19,003,041 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_20_14_12_32_full.dmp.zip
2008-05-20 19:48 --------- d-----w C:\Program Files\ATI Technologies
2008-05-20 19:44 --------- d-----w C:\Program Files\Intel
2008-05-20 19:03 --------- d-----w C:\Program Files\Dell
2008-05-19 19:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 03:02 10,088,823 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-17 23:08 --------- d-----w C:\Documents and Settings\Silke\Application Data\Yahoo!
2008-05-17 22:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Visual Networks
2008-05-17 22:03 --------- d-----w C:\Program Files\Creative
2008-05-01 22:47 54,840 ----a-w C:\Documents and Settings\Silke\Application Data\GDIPFONTCACHEV1.DAT
2008-04-30 19:49 61,510 ----a-w C:\WINDOWS\SYSTEM32\dsGinaLoader.dll
2008-04-30 19:35 23,552 ----a-w C:\WINDOWS\system32\drivers\dsNcAdpt.sys
2008-04-28 05:49 --------- d-----w C:\Program Files\NinjaVideo
2008-04-28 05:46 --------- d-----w C:\Program Files\DivX
2008-04-24 08:31 --------- d-----w C:\Documents and Settings\Silke\Application Data\Symantec
2008-04-24 07:27 --------- d-----w C:\Program Files\Macromedia
2008-04-24 07:03 23,510,720 ----a-w C:\Program Files\dotnetfx.exe
2008-04-24 06:48 --------- d-----w C:\Program Files\Norton Ghost
2008-04-24 06:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 05:35 --------- d-----w C:\Program Files\Norton Ghost 14
2008-04-23 07:10 1,802,740 ----a-w C:\Program Files\Multidecoder_1.0.0.42.zip
2008-04-21 20:15 --------- d-----w C:\Program Files\Unlocker
2008-04-19 19:55 --------- d-----w C:\Documents and Settings\Silke\Application Data\GTS
2008-04-03 22:18 --------- d---a-w C:\Program Files\Multidecoder_1.0.0.42
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\SYSTEM32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\SYSTEM32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\SYSTEM32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\SYSTEM32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\SYSTEM32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\SYSTEM32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\SYSTEM32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\SYSTEM32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\SYSTEM32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\SYSTEM32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\SYSTEM32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\SYSTEM32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\SYSTEM32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\SYSTEM32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\SYSTEM32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\SYSTEM32\atitvo32.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\SYSTEM32\ati2cqag.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-02-14 07:37 2,853,898 ----a-w C:\Program Files\poster-forge.zip
2006-08-31 21:34 1,645,672 ----a-w C:\Program Files\soref_regclean.exe
2006-06-09 20:35 4,423,888 ----a-w C:\Program Files\SetupDigiDelivery.exe
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-29 10:14 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-24 00:50 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-29 23:00 45056]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2006-09-04 22:35 368706]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 11:10 262401]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 14:50 221184]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NetScreen-Remote.lnk - C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe [2006-08-02 16:18:41 73780]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-24 00:50 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DVIM"= dvifrmu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdateManager]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
--a------ 2007-10-04 18:38 307200 C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 10:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-10-29 10:18 49152 C:\Program Files\Creative\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-05 23:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMagicSchedule]
--a------ 2008-04-30 08:04 69632 C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 14:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
--a------ 2004-05-27 18:05 323584 C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Mail Alarm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailAlarm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide-The-IP]
--a------ 2007-03-19 09:52 2405888 C:\PROGRA~1\HIDETH~1\HIDETH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-02-12 13:37 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2006-07-19 12:03 94208 C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
--a------ 2008-01-19 20:01 2245984 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
--a------ 2008-01-19 20:01 2245984 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM]
--a------ 2006-07-29 04:07 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-07-29 04:07 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-10 23:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-02-29 10:14 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BreezeApp"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe"=
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"C:\Program Files\Juniper\NetScreen-Remote\ViewLog.exe"= C:\Program Files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"C:\Program Files\Juniper\NetScreen-Remote\CmonApp.exe"= C:\Program Files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"C:\Program Files\Juniper\NetScreen-Remote\vpn.exe"= C:\Program Files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R1 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2006-02-01 11:38]
R2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys [2005-08-15 08:27]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
R3 DniVap;Deterministic Networks WAN Miniport (Virtual);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2008-04-30 12:35]
R3 SymSnapService;SymSnapService;"C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [2007-12-20 17:13]
S3 pmxscan;Memorex USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 04:43:56 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-25 10:05:39 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 22:47:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 22:48:43
ComboFix-quarantined-files.txt 2008-06-02 05:48:28
ComboFix2.txt 2008-05-31 19:09:32

Pre-Run: 49,099,948,032 bytes free
Post-Run: 49,182,588,928 bytes free

329 --- E O F --- 2008-06-01 07:23:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:02 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://authoring.eonline.com
O15 - Trusted Zone: http://www.eonline.com
O15 - Trusted Zone: www.germandeli.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.onlinetvrecorder.com
O15 - Trusted Zone: http://order.store.yahoo.net
O15 - Trusted Zone: http://us-dc2-order.store.yahoo.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {79E7DCE2-6306-4996-B7CB-C2601B2B7BD1} (DownloadCtrl Class) - https://stream.web.d...fy/Download.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{964682B7-8147-48DE-8934-AB2CF8C4C2C7}: NameServer = 68.94.156.1 206.13.30.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10894 bytes

Let me know what's next
  • 0

#10
koko_crunch
Posted 02 June 2008 - 05:59 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Looks goods.
We're almost done here. How's computer running?

Next,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O15 - Trusted Zone: http://authoring.eonline.com
O15 - Trusted Zone: http://www.eonline.com
O15 - Trusted Zone: www.germandeli.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.onlinetvrecorder.com
O15 - Trusted Zone: http://order.store.yahoo.net
O15 - Trusted Zone: http://us-dc2-order.store.yahoo.net

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Then,


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Finally,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please post back with

- SuperAntispyware log
- DSS main and extra
  • 0

Advertisements

#11
MysteryMaster
Posted 02 June 2008 - 11:09 AM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hey there,

I have a question about the website fxes you want me to do -the site: O15 - Trusted Zone: http://authoring.eonline.com is related to my work, I'm working from home and it's crucial that this functions, is this gonna remove this from the trusted zone or anything else? I have to have that in there, otherwise I can't use all the functios, could you explain me what this step will do? Thank you :)

Edited by MysteryMaster, 02 June 2008 - 11:09 AM.

  • 0

#12
koko_crunch
Posted 02 June 2008 - 03:03 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts

Hey there,

I have a question about the website fxes you want me to do -the site: O15 - Trusted Zone: http://authoring.eonline.com is related to my work, I'm working from home and it's crucial that this functions, is this gonna remove this from the trusted zone or anything else? I have to have that in there, otherwise I can't use all the functios, could you explain me what this step will do? Thank you yes.gif


From Bleeping Computers Tutorial:

Trusted Zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge.


I usually remove sites from the trusted zone since it can be a security threat. Basically, you can Add/Remove any site on this zone. The previous instruction would, yes, remove indicated sites on your trusted zone. You will still be able to access those sites but it'll usually be coupled with notifications/alerts. It can however, like you said, limits functionality and efficiency on a particular site. Seeing that you understand this. I will now make the O15 entries optional.

Hope my explanation was helpful. :)

Edited by koko_crunch, 02 June 2008 - 03:04 PM.

  • 0

#13
MysteryMaster
Posted 02 June 2008 - 03:12 PM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Thanks, I put these pages into the trusted zone because it did disable functions... and the Zone Alarm firewall is pretty aggressive as it is ;-) I will go ahead and do these scans in a bit (when I'm taking a break from working :) E Online is also work related and the german deli site wouldn't let me order when it wasn't in the trusted category, I guess I will have to take it in and out manually then ;-)
  • 0

#14
MysteryMaster
Posted 03 June 2008 - 12:11 AM

MysteryMaster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
When I performed the HijackThis task and when it was done, I had trouble with my explorer, I basically couldn't use some of the features for work program (even though I only used only the R0 and R1 files), so I rolled the system back to before that...

Results SuperAntiSyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/02/2008 at 08:28 PM

Application Version : 4.1.1046

Core Rules Database Version : 3190
Trace Rules Database Version: 1459

Scan type : Complete Scan
Total Scan Time : 00:44:26

Memory items scanned : 430
Memory threats detected : 0
Registry items scanned : 6428
Registry threats detected : 0
File items scanned : 79664
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Silke\Cookies\[email protected][2].txt
C:\Documents and Settings\Silke\Cookies\[email protected][1].txt
C:\Documents and Settings\Silke\Cookies\silke@windowsmedia[1].txt

Log files dss:

main.txt:

Deckard's System Scanner v20071014.68
Run by Silke on 2008-06-02 22:47:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
63: 2008-06-03 05:47:59 UTC - RP63 - Deckard's System Scanner Restore Point
62: 2008-06-02 23:40:28 UTC - RP62 - Restore Operation
61: 2008-06-02 23:28:53 UTC - RP61 - BeforeHijackThis
60: 2008-06-02 06:49:51 UTC - RP60 - Software Distribution Service 3.0
59: 2008-06-02 05:43:38 UTC - RP59 - ComboFix created restore point


-- First Restore Point --
1: 2008-05-19 19:57:23 UTC - RP1 - Unsigned driver install


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Silke.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:23 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Documents and Settings\Silke\Desktop\dss.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Silke.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://authoring.eonline.com
O15 - Trusted Zone: http://www.eonline.com
O15 - Trusted Zone: www.germandeli.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.onlinetvrecorder.com
O15 - Trusted Zone: http://order.store.yahoo.net
O15 - Trusted Zone: http://us-dc2-order.store.yahoo.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {79E7DCE2-6306-4996-B7CB-C2601B2B7BD1} (DownloadCtrl Class) - https://stream.web.d...fy/Download.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{964682B7-8147-48DE-8934-AB2CF8C4C2C7}: NameServer = 68.94.156.1 206.13.30.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10615 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080602-163026-637 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080602-163026-708 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
backup-20080602-163026-866 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 IPSECDRV (SafeNet IPSec Plugin) - c:\windows\system32\drivers\ipsecdrv.sys <Not Verified; SafeNet; SafeNet VPN Client>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 Crypto - c:\windows\system32\drivers\crypto.sys <Not Verified; SafeNet; SafeNet CSP>
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
R3 DNE (Deterministic Network Enhancer Miniport) - c:\windows\system32\drivers\dne2000.sys <Not Verified; Deterministic Networks, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - c:\program files\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; AntiVir Workstation>
R2 dsNcService (Juniper Network Connect Service) - c:\program files\juniper networks\common files\dsncservice.exe
R2 FlashCom (Flash Communication Server) - "c:\program files\macromedia\flash communication server mx\flashcom.exe" <Not Verified; Macromedia, Inc.; Flash Communication Server 1.0>
R2 FlashComAdmin (Flash Communication Admin Service) - "c:\program files\macromedia\flash communication server mx\flashcomadmin.exe" <Not Verified; Macromedia, Inc.; Flash Communication Server 1.0>
R2 IPSECMON (SafeNet Monitor Service) - "c:\program files\juniper\netscreen-remote\ipsecmon.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 IreIKE (SafeNet IKE Service) - "c:\program files\juniper\netscreen-remote\ireike.exe" <Not Verified; SafeNet; SafeNet VPN Client>

S4 BreezeApp (Macromedia Breeze Application Service) -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-02 17:00:45 438 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-02-25 03:05:39 372 --a------ C:\WINDOWS\Tasks\RegCure.job


-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-02 16:43:18 0 d-------- C:\WINDOWS\LastGood
2008-06-02 16:28:50 6684672 --a------ C:\Documents and Settings\Silke\ntuser.dat
2008-05-31 19:22:58 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2008-05-31 12:19:03 0 d-------- C:\WINDOWS\system32\vmm32
2008-05-31 12:01:54 68096 --a------ C:\WINDOWS\zip.exe
2008-05-31 12:01:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-31 12:01:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-31 12:01:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-31 12:01:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-31 12:01:54 98816 --a------ C:\WINDOWS\sed.exe
2008-05-31 12:01:54 80412 --a------ C:\WINDOWS\grep.exe
2008-05-31 12:01:54 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-28 23:40:35 0 d-------- C:\WINDOWS\ERUNT
2008-05-24 01:48:21 0 d-------- C:\Program Files\Trend Micro
2008-05-24 01:10:46 0 d-------- C:\Program Files\Panda Security
2008-05-23 23:50:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 23:50:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 23:50:22 0 d-------- C:\Documents and Settings\Silke\Application Data\SUPERAntiSpyware.com
2008-05-23 23:12:41 0 d-------- C:\Documents and Settings\Silke\Application Data\Malwarebytes
2008-05-23 23:12:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 23:12:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 23:12:02 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-20 12:56:14 0 d-------- C:\Documents and Settings\Silke\Application Data\Logitech
2008-05-20 12:56:10 0 d-------- C:\Documents and Settings\Silke\Application Data\ATI
2008-05-20 12:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-05-20 12:54:35 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-20 12:51:25 3712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-05-20 12:51:24 69632 --a------ C:\WINDOWS\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-05-20 12:51:24 110592 --a------ C:\WINDOWS\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-05-20 12:51:24 131072 --a------ C:\WINDOWS\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-05-20 12:51:24 155648 --a------ C:\WINDOWS\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-05-20 12:51:13 0 d-------- C:\Program Files\Logitech
2008-05-20 12:51:12 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-20 12:49:10 0 d-------- C:\Program Files\ATI
2008-05-20 12:48:28 0 d-------- C:\LXKZ600
2008-05-20 12:47:43 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-20 12:47:34 0 d-------- C:\Program Files\D-Link
2008-05-20 12:46:36 0 d-------- C:\ATI
2008-05-20 12:43:04 126976 --a------ C:\WINDOWS\system32\Imsmudlg.exe <Not Verified; Intel® Corporation; Uninstset Installation Utility>
2008-05-20 12:43:04 0 d-------- C:\WINDOWS\system32\ENU
2008-05-20 11:53:14 0 d-------- C:\Program Files\SymplisIT
2008-05-20 11:53:14 0 d-------- C:\Documents and Settings\All Users\Application Data\SymplisIT
2008-05-20 11:25:16 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-05-19 12:48:59 0 d-------- C:\WINDOWS\Prefetch
2008-05-19 05:35:08 0 d-------- C:\Program Files\GetData
2008-05-19 03:16:54 0 d-------- C:\WINDOWS\setup.pss
2008-05-19 02:48:54 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-19 02:48:54 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-19 02:48:54 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-19 02:48:54 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-19 02:48:54 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-19 02:48:54 1048576 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-05-19 02:48:54 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-19 02:48:54 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-19 02:48:54 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-19 02:48:54 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-19 02:48:54 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-19 02:48:54 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-19 02:48:54 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-19 02:48:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-05-19 00:26:16 0 d-------- C:\Documents and Settings\Silke\Application Data\Uniblue
2008-05-17 15:59:41 0 d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-17 15:44:45 0 d-------- C:\Program Files\SBC Yahoo!
2008-05-17 15:42:22 0 d-------- C:\Program Files\Yahoo!
2008-05-05 00:30:41 0 d-------- C:\Program Files\PrevxCSI
2008-05-05 00:30:39 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI


-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:01:15 0 d-------- C:\Documents and Settings\Silke\Application Data\Juniper Networks
2008-06-02 16:21:21 0 d-------- C:\Program Files\GTS
2008-06-01 00:14:53 0 d-------- C:\Documents and Settings\Silke\Application Data\DigiDelivery
2008-05-31 12:52:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-30 16:38:21 0 d-------- C:\Program Files\Juniper Networks
2008-05-24 01:10:47 4306 --a------ C:\WINDOWS\mozver.dat
2008-05-23 23:49:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 23:12:02 0 d-------- C:\Program Files\Common Files
2008-05-20 12:48:52 0 d-------- C:\Program Files\ATI Technologies
2008-05-20 12:44:55 0 d-------- C:\Program Files\Intel
2008-05-20 12:03:39 0 d-------- C:\Program Files\Dell
2008-05-19 12:55:30 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-19 12:41:45 24808 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-17 16:08:35 0 d-------- C:\Documents and Settings\Silke\Application Data\Yahoo!
2008-05-17 15:03:01 0 d-------- C:\Program Files\Creative
2008-05-13 11:58:04 0 d-------- C:\Documents and Settings\Silke\Application Data\Adobe
2008-05-01 15:47:27 54840 --a------ C:\Documents and Settings\Silke\Application Data\GDIPFONTCACHEV1.DAT
2008-04-30 12:49:52 61510 --a------ C:\WINDOWS\system32\dsGinaLoader.dll <Not Verified; Juniper Networks; Network Connect GINA>
2008-04-27 22:46:29 0 d-------- C:\Program Files\DivX
2008-04-24 01:31:58 0 d-------- C:\Documents and Settings\Silke\Application Data\Symantec
2008-04-24 00:27:59 0 d-------- C:\Program Files\Macromedia
2008-04-23 23:48:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 23:48:11 0 d-------- C:\Program Files\Norton Ghost
2008-04-23 22:35:16 0 d-------- C:\Program Files\Norton Ghost 14
2008-04-23 00:10:37 1802740 --a------ C:\Program Files\Multidecoder_1.0.0.42.zip
2008-04-19 12:55:10 0 d-------- C:\Documents and Settings\Silke\Application Data\GTS
2008-04-03 15:18:52 0 d-a------ C:\Program Files\Multidecoder_1.0.0.42


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/16/2006 11:34 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 02:50 PM]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [09/29/2002 11:00 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/04/2006 10:35 PM]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [04/17/2008 11:10 AM]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [07/27/2004 02:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [02/29/2008 10:14 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/24/2008 12:50 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 05/24/2008 12:50 AM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdateManager]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
"C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMagicSchedule]
"C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Mail Alarm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailAlarm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide-The-IP]
"C:\PROGRA~1\HIDETH~1\HIDETH~1.EXE" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
"C:\Program Files\Norton Ghost\Agent\VProTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
"C:\Program Files\Norton Ghost\Agent\VProTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BreezeApp"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SharedAccess"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-06-02 22:50:25 ------------

extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1022.09 MiB / 470.29 MiB
Pagefile Memory (total/avail): 2461.07 MiB / 1925.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.39 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.45 GiB total, 45.64 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080M0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 74.45 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Pro Firewall v6.1.744.001 (Zone Labs, Inc.)
AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe:*:Enabled:Sentinel Protection Server"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe"="C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe:*:Enabled:DriverMagic"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Silke\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SILKE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Silke
LOGONSERVER=\\SILKE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Silke\LOCALS~1\Temp
TMP=C:\DOCUME~1\Silke\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=SILKE
USERNAME=Silke
USERPROFILE=C:\Documents and Settings\Silke
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Silke (admin)
Administrator (new local, admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2\Program\SETUP.EXE" /S /U /W
--> "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
--> C:\PROGRA~1\Yahoo!\Common\unybase.exe
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{0CDCA5CD-C404-41FD-9216-9B4B3D24A7AA}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363435F2-7426-11D8-9966-00A0C9663221}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
530TX+ --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Ahead InCD EasyWrite Reader --> C:\WINDOWS\unmrw.exe /UNINSTALL
Ahead Nero - Burning Rom --> C:\WINDOWS\UNNERO.exe /UNINSTALL
AKAI professional DCVocoder 1.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\AKAI professional M.I. Corp.\AKAI professional DCVocoder\UninstDCVocoder.isu"
AKAI professional PitchRight v1.01-OxYGeN --> C:\PROGRA~1\VSTPLU~1\PITCHR~1.01\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\PITCHR~1.01\INSTALL.LOG
AKAI professional QuadComp 1.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\AKAI professional M.I. Corp.\AKAI professional QuadComp\UninstQuadComp.isu"
AltoMP3 Gold 5.20 --> C:\Program Files\AltoMP3 Gold\uninst.exe
AT&T Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\install.log
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallSh

Edited by MysteryMaster, 03 June 2008 - 12:22 AM.

  • 0

#15
koko_crunch
Posted 03 June 2008 - 04:51 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts

When I performed the HijackThis task and when it was done, I had trouble with my explorer, I basically couldn't use some of the features for work program (even though I only used only the R0 and R1 files), so I rolled the system back to before that...


How about now? Are you still having problems with your work program?

Also, the extra.txt got cut off, could you please re-post the log. You would be able to find it under c:\deckard.
Thanks. :)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP