
Please help removing spyware [RESOLVED]


  • This topic is locked

#1
AlphaFloor

    Member

  • Member
  • 22 posts
Hello

I would really appreciate some help removing this spyware. I've tried Kaspersky, Spybot S&D and SuperAntiSpyware, but I'm still getting "false" notifications. Also, I notice IEUpdate keeps adding itself to the registry each time the notification comes up saying I've been infected with "Spyware.cyberlog-x". Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:00 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\acledith.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6019 bytes

Also note that this entry "C:\WINDOWS\system32\acledith.exe" is the IEUpdate path that keeps adding itself each time the notification comes up, but when I perform a search it does not exist.

Edited by AlphaFloor, 31 May 2008 - 03:41 PM.

  • 0
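The two symptoms in the first post, an autostart entry that keeps reappearing and a target file that a search cannot find, can both be read off the logs in this thread. The Python script below is an added example and is not part of the thread, of HijackThis or of Deckard's System Scanner. It parses a constructed subset of the O4/R0 lines from the HijackThis log above and of the DSS "Files created" lines posted in reply #3, and reports what a helper would look at first: the same entry name registered in several autostart keys, entries in the RunServices keys (honoured only by Windows 9x/Me) on an NT platform, an autostart target whose DSS attribute field shows hidden and system, and an IE start page pointing at a local file. The attribute positions (hidden at index 3, system at index 4 of the nine-character DSS field) are an assumption read from the listing's own layout.

```python
"""Offline triage of HijackThis (HJT) O4/R0 lines against a Deckard's
System Scanner (DSS) file listing.  Added example; the sample input is a
constructed subset of lines copied from the logs posted in this thread."""
import re
from collections import defaultdict

# Constructed sample: selected lines from the HijackThis log in post #1.
HJT_SAMPLE = r"""
Platform: Windows XP SP2 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
"""

# Constructed sample: selected lines from the DSS "Files created" section in post #3.
DSS_SAMPLE = r"""
2008-05-31 16:39:47 0 d-------- C:\Program Files\Trend Micro
2008-05-31 08:24:39 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-31 08:20:51 96768 -r-hs---- C:\WINDOWS\system32\acledith.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$", re.M)
R0_RE = re.compile(r"^R0 - .*Start Page = (.+)$", re.M)
DSS_FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(\S{9})\s+(.+)$", re.M)
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|com))", re.I)


def target_path(value):
    """Reduce an O4 value to the launched file (drop quotes and arguments)."""
    value = value.strip().lstrip('"')
    m = EXE_RE.match(value)
    return m.group(1) if m else value


def parse_o4(text):
    """Return [(hive, key, name, path)] for every O4 autostart entry."""
    return [(h, k, n, target_path(v)) for h, k, n, v in O4_RE.findall(text)]


def parse_dss_files(text):
    """Map lowercase path -> 9-char DSS attribute field (d r a h s ...)."""
    return {p.strip().lower(): a for a, p in DSS_FILE_RE.findall(text)}


def triage(hjt_text, dss_text):
    """Return (kind, name, detail) findings a helper would look at first."""
    findings = []
    nt_platform = re.search(r"^Platform: .*WinNT", hjt_text, re.M) is not None
    entries = parse_o4(hjt_text)
    attrs = parse_dss_files(dss_text)

    # 1. One entry name registered in several autostart locations: removing
    #    a single key leaves the others in place, so the name keeps showing up.
    locations = defaultdict(list)
    for hive, key, name, _ in entries:
        locations[name].append(f"{hive}\\{key}")
    for name, locs in locations.items():
        if len(locs) > 1:
            findings.append(("multi_location", name, ", ".join(locs)))

    # 2. RunServices is processed only by Windows 9x/Me; a populated
    #    RunServices key on an NT-based platform is an anomaly worth a look.
    for hive, key, name, path in entries:
        if nt_platform and key.lower() == "runservices":
            findings.append(("runservices_on_nt", name, path))

    # 3. Autostart target carrying hidden+system attributes (assumed at
    #    positions 3-4 of the DSS field); the XP search skips such files
    #    unless told to include hidden and system files.
    seen = set()
    for _, _, name, path in entries:
        a = attrs.get(path.lower())
        if a and a[3:5] == "hs" and path.lower() not in seen:
            seen.add(path.lower())
            findings.append(("hidden_system_target", name, path))

    # 4. IE start page redirected to a local file instead of a URL.
    for page in R0_RE.findall(hjt_text):
        if re.match(r"[A-Za-z]:\\", page.strip()):
            findings.append(("local_start_page", "Start Page", page.strip()))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(HJT_SAMPLE, DSS_SAMPLE):
        print(f"{kind:22} {name:18} {detail}")
```

Run it as a script for a printed table, or import it and call triage() on a pasted HijackThis log and DSS main.txt; the findings are plain tuples so they are easy to sort or filter before writing a reply.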



#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello AlphaFloor

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
AlphaFloor

    Member

  • Topic Starter
  • Member
  • 22 posts
Hello!

Here is Main.txt

Deckard's System Scanner v20071014.68
Run by Bryan on 2008-05-31 17:12:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x0000007E


-- Last 4 Restore Point(s) --
4: 2008-05-31 22:12:38 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-05-31 20:39:08 UTC - RP3 - Installed SUPERAntiSpyware Professional
2: 2008-05-31 19:49:01 UTC - RP2 - Last known good configuration
1: 2008-05-31 19:48:58 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bryan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:58 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\acledith.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VRC\VRC.exe
D:\Misc Stuff\Hyper Backup\Lawd flightsim again!!!\Misc\vatsim\si202\ServInfo.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6325 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 papycpu2 - c:\windows\system32\drivers\papycpu2.sys
R1 papyjoy - c:\windows\system32\drivers\papyjoy.sys
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 SaiMini - c:\windows\system32\drivers\saimini.sys <Not Verified; Saitek; Configuration Software>
R3 SaiNtBus - c:\windows\system32\drivers\saibus.sys <Not Verified; Saitek; Configuration Software>

S0 protect - c:\windows\system32\drivers\protect.sys (file missing)
S0 viaagp1 (VIA AGP Filter) - c:\windows\system32\drivers\viaagp1.sys (file missing)
S3 CM1083264 (C-Media CM108 Like Sound UDAX Interface) - c:\windows\system32\drivers\cm108.sys (file missing)
S3 PciCon - f:\pcicon.sys (file missing)
S3 SE27bus (Sony Ericsson Device 039 Driver driver (WDM)) - c:\windows\system32\drivers\se27bus.sys <Not Verified; MCCI; Sony Ericsson Device 039 Driver>
S3 SE27mdfl (Sony Ericsson Device 039 USB WMC Modem Filter) - c:\windows\system32\drivers\se27mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Modem Filter Driver>
S3 SE27mdm (Sony Ericsson Device 039 USB WMC Modem Driver) - c:\windows\system32\drivers\se27mdm.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Data Modem>
S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-31 16:39:47 0 d-------- C:\Program Files\Trend Micro
2008-05-31 15:39:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 15:39:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 15:39:10 0 d-------- C:\Documents and Settings\Bryan\Application Data\SUPERAntiSpyware.com
2008-05-31 15:38:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:48:48 6006 --ahs---- C:\WINDOWS\system32\rtwvvGgh.ini2
2008-05-31 14:38:42 2692 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 09:12:08 0 d-------- C:\!KillBox
2008-05-31 08:31:19 0 --a------ C:\WINDOWS\svcinit.exe
2008-05-31 08:31:17 0 --a------ C:\WINDOWS\svchost32.exe
2008-05-31 08:31:14 0 --a------ C:\WINDOWS\searchword.dll
2008-05-31 08:31:10 0 --a------ C:\WINDOWS\quicken.exe
2008-05-31 08:31:09 0 --a------ C:\WINDOWS\qttasks.exe
2008-05-31 08:31:04 0 --a------ C:\WINDOWS\mswsc20.dll
2008-05-31 08:31:02 0 --a------ C:\WINDOWS\mswsc10.dll
2008-05-31 08:30:59 0 --a------ C:\WINDOWS\msspi.dll
2008-05-31 08:30:59 0 --a------ C:\WINDOWS\msconfd.dll
2008-05-31 08:30:45 0 --a------ C:\WINDOWS\dnsrelay.dll
2008-05-31 08:30:44 0 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-31 08:24:39 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-31 08:24:39 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-31 08:23:31 19744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-31 08:23:31 4478240 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-31 08:23:30 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-31 08:23:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 08:20:51 96768 -r-hs---- C:\WINDOWS\system32\acledith.exe
2008-05-31 08:20:50 0 d--hs---- C:\WINDOWS\QnJ5YW4
2008-05-31 08:20:42 0 d-------- C:\WINDOWS\system32\z1
2008-05-31 08:20:42 0 d-------- C:\WINDOWS\system32\ps5
2008-05-31 08:20:40 0 d-------- C:\WINDOWS\system32\vntiho06
2008-05-31 08:20:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-31 08:20:13 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-31 08:20:12 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-17 20:34:09 0 d-------- C:\Digital Aviation


-- Find3M Report ---------------------------------------------------------------

2008-05-31 15:38:55 0 d-------- C:\Program Files\Common Files
2008-05-31 08:17:21 0 d-------- C:\Documents and Settings\Bryan\Application Data\Azureus
2008-05-30 20:10:59 0 d-------- C:\Program Files\TOPCAT
2008-05-30 19:54:36 0 d-------- C:\Program Files\FSBuild
2008-05-20 16:12:08 0 d-------- C:\Program Files\Messenger Plus! Live
2008-05-20 16:12:07 0 d-------- C:\Program Files\MSN Messenger
2008-05-18 14:34:59 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-05-18 14:25:06 0 d-------- C:\Documents and Settings\Bryan\Application Data\teamspeak2
2008-05-07 17:23:52 0 d-------- C:\Documents and Settings\Bryan\Application Data\Free Download Manager
2008-04-26 09:12:04 0 d-------- C:\Program Files\MagicDisc
2008-03-22 19:27:34 100883 -r-hs---- C:\cb.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [11/03/2005 11:09 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 03:01 AM]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [10/18/2005 02:34 PM]
"nwiz"="nwiz.exe" [04/19/2007 01:26 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [04/19/2007 01:26 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/19/2007 01:26 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINDOWS\KHALMNPR.Exe]
"AGRSMMSG"="AGRSMMSG.exe" [10/07/2004 09:50 PM C:\WINDOWS\AGRSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [05/31/2008 08:20 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]
"Free Uploader Oe Integration"="D:\Programs\Free Download Manager\FUM\fumoei.exe" [06/10/2007 07:02 PM]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [05/31/2008 08:20 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/13/2008 12:43 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\acledith.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\acledith.exe

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [4/26/2008 9:11:55 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGvvwtr
"IEUpdate"= C:\WINDOWS\system32\acledith.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab4e-125c-11dd-85c4-00138f037a10}]
AutoRun\command- cb.bat
explore\Command- cb.bat
open\Command- cb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab54-125c-11dd-85c4-00138f037a10}]
AutoRun\command- cb.bat
explore\Command- cb.bat
open\Command- cb.bat




-- End of Deckard's System Scanner: finished at 2008-05-31 17:15:21 ------------

and Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ 2400+
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 767.48 MiB / 397.77 MiB
Pagefile Memory (total/avail): 1874.29 MiB / 1445.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.18 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 25.75 GiB free.
D: is Fixed (NTFS) - 37.24 GiB total, 17.11 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - ST380215A - 74.53 GiB - 1 partition
\PARTITION0 - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE0 - WDC WD400BB-18DEA0 - 37.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.24 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\STHIW\\stInstall.exe"="E:\\STHIW\\stInstall.exe:*:Enabled:SpeedTouch Home Install Wizard"
"F:\\STHIW\\stInstall.exe"="F:\\STHIW\\stInstall.exe:*:Enabled:SpeedTouch Home Install Wizard"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bryan\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-B05B31F042
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bryan
LOGONSERVER=\\HOME-B05B31F042
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Bryan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Bryan\LOCALS~1\Temp
USERDOMAIN=HOME-B05B31F042
USERNAME=Bryan
USERPROFILE=C:\Documents and Settings\Bryan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bryan (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> D:\Programs\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> D:\Programs\DivX\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
737-300 Pilot in Command --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_737-300PIC.exe
737 Pilot in Command - 400/500 Upgrade --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_737PIC.exe
ActiveSky Version 6 and ActiveSky Graphics --> MsiExec.exe /X{1819F22A-8B42-4CF5-88C1-97B6F4A7849A}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-000000000001}
Advanced Voice Client 1.0 --> "C:\Program Files\Advanced Voice Client\unins000.exe"
aerosoft's - Balearen-Gibraltar - FS2004 --> "C:\Program Files\Microsoft Games\Flight Simulator 9\aerosoft\Uninstall.exe" "uninstall_Balearen-Gibraltar.ini" "C:\Program Files\Microsoft Games\Flight Simulator 9"
aerosoft's - Budapest 2007 - FS2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0976C02C-0F73-447D-9657-5318C0C45A05}\Setup.exe" -uninst
aerosoft's - Wonderful Madeira - FS2004 --> "C:\Program Files\Microsoft Games\Flight Simulator 9\uninstall_Wonderful Madeira.exe"
Agere Systems PCI Soft Modem --> agrsmdel
Airbus Series Vol.2 (FS2004) --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_Airbus2_wilco.exe
AVC Tuner --> C:\Program Files\Advanced Voice Client Tuner\Uninstal.exe
Azureus --> D:\Programs\Azureus\Uninstall.exe
BearShare --> D:\Programs\BEARSH~1\UNWISE.EXE D:\Programs\BEARSH~1\INSTALL.LOG
Ben Gurion Airport 2006 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
BF-Quito 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Addon Scenery\Forero\Quito2005\UnInstall_quito2005.exe
Call of Duty --> D:\Programs\CALLOF~1\Uninstall\Unwise.exe /u D:\Programs\CALLOF~1\Uninstall\Install.log
CCleaner (remove only) --> "D:\Programs\CCleaner\uninst.exe"
China-Macau scenery for FS2004 --> c:\Program Files\Microsoft Games\Flight Simulator 9\Addon Scenery\macau2005\Uninstal.exe
COLOMBIA VIRTUAL P.E. 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
CRJ Experience --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
CRJ New Generation --> C:\Program Files\Microsoft Games\Flight Simulator 9\crjng_uninstal.exe
DivX Codec --> D:\Programs\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> D:\Programs\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> D:\Programs\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> D:\Programs\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> D:\Programs\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EditVoicepack --> MsiExec.exe /I{1EC65D1D-3911-4F7D-8B6A-63C69EDBFC6E}
eMule --> "D:\Programs\eMule\Uninstall.exe"
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Flight One ATR 72-500 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\ATR_Beta.ini"
Fly the MADDOG 2006 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall Fly the Maddog 2006.exe
Fly the MADDOG 2006 liveries --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall Liveries.exe
Fly to Brazil #6 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\irunin.ini"
Fokker 70-100 --> C:\Program Files\Microsoft Games\Flight Simulator 9\UnFokker70-FS9.exe
Follow Me Multiplayer --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
Free Download Manager 2.5 --> "D:\Programs\Free Download Manager\unins000.exe"
FS Global 2005 --> C:\PROGRA~1\MICROS~4\FLIGHT~1\pilotsSW\fsg2k5\uninstal.exe C:\PROGRA~1\MICROS~4\FLIGHT~1\pilotsSW\fsg2k5
FS Real Time v1.62.2 --> C:\WINDOWS\iun6002.exe "C:\Program Files\FS Real Time\irunin.ini"
FSBuild 2 --> C:\Program Files\FSBuild\UnInstall_19636.exe
FSNavigator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F76FF6D-B992-4FD9-8686-F09F868B2C58}\Setup.exe" -l0x9
FSPause12 --> MsiExec.exe /I{94147A93-0288-42D6-8DCC-D35CBA84FC3A}
Fuel Loader --> C:\Program Files\Simulation Hardware\Fuel Loader\Uninstal.exe
Greatest Airliners: 727 --> "C:\Program Files\Microsoft Games\Flight Simulator 9\uninstall_GA727.exe" "/U:C:\Program Files\Microsoft Games\Flight Simulator 9\F1DF_GA727.xml"
GUARULHOS INTERNATIONAL AIRPORT --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Bryan\Desktop\Fs2004 - WorldSceneries - Guarulhos Sao Paulo\wsuninstall\irunin_GR.ini"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IFSD Irish Scenery --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\Addon Scenery\ifsd_scenery\IFSD\installer\irunin.ini"
Ivalo 2.0 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_Ivalo2.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
KEWR Newark --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall KEWR.exe
KLGA La Guardia --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall KLGA.exe
LAGO Male Scenery FS2004 2.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35E853C8-8E86-4259-B4D6-E2B5BEDDABCD}\Setup.exe" -l0x9
LAGO Twin Otter Version 2.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0663708C-35D2-4A9B-AD98-2D49FB6729B6}\Setup.exe" -l0x9
Legendary C-130 --> C:\Program Files\Microsoft Games\Flight Simulator 9\csC130_uninstall.exe
Level-D Simulations 767-300 --> C:\Program Files\Microsoft Games\Flight Simulator 9\UnLvld767.exe
Magic ISO Maker v5.4 (build 0237) --> D:\Programs\MagicISO\UNWISE.EXE D:\Programs\MagicISO\INSTALL.LOG
MagicDisc 2.6.93 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Media Converter SA Edition 0.8 --> D:\Programs\Media Converter SA Edition\uninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator 2004 A Century of Flight --> "C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 --> MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NCalc 5.1.0 --> "C:\Program Files\NCalc5\unins000.exe"
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OCS PT-154 --> C:\WINDOWS\OCS PT-154 Uninstaller.exe
Photohands 1.0E --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{544FB392-069D-4BA5-9DC7-FFD47230AEE5}\Setup.exe"
PMDG 747-400 FS9 Update V1R12 (Unifies to FSX) --> C:\Program Files\InstallShield Installation Information\{304DAE83-906F-4005-BA09-2870349ABD14}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDG 747-400F GE Atlas --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{044DB990-522B-4E0E-90E0-9868576D567A}\setup.exe" -l0x9 -removeonly
PMDG 747-400F GE Polar Air Cargo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F091397A-BAF6-428D-B278-19541A83BBAE}\setup.exe" -l0x9 -removeonly
PMDG 747-400F PW FedEx --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9CDD8DA2-7BFE-40FD-AEC8-5A48B7C88BFB}\setup.exe" -l0x9 -removeonly
PMDG 747-400F RR Cargolux VCV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0781BF9-33E6-442B-8167-D60F01E34F6E}\setup.exe" -l0x9 -removeonly
PMDG_747-400_Sound_Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2758F387-D016-4725-9D03-AB039364DF3D}\setup.exe" -l0x9 -removeonly
PMDG747_400 Queen of the Skies --> C:\Program Files\InstallShield Installation Information\{97679567-0095-464E-B5F2-E218A1CF3421}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDG747_400_PW_Singapore --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1BF1967F-7879-494C-BB0A-493653C90857}\setup.exe" -l0x9 -removeonly
PMDG747_400F --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{164360E5-0AAD-48AD-8A36-3F8A859FAB6F}\setup.exe" -l0x9 -removeonly
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PSS B777 Professional 2004 (777-200 LR) 2.1 --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Bryan\Desktop\777\PSS\772LR_uni.ini"
PSS Boeing 757 Pro 2006 1.3 --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Bryan\Desktop\757\PSS\757_ALL.ini"
PT Tu154M --> MsiExec.exe /I{9A9DC850-9444-4DB0-A364-B0F6B555A647}
Radar Contact Version 4.0 --> "C:\Program Files\rcv4\unins000.exe"
Radar Contact Version 4.01 --> "C:\Program Files\rcv4\unins001.exe"
Ready for Pushback V2_10 Full Version --> C:\Program Files\Microsoft Games\Flight Simulator 9\RFP_V2_Upgrade_Unistaller.exe
Remove UK2000 Part 1 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 1\irunin.ini
Remove UK2000 Part 2 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 2\irunin.ini
Remove UK2000 Part 3 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 3\irunin.ini
Remove UK2000 Part 4 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 4\irunin.ini
Remove UK2000 Part 5 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 5\irunin.ini
Remove UK2000 Part 6 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 6\irunin.ini
Remove UK2000 Part7 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part7\irunin.ini
Rovaniemi 4.1 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall_Rovaniemi41.exe
Saitek SST Programming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{967FB80D-56BD-42EF-A942-9E8C78F984A4}\Setup.exe" -l0x9 -removeonly
SimCharts 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{61812F6F-0705-4B20-B914-32C1E3C155C7}\Setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "D:\Programs\Spybot - Search & Destroy\unins000.exe"
SquawkBox 3 --> C:\Program Files\SquawkBox3\sbuninstall.exe SquawkBox 3
SSTSIM --> "C:\WINDOWS\SSTSIM\uninstall.exe" "/U:C:\Program Files\Microsoft Games\Flight Simulator 9\SSTSIM\data\Uninstall\uninstall.xml"
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWAT 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8} uninstall
São Paulo - Congonhas Airport X-Generation --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\sbspx9unin.ini"
TeamSpeak 2 RC2 --> D:\Programs\Teamspeak2_RC2\unins000.exe
TeamSpeak 2 Server RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TJSJ San Juan --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall TJSJ.exe
TOPCAT 2.20 (26MAR08) --> C:\Program Files\TOPCAT\uninst.exe
TTS_Technology --> MsiExec.exe /I{AC696733-F8C5-4EAD-B165-AC8AB8C2A755}
Ultimate Traffic --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\UT13.ini"
UPDATE 01 COLVIRTUAL PE 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\desinstalar_colvape2k5.exe
UPDATE 02 COLVIRTUAL PE 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\uninstallupd2.exe
UPDATE 03 COLVIRTUAL PE 2005 (FS2004) --> C:\Program Files\Microsoft Games\Flight Simulator 9\uninstallupd2.exe
VRC --> "C:\Program Files\VRC\uninstall.exe"
vroute.info --> rundll32.exe dfshim.dll,ShArpMaintain vroute.info.application, Culture=en, PublicKeyToken=5accc01de4247373, processorArchitecture=msil
Winamp --> "D:\Programs\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wonderful Rio Full Pack --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9/wsuninstall\Wonderful Rio Full Packirunin.ini"


-- Application Event Log -------------------------------------------------------

Event Record #/Type14727 / Warning
Event Submitted/Written: 05/31/2008 04:53:47 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type14726 / Warning
Event Submitted/Written: 05/31/2008 04:53:47 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 800401E4.

Event Record #/Type14725 / Error
Event Submitted/Written: 05/31/2008 04:47:18 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application profileru.exe, version 4.3.3.2059, faulting module profileru.exe, version 4.3.3.2059, fault address 0x00006832.
Processing media-specific event for [profileru.exe!ws!]

Event Record #/Type14724 / Warning
Event Submitted/Written: 05/31/2008 04:46:50 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type14723 / Warning
Event Submitted/Written: 05/31/2008 04:46:50 PM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37192 / Error
Event Submitted/Written: 05/31/2008 04:23:57 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type37161 / Error
Event Submitted/Written: 05/31/2008 03:19:49 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type37144 / Error
Event Submitted/Written: 05/31/2008 02:59:21 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
oreans32

Event Record #/Type37139 / Error
Event Submitted/Written: 05/31/2008 02:57:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type37138 / Error
Event Submitted/Written: 05/31/2008 02:57:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-05-31 17:15:21 ------------
  • 0

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to the entries below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe

Now click on Fix Checked and then close HijackThis.
=====================================================
Please visit this web page for instructions on downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
  • 0
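The entries kahdah asks to have fixed share a few mechanical tells: a browser start page pointing at a local .mht file, BHO CLSIDs with no file behind them, one binary registered under several Run/RunServices keys at once, and a Winlogon Notify entry whose DLL path is just a directory. This Python triage script is an added example, not part of the thread or of HijackThis; it runs over constructed HijackThis-style lines copied from the entries quoted in this thread and reports those four patterns.

```python
"""Triage a HijackThis-style log for the persistence tells seen in this thread.

Added example, not from the thread or from HijackThis itself. The sample
lines below are constructed from entries quoted in the thread, plus two
legitimate entries (Java, SUPERAntiSpyware) that the script should ignore.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
"""

# R0/R1: "<hive>\<key>,<setting> = <value>"
R_RE = re.compile(r'^R[01] - HK\w+\\.*?,(?P<setting>[^=]+?)\s*=\s*(?P<value>.*)$')
# O4: "HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20: "Winlogon Notify: <name> - <dll path>"
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# A value that is a local file rather than a URL
LOCAL_FILE_RE = re.compile(r'^(?:file://)?[A-Za-z]:\\', re.I)


def image_path(cmd):
    """Return the executable named by an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(\S+?\.(?:exe|dll|bat|cmd|com|scr|pif))\b', cmd, re.I)
    return m.group(1) if m else (cmd.split()[0] if cmd else '')


def triage(log_text):
    """Return a list of (category, detail) findings for the given log text."""
    findings = []
    run_locations = defaultdict(set)   # lower-cased image path -> {"HKLM\Run", ...}
    run_names = {}                     # image path -> display name used in the Run key
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = R_RE.match(line)
        if m and LOCAL_FILE_RE.match(m.group('value')):
            # Start/search page redirected to a file on disk (fake warning page)
            findings.append(('local-start-page', line))
            continue
        if line.startswith('O2 - ') and line.endswith('(no file)'):
            # BHO registered under a CLSID with no DLL on disk
            findings.append(('orphan-bho', line))
            continue
        m = O4_RE.match(line)
        if m:
            img = image_path(m.group('cmd')).lower()
            run_locations[img].add(f"{m.group('hive')}\\{m.group('key')}")
            run_names[img] = m.group('name')
            continue
        m = O20_RE.match(line)
        if m and not re.search(r'\.\w{2,4}$', m.group('path')):
            # Notify package whose path has no file component (DLL hidden or missing)
            findings.append(('winlogon-notify-no-dll', line))
    for img, keys in run_locations.items():
        # Heuristic: legitimate software rarely needs more than two autorun keys;
        # the same binary under HKLM and HKCU Run *and* RunServices is a malware tell.
        if len(keys) >= 3:
            detail = f"[{run_names[img]}] {img} in {', '.join(sorted(keys))}"
            findings.append(('redundant-autorun', detail))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```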

#5
AlphaFloor
    Member
  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:43 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5693 bytes


And the ComboFix log:

ComboFix 08-05-29.1 - Bryan 2008-05-31 18:20:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.423 [GMT -5:00]
Running from: C:\Documents and Settings\Bryan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rtwvvGgh.ini
C:\WINDOWS\system32\rtwvvGgh.ini2
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\system32\z1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_PROTECT
-------\Service_clbdriver
-------\Service_protect


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-31 17:09 . 2008-05-31 17:09 <DIR> d-------- C:\Deckard
2008-05-31 16:39 . 2008-05-31 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\SUPERAntiSpyware.com
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 15:38 . 2008-05-31 15:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:51 . 2004-05-13 15:17 10,752 --a------ C:\WINDOWS\clb.dll
2008-05-31 14:38 . 2008-05-31 14:55 2,692 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 09:12 . 2008-05-31 09:12 <DIR> d-------- C:\!KillBox
2008-05-31 08:24 . 2008-05-31 13:46 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-31 08:24 . 2008-05-31 13:46 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-31 08:23 . 2008-05-31 08:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-31 08:23 . 2008-05-31 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 08:23 . 2008-05-31 18:29 5,686,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-31 08:23 . 2008-05-31 18:27 81,284 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-31 08:23 . 2008-05-31 18:29 46,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-31 08:23 . 2008-05-31 18:27 6,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-31 08:20 . 2008-05-31 08:20 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-31 08:20 . 2008-05-31 08:20 <DIR> d-------- C:\WINDOWS\system32\ps5
2008-05-31 08:20 . 2008-05-31 08:37 <DIR> d--hs---- C:\WINDOWS\QnJ5YW4
2008-05-31 08:20 . 2008-05-31 08:20 96,768 -r-hs---- C:\WINDOWS\system32\acledith.exe
2008-05-31 08:20 . 2008-05-31 18:06 78,378 --a------ C:\WINDOWS\system32\spywarewarning2.mht
2008-05-31 08:20 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-31 08:20 . 2008-05-31 08:20 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-20 16:05 . 2008-05-20 16:05 32,768 --a------ C:\WINDOWS\system32\vntiho06\vntiho061083.exe
2008-05-17 20:34 . 2008-05-17 20:35 <DIR> d-------- C:\Digital Aviation
2008-05-17 20:34 . 2008-05-17 20:34 2,048 --a------ C:\WINDOWS\f70100fs9.lic
2008-04-26 09:11 . 2008-04-26 09:12 <DIR> d-------- C:\Program Files\MagicDisc
2008-04-25 18:11 . 2008-05-31 08:21 <DIR> d-------- C:\kav
2008-04-24 19:17 . 2008-03-22 19:27 100,883 -r-hs---- C:\cb.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 18:46 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-31 13:17 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Azureus
2008-05-31 01:10 --------- d-----w C:\Program Files\TOPCAT
2008-05-31 00:54 --------- d-----w C:\Program Files\FSBuild
2008-05-20 21:12 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 21:12 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-18 19:34 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-05-18 19:25 --------- d-----w C:\Documents and Settings\Bryan\Application Data\teamspeak2
2008-05-07 22:23 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Free Download Manager
2008-03-29 02:16 --------- d-----w C:\Program Files\EuroScope
2008-02-27 01:58 286,720 ----a-w C:\WINDOWS\iun506.exe
2008-02-08 23:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2008-02-05 22:05 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-03 22:05 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-11 21:33 305 ----a-w C:\Program Files\FSBuildEKCH-EGBB.RTE
2007-07-03 04:00 90 --sh--w C:\WINDOWS\cnerolf.dat
2005-07-29 21:24 472 --sha-r C:\WINDOWS\QnJ5YW4\kBLcsqb.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Free Uploader Oe Integration"="D:\Programs\Free Download Manager\FUM\fumoei.exe" [2007-06-10 19:02 40960]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 21:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [2008-05-31 08:20 96768]

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-26 09:11:55 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38859:TCP"= 38859:TCP:PORT_38859
"41344:TCP"= 41344:TCP:PORT_41344

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 SaiH075C;SaiH075C;C:\WINDOWS\system32\DRIVERS\SaiH075C.sys [2006-07-27 06:49]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\CM108.sys []
S3 PciCon;PciCon;F:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab4e-125c-11dd-85c4-00138f037a10}]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab54-125c-11dd-85c4-00138f037a10}]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 18:29:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-31 18:36:58 - machine was rebooted [Bryan]
ComboFix-quarantined-files.txt 2008-05-31 23:36:44

Pre-Run: 27,501,387,776 bytes free
Post-Run: 27,763,519,488 bytes free

180


That IEUpdate thing is back, I noticed in the log, but the notifications are now gone.

EDIT: Never mind, they are back :)

Edited by AlphaFloor, 31 May 2008 - 06:13 PM.


#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

1. Please open Notepad:
  • Click Start, then Run.
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\WINDOWS\clb.dll
C:\WINDOWS\system32\acledith.exe
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\hljwugsf.bin
C:\cb.bat
C:\WINDOWS\cnerolf.dat
C:\WINDOWS\system32\wvUnKecb.dll
E:\Autorun.exe
Folder::
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\ps5
C:\WINDOWS\QnJ5YW4
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IEUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnKecb]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab4e-125c-11dd-85c4-00138f037a10}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab54-125c-11dd-85c4-00138f037a10}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#7 AlphaFloor (Topic Starter, Member, 22 posts)

Thanks for your help and patience.

Combofix log

ComboFix 08-05-29.1 - Bryan 2008-06-01 12:25:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.467 [GMT -5:00]
Running from: C:\Documents and Settings\Bryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bryan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\cb.bat
C:\WINDOWS\clb.dll
C:\WINDOWS\cnerolf.dat
C:\WINDOWS\system32\acledith.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\wvUnKecb.dll
E:\Autorun.exe
E:\autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cb.bat
C:\WINDOWS\clb.dll
C:\WINDOWS\cnerolf.dat
C:\WINDOWS\QnJ5YW4
C:\WINDOWS\QnJ5YW4\kBLcsqb.vbs
C:\WINDOWS\system32\acledith.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\ps5
C:\WINDOWS\system32\ps5\dutdtx2.exe
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
E:\autorun.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 19:51 . 2008-05-31 19:51 501,248 --a------ C:\WINDOWS\clbcatq.dll
2008-05-31 19:36 . 2008-05-31 20:06 107 --a------ C:\loadit.ini
2008-05-31 17:09 . 2008-05-31 17:09 <DIR> d-------- C:\Deckard
2008-05-31 16:39 . 2008-05-31 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\SUPERAntiSpyware.com
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 15:38 . 2008-05-31 15:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:38 . 2008-05-31 14:55 2,692 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 09:12 . 2008-05-31 09:12 <DIR> d-------- C:\!KillBox
2008-05-31 08:24 . 2008-05-31 13:46 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-31 08:24 . 2008-05-31 13:46 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-31 08:23 . 2008-05-31 08:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-31 08:23 . 2008-06-01 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 08:23 . 2008-06-01 12:35 6,630,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-31 08:23 . 2008-06-01 12:31 93,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-31 08:23 . 2008-06-01 12:34 57,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-31 08:23 . 2008-06-01 12:31 7,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-31 08:20 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-17 20:34 . 2008-05-17 20:35 <DIR> d-------- C:\Digital Aviation
2008-05-17 20:34 . 2008-05-17 20:34 2,048 --a------ C:\WINDOWS\f70100fs9.lic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 01:17 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-06-01 01:17 --------- d-----w C:\Documents and Settings\Bryan\Application Data\teamspeak2
2008-06-01 00:25 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Azureus
2008-05-31 18:46 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-31 01:10 --------- d-----w C:\Program Files\TOPCAT
2008-05-31 00:54 --------- d-----w C:\Program Files\FSBuild
2008-05-20 21:12 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 21:12 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-07 22:23 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Free Download Manager
2008-04-26 14:12 --------- d-----w C:\Program Files\MagicDisc
2008-01-11 21:33 305 ----a-w C:\Program Files\FSBuildEKCH-EGBB.RTE
.

((((((((((((((((((((((((((((( [email protected]_18.35.30.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 23:28:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 17:32:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-18 12:46:53 129,296 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-01 17:17:31 130,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2000-04-26 08:34:56 39,424 ----a-w C:\WINDOWS\system32\JETCOMP.exe
+ 2002-01-04 23:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
+ 2002-01-04 23:10:06 40,960 ----a-w C:\WINDOWS\system32\mfc70chs.dll
+ 2002-01-04 23:10:06 45,056 ----a-w C:\WINDOWS\system32\mfc70cht.dll
+ 2002-01-05 10:54:06 1,933,312 ----a-w C:\WINDOWS\system32\mfc70d.dll
+ 2002-01-04 23:10:04 61,440 ----a-w C:\WINDOWS\system32\mfc70deu.dll
+ 2002-01-05 11:10:06 57,344 ----a-w C:\WINDOWS\system32\mfc70enu.dll
+ 2002-01-04 23:10:06 61,440 ----a-w C:\WINDOWS\system32\mfc70esp.dll
+ 2002-01-04 23:10:04 61,440 ----a-w C:\WINDOWS\system32\mfc70fra.dll
+ 2002-01-04 23:10:06 61,440 ----a-w C:\WINDOWS\system32\mfc70ita.dll
+ 2002-01-04 23:10:04 49,152 ----a-w C:\WINDOWS\system32\mfc70jpn.dll
+ 2002-01-04 23:10:08 49,152 ----a-w C:\WINDOWS\system32\mfc70kor.dll
+ 2002-01-04 23:36:38 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
+ 2002-01-05 10:56:56 1,927,680 ----a-w C:\WINDOWS\system32\mfc70ud.dll
+ 2000-04-26 08:34:44 344,064 ----a-w C:\WINDOWS\system32\msexch35.dll
+ 2000-04-26 08:34:46 252,688 ----a-w C:\WINDOWS\system32\msexcl35.dll
+ 2000-04-26 08:34:48 1,050,896 ----a-w C:\WINDOWS\system32\msjet35.dll
+ 2000-04-26 08:35:02 139,264 ----a-w C:\WINDOWS\system32\msjint35.dll
+ 2000-04-26 08:34:48 1,238,288 ----a-w C:\WINDOWS\system32\msjt4jlt.dll
+ 2000-04-26 08:34:56 24,848 ----a-w C:\WINDOWS\system32\msjter35.dll
+ 2000-04-26 08:34:50 168,720 ----a-w C:\WINDOWS\system32\msltus35.dll
+ 2000-04-26 08:34:50 250,128 ----a-w C:\WINDOWS\system32\mspdox35.dll
+ 2000-04-26 08:34:50 262,144 ----a-w C:\WINDOWS\system32\msrd2x35.dll
+ 2000-04-26 08:34:56 415,504 ----a-w C:\WINDOWS\system32\msrepl35.dll
+ 2000-04-26 08:34:58 44,304 ----a-w C:\WINDOWS\system32\msrpfs35.dll
+ 2000-04-26 08:34:52 166,672 ----a-w C:\WINDOWS\system32\mstext35.dll
+ 2002-01-05 10:38:36 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
+ 2002-01-05 09:17:00 94,208 ----a-w C:\WINDOWS\system32\msvci70d.dll
+ 2002-01-04 22:40:20 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 09:16:10 536,576 ----a-w C:\WINDOWS\system32\msvcr70d.dll
+ 2000-04-26 08:34:52 294,912 ----a-w C:\WINDOWS\system32\msxbse35.dll
+ 2000-04-26 08:34:58 368,912 ----a-w C:\WINDOWS\system32\VBAR332.DLL
+ 2008-06-01 17:32:22 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_178.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Free Uploader Oe Integration"="D:\Programs\Free Download Manager\FUM\fumoei.exe" [2007-06-10 19:02 40960]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 21:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"combofix"="C:\WINDOWS\system32\CF31419.exe" [2004-08-04 07:00 388608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-26 09:11:55 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
IEUpdate REG_SZ C:\WINDOWS\system32\acledith.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38859:TCP"= 38859:TCP:PORT_38859
"41344:TCP"= 41344:TCP:PORT_41344

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 SaiH075C;SaiH075C;C:\WINDOWS\system32\DRIVERS\SaiH075C.sys [2006-07-27 06:49]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\CM108.sys []
S3 PciCon;PciCon;F:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab4e-125c-11dd-85c4-00138f037a10}]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab54-125c-11dd-85c4-00138f037a10}]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 12:33:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-01 12:39:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 17:39:29
ComboFix2.txt 2008-05-31 23:37:08

Pre-Run: 27,408,932,864 bytes free
Post-Run: 27,452,272,640 bytes free

216


Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:18 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF31419.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6480 bytes


I'm now getting a message that "regt.exe failed to start because clb.dll was not found. Reinstalling may fix the problem". I get the same for regedit.exe, but I guess that DLL can be reinstalled when everything is done.

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hi, please do one thing.

Submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in, one at a time.)

C:\Qoobox\Quarantine\C\Windows\clb.dll.vir
C:\WINDOWS\clbcatq.dll
C:\WINDOWS\system32\beep.sys


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#9 AlphaFloor (Topic Starter, Member, 22 posts)

Jotti File Scan seems to be down, so I used the other.

File clbcatq.dll received on 05.14.2007 00:49:37 (CET)
Current status: finished
Result: 2/31 (6.45%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - No threat detected
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Win32.Malware.gen!24 (suspicious)

File clb.dll.vir received on 05.01.2008 09:22:00 (CET)
Current status: finished
Result: 1/32 (3.12%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - BlockReason.0


File beep.sys received on 06.01.2008 13:31:04 (CET)
Current status: finished
Result: 0/31 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.30.1 2008.05.30 -
AntiVir 7.8.0.26 2008.06.01 -
Authentium 5.1.0.4 2008.06.01 -
Avast 4.8.1195.0 2008.05.31 -
AVG 7.5.0.516 2008.05.31 -
BitDefender 7.2 2008.06.01 -
CAT-QuickHeal 9.50 2008.05.31 -
ClamAV 0.92.1 2008.06.01 -
DrWeb 4.44.0.09170 2008.06.01 -
eSafe 7.0.15.0 2008.05.29 -
eTrust-Vet 31.4.5837 2008.05.30 -
Ewido 4.0 2008.06.01 -
F-Prot 4.4.4.56 2008.05.31 -
F-Secure 6.70.13260.0 2008.06.01 -
Fortinet 3.14.0.0 2008.06.01 -
GData 2.0.7306.1023 2008.06.01 -
Ikarus T3.1.1.26.0 2008.06.01 -
Kaspersky 7.0.0.125 2008.06.01 -
McAfee 5307 2008.05.30 -
Microsoft 1.3520 2008.06.01 -
NOD32v2 3149 2008.05.31 -
Norman 5.80.02 2008.05.30 -
Panda 9.0.0.4 2008.05.31 -
Prevx1 V2 2008.06.01 -
Rising 20.46.62.00 2008.06.01 -
Sophos 4.29.0 2008.06.01 -
Sunbelt 3.0.1139.1 2008.05.29 -
Symantec 10 2008.06.01 -
VBA32 3.12.6.6 2008.06.01 -
VirusBuster 4.3.26:9 2008.05.31 -
Webwasher-Gateway 6.6.2 2008.06.01 -
Additional information
File size: 4224 bytes
MD5...: da1f27d85e0d1525f6621372e7b685e9
SHA1..: e3d2dc5eb273fa701de8af13b60d6baac7629260
SHA256: 5a81a46a3bdd19dafc6c87d277267a5d44f3a1b5302f2cc1111d84b7bad5610d
SHA512: 8b8a95965ccaf51d578c2dd761abfc750fe464360e8244e5a06c2089586ac6fde2989e3ab7cc8b28a034c8c9fdba69c2641730674ca55d172d0d1a3e7e53fa8b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1066c
timedatestamp.....: 0x3b7d82e5 (Fri Aug 17 20:47:33 2001)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x424 0x480 5.77 64f775a399d212649b5b58a280791c2d
.rdata 0x780 0xad 0x100 2.62 0ace5f365131534c66de4137833221ad
INIT 0x880 0x284 0x300 4.44 13a9d0bea8490140305ffa9291acfd99
.rsrc 0xb80 0x3c8 0x400 3.22 9b654fc1759147ff04b147754f347be4
.reloc 0xf80 0x9a 0x100 2.80 5c4742feb834ca0995d1e806fe06cc57

( 2 imports )
> ntoskrnl.exe: MmLockPagableDataSection, KeCancelTimer, MmUnlockPagableImageSection, IoStartNextPacket, KeSetTimer, _allmul, IoStartPacket, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, IoCreateDevice, RtlInitUnicodeString, IoAcquireCancelSpinLock, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, IoReleaseCancelSpinLock, IoDeleteDevice, IofCompleteRequest
> HAL.dll: ExReleaseFastMutex, KfRaiseIrql, KfLowerIrql, HalMakeBeep, ExAcquireFastMutex

( 0 exports )

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

OK, go to this location: C:\Qoobox\Quarantine\C\Windows\clb.dll.vir. Right-click on that file only and choose Rename.
Rename it to clb.dll, removing the .vir extension.
Then right-click on it and choose Cut, go to C:\Windows, open the C:\Windows folder, then right-click and choose Paste.

On the next reboot you should not get the error message again.
That file looked to be a member of the rootkit that you have.
That is why I had you delete it.
This is one of the other files that is part of the rootkit: clbdriver.sys (note "clb" in both). Either way, according to the results from the upload, I had you restore the file to its original location.
====================================
1. Please open Notepad:
  • Click Start, then Run.
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\WINDOWS\system32\acledith.exe
E:\cb.bat
E:\Autorun.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IEUpdate"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IEUpdate"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000 
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab4e-125c-11dd-85c4-00138f037a10}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab54-125c-11dd-85c4-00138f037a10}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

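As an added example (not part of this thread, and not how kahdah built the CFScripts in #6 and #10): a Python script that reads the "Reg Loading Points" section of a ComboFix log in the format posted in #7, flags the kinds of autostart entry both CFScripts target (a value whose file details are an empty "[ ]", one value name persisted under several Run/RunServices keys, and mountpoints2 keys carrying \Shell\...\command autorun handlers), and drafts the matching Registry:: block using the same `"name"=-` and `[-key]` syntax the scripts use. The sample log and the flagging heuristics are constructed for this example.

```python
"""Read the "Reg Loading Points" section of a ComboFix log and draft the
Registry:: block of a CFScript.  The flagging heuristics are this example's
own; the output is a draft for a helper to review, not something to run blind."""
import re
from collections import defaultdict

# Constructed sample, modelled on the Reg Loading Points format of the logs
# in this thread (not copied from them).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6ab4e-125c-11dd-85c4-00138f037a10}]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                            # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')      # "name"="data" [details]
SHELL_RE = re.compile(r'^\\Shell\\(\w+)\\[Cc]ommand - (.+)$')  # mountpoints2 handler


def is_autostart(key):
    """True for ...\Run and ...\RunServices keys under either hive."""
    return key.rsplit("\\", 1)[-1].lower() in ("run", "runservices")


def parse_loading_points(text):
    """Return (values, shells):
    values: key -> [(name, data, details)] for "name"="data" [details] lines
    shells: key -> [(verb, command)]        for \Shell\<verb>\command lines"""
    values, shells = defaultdict(list), defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not key:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[key].append((m.group(1), m.group(2), m.group(3).strip()))
            continue
        m = SHELL_RE.match(line)
        if m:
            shells[key].append((m.group(1), m.group(2)))
    return dict(values), dict(shells)


def flag_entries(values, shells):
    """Heuristics (constructed for this example):
    1. autostart value with empty details: ComboFix printed "[ ]" because it
       could not read the target file's date/size (missing or hidden);
    2. one value name persisted under two or more autostart keys;
    3. any mountpoints2 key that carries \Shell\...\command handlers.
    Returns (value_deletions [(key, name, reason)], key_deletions [(key, reason)])."""
    by_name = defaultdict(set)
    for key, entries in values.items():
        if is_autostart(key):
            for name, _, _ in entries:
                by_name[name].add(key)
    value_deletions = []
    for key, entries in values.items():
        if not is_autostart(key):
            continue
        for name, data, details in entries:
            if details == "":
                value_deletions.append((key, name, "no file details for %s" % data))
            elif len(by_name[name]) > 1:
                value_deletions.append((key, name, "same name in %d autostart keys" % len(by_name[name])))
    key_deletions = [(key, "autorun handler runs %s" % cmds[0][1])
                     for key, cmds in shells.items() if "mountpoints2" in key.lower()]
    return value_deletions, key_deletions


def build_cfscript_registry(value_deletions, key_deletions):
    """Emit a Registry:: block: "name"=- deletes a value, [-key] deletes a key."""
    lines, current = ["Registry::"], None
    for key, name, _ in value_deletions:
        if key != current:
            lines.append("[%s]" % key)
            current = key
        lines.append('"%s"=-' % name)
    for key, _ in key_deletions:
        lines.append("[-%s]" % key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    vals, shell_cmds = parse_loading_points(SAMPLE_LOG)
    flagged_values, flagged_keys = flag_entries(vals, shell_cmds)
    for key, name, reason in flagged_values:
        print("flag %-10s %s  (%s)" % (name, key, reason))
    for key, reason in flagged_keys:
        print("flag key %s  (%s)" % (key, reason))
    print()
    print(build_cfscript_registry(flagged_values, flagged_keys))
```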


#11 AlphaFloor (Topic Starter, Member, 22 posts)

ComboFix 08-05-29.1 - Bryan 2008-06-01 16:16:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512 [GMT -5:00]
Running from: C:\Documents and Settings\Bryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bryan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\acledith.exe
E:\Autorun.exe
E:\autorun.exe
E:\cb.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 13:48 . 2008-06-01 13:48 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-01 13:48 . 2008-06-01 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 13:48 . 2008-06-01 16:27 1,127,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-01 13:48 . 2008-06-01 14:02 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-01 13:48 . 2008-06-01 14:02 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-01 13:48 . 2008-06-01 16:22 19,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-01 13:48 . 2008-06-01 16:26 12,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-01 13:48 . 2008-06-01 16:22 3,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-31 19:51 . 2008-05-31 19:51 501,248 --a------ C:\WINDOWS\clbcatq.dll
2008-05-31 19:36 . 2008-06-01 15:59 107 --a------ C:\loadit.ini
2008-05-31 17:09 . 2008-05-31 17:09 <DIR> d-------- C:\Deckard
2008-05-31 16:39 . 2008-05-31 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\SUPERAntiSpyware.com
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 15:38 . 2008-05-31 15:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:51 . 2004-05-13 15:17 10,752 --a------ C:\WINDOWS\clb.dll
2008-05-31 14:38 . 2008-05-31 14:55 2,692 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 09:12 . 2008-05-31 09:12 <DIR> d-------- C:\!KillBox
2008-05-31 08:20 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-17 20:34 . 2008-05-17 20:35 <DIR> d-------- C:\Digital Aviation
2008-05-17 20:34 . 2008-05-17 20:34 2,048 --a------ C:\WINDOWS\f70100fs9.lic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 21:15 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Free Download Manager
2008-06-01 20:24 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-06-01 19:02 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-01 01:17 --------- d-----w C:\Documents and Settings\Bryan\Application Data\teamspeak2
2008-06-01 00:25 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Azureus
2008-05-31 01:10 --------- d-----w C:\Program Files\TOPCAT
2008-05-31 00:54 --------- d-----w C:\Program Files\FSBuild
2008-05-20 21:12 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 21:12 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-26 14:12 --------- d-----w C:\Program Files\MagicDisc
2008-01-11 21:33 305 ----a-w C:\Program Files\FSBuildEKCH-EGBB.RTE
.

((((((((((((((((((((((((((((( snapshot_2008-06-01_12.38.53.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 17:32:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 21:23:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 21:23:29 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Free Uploader Oe Integration"="D:\Programs\Free Download Manager\FUM\fumoei.exe" [2007-06-10 19:02 40960]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 11:09 126976]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 14:34 163840]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 21:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" [ ]

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-26 09:11:55 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38859:TCP"= 38859:TCP:PORT_38859
"41344:TCP"= 41344:TCP:PORT_41344

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 SaiH075C;SaiH075C;C:\WINDOWS\system32\DRIVERS\SaiH075C.sys [2006-07-27 06:49]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\CM108.sys []
S3 PciCon;PciCon;F:\PciCon.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 16:24:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-01 16:31:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 21:31:45
ComboFix2.txt 2008-06-01 17:39:41
ComboFix3.txt 2008-05-31 23:37:08

Pre-Run: 27,144,597,504 bytes free
Post-Run: 27,134,517,248 bytes free

138


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:27 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5394 bytes

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#13
AlphaFloor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Malwarebytes' Anti-Malware 1.14
Database version: 813

6:31:25 PM 6/1/2008
mbam-log-6-1-2008 (18-31-25).txt

Scan type: Quick Scan
Objects scanned: 36452
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Homepage.Hijack) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\Main\Start Page (Homepage.Hijack) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And another HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:58 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6120 bytes


So am I finally clean now?

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Not quite:
Please go to Start > Run, then copy/paste this in: "%userprofile%\desktop\dss.exe" /config and hit OK.
Place a check next to everything and click on ok or scan.
Post those logs please.

#15
AlphaFloor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hey! Sorry for the late reply.

Deckard's System Scanner v20071014.68
Run by Bryan on 2008-06-02 19:54:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-06-03 00:54:20 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2008-06-01 21:16:18 UTC - RP9 - ComboFix created restore point
8: 2008-06-01 18:48:00 UTC - RP8 - Installed Kaspersky Internet Security 7.0.
7: 2008-06-01 18:42:17 UTC - RP7 - Removed Kaspersky Internet Security 7.0.
6: 2008-06-01 17:24:19 UTC - RP6 - ComboFix created restore point


-- First Restore Point --
1: 2008-05-31 19:48:58 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bryan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:03 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
D:\Programs\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bryan\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] D:\Programs\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Programs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - D:\Programs\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185981081156
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUnKecb - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5820 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080531-174457-485 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
backup-20080531-174458-101 O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
backup-20080531-174458-216 O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
backup-20080531-174458-227 O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - (no file)
backup-20080531-174458-235 O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-174458-368 O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-174458-401 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080531-174458-567 O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-174458-796 O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-181201-490 O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-181201-710 O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-181201-885 O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\acledith.exe
backup-20080531-181201-918 O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\acledith.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 papycpu2 - c:\windows\system32\drivers\papycpu2.sys
R1 papyjoy - c:\windows\system32\drivers\papyjoy.sys
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 SaiMini - c:\windows\system32\drivers\saimini.sys <Not Verified; Saitek; Configuration Software>
R3 SaiNtBus - c:\windows\system32\drivers\saibus.sys <Not Verified; Saitek; Configuration Software>

S0 viaagp1 (VIA AGP Filter) - c:\windows\system32\drivers\viaagp1.sys (file missing)
S3 CM1083264 (C-Media CM108 Like Sound UDAX Interface) - c:\windows\system32\drivers\cm108.sys (file missing)
S3 PciCon - f:\pcicon.sys (file missing)
S3 SE27bus (Sony Ericsson Device 039 Driver driver (WDM)) - c:\windows\system32\drivers\se27bus.sys <Not Verified; MCCI; Sony Ericsson Device 039 Driver>
S3 SE27mdfl (Sony Ericsson Device 039 USB WMC Modem Filter) - c:\windows\system32\drivers\se27mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Modem Filter Driver>
S3 SE27mdm (Sony Ericsson Device 039 USB WMC Modem Driver) - c:\windows\system32\drivers\se27mdm.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Data Modem>
S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 1032)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 356)
2005-09-23 07:28:38 83456 --a------ C:\WINDOWS\system32\dfshim.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:52 270848 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2007-06-27 15:21:20 86016 --a------ D:\Programs\Free Download Manager\FUM\fumshext.dll
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2002-05-14 18:22:34 122880 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-06-05 14:06:22 20992 --a------ D:\Programs\MagicISO\misosh.dll <Not Verified; MagicISO, Inc.; MagicISO Shell Extension Module>

C:\WINDOWS\system32\rundll32.exe (pid 1920)
2007-04-19 13:26:00 212992 --a------ C:\WINDOWS\system32\nvapi.dll


-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 18:24:28 0 d-------- C:\Documents and Settings\Bryan\Application Data\Malwarebytes
2008-06-01 18:24:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-01 18:24:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 16:41:13 90 ---hs---- C:\WINDOWS\cnerolf.dat
2008-06-01 13:48:51 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-01 13:48:51 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-01 13:48:09 31008 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-01 13:48:09 2429984 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-01 13:48:09 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-01 13:48:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 18:15:13 68096 --a------ C:\WINDOWS\zip.exe
2008-05-31 18:15:13 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-31 18:15:13 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-31 18:15:13 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-31 18:15:13 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-31 18:15:13 98816 --a------ C:\WINDOWS\sed.exe
2008-05-31 18:15:13 80412 --a------ C:\WINDOWS\grep.exe
2008-05-31 18:15:13 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-31 18:00:01 0 d-------- C:\WINDOWS\setup.pss
2008-05-31 17:59:36 0 d-------- C:\WINDOWS\setupupd
2008-05-31 16:39:47 0 d-------- C:\Program Files\Trend Micro
2008-05-31 15:39:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 15:39:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 15:39:10 0 d-------- C:\Documents and Settings\Bryan\Application Data\SUPERAntiSpyware.com
2008-05-31 15:38:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:38:42 2692 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 09:12:08 0 d-------- C:\!KillBox
2008-05-31 08:20:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-31 08:20:13 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-17 20:34:09 0 d-------- C:\Digital Aviation


-- Find3M Report ---------------------------------------------------------------

2008-06-01 20:32:01 0 d-------- C:\Documents and Settings\Bryan\Application Data\Free Download Manager
2008-06-01 18:55:14 0 d-------- C:\Program Files\Microsoft Games
2008-06-01 16:40:19 0 d-------- C:\Program Files\FSBuild
2008-06-01 15:24:53 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-05-31 20:17:45 0 d-------- C:\Documents and Settings\Bryan\Application Data\teamspeak2
2008-05-31 19:25:13 0 d-------- C:\Documents and Settings\Bryan\Application Data\Azureus
2008-05-31 15:38:55 0 d-------- C:\Program Files\Common Files
2008-05-30 20:10:59 0 d-------- C:\Program Files\TOPCAT
2008-05-20 16:12:08 0 d-------- C:\Program Files\Messenger Plus! Live
2008-05-20 16:12:07 0 d-------- C:\Program Files\MSN Messenger
2008-04-26 09:12:04 0 d-------- C:\Program Files\MagicDisc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [11/03/2005 11:09 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 03:01 AM]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [10/18/2005 02:34 PM]
"nwiz"="nwiz.exe" [04/19/2007 01:26 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [04/19/2007 01:26 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/19/2007 01:26 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINDOWS\KHALMNPR.Exe]
"AGRSMMSG"="AGRSMMSG.exe" [10/07/2004 09:50 PM C:\WINDOWS\AGRSMMSG.exe]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]
"Free Uploader Oe Integration"="D:\Programs\Free Download Manager\FUM\fumoei.exe" [06/10/2007 07:02 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/13/2008 12:43 PM]

C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [4/26/2008 9:11:55 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"




-- End of Deckard's System Scanner: finished at 2008-06-02 19:56:25 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ 2400+
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 767.48 MiB / 493.09 MiB
Pagefile Memory (total/avail): 1874.29 MiB / 1613.03 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.1 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 25.43 GiB free.
D: is Fixed (NTFS) - 37.24 GiB total, 16.89 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - ST380215A - 74.53 GiB - 1 partition
\PARTITION0 - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE0 - WDC WD400BB-18DEA0 - 37.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.24 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\FS9.EXE"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\FS9.EXE:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bryan\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-B05B31F042
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bryan
LOGONSERVER=\\HOME-B05B31F042
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Bryan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Bryan\LOCALS~1\Temp
USERDOMAIN=HOME-B05B31F042
USERNAME=Bryan
USERPROFILE=C:\Documents and Settings\Bryan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bryan (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> D:\Programs\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> D:\Programs\DivX\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
737-300 Pilot in Command --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_737-300PIC.exe
737 Pilot in Command - 400/500 Upgrade --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_737PIC.exe
A310 The Master's Edition --> C:\Program Files\Microsoft Games\Flight Simulator 9\ssw.a310.Uninstal.exe
A310 The Master's Edition v1.5 Update --> 0:\Program Files\Microsoft Games\Flight Simulator 9\A310.Patch.1.5.Uninstal.exe
ActiveSky Version 6 and ActiveSky Graphics --> MsiExec.exe /X{1819F22A-8B42-4CF5-88C1-97B6F4A7849A}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-000000000001}
Advanced Voice Client 1.0 --> "C:\Program Files\Advanced Voice Client\unins000.exe"
aerosoft's - Balearen-Gibraltar - FS2004 --> "C:\Program Files\Microsoft Games\Flight Simulator 9\aerosoft\Uninstall.exe" "uninstall_Balearen-Gibraltar.ini" "C:\Program Files\Microsoft Games\Flight Simulator 9"
aerosoft's - Budapest 2007 - FS2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0976C02C-0F73-447D-9657-5318C0C45A05}\Setup.exe" -uninst
aerosoft's - Wonderful Madeira - FS2004 --> "C:\Program Files\Microsoft Games\Flight Simulator 9\uninstall_Wonderful Madeira.exe"
Agere Systems PCI Soft Modem --> agrsmdel
Airbus Series Vol.2 (FS2004) --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_Airbus2_wilco.exe
AVC Tuner --> C:\Program Files\Advanced Voice Client Tuner\Uninstal.exe
Azureus --> D:\Programs\Azureus\Uninstall.exe
BearShare --> D:\Programs\BEARSH~1\UNWISE.EXE D:\Programs\BEARSH~1\INSTALL.LOG
Ben Gurion Airport 2006 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
BF-Quito 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Addon Scenery\Forero\Quito2005\UnInstall_quito2005.exe
Call of Duty --> D:\Programs\CALLOF~1\Uninstall\Unwise.exe /u D:\Programs\CALLOF~1\Uninstall\Install.log
CCleaner (remove only) --> "D:\Programs\CCleaner\uninst.exe"
China-Macau scenery for FS2004 --> c:\Program Files\Microsoft Games\Flight Simulator 9\Addon Scenery\macau2005\Uninstal.exe
COLOMBIA VIRTUAL P.E. 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
CRJ Experience --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
CRJ New Generation --> C:\Program Files\Microsoft Games\Flight Simulator 9\crjng_uninstal.exe
DivX Codec --> D:\Programs\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> D:\Programs\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> D:\Programs\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> D:\Programs\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> D:\Programs\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EditVoicepack --> MsiExec.exe /I{1EC65D1D-3911-4F7D-8B6A-63C69EDBFC6E}
eMule --> "D:\Programs\eMule\Uninstall.exe"
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Flight One ATR 72-500 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\ATR_Beta.ini"
Fly the MADDOG 2006 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall Fly the Maddog 2006.exe
Fly the MADDOG 2006 liveries --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall Liveries.exe
Fly to Brazil #6 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\irunin.ini"
Fokker 70-100 --> C:\Program Files\Microsoft Games\Flight Simulator 9\UnFokker70-FS9.exe
Follow Me Multiplayer --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal.exe
Free Download Manager 2.5 --> "D:\Programs\Free Download Manager\unins000.exe"
FS Global 2005 --> C:\PROGRA~1\MICROS~4\FLIGHT~1\pilotsSW\fsg2k5\uninstal.exe C:\PROGRA~1\MICROS~4\FLIGHT~1\pilotsSW\fsg2k5
FS Real Time v1.62.2 --> C:\WINDOWS\iun6002.exe "C:\Program Files\FS Real Time\irunin.ini"
FSBuild 2 --> C:\Program Files\FSBuild\UnInstall_19636.exe
FSNavigator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F76FF6D-B992-4FD9-8686-F09F868B2C58}\Setup.exe" -l0x9
FSPause12 --> MsiExec.exe /I{94147A93-0288-42D6-8DCC-D35CBA84FC3A}
Fuel Loader --> C:\Program Files\Simulation Hardware\Fuel Loader\Uninstal.exe
Greatest Airliners: 727 --> "C:\Program Files\Microsoft Games\Flight Simulator 9\uninstall_GA727.exe" "/U:C:\Program Files\Microsoft Games\Flight Simulator 9\F1DF_GA727.xml"
GUARULHOS INTERNATIONAL AIRPORT --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Bryan\Desktop\Fs2004 - WorldSceneries - Guarulhos Sao Paulo\wsuninstall\irunin_GR.ini"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IFSD Irish Scenery --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\Addon Scenery\ifsd_scenery\IFSD\installer\irunin.ini"
Ivalo 2.0 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstal_Ivalo2.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
KEWR Newark --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall KEWR.exe
KLGA La Guardia --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall KLGA.exe
LAGO Male Scenery FS2004 2.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35E853C8-8E86-4259-B4D6-E2B5BEDDABCD}\Setup.exe" -l0x9
LAGO Twin Otter Version 2.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0663708C-35D2-4A9B-AD98-2D49FB6729B6}\Setup.exe" -l0x9
Legendary C-130 --> C:\Program Files\Microsoft Games\Flight Simulator 9\csC130_uninstall.exe
Level-D Simulations 767-300 --> C:\Program Files\Microsoft Games\Flight Simulator 9\UnLvld767.exe
Magic ISO Maker v5.4 (build 0237) --> D:\Programs\MagicISO\UNWISE.EXE D:\Programs\MagicISO\INSTALL.LOG
MagicDisc 2.6.93 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Converter SA Edition 0.8 --> D:\Programs\Media Converter SA Edition\uninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator 2004 A Century of Flight --> "C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 --> MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NCalc 5.1.0 --> "C:\Program Files\NCalc5\unins000.exe"
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OCS PT-154 --> C:\WINDOWS\OCS PT-154 Uninstaller.exe
Photohands 1.0E --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{544FB392-069D-4BA5-9DC7-FFD47230AEE5}\Setup.exe"
PMDG 747-400 FS9 Update V1R12 (Unifies to FSX) --> C:\Program Files\InstallShield Installation Information\{304DAE83-906F-4005-BA09-2870349ABD14}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDG 747-400F GE Atlas --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{044DB990-522B-4E0E-90E0-9868576D567A}\setup.exe" -l0x9 -removeonly
PMDG 747-400F GE Polar Air Cargo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F091397A-BAF6-428D-B278-19541A83BBAE}\setup.exe" -l0x9 -removeonly
PMDG 747-400F PW FedEx --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9CDD8DA2-7BFE-40FD-AEC8-5A48B7C88BFB}\setup.exe" -l0x9 -removeonly
PMDG 747-400F RR Cargolux VCV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0781BF9-33E6-442B-8167-D60F01E34F6E}\setup.exe" -l0x9 -removeonly
PMDG_747-400_Sound_Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2758F387-D016-4725-9D03-AB039364DF3D}\setup.exe" -l0x9 -removeonly
PMDG747_400 Queen of the Skies --> C:\Program Files\InstallShield Installation Information\{97679567-0095-464E-B5F2-E218A1CF3421}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDG747_400_PW_Singapore --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1BF1967F-7879-494C-BB0A-493653C90857}\setup.exe" -l0x9 -removeonly
PMDG747_400F --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{164360E5-0AAD-48AD-8A36-3F8A859FAB6F}\setup.exe" -l0x9 -removeonly
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PSS B777 Professional 2004 (777-200 LR) 2.1 --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Bryan\Desktop\777\PSS\772LR_uni.ini"
PSS Boeing 757 Pro 2006 1.3 --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Bryan\Desktop\757\PSS\757_ALL.ini"
PT Tu154M --> MsiExec.exe /I{9A9DC850-9444-4DB0-A364-B0F6B555A647}
Radar Contact Version 4.0 --> "C:\Program Files\rcv4\unins000.exe"
Radar Contact Version 4.01 --> "C:\Program Files\rcv4\unins001.exe"
Ready for Pushback V2_10 Full Version --> C:\Program Files\Microsoft Games\Flight Simulator 9\RFP_V2_Upgrade_Unistaller.exe
Remove UK2000 Part 1 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 1\irunin.ini
Remove UK2000 Part 2 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 2\irunin.ini
Remove UK2000 Part 3 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 3\irunin.ini
Remove UK2000 Part 4 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 4\irunin.ini
Remove UK2000 Part 5 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 5\irunin.ini
Remove UK2000 Part 6 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 6\irunin.ini
Remove UK2000 Part7 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part7\irunin.ini
Rovaniemi 4.1 --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall_Rovaniemi41.exe
Saitek SST Programming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{967FB80D-56BD-42EF-A942-9E8C78F984A4}\Setup.exe" -l0x9 -removeonly
SimCharts 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{61812F6F-0705-4B20-B914-32C1E3C155C7}\Setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "D:\Programs\Spybot - Search & Destroy\unins000.exe"
SquawkBox 3 --> C:\Program Files\SquawkBox3\sbuninstall.exe SquawkBox 3
SSTSIM --> "C:\WINDOWS\SSTSIM\uninstall.exe" "/U:C:\Program Files\Microsoft Games\Flight Simulator 9\SSTSIM\data\Uninstall\uninstall.xml"
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWAT 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8} uninstall
São Paulo - Congonhas Airport X-Generation --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\sbspx9unin.ini"
TeamSpeak 2 RC2 --> D:\Programs\Teamspeak2_RC2\unins000.exe
TeamSpeak 2 Server RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TJSJ San Juan --> C:\Program Files\Microsoft Games\Flight Simulator 9\Uninstall TJSJ.exe
TOPCAT 2.20 (26MAR08) --> C:\Program Files\TOPCAT\uninst.exe
TTS_Technology --> MsiExec.exe /I{AC696733-F8C5-4EAD-B165-AC8AB8C2A755}
Ultimate Traffic --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9\UT13.ini"
UPDATE 01 COLVIRTUAL PE 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\desinstalar_colvape2k5.exe
UPDATE 02 COLVIRTUAL PE 2005 --> C:\Program Files\Microsoft Games\Flight Simulator 9\uninstallupd2.exe
UPDATE 03 COLVIRTUAL PE 2005 (FS2004) --> C:\Program Files\Microsoft Games\Flight Simulator 9\uninstallupd2.exe
VRC --> "C:\Program Files\VRC\uninstall.exe"
vroute.info --> rundll32.exe dfshim.dll,ShArpMaintain vroute.info.application, Culture=en, PublicKeyToken=5accc01de4247373, processorArchitecture=msil
Winamp --> "D:\Programs\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wonderful Rio Full Pack --> C:\WINDOWS\iun6002.exe "C:\Program Files\Microsoft Games\Flight Simulator 9/wsuninstall\Wonderful Rio Full Packirunin.ini"


-- Application Event Log -------------------------------------------------------

Event Record #/Type14868 / Warning
Event Submitted/Written: 06/02/2008 07:49:36 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type14867 / Warning
Event Submitted/Written: 06/02/2008 07:49:36 PM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type14865 / Error
Event Submitted/Written: 06/01/2008 07:03:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application FS9.EXE, version 9.0.0.30612, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type14864 / Error
Event Submitted/Written: 06/01/2008 07:01:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application FS9.EXE, version 9.0.0.30612, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type14863 / Error
Event Submitted/Written: 06/01/2008 07:01:44 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application FS9.EXE, version 9.0.0.30612, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37496 / Error
Event Submitted/Written: 06/01/2008 04:16:43 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type37495 / Error
Event Submitted/Written: 06/01/2008 04:16:43 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type37494 / Error
Event Submitted/Written: 06/01/2008 04:16:43 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The SNMP Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type37493 / Error
Event Submitted/Written: 06/01/2008 04:16:43 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type37492 / Error
Event Submitted/Written: 06/01/2008 04:16:43 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Messenger Sharing Folders USN Journal Reader service service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-06-02 19:56:25 ------------


You might notice the Windows firewall has been disabled; I did that because I'm already running a firewall.
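Added example for this thread (not part of the original post and not code from Deckard's System Scanner): a small Python triage helper that scans a DSS log for three things a reviewer would otherwise check by eye in the dump above. It flags Run-key values whose bracketed file info is empty (the `"IEUpdate"="C:\WINDOWS\system32\acledith.exe" []` line is the only Run entry in the log with no file date recorded), Winlogon Notify subkeys with no DLL listed under them (`wvUnKecb`, in contrast to `!SASWinLogon`), and hidden+system files in the "Files created" list (`C:\WINDOWS\cnerolf.dat`). The sample input is a subset of the log lines copied from the post; the finding names and the `Finding` class are this example's own. It surfaces items for review only and makes no judgement about maliciousness: Kaspersky's `fidbox2.dat` is hidden+system as well and is listed alongside `cnerolf.dat`.

```python
"""Triage a Deckard's System Scanner (DSS) log for autostart items worth a second look.

Added example for this thread; not part of DSS or the original post.
It flags entries for human review only; it does not classify them as malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the DSS log posted above.
SAMPLE_LOG = r"""
-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 16:41:13 90 ---hs---- C:\WINDOWS\cnerolf.dat
2008-06-01 13:48:51 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-01 13:48:09 31008 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-01 13:48:09 0 d-------- C:\Program Files\Kaspersky Lab

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"nwiz"="nwiz.exe" [04/19/2007 01:26 PM C:\WINDOWS\system32\nwiz.exe]
"IEUpdate"="C:\WINDOWS\system32\acledith.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnKecb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
"""

# A registry key header in the DSS dump, e.g. [HKEY_LOCAL_MACHINE\...\Run]
HEADER_RE = re.compile(r"^\[(?P<key>[^\]]+)\]")
# A Run-key value: "Name"="target" [file date, optional resolved path]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# A file line: timestamp, size, nine-character attribute string, path
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # hypothetical finding label used by this example
    key: str     # registry key or file path the finding refers to
    detail: str  # human-readable context for the reviewer


def triage_dss(text: str) -> list[Finding]:
    """Return review items found in a DSS log: Run values with no file info,
    empty Winlogon Notify subkeys, and hidden+system files."""
    findings: list[Finding] = []
    lines = text.splitlines()
    section: str | None = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group("key")
            if "\\winlogon\\notify\\" in section.lower():
                # A Notify subkey should be followed by its DLL line; if the next
                # non-blank line is another key or a DSS divider, nothing backs it.
                nxt = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
                if not nxt or HEADER_RE.match(nxt) or nxt.startswith("--"):
                    findings.append(Finding("notify-no-dll", section,
                                            "Winlogon Notify subkey lists no DLL"))
            continue
        if section and section.lower().endswith("\\currentversion\\run"):
            value = RUN_VALUE_RE.match(line)
            if value and not value.group("meta").strip():
                # DSS wrote no date/path for the target, unlike the other entries.
                findings.append(Finding("run-no-fileinfo", section,
                                        f'{value.group("name")} -> {value.group("target")}'))
            continue
        f = FILE_RE.match(line)
        if f and {"h", "s"} <= set(f.group("attrs")):
            findings.append(Finding("hidden-system-file", f.group("path"),
                                    f'{f.group("size")} bytes, attrs {f.group("attrs")}, '
                                    f'created {f.group("ts")}'))
    return findings


if __name__ == "__main__":
    for item in triage_dss(SAMPLE_LOG):
        print(f"[{item.kind}] {item.key}: {item.detail}")
```

Run it against a saved `main.txt`/`extra.txt` pair with `triage_dss(open(path).read())`; on the sample above it reports four items, and the reviewer still has to decide which are known-good (the Kaspersky cache file) and which need a file submitted to a scanner or a key removed.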