IE explorer popups will not go away (Malware) [CLOSED] [RESOLVED]


This topic is locked

#1
mlo356
Member, 16 posts
Hello to all. This is my first post and I would like to say TY for the future help and that you guys make PC help possible. About a few months ago I started to experience IE explorer popups and they are becoming more frequent. I notice that the popups that appear are related to what I am doing on the internet, so I am on to it, but I can't get rid of it to save my life. I was hoping you fine folks could help me. So first off here is my Hijackthis log:

HIJACKTHIS LOG:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\WINDOWS\system32\svrhost.exe
D:\Documents and Settings\X\Desktop\picx\HijackThis.exe
D:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: (no name) - {37426A4F-D596-411F-A95D-D283BF4F2CDF} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

This is it and I would really appreciate the help. Thanks in advance.
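The helpers in threads like this read a HijackThis log for a handful of tell-tale shapes before anything else: an F2 Shell= value that launches something besides Explorer.exe, autorun entries under Policies\Explorer\Run, core system binaries running from a directory other than \WINDOWS or \WINDOWS\system32, file names one letter away from a real system binary (svrhost.exe, svchosts.exe, svhhost.exe), and an LSA "Authentication Packages" value carrying more than the default msv1_0. The script below is an added example, not code from HijackThis, Deckard's System Scanner or this thread; it applies those rules to sample lines copied from the logs posted here (the sample block and the rule names are constructed for the example), and it prints findings rather than changing anything on the machine.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis or DSS code)."""
import ntpath
import re

# Core Windows binaries that malware commonly imitates with one-letter changes.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}
# Directories those binaries legitimately run from on 32-bit XP (drive letter stripped).
SYSTEM_DIRS = ("\\windows\\system32", "\\windows")

HJT_ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                  # e.g. "O4 - HKLM\..\Run: ..."
EXE_AT_START = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)    # leading exe path, quoted or not

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svrhost.exe
D:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Policies\Explorer\Run: [®Windows Update] svchosts.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"Authentication Packages"= msv1_0 D:\WINDOWS\System32\awvtt.dll
"""


def levenshtein(a, b):
    """Edit distance by the usual row-by-row DP; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the core binary that `filename` imitates (exactly one edit away), else None."""
    name = filename.lower()
    if name in CORE_SYSTEM_BINARIES:
        return None
    for legit in sorted(CORE_SYSTEM_BINARIES):
        if levenshtein(name, legit) == 1:
            return legit
    return None


def check_path(path):
    """Findings for one executable path: look-alike name, or core binary in the wrong directory."""
    findings = []
    name = ntpath.basename(path).lower()
    imitated = lookalike_of(name)
    if imitated:
        findings.append(("lookalike", f"{name} is one edit away from {imitated}", path))
    # Compare the directory without its drive letter, so C:\... and D:\... are treated alike.
    dir_no_drive = ntpath.splitdrive(ntpath.dirname(path).lower())[1]
    if name in CORE_SYSTEM_BINARIES and "\\" in path and dir_no_drive not in SYSTEM_DIRS:
        findings.append(("wrong-dir", f"{name} outside the Windows directory", path))
    return findings


def triage(log_text):
    """Run the rules over every line and return (rule, explanation, evidence) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_ENTRY.match(line)
        if m is None:
            if line.lower().startswith('"authentication packages"='):
                # Default value is msv1_0 alone; anything else is a DLL LSA loads at boot.
                extras = [t for t in line.split("=", 1)[1].split() if t.lower() != "msv1_0"]
                for extra in extras:
                    findings.append(("lsa-auth-package", "extra LSA authentication package", extra))
            elif line.lower().endswith(".exe") and "\\" in line:
                findings.extend(check_path(line))  # "Running processes" entry
            continue
        section, body = m.groups()
        if section == "F2" and "Shell=" in body:
            parts = body.split("Shell=", 1)[1].split()  # whitespace split; fine for this log
            if [p.lower() for p in parts] != ["explorer.exe"]:
                findings.append(("shell", "Shell= launches more than Explorer.exe", " ".join(parts)))
                for extra in parts[1:]:
                    findings.extend(check_path(extra))
        elif section == "O4":
            if "Policies\\Explorer\\Run" in body:
                findings.append(("policies-run", "autorun via Policies\\Explorer\\Run", body))
            command = body.split("]", 1)[1] if "]" in body else body
            exe = EXE_AT_START.match(command.strip())
            if exe:
                findings.extend(check_path(exe.group(1)))
    return findings


if __name__ == "__main__":
    for rule, why, evidence in triage(SAMPLE_LOG):
        print(f"[{rule}] {why}: {evidence}")
```

A finding is a reason to look closer, not a verdict: the script only encodes the reading rules, and each flagged file still needs to be checked (publisher, location, hash) before anything is removed.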



#2
fenzodahl512
Malware Removal, 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo. Please do the following:


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click the dss.exe icon and choose Run as Administrator.



Regards
fenzodahl512

#3
mlo356
Topic Starter, Member, 16 posts
TY for the reply. This is what I have.

MAIN:


Deckard's System Scanner v20071014.68
Run by X on 2008-07-14 17:46:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive D: has 0.04 GiB (less than 15%) free.


-- HijackThis (run as X.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:33 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Documents and Settings\X\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\X.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: (no name) - {37426A4F-D596-411F-A95D-D283BF4F2CDF} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKLM\..\Policies\Explorer\Run: [®Windows Update] svchosts.exe
O4 - HKCU\..\Policies\Explorer\Run: [®Windows Update] svchosts.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 8594 bytes

-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-14 17:45:46 0 d-------- D:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-08 00:28:37 0 d-------- D:\Program Files\BitComet
2008-07-05 21:38:18 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-07-05 21:37:09 0 d-------- D:\Program Files\Beat It
2008-06-23 16:21:16 0 d-------- D:\Documents and Settings\X\Application Data\Vso
2008-06-08 22:27:46 0 d-------- D:\Program Files\Absolute Poker
2008-06-05 16:13:56 0 d-------- D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 16:12:52 0 d-------- D:\Program Files\XBC
2008-06-05 16:10:43 0 d-------- D:\Program Files\Common Files
2008-06-05 16:08:23 0 d-------- D:\Program Files\Binaryfish
2008-06-05 15:46:25 0 d-------- D:\Program Files\MagicDisc
2008-06-02 18:25:53 0 d-------- D:\Program Files\PowerISO
2008-05-26 00:49:37 0 d-------- D:\Program Files\Uniblue
2008-05-16 23:09:41 0 d-------- D:\Program Files\SpaceTime Mathematics
2008-05-16 22:51:31 0 d-------- D:\Program Files\WinPcap
2008-05-09 23:55:57 2508 --a------ D:\Documents and Settings\X\Application Data\$_hpcst$.hpc
2008-05-04 13:11:21 33 --a------ D:\Documents and Settings\X\Application Data\install.ini
2008-04-19 23:53:40 23680 --a------ D:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37426A4F-D596-411F-A95D-D283BF4F2CDF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/13/2006 10:47 PM]
"PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [03/14/2008 07:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/03/2004 09:56 PM]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 10:36 PM]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 05:39 AM]
"Uniblue RegistryBooster 2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [05/05/2008 01:01 PM]
"Uniblue SpyEraser"="D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [01/08/2008 09:14 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

D:\Documents and Settings\X\Start Menu\Programs\Startup\
MagicDisc.lnk - D:\Program Files\MagicDisc\MagicDisc.exe [6/5/2008 3:46:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"®Windows Update"=svchosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"®Windows Update"=svchosts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\Config\csrss.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\System32\awvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8cbd05dc]
rundll32.exe "D:\WINDOWS\System32\ylnhnjkm.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"D:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f6ed4a1]
Rundll32.exe "D:\WINDOWS\System32\jlorwefx.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Critical Services]
svhhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyIPAddress]
rundll32.exe "D:\WINDOWS\System32\ylnhnjkm.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
"D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-07-14 17:46:52 ------------



EXTRA:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3200+
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 1023.48 MiB / 753.34 MiB
Pagefile Memory (total/avail): 2516.65 MiB / 2348.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.2 MiB

C: is Fixed (NTFS) - 25 GiB total, 0 GiB free.
D: is Fixed (NTFS) - 25 GiB total, 0.04 GiB free.
E: is Fixed (NTFS) - 20 GiB total, 2.91 GiB free.
F: is Fixed (NTFS) - 30 GiB total, 1.9 GiB free.
G: is CDROM (Unformatted)
H: is CDROM (Unformatted)
I: is CDROM (No Media)
J: is CDROM (No Media)
K: is Fixed (NTFS) - 372.6 GiB total, 2.21 GiB free.
L: is Fixed (NTFS) - 233.75 GiB total, 0.34 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y200P0 - 189.92 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 25 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 25 GiB - D:
\PARTITION2 - Installable File System - 20 GiB - E:
\PARTITION3 - Installable File System - 30 GiB - F:

\\.\PHYSICALDRIVE1 - Maxtor 5 A250J0 USB Device - 233.76 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 233.75 GiB - L:

\\.\PHYSICALDRIVE2 - MDT MD40 00KS-00MNB0 USB Device - 372.61 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 372.6 GiB - K:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\X\Application Data
CLASSPATH=D:\Program Files\JavaSoft\JRE\1.3\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=REBORN
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\X
LOGONSERVER=\\REBORN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\system32\WBEM;D:\Program Files\QuickTime\QTSystem\;D:\Program Files\Microsoft SQL Server\80\Tools\Binn\;D:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=D:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\JavaSoft\JRE\1.3\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\X\LOCALS~1\Temp
TMP=D:\DOCUME~1\X\LOCALS~1\Temp
USERDOMAIN=REBORN
USERNAME=X
USERPROFILE=D:\Documents and Settings\X
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HelpAssistant
X (admin)
Administrator.REBORN (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "D:\Program Files\ViaVoice\Bin\vunUS.exe" ProdRunDictate Dc En_US 'IBM ViaVoice™ Dictation Runtime' D:\WINDOWS\IsUninst.exe -f"D:\Program Files\ViaVoice\RtDict_US.isu"
--> "D:\Program Files\ViaVoice\Bin\vunUS.exe" ProdRunDictate Dc En_US 'IBM ViaVoice™ Dictation Runtime' D:\WINDOWS\IsUninst.exe -f"D:\Program Files\ViaVoice\RtDict_US.isu"
--> D:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> D:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> D:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> D:\WINDOWS\IsUninst.exe -f"D:\Program Files\ViaVoice\tts\vvoutloud.isu" -c"D:\Program Files\ViaVoice\tts\\vo50u_US.dll"
--> D:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> D:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> D:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> D:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> D:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
µTorrent --> "D:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Absolute Poker --> D:\Program Files\_uninstallation_info\Absolute Poker\CasinoUninstall.exe
ACE Mega CoDecS Pack --> "D:\Program Files\ACE Mega CoDecS Pack\unins000.exe"
Adobe Flash Player ActiveX --> D:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> D:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Applet Effects Factory --> D:\PROGRA~1\APPLET~1\UNWISE.EXE D:\PROGRA~1\APPLET~1\INSTALL.LOG
ASAPI Update --> D:\PROGRA~1\VOB\ASAPIU~1\IWUNIN~1.EXE -uninstall D:\WINDOWS\ISUNINST.EXE -fD:\PROGRA~1\VOB\ASAPIU~1\ASAPI.isu
ATI - Software Uninstall Utility --> D:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 D:\WINDOWS\System32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVI/MPEG/RM/WMV Joiner 4.82 --> "D:\Program Files\AVI MPEG RM WMV Joiner\unins000.exe"
Avi2Dvd 0.3.2 beta --> D:\Program Files\Avi2Dvd\uninst.exe
AviSynth 2.5 --> "D:\Program Files\AviSynth 2.5\Uninstall.exe"
BitComet 0.98 --> D:\Program Files\BitComet\uninst.exe
CCE SP Trial Version --> D:\PROGRA~1\CUSTOM~1\CCESPT~1\uinst.exe
CDRWIN 6.1 --> MsiExec.exe /I{C8310658-4019-4934-A7AC-AD1E35EDD8F5}
CoffeeCup Flash Button Factory --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B4572608-DFF7-4E77-A8DD-D814DB87787A}\Setup.exe" -l0x9
CoffeeCup Flash Firestarter --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CB4AF7DA-CE59-41A9-93A6-DA921F809361}\Setup.exe" -l0x9
CoffeeCup Flash Form Builder --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{184D95BE-B66A-4534-97E6-4C6A44032C6E}\Setup.exe" -l0x9
CoffeeCup Flash Menu Builder --> D:\PROGRA~1\COFFEE~1\COFFEE~4\UNWISE.EXE D:\PROGRA~1\COFFEE~1\COFFEE~4\INSTALL.LOG
CoffeeCup Flash Photo Gallery - Registered --> D:\PROGRA~1\COFFEE~1\CO7278~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\CO7278~1\INSTALL.LOG
CoffeeCup GIF Animator --> D:\PROGRA~1\COFFEE~1\GIFANI~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\GIFANI~1\GAinst.LOG
CoffeeCup HTML Editor 2006 --> D:\PROGRA~1\COFFEE~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\INSTALL.LOG
CoffeeCup MP3 Rip & Burn --> D:\PROGRA~1\COFFEE~1\CO14E3~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\CO14E3~1\CoffeeCupMP3Rip&Burn.log
CoffeeCup News Flash --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{8BA676DE-6239-4D76-941A-C7B9A1501735}\Setup.exe" -l0x9
CoffeeCup PixConverter --> D:\PROGRA~1\COFFEE~1\COB628~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\COB628~1\pixinst.log
CoffeeCup StyleSheet Maker --> D:\PROGRA~1\COFFEE~1\STYLES~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\STYLES~1\styleinst.log
CoffeeCup Visual Site Designer --> D:\WINDOWS\CoffeeCup Visual Site Designer Uninstaller.exe
CoffeeCup Web JukeBox - Registered --> D:\PROGRA~1\COFFEE~1\COD64E~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\COD64E~1\INSTALL.LOG
CoffeeCup Website Color Schemer --> D:\PROGRA~1\COFFEE~1\CO3E71~1\UNWISE.EXE D:\PROGRA~1\COFFEE~1\CO3E71~1\Schemer.log
Creative DVD Audio Plugin for Audigy Series --> "D:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
Cucusoft MPEG/AVI to DVD/VCD/SVCD/MPEG Converter Pro 6.02 --> "D:\Program Files\Cucusoft\avi-dvd-pro\unins000.exe"
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Direct Show Ogg Vorbis Filter (remove only) --> "D:\WINDOWS\System32\OggDSuninst.exe"
DirectShow subtitle filter colleciton (remove only) --> "D:\WINDOWS\System32\SubtitDSuninst.exe"
DirectVobSub (remove only) --> "D:\Program Files\DirectVobSub\uninstall.exe"
DiscJuggler --> MsiExec.exe /I{C3C538E5-524C-4253-AA74-0EEEF34990EA}
DivX --> D:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Codec 1528-HiggsBoson DivX Labs --> D:\Program Files\DivX\DivX Codec 1528-HiggsBoson DivX Labs\Remove.exe
DivX Converter --> D:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> D:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> D:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivxToDVD 1.99.18 --> "D:\Program Files\vso\DivxToDVD\unins000.exe"
DVD-lab PRO 1.5 --> "D:\Program Files\DVDlabPro\unins000.exe"
DVD Decrypter (Remove Only) --> "D:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "D:\Program Files\DVD Shrink\unins000.exe"
ESET NOD32 Antivirus --> MsiExec.exe /I{7D974ACA-4EE5-412C-8E6A-A5B57B305727}
ffdshow (remove only) --> "D:\WINDOWS\System32\uninstall.exe"
FireBurner --> MsiExec.exe /X{850C4C12-57E2-43E4-B66B-B08B120C55F3}
FL Studio 6 --> D:\Program Files\Image-Line\FL Studio 6\uninstall.exe
Fruity Loops Studio Producer Edition XXL v6.04 Patcher --> D:\PROGRA~1\IMAGE-~1\FLSTUD~2\UNWISE.EXE D:\PROGRA~1\IMAGE-~1\FLSTUD~2\INSTALL.LOG
FruityLoops Studio Producer Edition v5.02 --> D:\PROGRA~1\IMAGE-~1\FLSTUD~2\FLSTUD~1\UNWISE.EXE D:\PROGRA~1\IMAGE-~1\FLSTUD~2\FLSTUD~1\INSTALL.LOG
Full Tilt Poker --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9 -removeonly
GSpot Codec Information Appliance --> D:\Program Files\GSpot\Uninstall.exe
HijackThis 1.99.1 --> D:\Documents and Settings\X\Desktop\picx\HijackThis.exe /uninstall
IBM ViaVoice Standard 8.0 - US English --> "D:\Program Files\ViaVoice\Bin\uninst_US.exe" DeleteProdVVFW80Basic_US
Imation Disk Manager V a Service --> D:\DOCUME~1\X\LOCALS~1\Temp\Imation Disk Manager V a.exe -u
InterVideo WinDVD 5 --> "D:\Program Files\InstallShield Installation Information\{1B399A41-C1D0-40A2-9E4F-095868EFAF01}\setup.exe" REMOVEALL
InterVideo WinDVD Creator 2 --> "D:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinRip --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D32D4182-DE6C-457E-838C-8D7B9CE332BA}\setup.exe" REMOVEALL
iPod for Windows 2006-06-28 --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 2.46 Basic --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire PRO 4.12.3 --> "D:\Program Files\LimeWire\uninstall.exe"
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Shockwave Player --> D:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v5.4 (build 0239) --> D:\PROGRA~1\MagicISO\UNWISE.EXE D:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.7.97 --> D:\PROGRA~1\MAGICD~1\UNWISE.EXE D:\PROGRA~1\MAGICD~1\INSTALL.LOG
MANSIONPoker.net --> MsiExec.exe /X{B6E03145-21CA-4582-AE6A-04FFE1F24CA1}
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Matroska Pack - Lazy Man's MKV 0.9.8 --> "D:\Program Files\LD-Anime\unins000.exe"
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Student Graphing Calculator --> MsiExec.exe /I{06043840-7A70-4AC6-9340-2EB7E1486914}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Script Host --> rundll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\wsh.inf,Uninstall.NT
Mozilla (1.7.5) --> D:\WINDOWS\MozillaUninstall.exe /ua "1.7.5 (en)"
Mozilla ActiveX Control v1.7.12 --> D:\Program Files\Mozilla ActiveX Control v1.7.12\uninst.exe
Mozilla Firefox (2.0.0.15) --> D:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 To Ringtone Gold 3.16 --> "D:\Program Files\AnMing\unins000.exe"
My DSC --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll<UNINSTALL_CMD>
Nero 7 Ultra Edition --> MsiExec.exe /I{8C30E1DC-D83E-4A90-AD02-1A275FC71033}
Netscape (7.2) --> D:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
NVIDIA Drivers --> D:\WINDOWS\System32\nvuaudio.exe UninstallGUI
Pacific Poker --> D:\PROGRA~1\PACIFI~1\UNWISE.EXE D:\PROGRA~1\PACIFI~1\INSTALL.LOG
PC Inspector File Recovery --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
PokerStars --> D:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
PowerISO --> "D:\Program Files\PowerISO\uninstall.exe"
QuickTime --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer --> D:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RegCure --> "D:\WINDOWS\RegCure\uninstall.exe" "/U:D:\Program Files\RegCure\Uninstall\uninstall.xml"
ResumeMaker --> D:\PROGRA~1\RESUME~1\UNWISE.EXE D:\PROGRA~1\RESUME~1\INSTALL.LOG
River Past Video Cleaner Pro --> D:\WINDOWS\Video Cleaner Pro Uninstaller.exe
RM Converter 3.28 --> "D:\Program Files\RM Converter\unins000.exe"
RM to AVI MPEG WMV VCD SVCD DVD Converter 3.0 --> "D:\Program Files\Witcobber\RM to AVI MPEG WMV VCD SVCD DVD Converter\unins000.exe"
Serials 2000 7.1+ --> "D:\Program Files\Serials 2000 7.1 Plus\unins000.exe"
Serials 2005 --> MsiExec.exe /I{E381FABF-C47C-4898-B517-4075D60A6CE1}
Shockwave --> D:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Smart Audio Converter --> "D:\Program Files\SmartAudioConverter\unins000.exe"
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
Spybot - Search & Destroy --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyHunter --> "D:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "D:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Steinberg Dcota v1.0 --> D:\PROGRA~1\STEINB~1\VSTPLU~1\D'cota\UNWISE.EXE D:\PROGRA~1\STEINB~1\VSTPLU~1\D'cota\INSTALL.LOG
Subtitle Workshop 2.51 --> "D:\Program Files\URUSoft\Subtitle Workshop\uninstall.exe"
TCPMP --> D:\Program Files\Microsoft ActiveSync\TCPMP\Uninstall.exe TCPMP
The Core Media Player 4.0 --> "D:\Program Files\CoreCodec\The Core Media Player\uninstall-tcmp4.exe"
The Sims 2 --> D:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
TMPGEnc 3.0 XPress --> MsiExec.exe /I{D48EAA77-E526-41EB-894C-BD6A17EABD95}
TMPGEnc DVD Author 1.5 --> MsiExec.exe /I{49062DAB-7009-4EBD-903A-830B283407C4}
Treo 700wx User Guide --> MsiExec.exe /X{00A148E8-2D9A-422E-9473-E5850C135F2A}
Ultra AVI Converter 2.0.2 --> "D:\Program Files\Ultra AVI Converter\unins000.exe"
Uniblue RegistryBooster 2 --> "D:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Uniblue SpyEraser --> "D:\Program Files\Uniblue\SpyEraser\unins000.exe"
VeryPDF PDF Editor v2.2 --> "D:\Program Files\VeryPDF PDF Editor v2.2\unins000.exe"
VideoLAN VLC media player 0.8.6d --> D:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> D:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VobSub v2.23 (Remove Only) --> "D:\Program Files\Gabest\VobSub\uninstall.exe"
Vodei Multimedia Processor 1.03 --> D:\Program Files\Vodei\uninst.exe
VSO ConvertXtoDVD 2.2.3.258h Licensed by AxMan --> "D:\Program Files\VSO\ConvertXtoDVD\unins000.exe"
WinAVI Video Converter --> "D:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Messenger 5.1 --> MsiExec.exe /I{A433AE09-2126-4dad-9CBD-C1B05DC42787}
WinPcap 3.1 --> "D:\Program Files\WinPcap\Uninstall.exe" "D:\Program Files\WinPcap\install.log"
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
XviD MPEG-4 Codec --> "D:\Program Files\XviD\UninstXviD.exe"
Yahoo! Messenger --> D:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U D:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type2850 / Error
Event Submitted/Written: 07/13/2008 03:01:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3111, faulting module msvcr71.dll, version 7.10.3052.4, fault address 0x00010582.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type2849 / Error
Event Submitted/Written: 07/09/2008 08:56:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.62306, faulting module vsfilter.dll, version 1.0.0.9, fault address 0x00001712.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2848 / Error
Event Submitted/Written: 07/08/2008 10:22:34 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application PhotoSnapViewer.exe, version 1.2.0.19, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2844 / Error
Event Submitted/Written: 07/07/2008 08:56:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application nero.exe, version 7.5.1.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2840 / Error
Event Submitted/Written: 07/06/2008 11:04:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3111, faulting module medialibrarynse.dll, version 1.5.0.13, fault address 0x0000867a.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30297 / Error
Event Submitted/Written: 07/14/2008 05:18:44 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type30295 / Warning
Event Submitted/Written: 07/13/2008 04:44:23 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type30294 / Warning
Event Submitted/Written: 07/13/2008 02:48:44 AM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.

Event Record #/Type30293 / Warning
Event Submitted/Written: 07/13/2008 02:48:44 AM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.

Event Record #/Type30292 / Warning
Event Submitted/Written: 07/13/2008 02:48:44 AM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.



-- End of Deckard's System Scanner: finished at 2008-07-14 17:18:47 ------------

Thanks again. Hope this helps.

Edited by mlo356, 14 July 2008 - 03:50 PM.


#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. Please do the following...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please visit the webpage below for instructions on downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.




Please post the following logs in your next reply.. Please post each log in a separate post..

1. SDFix
2. ComboFix
3. A fresh HijackThis (after ComboFix step)


Regards
fenzodahl512

#5
mlo356

  • Topic Starter
  • Member
  • 16 posts
OK. Sorry for the late reply, but I was having problems with Safe Mode; it's OK now. Here is what I have:

SDFIX

SDFix: Version 1.205
Run by X on Wed 07/16/2008 at 02:46 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:



Could Not Remove D:\csrss.exe
Could Not Remove D:\WINDOWS\csrss.exe
Could Not Remove D:\WINDOWS\FVProtect.exe
Could Not Remove D:\WINDOWS\lsasss.exe
Could Not Remove D:\WINDOWS\services.exe
Could Not Remove D:\WINDOWS\svchost.exe
Could Not Remove D:\WINDOWS\system32\bootconf.exe
Could Not Remove D:\WINDOWS\system32\drivers\core.cache.dsk
Could Not Remove D:\WINDOWS\system32\iexplore.exe
Could Not Remove D:\WINDOWS\system32\iexplorer.exe
Could Not Remove D:\WINDOWS\system32\internet.exe
Could Not Remove D:\WINDOWS\system32\msupdate.exe
Could Not Remove D:\WINDOWS\system32\remote.exe
Could Not Remove D:\WINDOWS\system32\scrigz.exe
Could Not Remove D:\WINDOWS\system32\svchost32.exe
Could Not Remove D:\WINDOWS\system32\svhost.exe
Could Not Remove D:\WINDOWS\system32\svshost.exe
Could Not Remove D:\WINDOWS\system32\taskgmr.exe
Could Not Remove D:\WINDOWS\system32\update.exe
Could Not Remove D:\WINDOWS\system32\win32.exe
Could Not Remove D:\WINDOWS\system32\windll.exe
Could Not Remove D:\WINDOWS\system32\windowz.exe
Could Not Remove D:\WINDOWS\system32\winxp.exe
Could Not Remove D:\WINDOWS\userconfig9x.dll
Could Not Remove D:\WINDOWS\winlogon.exe
Could Not Remove D:\WINDOWS\winserv.exe



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 15:41:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:14,34,30,fd,4f,61,45,5b,82,04,15,b7,6f,53,eb,24,87,a8,8d,15,72,..
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:14,34,30,fd,4f,61,45,5b,82,04,15,b7,6f,53,eb,24,87,a8,8d,15,72,..
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:97d5f2ed
"s2"=dword:f79bcaff
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:14,34,30,fd,4f,61,45,5b,82,04,15,b7,6f,53,eb,24,87,a8,8d,15,72,..
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:42,fd,97,10,47,9b,00,ec,de,04,7b,c3,f4,c1,a6,7f,68,47,13,2d,f1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ed,fa,3c,49,ab,c2,52,e9,3d,86,04,ac,7b,d1,bf,8a,13,..
"khjeh"=hex:7c,5c,28,7c,82,b5,4f,5e,33,1b,38,27,a1,c5,d6,d3,4e,8e,24,f9,7f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:18,11,59,45,17,03,a2,ed,56,d0,df,ed,ce,63,73,00,cf,5e,f6,02,cc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:14,34,30,fd,4f,61,45,5b,82,04,15,b7,6f,53,eb,24,87,a8,8d,15,72,..
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:14,34,30,fd,4f,61,45,5b,82,04,15,b7,6f,53,eb,24,87,a8,8d,15,72,..
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:42,fd,97,10,47,9b,00,ec,de,04,7b,c3,f4,c1,a6,7f,68,47,13,2d,f1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ed,fa,3c,49,ab,c2,52,e9,3d,86,04,ac,7b,d1,bf,8a,13,..
"khjeh"=hex:7c,5c,28,7c,82,b5,4f,5e,33,1b,38,27,a1,c5,d6,d3,4e,8e,24,f9,7f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:18,11,59,45,17,03,a2,ed,56,d0,df,ed,ce,63,73,00,cf,5e,f6,02,cc,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2739448D-3A9D-06B9-38AD-643EB4C5EAAB}]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\BitComet\\BitComet.exe"="D:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="D:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"="D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe:*:Enabled:Java™ Platform SE binary"
"D:\\Program Files\\LimeWire\\LimeWire.exe"="D:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="D:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :

D:\csrss.exe Found
D:\WINDOWS\csrss.exe Found
D:\WINDOWS\FVProtect.exe Found
D:\WINDOWS\lsasss.exe Found
D:\WINDOWS\services.exe Found
D:\WINDOWS\svchost.exe Found
D:\WINDOWS\system32\bootconf.exe Found
D:\WINDOWS\system32\drivers\core.cache.dsk Found
D:\WINDOWS\system32\iexplore.exe Found
D:\WINDOWS\system32\iexplorer.exe Found
D:\WINDOWS\system32\internet.exe Found
D:\WINDOWS\system32\msupdate.exe Found
D:\WINDOWS\system32\remote.exe Found
D:\WINDOWS\system32\scrigz.exe Found
D:\WINDOWS\system32\svchost32.exe Found
D:\WINDOWS\system32\svhost.exe Found
D:\WINDOWS\system32\svshost.exe Found
D:\WINDOWS\system32\taskgmr.exe Found
D:\WINDOWS\system32\update.exe Found
D:\WINDOWS\system32\win32.exe Found
D:\WINDOWS\system32\windll.exe Found
D:\WINDOWS\system32\windowz.exe Found
D:\WINDOWS\system32\winxp.exe Found
D:\WINDOWS\userconfig9x.dll Found
D:\WINDOWS\winlogon.exe Found
D:\WINDOWS\winserv.exe Found

File Backups: - D:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 10 Nov 2006 287 A..H. --- "D:\Program Files\malwaresweeper.com"
Mon 3 Mar 2008 5,702 A..H. --- "D:\WINDOWS\nod32restoretemdono.reg"
Sun 22 Jul 2007 625,152 A.SH. --- "D:\Program Files\Internet Explorer\IEXPLORE.EXE"
Fri 27 May 2005 33 A..H. --- "D:\Program Files\Serials 2005\Crypt.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "D:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 5 Mar 2008 34,630 A.SH. --- "D:\WINDOWS\system32\fsxyomkg.dllbox"
Wed 4 Dec 2002 187,184 A..H. --- "D:\WINDOWS\system32\pskill.exe"
Wed 4 Dec 2002 125,744 A..H. --- "D:\WINDOWS\system32\pslist.exe"
Wed 11 May 2005 2,179 A.SH. --- "D:\WINDOWS\system32\websys.dll"
Mon 1 Jul 2002 162,816 A..H. --- "D:\WINDOWS\system32\wget.exe"
Wed 18 May 2005 4,348 A.SH. --- "D:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 9 May 2008 400 A.SH. --- "D:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Fri 9 May 2008 48 A.SH. --- "D:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sun 20 Apr 2008 0 A.SH. --- "D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 25 Mar 2007 172,032 ...H. --- "D:\Documents and Settings\X\Application Data\Microsoft\Word\~WRL2865.tmp"
Thu 28 Jun 2007 3,096,576 A..H. --- "D:\Documents and Settings\X\Application Data\U3\temp\Launchpad Removal.exe"
Wed 26 Mar 2008 1,340,499 A..H. --- "D:\Deckard\System Scanner\20080714174632\backup\DOCUME~1\X\LOCALS~1\Temp\s7A.tmp"

Finished!



COMBO FIX

ComboFix 08-07-15.4 - X 2008-07-16 15:59:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768 [GMT -4:00]
Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\X\Application Data\CROSOF~1
D:\Documents and Settings\X\Application Data\CROSOF~1.NET
D:\Documents and Settings\X\Application Data\PPATCH~1
D:\Documents and Settings\X\Application Data\PPATCH~2
D:\Documents and Settings\X\Application Data\SEMBLY~1
D:\Documents and Settings\X\Application Data\SSTEM~1
D:\Documents and Settings\X\Application Data\STEM32~1
D:\Documents and Settings\X\Application Data\TSKS~1
D:\Documents and Settings\X\Application Data\WNSXS~1
D:\Documents and Settings\X\Application Data\YSTEM3~1
D:\Documents and Settings\X\My Documents\APPATC~1
D:\Documents and Settings\X\My Documents\ASEMBL~1
D:\Documents and Settings\X\My Documents\DOBE~1
D:\Documents and Settings\X\My Documents\ICROSO~1
D:\Documents and Settings\X\My Documents\MBOLS~1
D:\Documents and Settings\X\My Documents\PPATCH~1
D:\Documents and Settings\X\My Documents\PPPATC~1
D:\Documents and Settings\X\My Documents\RACLE~1
D:\Documents and Settings\X\My Documents\RACLE~2
D:\Documents and Settings\X\My Documents\SCURIT~1
D:\Documents and Settings\X\My Documents\SEMBLY~1
D:\Documents and Settings\X\My Documents\SKS~1
D:\Documents and Settings\X\My Documents\SMBOLS~1
D:\Documents and Settings\X\My Documents\STEM32~1
D:\Documents and Settings\X\My Documents\TSKS~1
D:\Program Files\180searchassistant\
D:\Program Files\asembl~1
D:\Program Files\asks~1
D:\Program Files\Common Files\{8C5DE~1
D:\Program Files\Common Files\{8C5DE~1\directordll.lzma
D:\Program Files\Common Files\{8C5DE~1\directorexe.lzma
D:\Program Files\Common Files\appatc~1
D:\Program Files\Common Files\crosof~1
D:\Program Files\Common Files\curity~1
D:\Program Files\Common Files\fnts~1
D:\Program Files\Common Files\mbols~1
D:\Program Files\Common Files\mcroso~1.net
D:\Program Files\Common Files\pppatc~1
D:\Program Files\Common Files\pppatc~2
D:\Program Files\Common Files\racle~1
D:\Program Files\Common Files\scurit~1
D:\Program Files\Common Files\sks~1
D:\Program Files\Common Files\smbols~1
D:\Program Files\Common Files\sstem~1
D:\Program Files\Common Files\stem~1
D:\Program Files\Common Files\wnsxs~1
D:\Program Files\Common Files\ymbols~1
D:\Program Files\ecurit~1
D:\Program Files\folder.js
D:\Program Files\HbTools\
D:\Program Files\Hotbar\
D:\Program Files\icroso~1.net
D:\Program Files\ini.ini\
D:\Program Files\mantec~1
D:\Program Files\mbols~1
D:\Program Files\MyWebSearch\
D:\Program Files\newdotnet\
D:\Program Files\ppatch~1
D:\Program Files\ppatch~2
D:\Program Files\racle~1
D:\Program Files\sembly~1
D:\Program Files\SideFind\
D:\Program Files\sks~1
D:\Program Files\smante~1
D:\Program Files\smbols~1
D:\Program Files\sstem~1
D:\Program Files\stem32~1
D:\Program Files\surfsidekick 3\
D:\Program Files\zango\
D:\WINDOWS\BM8f6ed4a1.txt
D:\WINDOWS\cookies.ini
D:\WINDOWS\crosof~1.net
D:\WINDOWS\curity~1
D:\WINDOWS\dobe~1
D:\WINDOWS\fnts~1
D:\WINDOWS\icroso~1.net
D:\WINDOWS\mantec~1
D:\WINDOWS\pppatc~1
D:\WINDOWS\pppatc~1\?ppPatch\
D:\WINDOWS\pskt.ini
D:\WINDOWS\racle~1
D:\WINDOWS\racle~2
D:\WINDOWS\scurit~1
D:\WINDOWS\sembly~1
D:\WINDOWS\sks~1
D:\WINDOWS\smbols~1
D:\WINDOWS\ssembl~1
D:\WINDOWS\system32\asks~1
D:\WINDOWS\system32\bang-006.ico
D:\WINDOWS\system32\bctqgouy.ini
D:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
D:\WINDOWS\system32\c2
D:\WINDOWS\system32\c4
D:\WINDOWS\system32\crosof~1
D:\WINDOWS\system32\drivers\npf.sys
D:\WINDOWS\system32\fnts~1
D:\WINDOWS\system32\ftibnmfw.ini
D:\WINDOWS\system32\iesjydld.ini
D:\WINDOWS\system32\ijkmp.ini
D:\WINDOWS\system32\ijkmp.ini2
D:\WINDOWS\system32\k8
D:\WINDOWS\system32\k8\ravecom3.exe
D:\WINDOWS\system32\knnmp.ini
D:\WINDOWS\system32\knnmp.ini2
D:\WINDOWS\system32\lubkgfjd.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\mcroso~1.net
D:\WINDOWS\system32\mgbhlujs.ini
D:\WINDOWS\system32\mkjnhnly.ini
D:\WINDOWS\system32\mrafnexy.ini
D:\WINDOWS\system32\MSINET.oca
D:\WINDOWS\system32\packet.dll
D:\WINDOWS\system32\pskill.exe
D:\WINDOWS\system32\pthreadVC.dll
D:\WINDOWS\system32\racle~1
D:\WINDOWS\system32\s7
D:\WINDOWS\system32\s7\gbsu011.exe
D:\WINDOWS\system32\sembly~1
D:\WINDOWS\system32\sks~1
D:\WINDOWS\system32\smbols~1
D:\WINDOWS\system32\ststv.ini
D:\WINDOWS\system32\ststv.ini2
D:\WINDOWS\system32\ttvwa.ini
D:\WINDOWS\system32\ttvwa.ini2
D:\WINDOWS\system32\uevuvnnh.ini
D:\WINDOWS\system32\uninstall.exe
D:\WINDOWS\system32\uvvanpde.ini
D:\WINDOWS\system32\wanpacket.dll
D:\WINDOWS\system32\wnsxs~1
D:\WINDOWS\system32\wpcap.dll
D:\WINDOWS\system32\wtgafbee.ini
D:\WINDOWS\system32\ymbols~1
D:\WINDOWS\system32\ystem3~1
D:\WINDOWS\tsks~1
D:\WINDOWS\wnsxs~1
D:\WINDOWS\ymante~1
D:\WINDOWS\ymbols~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_MESSAGES
-------\Legacy_POWERMANAGER
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-16 15:37 . 2008-07-16 15:37 167,976 --------- D:\WINDOWS\system32\drivers\core.cache.dsk
2008-07-16 14:17 . 2008-07-16 14:17 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-16 14:12 . 2008-07-16 15:44 <DIR> d-------- D:\SDFix
2008-07-14 17:45 . 2008-07-14 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-14 17:10 . 2008-07-14 17:10 <DIR> d-------- D:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 04:28 --------- d-----w D:\Program Files\BitComet
2008-07-06 01:38 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-06 01:37 --------- d-----w D:\Program Files\Beat It
2008-06-23 20:21 --------- d-----w D:\Documents and Settings\X\Application Data\Vso
2008-06-09 02:27 --------- d-----w D:\Program Files\Absolute Poker
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-05 20:12 --------- d-----w D:\Program Files\XBC
2008-06-05 20:08 --------- d-----w D:\Program Files\Binaryfish
2008-06-05 19:46 --------- d-----w D:\Program Files\MagicDisc
2008-06-02 22:25 --------- d-----w D:\Program Files\PowerISO
2008-05-27 16:11 96,896 ----a-w D:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-26 04:49 --------- d-----w D:\Program Files\Uniblue
2008-05-17 03:09 --------- d-----w D:\Program Files\SpaceTime Mathematics
2008-05-17 02:51 --------- d-----w D:\Program Files\WinPcap
2008-03-31 21:13 87,608 ----a-w D:\Documents and Settings\X\Application Data\inst.exe
2008-03-31 21:13 47,360 ----a-w D:\Documents and Settings\X\Application Data\pcouffin.sys
2006-06-29 23:26 52 ----a-w D:\Program Files\ini.ini
2006-06-28 16:51 0 ----a-w D:\Documents and Settings\X\Application Data\internaldb41.dat
2005-05-15 19:04 201 --sha-w D:\WINDOWS\system32\ntuser.dat
2005-05-11 13:53 2,179 --sha-w D:\WINDOWS\system32\websys.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]
"Uniblue RegistryBooster 2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 13:01 1923352]
"Uniblue SpyEraser"="D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-08 09:14 1260296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-13 22:47 180269]
"PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 19:50 233472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

D:\Documents and Settings\X\Start Menu\Programs\Startup\
MagicDisc.lnk - D:\Program Files\MagicDisc\MagicDisc.exe [2008-06-05 15:46:16 547840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= D:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= D:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
D:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 11:58 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-02-20 11:06 1443072 D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2005-02-22 08:55 1611488 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-24 23:24 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
--a------ 2008-01-23 15:47 847872 D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-13 22:47 180269 D:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-02-27 14:29 47104 D:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitComet\\BitComet.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26481:TCP"= 26481:TCP:BitComet 26481 TCP
"26481:UDP"= 26481:UDP:BitComet 26481 UDP
"1212:TCP"= 1212:TCP:BitComet 1212 TCP
"1212:UDP"= 1212:UDP:BitComet 1212 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-11-10 18:00]
R1 aecc;aecc;D:\WINDOWS\system32\drivers\aecc.sys [2008-03-03 21:16]
R1 Asapi;Asapi;D:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10:22]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-16 04:33:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 13:46:53 D:\WINDOWS\Tasks\At10.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 14:33:00 D:\WINDOWS\Tasks\At11.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 15:33:00 D:\WINDOWS\Tasks\At12.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 16:33:00 D:\WINDOWS\Tasks\At13.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-14 17:33:00 D:\WINDOWS\Tasks\At14.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 18:30:13 D:\WINDOWS\Tasks\At15.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-15 19:33:00 D:\WINDOWS\Tasks\At16.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 20:03:00 D:\WINDOWS\Tasks\At17.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-15 21:33:00 D:\WINDOWS\Tasks\At18.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-15 22:46:54 D:\WINDOWS\Tasks\At19.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 05:33:00 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-15 23:33:00 D:\WINDOWS\Tasks\At20.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 00:33:00 D:\WINDOWS\Tasks\At21.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 01:33:00 D:\WINDOWS\Tasks\At22.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 02:33:00 D:\WINDOWS\Tasks\At23.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 03:46:51 D:\WINDOWS\Tasks\At24.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 06:33:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 07:33:00 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 08:46:54 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 09:33:00 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 10:33:00 D:\WINDOWS\Tasks\At7.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 11:33:00 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 12:33:00 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 20:05:41 D:\WINDOWS\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-10 07:00:00 D:\WINDOWS\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-16 12:35:06 D:\WINDOWS\Tasks\SpyHunter Scanner.job"
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-07-16 20:06:48 D:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-06-21 23:24:19 D:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-8cbd05dc - D:\WINDOWS\System32\ylnhnjkm.dll
MSConfigStartUp-AVP - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
MSConfigStartUp-BM8f6ed4a1 - D:\WINDOWS\System32\jlorwefx.dll
MSConfigStartUp-MyIPAddress - D:\WINDOWS\System32\ylnhnjkm.dll
MSConfigStartUp-SpySweeper - D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-Microsoft Critical Services - svhhost.exe
MSConfigStartUp-PWRISOVM - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 16:05:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-07-16 16:10:28 - machine was rebooted [X]
ComboFix-quarantined-files.txt 2008-07-16 20:10:24

Pre-Run: 940,175,360 bytes free
Post-Run: 919,326,720 bytes free

425


HIJACK THIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:42 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 8609 bytes


Thanks again. Hope this helps.
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • D:\WINDOWS\system32\fsxyomkg.dllbox
    • D:\WINDOWS\system32\websys.dll
    • D:\WINDOWS\system32\drivers\aecc.sys
  • Click on the submit button. You can only submit one file per round.
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
D:\csrss.exe
D:\WINDOWS\csrss.exe
D:\WINDOWS\FVProtect.exe
D:\WINDOWS\lsasss.exe
D:\WINDOWS\services.exe
D:\WINDOWS\svchost.exe
D:\WINDOWS\system32\bootconf.exe
D:\WINDOWS\system32\drivers\core.cache.dsk
D:\WINDOWS\system32\iexplore.exe
D:\WINDOWS\system32\iexplorer.exe
D:\WINDOWS\system32\internet.exe
D:\WINDOWS\system32\msupdate.exe
D:\WINDOWS\system32\remote.exe
D:\WINDOWS\system32\scrigz.exe
D:\WINDOWS\system32\svchost32.exe
D:\WINDOWS\system32\svhost.exe
D:\WINDOWS\system32\svshost.exe
D:\WINDOWS\system32\taskgmr.exe
D:\WINDOWS\system32\update.exe
D:\WINDOWS\system32\win32.exe
D:\WINDOWS\system32\windll.exe
D:\WINDOWS\system32\windowz.exe
D:\WINDOWS\system32\winxp.exe
D:\WINDOWS\userconfig9x.dll
D:\WINDOWS\winlogon.exe
D:\WINDOWS\winserv.exe
D:\WINDOWS\pss\PowerReg Scheduler V3.exe
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
D:\WINDOWS\system32\svrhost.exe
D:\Program Files\malwaresweeper.com

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Jotti/VirusTotal Result
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 17 July 2008 - 04:09 AM.

  • 0
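The At1 to At24 jobs in the ComboFix log above all launch D:\WINDOWS\system32\svrhost.exe, a one-letter variation on the genuine svchost.exe, and the CFScript removes them together with other lookalike names (lsasss.exe, svhost.exe, svshost.exe, a services.exe sitting in D:\WINDOWS instead of system32). As an added illustration of how a defender can pick out that pattern automatically, the Python script below is example code that is not part of the thread and not a feature of ComboFix or HijackThis: it parses the "Contents of the 'Scheduled Tasks' folder" block of a ComboFix log and flags every task whose target file name is one edit away from a core Windows process name, or whose name is genuine but lives outside the directory where Windows keeps it. The sample log lines are constructed to mirror the thread's log, and the LEGIT_NAMES set and the edit-distance threshold of 1 are assumptions chosen for the example.

```python
"""Flag scheduled-task targets in a ComboFix log that mimic Windows system processes.

Added example, not code from the Geeks to Go thread or from ComboFix/HijackThis.
The legitimate-name set, the expected directories and the distance threshold are
assumptions for this example; the SAMPLE_LOG is constructed to mirror the thread.
"""
import re
from typing import List, Optional, Tuple

# Core Windows XP process names that malware commonly imitates (assumption).
LEGIT_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "iexplore.exe",
}

# Matches a ComboFix task line such as:  "2008-07-16 04:33:00 D:\WINDOWS\Tasks\At1.job"
TASK_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<job>.+\.job)"$')


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_target(path: str) -> Optional[str]:
    """Return a short reason if the target looks like a system-process lookalike, else None."""
    p = re.sub(r"^[a-z]:", "", path.strip().lower())   # drop the drive letter
    directory, _, name = p.rpartition("\\")
    if name in LEGIT_NAMES:
        # A genuine name is only trusted in its usual home directory (assumption:
        # explorer.exe lives in \windows, the rest in \windows\system32).
        expected = r"\windows" if name == "explorer.exe" else r"\windows\system32"
        return None if directory == expected else f"{name} outside {expected}"
    close = sorted(n for n in LEGIT_NAMES if levenshtein(name, n) <= 1)
    return f"{name} resembles {', '.join(close)}" if close else None


def parse_tasks(log: str) -> List[Tuple[str, str]]:
    """Extract (job file, target executable) pairs from the Scheduled Tasks block."""
    lines = [ln.rstrip() for ln in log.splitlines()]
    tasks, in_section = [], False
    for i, ln in enumerate(lines):
        if ln.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if ln == "." or ln.startswith("- - - -"):   # end of the block in ComboFix output
            break
        m = TASK_RE.match(ln)
        if m and i + 1 < len(lines) and lines[i + 1].startswith("- "):
            tasks.append((m.group("job"), lines[i + 1][2:].strip()))
    return tasks


def suspicious_tasks(log: str) -> List[Tuple[str, str, str]]:
    """Return (job, target, reason) for every task whose target is a lookalike."""
    hits = []
    for job, target in parse_tasks(log):
        reason = classify_target(target)
        if reason:
            hits.append((job, target, reason))
    return hits


# Constructed sample modelled on the thread's ComboFix log (not the real log).
SAMPLE_LOG = r'''
Contents of the 'Scheduled Tasks' folder
"2008-07-16 04:33:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 05:33:00 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\system32\svrhost.exe
"2008-07-16 21:00:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\services.exe
"2008-07-16 12:35:06 D:\WINDOWS\Tasks\SpyHunter Scanner.job"
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-07-16 20:05:41 D:\WINDOWS\Tasks\Nightly Update.job"
- D:\WINDOWS\system32\wuauclt.exe
.
- - - - ORPHANS REMOVED - - - -
'''

if __name__ == "__main__":
    for job, target, reason in suspicious_tasks(SAMPLE_LOG):
        print(f"{job}: {target}  [{reason}]")
```

The edit-distance check is deliberately tight (distance 1) so that the genuine names never flag each other; it catches the svrhost, svhost, svshost, svhhost and lsasss spellings seen in this thread, while a name such as svchost32.exe needs the directory check or a reviewer's eye. Treat a hit as a reason to look at the file, not as proof of infection.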

#7
mlo356

mlo356

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK. Here is everything that you wanted me to do. I ran the files D:\WINDOWS\system32\fsxyomkg.dllbox, D:\WINDOWS\system32\websys.dll and D:\WINDOWS\system32\drivers\aecc.sys through Jotti's malware scan and all of them had the "OK STATUS" except for D:\WINDOWS\system32\drivers\aecc.sys. When I submitted this file, an error came up that said "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file". I tried removing Windows Firewall and still got the same error.

For the ComboFix step, I copy/pasted the code as you wrote it. I dragged it onto ComboFix and it did its thing, but on restart I didn't get a log file, so I ran it again immediately without dragging that code, and that log is posted below. If I was supposed to get a log, please let me know and I will try it again.

COMBOFIX

ComboFix 08-07-15.4 - X 2008-07-18 20:58:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.752 [GMT -4:00]
Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\180searchassistant\
D:\Program Files\HbTools\
D:\Program Files\Hotbar\
D:\Program Files\MyWebSearch\
D:\Program Files\newdotnet\
D:\Program Files\SideFind\
D:\Program Files\surfsidekick 3\
D:\Program Files\zango\
D:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
D:\Program Files\180searchassistant\
D:\Program Files\HbTools\
D:\Program Files\Hotbar\
D:\Program Files\MyWebSearch\
D:\Program Files\newdotnet\
D:\Program Files\SideFind\
D:\Program Files\surfsidekick 3\
D:\Program Files\zango\

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 21:03 . 2008-07-18 21:03 932 --------- D:\WINDOWS\system32\drivers\core.cache.dsk
2008-07-16 19:00 . 2008-07-16 19:00 <DIR> d-------- D:\Program Files\Netcom3 Cleaner
2008-07-16 16:20 . 2008-07-16 16:20 <DIR> d-------- D:\Program Files\Auralog
2008-07-16 16:20 . 1998-09-02 04:02 194,320 --a------ D:\WINDOWS\system32\qcut.dll
2008-07-16 16:20 . 1998-08-27 00:51 182,032 --a------ D:\WINDOWS\system32\dxtmsft3.dll
2008-07-16 16:20 . 1998-08-20 07:02 140,800 --a------ D:\WINDOWS\system32\tm20dec.ax
2008-07-16 16:20 . 1998-09-02 04:28 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
2008-07-16 16:20 . 1998-09-02 04:28 38,160 --a------ D:\WINDOWS\system32\LMRTREND.dll
2008-07-16 16:20 . 1998-08-17 05:21 11,776 --a------ D:\WINDOWS\system32\mciqtz.drv
2008-07-16 16:20 . 1998-08-17 05:21 10,240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20 . 1998-08-17 05:21 5,672 --a------ D:\WINDOWS\system32\quartz.vxd
2008-07-16 16:20 . 2008-07-16 16:20 4,608 --a------ D:\WINDOWS\system32\w95inf32.dll
2008-07-16 16:20 . 2008-07-16 16:20 2,272 --a------ D:\WINDOWS\system32\w95inf16.dll
2008-07-16 14:17 . 2008-07-16 14:17 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-16 14:12 . 2008-07-16 15:44 <DIR> d-------- D:\SDFix
2008-07-14 17:45 . 2008-07-14 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-14 17:10 . 2008-07-14 17:10 <DIR> d-------- D:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 01:19 --------- d-----w D:\Program Files\BitComet
2008-07-17 00:20 --------- d-----w D:\Program Files\Uniblue
2008-07-16 23:23 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-06 01:37 --------- d-----w D:\Program Files\Beat It
2008-06-23 20:21 --------- d-----w D:\Documents and Settings\X\Application Data\Vso
2008-06-09 02:27 --------- d-----w D:\Program Files\Absolute Poker
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-05 20:12 --------- d-----w D:\Program Files\XBC
2008-06-05 20:08 --------- d-----w D:\Program Files\Binaryfish
2008-06-05 19:46 --------- d-----w D:\Program Files\MagicDisc
2008-06-02 22:25 --------- d-----w D:\Program Files\PowerISO
2008-05-27 16:11 96,896 ----a-w D:\WINDOWS\system32\drivers\mcdbus.sys
2008-03-31 21:13 47,360 ----a-w D:\Documents and Settings\X\Application Data\pcouffin.sys
2006-06-28 16:51 0 ----a-w D:\Documents and Settings\X\Application Data\internaldb41.dat
2005-05-15 19:04 201 --sha-w D:\WINDOWS\system32\ntuser.dat
2005-05-11 13:53 2,179 --sha-w D:\WINDOWS\system32\websys.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]
"Uniblue SpyEraser"="D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-08 09:14 1260296]
"SpyClean"="D:\Program Files\Netcom3 Cleaner\SpyClean.exe" [2008-03-11 22:06 4505600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-13 22:47 180269]
"PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 19:50 233472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

D:\Documents and Settings\X\Start Menu\Programs\Startup\
MagicDisc.lnk - D:\Program Files\MagicDisc\MagicDisc.exe [2008-06-05 15:46:16 547840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= D:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= D:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
D:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 11:58 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-02-20 11:06 1443072 D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2005-02-22 08:55 1611488 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-24 23:24 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
--a------ 2008-01-23 15:47 847872 D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-13 22:47 180269 D:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-02-27 14:29 47104 D:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitComet\\BitComet.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26481:TCP"= 26481:TCP:BitComet 26481 TCP
"26481:UDP"= 26481:UDP:BitComet 26481 UDP
"1212:TCP"= 1212:TCP:BitComet 1212 TCP
"1212:UDP"= 1212:UDP:BitComet 1212 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-11-10 18:00]
R1 aecc;aecc;D:\WINDOWS\system32\drivers\aecc.sys [2008-03-03 21:16]
R1 Asapi;Asapi;D:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10:22]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S3 Netcom3;NetCom3 Service;D:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 19:36]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-19 01:03:13 D:\WINDOWS\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-17 07:00:00 D:\WINDOWS\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-18 15:07:35 D:\WINDOWS\Tasks\SpyHunter Scanner.job"
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-07-16 20:06:48 D:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-07-16 22:57:53 D:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 21:03:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\DOCUME~1\X\LOCALS~1\Temp\xml7.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-07-18 21:08:00 - machine was rebooted [X]
ComboFix-quarantined-files.txt 2008-07-19 01:07:57
ComboFix2.txt 2008-07-19 00:41:23
ComboFix3.txt 2008-07-16 20:10:29

Pre-Run: 740,777,984 bytes free
Post-Run: 727,011,328 bytes free

255

Finally, here is the latest HijackThis log

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:41 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
D:\Program Files\Nero\Nero 7\Core\nero.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SpyClean] D:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - D:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 9054 bytes


I hope this is everything, and thanks for the help. Hope we can resolve it.
  • 0

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please don't disable your Windows Firewall. It is highly inadvisable.


Please uninstall Netcom3 Cleaner from your computer..




1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
aecc
Netcom3

Rootkit::
D:\WINDOWS\system32\drivers\core.cache.dsk

File::
C:\Documents and Settings\user\Local Settings\Temp\xml7.tmp
D:\WINDOWS\system32\drivers\aecc.sys

Folder::
D:\Program Files\Netcom3 Cleaner

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
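A check worth running before handing a CFScript like the one above to a user, as an added example that is not part of the thread and not ComboFix's own code: it parses the script into its sections and cross-checks every path and driver name against the ComboFix log that was posted, flagging entries on a drive other than the one Windows runs from and names the log never mentions. The section format (a `Name::` header followed by one entry per line) is assumed from what the post shows, and the log excerpt is constructed from lines in this thread.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it was written from."""
import ntpath
import re

# Constructed sample: the CFScript posted above, as a raw string so the backslashes survive.
CFSCRIPT = r"""
KillAll::

Driver::
aecc
Netcom3

Rootkit::
D:\WINDOWS\system32\drivers\core.cache.dsk

File::
C:\Documents and Settings\user\Local Settings\Temp\xml7.tmp
D:\WINDOWS\system32\drivers\aecc.sys

Folder::
D:\Program Files\Netcom3 Cleaner
"""

# Constructed excerpt of the ComboFix log lines that mention the objects the script targets.
COMBOFIX_LOG_LINES = [
    r"Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe",
    r"D:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete",
    r"R1 aecc;aecc;D:\WINDOWS\system32\drivers\aecc.sys [2008-03-03 21:16]",
    r"S3 Netcom3;NetCom3 Service;D:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 19:36]",
    r"D:\DOCUME~1\X\LOCALS~1\Temp\xml7.tmp",
]

# Sections whose entries are file-system paths (assumed from the script's own contents).
PATH_SECTIONS = ("File", "Folder", "Rootkit")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a line ending in '::' opens a section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def system_drive(log_lines):
    """Take the drive letter (e.g. 'D:') from ComboFix's 'Running from:' line."""
    for line in log_lines:
        m = re.match(r"Running from:\s+([A-Za-z]:)", line)
        if m:
            return m.group(1).upper()
    return None


def check_script(sections, log_lines):
    """Return (severity, message) findings for entries that do not fit the log."""
    findings = []
    drive = system_drive(log_lines)
    log_text = "\n".join(log_lines)
    log_lower = log_text.lower()
    for section in PATH_SECTIONS:
        for path in sections.get(section, []):
            entry_drive = ntpath.splitdrive(path)[0].upper()
            if drive and entry_drive and entry_drive != drive:
                findings.append(("error", f"{section}:: {path} is on {entry_drive} "
                                          f"but Windows runs from {drive}"))
            # Compare on the last path component so 8.3 short names in the log still match.
            name = ntpath.basename(path).lower()
            if name not in log_lower:
                findings.append(("warn", f"{section}:: {path}: {name!r} never appears in the log"))
    for drv in sections.get("Driver", []):
        # Driver/service lines look like "R1 name;Display Name;path [date]".
        if not re.search(rf"^[RS]\d\s+{re.escape(drv)};", log_text, re.IGNORECASE | re.MULTILINE):
            findings.append(("warn", f"Driver:: {drv} has no matching service line in the log"))
    return findings


if __name__ == "__main__":
    for severity, message in check_script(parse_cfscript(CFSCRIPT), COMBOFIX_LOG_LINES):
        print(f"[{severity}] {message}")
```

On the sample above the only finding is the File:: entry on C:, which the log shows under D:\DOCUME~1\X\LOCALS~1 instead.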

#9
mlo356

mlo356

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello. OK, I uninstalled Netcom3 and ran the script through ComboFix. The results from ComboFix as well as a new HijackThis log are posted below. Thanks, and hope this will all be over soon LOL.


COMBOFIX


ComboFix 08-07-15.4 - X 2008-07-19 19:47:39.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.650 [GMT -4:00]
Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\X\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\user\Local Settings\Temp\xml7.tmp
D:\WINDOWS\system32\drivers\aecc.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\180searchassistant\
D:\Program Files\HbTools\
D:\Program Files\Hotbar\
D:\Program Files\MyWebSearch\
D:\Program Files\Netcom3 Cleaner
D:\Program Files\Netcom3 Cleaner\Backup\{B4D03B6D-5605-4B5C-9DC5-67040FC74F39}.rbk
D:\Program Files\Netcom3 Cleaner\Backup\{EC060FBE-D3EA-4F79-AA5E-E39B5922FFA6}.rbk
D:\Program Files\Netcom3 Cleaner\Logs\2008_07_16.log
D:\Program Files\Netcom3 Cleaner\Logs\2008_07_17.log
D:\Program Files\Netcom3 Cleaner\Logs\2008_07_18.log
D:\Program Files\Netcom3 Cleaner\Logs\2008_07_19.log
D:\Program Files\newdotnet\
D:\Program Files\SideFind\
D:\Program Files\surfsidekick 3\
D:\Program Files\zango\
D:\WINDOWS\BM8f6ed4a1.txt
D:\WINDOWS\cookies.ini
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\AHQXyyay.ini
D:\WINDOWS\system32\AHQXyyay.ini2
D:\WINDOWS\system32\drivers\aecc.sys
D:\WINDOWS\system32\drivers\core.cache.dsk
D:\WINDOWS\system32\hjqhgriu.ini
D:\WINDOWS\system32\pqmyalab.dll
D:\WINDOWS\system32\sierlhxy.dll
D:\WINDOWS\system32\uirghqjh.dll
D:\WINDOWS\system32\yayyXQHA.dll
D:\WINDOWS\system32\ywgase.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AECC
-------\Service_aecc
-------\Service_Netcom3


((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-19 00:48 . 2008-07-19 00:48 110,415 --a------ D:\WINDOWS\BM8f6ed4a1.xml
2008-07-19 00:42 . 2008-07-19 00:42 25,888 --a------ D:\WINDOWS\system32\urqNFwtt.dll
2008-07-19 00:42 . 2008-07-19 00:42 25,888 --a------ D:\WINDOWS\system32\iifgEtRI.dll
2008-07-16 16:20 . 2008-07-16 16:20 <DIR> d-------- D:\Program Files\Auralog
2008-07-16 16:20 . 1998-09-02 04:02 194,320 --a------ D:\WINDOWS\system32\qcut.dll
2008-07-16 16:20 . 1998-08-27 00:51 182,032 --a------ D:\WINDOWS\system32\dxtmsft3.dll
2008-07-16 16:20 . 1998-08-20 07:02 140,800 --a------ D:\WINDOWS\system32\tm20dec.ax
2008-07-16 16:20 . 1998-09-02 04:28 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
2008-07-16 16:20 . 1998-09-02 04:28 38,160 --a------ D:\WINDOWS\system32\LMRTREND.dll
2008-07-16 16:20 . 1998-08-17 05:21 11,776 --a------ D:\WINDOWS\system32\mciqtz.drv
2008-07-16 16:20 . 1998-08-17 05:21 10,240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20 . 1998-08-17 05:21 5,672 --a------ D:\WINDOWS\system32\quartz.vxd
2008-07-16 16:20 . 2008-07-16 16:20 4,608 --a------ D:\WINDOWS\system32\w95inf32.dll
2008-07-16 16:20 . 2008-07-16 16:20 2,272 --a------ D:\WINDOWS\system32\w95inf16.dll
2008-07-16 14:17 . 2008-07-16 14:17 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-16 14:12 . 2008-07-16 15:44 <DIR> d-------- D:\SDFix
2008-07-14 17:45 . 2008-07-14 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-14 17:10 . 2008-07-14 17:10 <DIR> d-------- D:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 01:19 --------- d-----w D:\Program Files\BitComet
2008-07-17 00:20 --------- d-----w D:\Program Files\Uniblue
2008-07-16 23:23 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-06 01:37 --------- d-----w D:\Program Files\Beat It
2008-06-23 20:21 --------- d-----w D:\Documents and Settings\X\Application Data\Vso
2008-06-09 02:27 --------- d-----w D:\Program Files\Absolute Poker
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-05 20:12 --------- d-----w D:\Program Files\XBC
2008-06-05 20:08 --------- d-----w D:\Program Files\Binaryfish
2008-06-05 19:46 --------- d-----w D:\Program Files\MagicDisc
2008-06-02 22:25 --------- d-----w D:\Program Files\PowerISO
2008-05-27 16:11 96,896 ----a-w D:\WINDOWS\system32\drivers\mcdbus.sys
2008-03-31 21:13 47,360 ----a-w D:\Documents and Settings\X\Application Data\pcouffin.sys
2006-06-28 16:51 0 ----a-w D:\Documents and Settings\X\Application Data\internaldb41.dat
2005-05-15 19:04 201 --sha-w D:\WINDOWS\system32\ntuser.dat
2005-05-11 13:53 2,179 --sha-w D:\WINDOWS\system32\websys.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE24F0ED-C471-4DE4-B073-B077DAC59994}]
2008-07-19 00:42 25888 --a------ D:\WINDOWS\system32\urqNFwtt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24F0ED-C471-4DE4-B073-B077DAC59994}"= "D:\WINDOWS\system32\urqNFwtt.dll" [2008-07-19 00:42 25888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNFwtt]
2008-07-19 00:42 25888 D:\WINDOWS\system32\urqNFwtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= D:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= D:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 D:\WINDOWS\system32\yayVmLeB

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
D:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8cbd05dc]
D:\WINDOWS\system32\uirghqjh.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 11:58 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f6ed4a1]
D:\WINDOWS\system32\pqmyalab.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 05:39 486856 D:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-02-20 11:06 1443072 D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 D:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2005-02-22 08:55 1611488 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 19:50 233472 D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-24 23:24 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
--a------ 2008-01-23 15:47 847872 D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-13 22:47 180269 D:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2008-01-08 09:14 1260296 D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-02-27 14:29 47104 D:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitComet\\BitComet.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26481:TCP"= 26481:TCP:BitComet 26481 TCP
"26481:UDP"= 26481:UDP:BitComet 26481 UDP
"1212:TCP"= 1212:TCP:BitComet 1212 TCP
"1212:UDP"= 1212:UDP:BitComet 1212 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-11-10 18:00]
R1 Asapi;Asapi;D:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10:22]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-07-19 23:53:28 D:\WINDOWS\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-17 07:00:00 D:\WINDOWS\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-19 12:48:55 D:\WINDOWS\Tasks\SpyHunter Scanner.job"
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-07-16 20:06:48 D:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-07-16 22:57:53 D:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BM8f6ed4a1 - D:\WINDOWS\system32\pqmyalab.dll
MSConfigStartUp-SpyClean - D:\Program Files\Netcom3 Cleaner\SpyClean.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 19:54:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\urqNFwtt.dll

PROCESS: D:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\SAMLIB.dll
-> D:\WINDOWS\system32\yayVmLeB.dll
-> ?:\WINDOWS\system32\SXS.DLL
-> ?:\WINDOWS\system32\SXS.DLL
-> ?:\WINDOWS\system32\SXS.DLL
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-19 19:55:57 - machine was rebooted [X]
ComboFix-quarantined-files.txt 2008-07-19 23:55:45
ComboFix2.txt 2008-07-19 01:08:01
ComboFix3.txt 2008-07-19 00:41:23
ComboFix4.txt 2008-07-16 20:10:29

Pre-Run: 853,766,144 bytes free
Post-Run: 875,520,000 bytes free

301



HIJACK THIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:26 PM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O4 - HKLM\..\Run: [BM8f6ed4a1] Rundll32.exe "D:\WINDOWS\system32\yppmfamj.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 7567 bytes

Edited by mlo356, 19 July 2008 - 06:01 PM.


#10
fenzodahl512

  • Malware Removal
  • 9,863 posts
Somehow you have new infections. Let's do this.


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
D:\WINDOWS\BM8f6ed4a1.xml
D:\WINDOWS\system32\urqNFwtt.dll
D:\WINDOWS\system32\iifgEtRI.dll
D:\WINDOWS\system32\uirghqjh.dll
D:\WINDOWS\system32\pqmyalab.dll
D:\WINDOWS\system32\yayVmLeB.dll
D:\WINDOWS\system32\yppmfamj.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f6ed4a1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8cbd05dc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNFwtt]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE24F0ED-C471-4DE4-B073-B077DAC59994}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24F0ED-C471-4DE4-B073-B077DAC59994}"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 20 July 2008 - 02:27 AM.

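A small triage script, added here as an example and not part of the thread, of ComboFix or of the helper's instructions: given the text of a CFScript and the ComboFix log from the run it triggered, it reports which File:: targets the log confirms as deleted, which it does not mention, and whether any Run-key value still points at a file that was deleted. Both sample inputs are constructed from entries quoted in this thread; the section banners it looks for ("Other Deletions", "Reg Loading Points") are the strings as they appear in the logs above, and the line-matching is my own heuristic, not a ComboFix format specification.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the CFScript posted above (File:: and Registry:: only).
SAMPLE_CFSCRIPT = r"""KillAll::

File::
D:\WINDOWS\BM8f6ed4a1.xml
D:\WINDOWS\system32\urqNFwtt.dll
D:\WINDOWS\system32\iifgEtRI.dll
D:\WINDOWS\system32\uirghqjh.dll
D:\WINDOWS\system32\pqmyalab.dll
D:\WINDOWS\system32\yayVmLeB.dll
D:\WINDOWS\system32\yppmfamj.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f6ed4a1]
"""

# Constructed sample: excerpts of the ComboFix log produced by that run.
SAMPLE_LOG = r"""((((((((((((((( Other Deletions )))))))))))))))
.

D:\WINDOWS\BM8f6ed4a1.xml
D:\WINDOWS\system32\iifgEtRI.dll
D:\WINDOWS\system32\pqgvjxhr.dll
D:\WINDOWS\system32\qkdcxfsh.dll
D:\WINDOWS\system32\urqNFwtt.dll
D:\WINDOWS\system32\yayVmLeB.dll
D:\WINDOWS\system32\yppmfamj.dll

.
((((((((((((((( Reg Loading Points )))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM8f6ed4a1"="D:\WINDOWS\system32\qkdcxfsh.dll" [BU]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-13 22:47 180269]
"""

BANNER_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+\s*$")   # ((( Section )))
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")                          # absolute Windows path
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')   # "Name"="path" [...]


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Directive::' sections (KillAll, File, Registry, ...)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def log_sections(log: str) -> Dict[str, List[str]]:
    """Group ComboFix log lines under the '((( Name )))' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in log.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line.strip())
    return sections


def deleted_paths(log: str) -> set:
    """Paths reported under 'Other Deletions', lower-cased because NTFS paths are case-insensitive."""
    return {ln.lower() for ln in log_sections(log).get("Other Deletions", []) if PATH_RE.match(ln)}


def run_values(log: str) -> List[Tuple[str, str]]:
    """(value name, target path) for every value under a ...\\CurrentVersion\\Run key."""
    out, key = [], ""
    for line in log_sections(log).get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key.endswith(r"\currentversion\run"):
            m = VALUE_RE.match(line)
            if m:
                out.append((m.group("name"), m.group("path")))
    return out


def triage(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Compare what the script asked for with what the log says actually happened."""
    wanted = parse_cfscript(cfscript).get("File", [])
    deleted = deleted_paths(log)
    return {
        # File:: targets the log confirms as deleted
        "confirmed": [p for p in wanted if p.lower() in deleted],
        # File:: targets not listed: already gone before the run, or still present and worth re-checking
        "unconfirmed": [p for p in wanted if p.lower() not in deleted],
        # Run values whose target was deleted but whose registry entry survived the run
        "dangling_autostarts": [f"{n} -> {p}" for n, p in run_values(log) if p.lower() in deleted],
    }


if __name__ == "__main__":
    for label, items in triage(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{label}:")
        for item in items:
            print(f"  {item}")
```

On the constructed sample the dangling entry is the BM8f6ed4a1 Run value pointing at qkdcxfsh.dll, which the same log lists as deleted: the loader DLL was rotated to a new random name between runs and the autostart value outlived its target, which is the kind of leftover a reviewer wants to spot before declaring the machine clean.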


#11
mlo356

    Member

  • Topic Starter
  • Member
  • 16 posts
OK, here is the new ComboFix and HijackThis file. Thanks.

COMBOFIX


ComboFix 08-07-15.4 - X 2008-07-20 8:44:58.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -4:00]
Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\X\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\WINDOWS\BM8f6ed4a1.xml
D:\WINDOWS\system32\iifgEtRI.dll
D:\WINDOWS\system32\pqmyalab.dll
D:\WINDOWS\system32\uirghqjh.dll
D:\WINDOWS\system32\urqNFwtt.dll
D:\WINDOWS\system32\yayVmLeB.dll
D:\WINDOWS\system32\yppmfamj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\180searchassistant\
D:\Program Files\HbTools\
D:\Program Files\Hotbar\
D:\Program Files\MyWebSearch\
D:\Program Files\newdotnet\
D:\Program Files\SideFind\
D:\Program Files\surfsidekick 3\
D:\Program Files\zango\
D:\WINDOWS\BM8f6ed4a1.xml
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\BeLmVyay.ini
D:\WINDOWS\system32\BeLmVyay.ini2
D:\WINDOWS\system32\elgstble.dll
D:\WINDOWS\system32\gaxsfr.dll
D:\WINDOWS\system32\iifgEtRI.dll
D:\WINDOWS\system32\pqgvjxhr.dll
D:\WINDOWS\system32\qkdcxfsh.dll
D:\WINDOWS\system32\rhxjvgqp.ini
D:\WINDOWS\system32\urqNFwtt.dll
D:\WINDOWS\system32\yayVmLeB.dll
D:\WINDOWS\system32\yppmfamj.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-16 16:20 . 2008-07-16 16:20 <DIR> d-------- D:\Program Files\Auralog
2008-07-16 16:20 . 1998-09-02 04:02 194,320 --a------ D:\WINDOWS\system32\qcut.dll
2008-07-16 16:20 . 1998-08-27 00:51 182,032 --a------ D:\WINDOWS\system32\dxtmsft3.dll
2008-07-16 16:20 . 1998-08-20 07:02 140,800 --a------ D:\WINDOWS\system32\tm20dec.ax
2008-07-16 16:20 . 1998-09-02 04:28 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
2008-07-16 16:20 . 1998-09-02 04:28 38,160 --a------ D:\WINDOWS\system32\LMRTREND.dll
2008-07-16 16:20 . 1998-08-17 05:21 11,776 --a------ D:\WINDOWS\system32\mciqtz.drv
2008-07-16 16:20 . 1998-08-17 05:21 10,240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20 . 1998-08-17 05:21 5,672 --a------ D:\WINDOWS\system32\quartz.vxd
2008-07-16 16:20 . 2008-07-16 16:20 4,608 --a------ D:\WINDOWS\system32\w95inf32.dll
2008-07-16 16:20 . 2008-07-16 16:20 2,272 --a------ D:\WINDOWS\system32\w95inf16.dll
2008-07-16 14:17 . 2008-07-16 14:17 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-16 14:12 . 2008-07-16 15:44 <DIR> d-------- D:\SDFix
2008-07-14 17:45 . 2008-07-14 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-14 17:10 . 2008-07-14 17:10 <DIR> d-------- D:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 01:19 --------- d-----w D:\Program Files\BitComet
2008-07-17 00:20 --------- d-----w D:\Program Files\Uniblue
2008-07-16 23:23 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-06 01:37 --------- d-----w D:\Program Files\Beat It
2008-06-23 20:21 --------- d-----w D:\Documents and Settings\X\Application Data\Vso
2008-06-09 02:27 --------- d-----w D:\Program Files\Absolute Poker
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-05 20:12 --------- d-----w D:\Program Files\XBC
2008-06-05 20:08 --------- d-----w D:\Program Files\Binaryfish
2008-06-05 19:46 --------- d-----w D:\Program Files\MagicDisc
2008-06-02 22:25 --------- d-----w D:\Program Files\PowerISO
2008-05-27 16:11 96,896 ----a-w D:\WINDOWS\system32\drivers\mcdbus.sys
2008-03-31 21:13 47,360 ----a-w D:\Documents and Settings\X\Application Data\pcouffin.sys
2006-06-28 16:51 0 ----a-w D:\Documents and Settings\X\Application Data\internaldb41.dat
2005-05-15 19:04 201 --sha-w D:\WINDOWS\system32\ntuser.dat
2005-05-11 13:53 2,179 --sha-w D:\WINDOWS\system32\websys.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM8f6ed4a1"="D:\WINDOWS\system32\qkdcxfsh.dll" [BU]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-13 22:47 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= D:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= D:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
D:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 11:58 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 05:39 486856 D:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-02-20 11:06 1443072 D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 D:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2005-02-22 08:55 1611488 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 19:50 233472 D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-24 23:24 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
--a------ 2008-01-23 15:47 847872 D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-13 22:47 180269 D:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2008-01-08 09:14 1260296 D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-02-27 14:29 47104 D:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitComet\\BitComet.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26481:TCP"= 26481:TCP:BitComet 26481 TCP
"26481:UDP"= 26481:UDP:BitComet 26481 UDP
"1212:TCP"= 1212:TCP:BitComet 1212 TCP
"1212:UDP"= 1212:UDP:BitComet 1212 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-11-10 18:00]
R1 Asapi;Asapi;D:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10:22]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 12:49:32 D:\WINDOWS\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-17 07:00:00 D:\WINDOWS\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-07-20 12:40:17 D:\WINDOWS\Tasks\SpyHunter Scanner.job"
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-07-16 20:06:48 D:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-07-16 22:57:53 D:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-8cbd05dc - D:\WINDOWS\system32\pqgvjxhr.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 08:49:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-20 8:54:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 12:54:07
ComboFix2.txt 2008-07-19 23:55:59
ComboFix3.txt 2008-07-19 01:08:01
ComboFix4.txt 2008-07-19 00:41:23
ComboFix5.txt 2008-07-20 12:43:39

Pre-Run: 858,775,552 bytes free
Post-Run: 844,193,792 bytes free

271


HIJACK THIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:40 AM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BM8f6ed4a1] Rundll32.exe "D:\WINDOWS\system32\qkdcxfsh.dll",s
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 8134 bytes

Edited by mlo356, 20 July 2008 - 07:00 AM.


#12 fenzodahl512 (Malware Removal)
Please temporarily disable the following programs prior to our fix. Please re-enable them after performing all the steps given.

1. Spybot S&D
2. NOD Antivirus

Please visit HERE if you do not know how.




NEXT


Please go to Start >> Run >> Copy/Paste command below >> Press Enter

REGEDIT /E "%USERPROFILE%\Desktop\result.txt" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

A new text file, result.txt, will be created on your Desktop. Please post its contents in your next reply.




NEXT


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    D:\WINDOWS\system32\qkdcxfsh.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM8f6ed4a1
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click the dss.exe icon and choose Run as Administrator.



Please post the following logs in your next reply. Please post each log in a separate post.

1. result.txt
2. OTMoveIt2
3. Malwarebytes
4. Deckard System Scanner (both main.txt and extra.txt)


Regards
fenzodahl512

#13 mlo356 (Topic Starter)
OK. I have finished everything from the last post. During the last step, when I had to run dss.exe, I only had a "main" Notepad file pop up and not the "extra". Everything is posted below; if you want me to keep trying for the "extra" I can, and also, my popups are gone. THANKS A MILLION, this has been irking me for a while. I really do appreciate the help; I couldn't have done it without you. If there is still some disinfecting to do, I'm all for it. If not, I just had a few more questions, like what type of virus protection and malware/spyware/adware protection do you recommend? But anyhow, here are the results. THANKS AGAIN :)

RESULTS.EXE


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="axcmd"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Alcohol Soft\\Alcohol 120\\axcmd.exe\" /automount"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwinrqez"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="D:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\DAEMON Tools Lite\\daemon.exe\" -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrc_2"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="egui"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe\" /hide /waitservice"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="JavaCore"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avp"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdc_2"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oabdvw"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="D:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NoDNS"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oabdvw"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nvcoi"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="D:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cmd"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mrofinu572"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SDTrayApp"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ycnsyw"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyHunter3"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CLIStart"
"hkey"="HKLM"
"command"="D:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyEraser"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Uniblue\\SpyEraser\\SpyEraser.exe\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VVSN"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="JVAW~1"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pqdsregm"
"hkey"="HKLM"
"inimapping"="0"

MOVE IT

Explorer killed successfully
File/Folder D:\WINDOWS\system32\qkdcxfsh.dll not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM8f6ed4a1 >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM8f6ed4a1 deleted successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07212008_192716


Malwarebytes


Malwarebytes' Anti-Malware 1.22
Database version: 977
Windows 5.1.2600 Service Pack 2

1:08:22 AM 7/22/2008
mbam-log-7-22-2008 (01-08-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|K:\|L:\|)
Objects scanned: 373023
Time elapsed: 5 hour(s), 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 47

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\River Past Video Cleaner Pro (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Deckard\System Scanner\20080714174632\backup\DOCUME~1\X\LOCALS~1\Temp\5C4B.tmp (Trojan.Madcode) -> Quarantined and deleted successfully.
D:\Deckard\System Scanner\20080714174632\backup\DOCUME~1\X\LOCALS~1\Temp\winvsnet.exe (Rogue.Installer) -> Quarantined and deleted successfully.
D:\mcd\rootkit detection & prevention\NeoavaB2.exe (Rogue.Installer) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\BluetoothAuthorizationAgent.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\s7\gbsu011.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\k8\ravecom3.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP124\A0018479.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP124\A0018517.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\Music-Vid Programs\Fruity Loops (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\Music-Vid Programs\ImToo DVD RIPPER (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\Music-Vid Programs\SONY Acid Pro 5.0c \SONY ACID Pro 5.0 (90.2MB (12 August 2005) (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\Music-Vid Programs\SONY Acid Pro 5.0c \SONY Sound Forge 8.0 (40.5MB) (12 August 2005) (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\Music-Vid Programs\SONY ACID Pro 5.0c (90.2MB (12 August 2005)\keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\Programs\WinRAR (Trojan.Agent) -> Quarantined and deleted successfully.
K:\Programs\Clone DVD (Trojan.Downloader) -> Quarantined and deleted successfully.
K:\RECYCLER\S-1-5-21-3960784808-249451443-1462143556-1003\Dd14\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
L:\Downloads\WinRAR.v3.70.I\ (Trojan.Agent) -> Quarantined and deleted successfully.
L:\RECYCLER\S-1-5-21-3960784808-249451443-1462143556-1003\Dd14\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
L:\Music-Vid Programs\Fruity Loops\Tascam GigaStudio (Trojan.Downloader) -> Quarantined and deleted successfully.
L:\Music-Vid Programs\ImToo DVD RIPPER\Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
L:\Muzic\River Past Video Cleaner Pro v6.5.1 (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\winsys.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\csrss.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\skybot.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\windll.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iexplorer.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\svshost.exe (Worm.SDbot) -> Quarantined and deleted successfully.
D:\WINDOWS\BM8f6ed4a1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\services.exe (Backdoor.ProRat) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ClickToFindandFixErrors_2.ico (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ClickToFindandFixErrors_4.ico (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\c3.dll (Rootkit.Haxdor) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\boot32.sys (Rootkit.Haxdor) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\c3.sys (Rootkit.Haxdor) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\c4.sys (Rootkit.Haxdor) -> Quarantined and deleted successfully.
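Added example (not part of the thread, and not the helper's or OTMoveIt2's code): a Python script that parses a `REGEDIT /E` export in the same format as the result.txt posted above and lists the startupreg subkeys that record no command line and are not on a vetted list, rendered as the key paths an OTMoveIt2 move list takes. SAMPLE_REG is a constructed excerpt modelled on a few of the entries above, and KNOWN_GOOD is an assumed, hand-vetted list of subkey names, not a maintained allowlist.

```python
"""Triage a `REGEDIT /E` export of the msconfig startupreg key.

Added example, not code from the thread. It parses the .reg text format
that `REGEDIT /E` writes and lists subkeys that hold no command line and
are not on a vetted list. KEY_PREFIX is the key exported above; KNOWN_GOOD
and SAMPLE_REG are this example's own assumptions.
"""
import re

KEY_PREFIX = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Constructed excerpt in the format `REGEDIT /E` writes: values use \\ for
# a backslash and \" for a double quote, and an "item" with no "command"
# value gives no hint of what would run if it were re-enabled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="egui"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe\" /hide /waitservice"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oabdvw"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pqdsregm"
"hkey"="HKLM"
"inimapping"="0"
'''

# Assumption: subkey names the analyst has already matched to installed products.
KNOWN_GOOD = {"egui", "avgnt", "kav", "SDTray", "ctfmon.exe"}

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(value):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_reg_export(text):
    """Return {subkey: {value_name: value}} for each subkey under KEY_PREFIX."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(KEY_PREFIX.lower() + "\\"):
                current = path[len(KEY_PREFIX) + 1:]
                entries[current] = {}
            else:
                current = None  # the parent key itself, or an unrelated key
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = unescape_reg(m.group(2))
    return entries


def flag_startup_entries(text):
    """Subkeys with no recorded command line whose name is not vetted.

    With no command recorded there is nothing to say what would run if the
    item were re-enabled, so these are candidates for removal, not restore.
    """
    return [name for name, vals in parse_reg_export(text).items()
            if name not in KNOWN_GOOD and not vals.get("command")]


def otmoveit_lines(names):
    """Full key paths in the form an OTMoveIt2 move list takes."""
    return [KEY_PREFIX + "\\" + name for name in names]


if __name__ == "__main__":
    for line in otmoveit_lines(flag_startup_entries(SAMPLE_REG)):
        print(line)
```

Run against the sample it prints the key paths for kolvw and {D0-05-57-73-ZN}; avgnt, which also lacks a command value, stays off the list only because it is in KNOWN_GOOD. The judgement lives in that vetted list, so an analyst reviews every name before putting it there.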

#14 fenzodahl512 (Malware Removal)
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}
    D:\Program Files\180searchassistant
    D:\Program Files\HbTools
    D:\Program Files\Hotbar
    D:\Program Files\MyWebSearch
    D:\Program Files\newdotnet
    D:\Program Files\SideFind
    D:\Program Files\surfsidekick 3
    D:\Program Files\zango
    D:\WINDOWS\system32\svrhost.exe
    D:\WINDOWS\Tasks\At??.job
    D:\WINDOWS\lsasss.exe
    D:\WINDOWS\system32\bootconf.exe
    D:\WINDOWS\system32\internet.exe
    D:\WINDOWS\system32\msupdate.exe
    D:\WINDOWS\system32\remote.exe
    D:\WINDOWS\system32\scrigz.exe
    D:\WINDOWS\system32\svhost.exe
    D:\WINDOWS\system32\taskgmr.exe
    D:\WINDOWS\system32\update.exe
    D:\WINDOWS\system32\win32.exe
    D:\WINDOWS\system32\windowz.exe
    D:\WINDOWS\winserv.exe
    D:\WINDOWS\system32\winxp.exe
    D:\WINDOWS\pskt.ini
    D:\WINDOWS\pss\PowerReg Scheduler V3.exe
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please post the following logs in your next reply:

1. OTMoveIt2
2. SUPERAntiSpyware
3. And don't forget a fresh DSS log (after the SUPERAntiSpyware step). You forgot to post the DSS log last time.


Regards
fenzodahl512

Edited by fenzodahl512, 22 July 2008 - 05:27 AM.

  • 0

#15
mlo356

  • Topic Starter
  • Member
  • 16 posts
OK. Sorry about the DSS file. Here is everything you asked me to do from the last post. Thanks!

MOVEIT


Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kolvw\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrfuvu\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwup\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yavaeev\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D0-05-57-73-ZN}\\ deleted successfully.
D:\Program Files\180searchassistant moved successfully.
D:\Program Files\HbTools moved successfully.
D:\Program Files\Hotbar moved successfully.
D:\Program Files\MyWebSearch moved successfully.
D:\Program Files\newdotnet moved successfully.
D:\Program Files\SideFind moved successfully.
D:\Program Files\surfsidekick 3 moved successfully.
D:\Program Files\zango moved successfully.
File/Folder D:\WINDOWS\system32\svrhost.exe not found.
< D:\WINDOWS\Tasks\At??.job >
File/Folder D:\WINDOWS\Tasks\At??.job not found.
D:\WINDOWS\lsasss.exe moved successfully.
D:\WINDOWS\system32\bootconf.exe moved successfully.
D:\WINDOWS\system32\internet.exe moved successfully.
D:\WINDOWS\system32\msupdate.exe moved successfully.
D:\WINDOWS\system32\remote.exe moved successfully.
D:\WINDOWS\system32\scrigz.exe moved successfully.
D:\WINDOWS\system32\svhost.exe moved successfully.
D:\WINDOWS\system32\taskgmr.exe moved successfully.
D:\WINDOWS\system32\update.exe moved successfully.
D:\WINDOWS\system32\win32.exe moved successfully.
D:\WINDOWS\system32\windowz.exe moved successfully.
D:\WINDOWS\winserv.exe moved successfully.
D:\WINDOWS\system32\winxp.exe moved successfully.
File/Folder D:\WINDOWS\pskt.ini not found.
File/Folder D:\WINDOWS\pss\PowerReg Scheduler V3.exe not found.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_183735


SUPERANTISPYWARE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2008 at 06:47 PM

Application Version : 4.15.1000

Core Rules Database Version : 3511
Trace Rules Database Version: 1502

Scan type : Complete Scan
Total Scan Time : 00:04:40

Memory items scanned : 363
Memory threats detected : 0
Registry items scanned : 7321
Registry threats detected : 2
File items scanned : 66
File threats detected : 7

Adware.Apropos Media
D:\Program Files\Aprps

Adware.SpywareStrike
D:\Program Files\SpywareStrike

Adware.WhenU
D:\Program Files\Save

Adware.180solutions/ZangoSearch
D:\Program Files\Zango Programs

Spyware.WebSearch (WinTools/Huntbar)
D:\Program Files\Common Files\WinTools

Adware.WebNexus
D:\WINDOWS\wupdt.exe

Adware.Elite Media
D:\WINDOWS\etb

Rogue.Netcom3/SpyClean
HKU\S-1-5-21-789336058-1960408961-839522115-1003\Software\Netcom3 Cleaner
HKU\S-1-5-21-789336058-1960408961-839522115-1003\Software\SpyClean



DSS

Deckard's System Scanner v20071014.68
Run by X on 2008-07-22 18:53:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive D: has 0.66 GiB (less than 15%) free.


-- HijackThis (run as X.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:42 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\X\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\X.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 8313 bytes

-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 18:39:49 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-22 18:39:37 0 d-------- D:\Program Files\SUPERAntiSpyware
2008-07-22 18:39:37 0 d-------- D:\Documents and Settings\X\Application Data\SUPERAntiSpyware.com
2008-07-21 19:28:41 0 d-------- D:\Documents and Settings\X\Application Data\Malwarebytes
2008-07-21 19:28:38 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 19:28:37 0 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 16:20:45 38160 --a------ D:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-16 16:20:44 182032 --a------ D:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-16 16:20:41 63488 --a------ D:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-07-16 16:20:39 10240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20:39 194320 --a------ D:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-07-16 16:20:38 4608 --a------ D:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-07-16 16:20:38 2272 --a------ D:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-07-16 16:20:24 0 d-------- D:\Program Files\Auralog
2008-07-16 15:54:23 68096 --a------ D:\WINDOWS\zip.exe
2008-07-16 15:54:23 49152 --a------ D:\WINDOWS\VFind.exe
2008-07-16 15:54:23 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-16 15:54:23 136704 --a------ D:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-16 15:54:23 161792 --a------ D:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-16 15:54:23 98816 --a------ D:\WINDOWS\sed.exe
2008-07-16 15:54:23 80412 --a------ D:\WINDOWS\grep.exe
2008-07-16 15:54:23 89504 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-16 15:50:30 0 d-------- D:\WINDOWS\setup.pss
2008-07-16 15:50:15 0 d-------- D:\WINDOWS\setupupd
2008-07-16 14:17:13 0 d-------- D:\WINDOWS\ERUNT
2008-07-14 17:45:46 0 d-------- D:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-22 18:39:10 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 20:20:52 0 d-------- D:\Program Files\Uniblue
2008-07-16 19:23:11 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-07-16 16:03:00 0 d-------- D:\Program Files\Common Files
2008-07-05 21:37:09 0 d-------- D:\Program Files\Beat It
2008-06-23 16:21:16 0 d-------- D:\Documents and Settings\X\Application Data\Vso
2008-06-08 22:27:46 0 d-------- D:\Program Files\Absolute Poker
2008-06-05 16:13:56 0 d-------- D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 16:12:52 0 d-------- D:\Program Files\XBC
2008-06-05 16:08:23 0 d-------- D:\Program Files\Binaryfish
2008-06-05 15:46:25 0 d-------- D:\Program Files\MagicDisc
2008-06-02 18:25:53 0 d-------- D:\Program Files\PowerISO
2008-05-09 23:55:57 2508 --a------ D:\Documents and Settings\X\Application Data\$_hpcst$.hpc
2008-05-04 13:11:21 33 --a------ D:\Documents and Settings\X\Application Data\install.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/13/2006 10:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/03/2004 09:56 PM]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"D:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
"D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-07-22 18:54:01 ------------

Hope this helps. Thanks.
  • 0
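The OTMoveIt2 log posted above reports each submitted item as deleted, moved, or not found, and a helper reading it has to check by eye that every line of the original list was accounted for. The Python below is an added example, not part of this thread and not OTMoveIt2's own code: it parses a constructed log in the same format and reconciles it against a constructed copy of the submitted list, so that items reported "not found" (or never mentioned at all) stand out for follow-up. All sample data, the REQUESTED list and the function names are assumptions made for the example.

```python
import re

# Constructed sample of a submitted OTMoveIt2 list, in the same shape as the
# list in the thread: registry keys and paths to move, one per line, followed
# by the EmptyTemp, purity and [start explorer] directives.
REQUESTED = [
    r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender",
    r"D:\WINDOWS\system32\svrhost.exe",
    r"D:\WINDOWS\Tasks\At??.job",
    r"D:\WINDOWS\system32\win32.exe",
    r"D:\WINDOWS\pskt.ini",
    "EmptyTemp",
    "purity",
    "[start explorer]",
]

# Constructed sample result log mirroring the format OTMoveIt2 writes. The line
# for pskt.ini is deliberately left out so the reconciliation has something to
# report as unaccounted for.
SAMPLE_LOG = r"""
Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender\\ deleted successfully.
File/Folder D:\WINDOWS\system32\svrhost.exe not found.
< D:\WINDOWS\Tasks\At??.job >
File/Folder D:\WINDOWS\Tasks\At??.job not found.
D:\WINDOWS\system32\win32.exe moved successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_183735
"""

# One regex per result line type OTMoveIt2 emits.
_REG_DELETED = re.compile(r"^Registry key (.+?)\s+deleted successfully\.$")
_NOT_FOUND = re.compile(r"^File/Folder (.+?) not found\.$")
_MOVED = re.compile(r"^(.+?) moved successfully\.$")
_ECHO = re.compile(r"^< (.+) >$")


def parse_otmoveit_log(text):
    """Sort the lines of an OTMoveIt2 log into what was deleted, moved,
    not found, merely echoed back, or informational."""
    result = {"reg_deleted": [], "moved": [], "not_found": [],
              "echoed": [], "info": [], "explorer_started": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _REG_DELETED.match(line):
            # OTMoveIt2 prints the key with trailing backslashes; drop them
            # so the key compares equal to the one that was requested.
            result["reg_deleted"].append(m.group(1).rstrip("\\"))
        elif m := _NOT_FOUND.match(line):
            result["not_found"].append(m.group(1))
        elif m := _MOVED.match(line):
            result["moved"].append(m.group(1))
        elif m := _ECHO.match(line):
            result["echoed"].append(m.group(1))
        elif line == "Explorer started successfully":
            result["explorer_started"] = True
        else:
            result["info"].append(line)
    return result


def reconcile(requested, log_text):
    """Classify each requested item as actioned, not found, or unaccounted
    for (never mentioned in the log). Matching is case-insensitive because
    Windows paths and registry keys are."""
    parsed = parse_otmoveit_log(log_text)
    actioned = {x.lower() for x in parsed["reg_deleted"] + parsed["moved"]}
    missing = {x.lower() for x in parsed["not_found"]}
    echoed = {x.lower() for x in parsed["echoed"]}
    report = {"actioned": [], "not_found": [], "unaccounted": []}
    for item in requested:
        key = item.lower()
        if key in actioned:
            report["actioned"].append(item)
        elif key in missing:
            report["not_found"].append(item)
        elif item == "[start explorer]":
            bucket = "actioned" if parsed["explorer_started"] else "unaccounted"
            report[bucket].append(item)
        elif key in echoed:
            # Directives such as EmptyTemp and purity are only echoed back.
            report["actioned"].append(item)
        else:
            report["unaccounted"].append(item)
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(REQUESTED, SAMPLE_LOG).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

A "not found" result is not the same as "removed": it can mean the file was already cleaned up by an earlier tool, that the path was mistyped, or that the file is being hidden from the tool, so a file that an earlier running-process list showed as live is worth confirming against the fresh scan log rather than assuming it is gone. Items in the unaccounted bucket should be re-submitted, since the log gives no evidence they were ever processed.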