IE explorer popups will not go away (Malware) [CLOSED] [RESOLVED]



#16
fenzodahl512

  • Malware Removal
  • 9,863 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    D:\Program Files\Aprps
    D:\Program Files\SpywareStrike
    D:\Program Files\Save
    D:\Program Files\Zango Programs
    D:\Program Files\Common Files\WinTools
    D:\WINDOWS\wupdt.exe
    D:\WINDOWS\etb
    HKU\S-1-5-21-789336058-1960408961-839522115-1003\Software\Netcom3 Cleaner
    HKU\S-1-5-21-789336058-1960408961-839522115-1003\Software\SpyClean
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.





NEXT


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please post the following logs here..

1. OTMoveIt2
2. Kaspersky Webscanner
3. Tell me about your computer behaviour


Regards
fenzodahl512
  • 0



#17
mlo356

  • Topic Starter
  • Member
  • 16 posts
Hi. Sorry it took so long to reply, but I couldn't and still can't get the Kaspersky scan to work. When the page comes up, I click Accept and nothing happens. I've been trying for like 2 days now. I tried to find an alternative route but nothing, but here is the MoveIt file below. My computer is running great. I haven't seen a popup in about a week now. THANKS A TON. EVERYTHING seems to be normal again. I appreciate the help from you and I hope I may be able to help someone in the future because I have learned a lot. I just had a few more questions, like what type of virus protection and malware/spyware/adware protection do you recommend? THANK YOU VERY MUCH :)


MOVE IT


Explorer killed successfully
File/Folder D:\Program Files\Aprps not found.
File/Folder D:\Program Files\SpywareStrike not found.
File/Folder D:\Program Files\Save not found.
File/Folder D:\Program Files\Zango Programs not found.
File/Folder D:\Program Files\Common Files\WinTools not found.
File/Folder D:\WINDOWS\wupdt.exe not found.
File/Folder D:\WINDOWS\etb not found.
< HKU\S-1-5-21-789336058-1960408961-839522115-1003\Software\Netcom3 Cleaner >
Registry key HKEY_USERS\S-1-5-21-789336058-1960408961-839522115-1003\Software\Netcom3 Cleaner\\ not found.
< HKU\S-1-5-21-789336058-1960408961-839522115-1003\Software\SpyClean >
Registry key HKEY_USERS\S-1-5-21-789336058-1960408961-839522115-1003\Software\SpyClean\\ not found.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_100443
  • 0

#18
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok... Let's do this...


Let's run F-Secure online scan for Viruses, Spyware and RootKits:
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient




Then please also include a fresh DSS log (after F-Secure step) in your next reply..


Regards
fenzodahl512



----------------------------



I just had a few more questions, like what type of virus protection and malware/spyware/adware protection do you recommend? THANK YOU VERY MUCH



Keep Malwarebytes' and your NOD32.. I'll introduce you to a firewall after all of this is done :)

Edited by fenzodahl512, 25 July 2008 - 08:21 AM.

  • 0

#19
fenzodahl512

  • Malware Removal
  • 9,863 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#20
fenzodahl512

  • Malware Removal
  • 9,863 posts
User returned...


Please post a fresh DSS log for my review..
  • 0

#21
mlo356

  • Topic Starter
  • Member
  • 16 posts
Thanks for reopening. Here is the DSS log.

DSS

Deckard's System Scanner v20071014.68
Run by X on 2008-08-01 18:03:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive D: has 0.32 GiB (less than 15%) free.


-- HijackThis (run as X.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:03: VIRUS ALERT!, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\Documents and Settings\X\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\X.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: {e4791cdc-2d76-b128-4ac4-92a47f7712e3} - {3e2177f7-4a29-4ca4-821b-67d2cdc1974e} - D:\WINDOWS\system32\etgnqz.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E5646F36-145E-4F1D-B6D1-87C5EFC5BA1C} - D:\WINDOWS\system32\hgGaayAr.dll
O2 - BHO: (no name) - {ECEC2691-4DAD-4A2C-AAE7-A2C9EC2E5448} - D:\WINDOWS\system32\cbXrsSkI.dll
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS8\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS9\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS10\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd.dll,D:\PROGRA~1\KASPER~1\KASPER~2\adialhk.dll,D:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgGaayAr - D:\WINDOWS\SYSTEM32\hgGaayAr.dll
O21 - SSODL: wnslvxtf - {8DE93E60-139D-4DAA-BFC1-44D355E67375} - D:\WINDOWS\wnslvxtf.dll (file missing)
O21 - SSODL: eqvwamkl - {F3FFB8D2-F307-4F01-938A-DD317215EBE5} - D:\WINDOWS\eqvwamkl.dll (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 10002 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-07-31 21:52:27 120960 --a------ D:\WINDOWS\system32\etgnqz.dll
2008-07-31 21:52:26 120960 --a------ D:\WINDOWS\system32\rrnvsuem.dll
2008-07-31 10:24:43 96559 --a------ D:\WINDOWS\system32\drivers\klin.dat
2008-07-31 10:24:43 87855 --a------ D:\WINDOWS\system32\drivers\klick.dat
2008-07-31 10:14:27 499744 --ahs---- D:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-31 10:14:27 2748960 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-07-31 10:08:34 36352 --a------ D:\WINDOWS\system32\mlJDwXpp.dll
2008-07-31 10:08:33 36352 --a------ D:\WINDOWS\system32\hgGaayAr.dll
2008-07-30 21:04:29 120960 --a------ D:\WINDOWS\system32\pgymge.dll
2008-07-30 21:04:28 120960 --a------ D:\WINDOWS\system32\ciywqcsy.dll
2008-07-30 21:01:28 99712 --a------ D:\WINDOWS\system32\njbsiwke.dll
2008-07-29 20:59:19 4287 --ahs---- D:\WINDOWS\system32\IkSsrXbc.ini2
2008-07-29 20:59:08 323584 -----n--- D:\WINDOWS\system32\cbXrsSkI.dll
2008-07-29 20:54:57 0 d--h----- D:\WINDOWS\$hf_mig$
2008-07-29 20:54:13 0 d-------- D:\Documents and Settings\X\Application Data\rhc1o3j0erb7
2008-07-29 20:53:59 0 d-------- D:\Documents and Settings\X\Application Data\TmpRecentIcons
2008-07-29 20:53:40 0 d-------- D:\Program Files\rhc1o3j0erb7
2008-07-29 20:53:22 163840 --a------ D:\WINDOWS\eblv.exe
2008-07-29 20:53:19 60928 --a------ D:\WINDOWS\system32\blphc5o3j0erb7.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-27 11:12:19 0 d-------- D:\Program Files\Elaborate Bytes
2008-07-27 11:08:48 0 d-------- D:\WINDOWS\system32\SoftwareDistribution
2008-07-27 11:01:02 0 d-------- D:\Program Files\SlySoft
2008-07-26 21:48:37 0 d-------- D:\Program Files\Pocket Tanks Deluxe
2008-07-22 18:39:49 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-22 18:39:37 0 d-------- D:\Program Files\SUPERAntiSpyware
2008-07-22 18:39:37 0 d-------- D:\Documents and Settings\X\Application Data\SUPERAntiSpyware.com
2008-07-21 19:28:41 0 d-------- D:\Documents and Settings\X\Application Data\Malwarebytes
2008-07-21 19:28:38 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 19:28:37 0 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 16:20:45 38160 --a------ D:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-16 16:20:44 182032 --a------ D:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-16 16:20:41 63488 --a------ D:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-07-16 16:20:39 10240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20:39 194320 --a------ D:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-07-16 16:20:38 4608 --a------ D:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-07-16 16:20:38 2272 --a------ D:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-07-16 16:20:24 0 d-------- D:\Program Files\Auralog
2008-07-16 15:54:23 68096 --a------ D:\WINDOWS\zip.exe
2008-07-16 15:54:23 49152 --a------ D:\WINDOWS\VFind.exe
2008-07-16 15:54:23 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-16 15:54:23 136704 --a------ D:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-16 15:54:23 161792 --a------ D:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-16 15:54:23 98816 --a------ D:\WINDOWS\sed.exe
2008-07-16 15:54:23 80412 --a------ D:\WINDOWS\grep.exe
2008-07-16 15:54:23 89504 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-16 15:50:30 0 d-------- D:\WINDOWS\setup.pss
2008-07-16 15:50:15 0 d-------- D:\WINDOWS\setupupd
2008-07-16 14:17:13 0 d-------- D:\WINDOWS\ERUNT
2008-07-14 17:45:46 0 d-------- D:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-31 10:14:40 0 d-------- D:\Program Files\Kaspersky Lab
2008-07-22 18:39:10 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 20:20:52 0 d-------- D:\Program Files\Uniblue
2008-07-16 19:23:11 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-07-16 16:03:00 0 d-------- D:\Program Files\Common Files
2008-07-05 21:37:09 0 d-------- D:\Program Files\Beat It
2008-06-23 16:21:16 0 d-------- D:\Documents and Settings\X\Application Data\Vso
2008-06-08 22:27:46 0 d-------- D:\Program Files\Absolute Poker
2008-06-05 16:13:56 0 d-------- D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 16:12:52 0 d-------- D:\Program Files\XBC
2008-06-05 16:08:23 0 d-------- D:\Program Files\Binaryfish
2008-06-05 15:46:25 0 d-------- D:\Program Files\MagicDisc
2008-06-02 18:25:53 0 d-------- D:\Program Files\PowerISO
2008-05-09 23:55:57 2508 --a------ D:\Documents and Settings\X\Application Data\$_hpcst$.hpc
2008-05-04 13:11:21 33 --a------ D:\Documents and Settings\X\Application Data\install.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e2177f7-4a29-4ca4-821b-67d2cdc1974e}]
07/31/2008 21:52: VIRUS ALERT! 120960 --a------ D:\WINDOWS\system32\etgnqz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5646F36-145E-4F1D-B6D1-87C5EFC5BA1C}]
07/31/2008 10:08: VIRUS ALERT! 36352 --a------ D:\WINDOWS\system32\hgGaayAr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECEC2691-4DAD-4A2C-AAE7-A2C9EC2E5448}]
07/29/2008 20:59: VIRUS ALERT! 323584 --------- D:\WINDOWS\system32\cbXrsSkI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [07/27/2008 10:42: VIRUS ALERT!]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [04/25/2008 18:21: VIRUS ALERT!]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/13/2006 22:47: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/03/2004 21:56: VIRUS ALERT!]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33: VIRUS ALERT!]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 22:36: VIRUS ALERT!]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=0 (0x0)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13: VIRUS ALERT! 77824]
"{E5646F36-145E-4F1D-B6D1-87C5EFC5BA1C}"= D:\WINDOWS\system32\hgGaayAr.dll [07/31/2008 10:08: VIRUS ALERT! 36352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wnslvxtf"= {8DE93E60-139D-4DAA-BFC1-44D355E67375} - D:\WINDOWS\wnslvxtf.dll [ ]
"eqvwamkl"= {F3FFB8D2-F307-4F01-938A-DD317215EBE5} - D:\WINDOWS\eqvwamkl.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41: VIRUS ALERT! 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGaayAr]
hgGaayAr.dll 07/31/2008 10:08: VIRUS ALERT! 36352 D:\WINDOWS\system32\hgGaayAr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=D:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd.dll,D:\PROGRA~1\KASPER~1\KASPER~2\adialhk.dll,D:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\cbXrsSkI

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyd50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\+,-./0123456789:;<=exe]
!"#$%&'()*+,-./0123456789:;<=exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+,-./0123456789:;<=>[email protected]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+,-./0123456789:;<=>[email protected]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\789:;<=>[email protected]]
,-./0123456789:;<=>[email protected]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"D:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc1o3j0erb7]
D:\Program Files\rhc1o3j0erb7\rhc1o3j0erb7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
"D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
AutoRun\command- M:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-08-01 18:04:40 ------------

#22
fenzodahl512

  • Malware Removal
  • 9,863 posts
You are actually getting re-infected.. That's why your computer becomes haywire..


Please delete your version of ComboFix and download the new version from one of the links below.. run it and post the log here..

Link 1
Link 2
Link 3



#23
mlo356

    Member

  • Topic Starter
  • Member
  • 16 posts
OK. Here is the NEW ComboFix log. Thanks

COMBOFIX

ComboFix 08-07-31.06 - X 2008-08-02 11:09:27.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.657 [GMT -4:00]
Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\Altnet\
D:\Program Files\Need2Find\
D:\Program Files\RXToolBar\

.
((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.

2008-07-31 10:24 . 2008-08-01 13:24 96,559 --a------ D:\WINDOWS\system32\drivers\klin.dat
2008-07-31 10:24 . 2008-08-01 13:24 87,855 --a------ D:\WINDOWS\system32\drivers\klick.dat
2008-07-31 10:14 . 2008-08-02 00:22 2,935,328 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-07-31 10:14 . 2008-08-02 00:22 507,936 --ahs---- D:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-31 10:14 . 2008-08-02 00:22 29,252 --ahs---- D:\WINDOWS\system32\drivers\fidbox.idx
2008-07-31 10:14 . 2008-08-02 00:22 2,816 --ahs---- D:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-30 21:01 . 2008-07-30 21:01 99,712 --a------ D:\WINDOWS\system32\njbsiwke.dll
2008-07-29 20:54 . 2008-07-29 20:54 <DIR> d--h----- D:\WINDOWS\$hf_mig$
2008-07-27 11:12 . 2008-07-27 11:12 <DIR> d-------- D:\Program Files\Elaborate Bytes
2008-07-27 11:01 . 2008-07-27 11:04 <DIR> d-------- D:\Program Files\SlySoft
2008-07-26 22:34 . 2008-07-26 22:34 2,292 --a------ D:\bttf.nri
2008-07-26 21:48 . 2008-07-26 21:48 <DIR> d-------- D:\Program Files\Pocket Tanks Deluxe
2008-07-22 18:39 . 2008-07-22 18:39 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-07-22 18:39 . 2008-07-22 18:39 <DIR> d-------- D:\Documents and Settings\X\Application Data\SUPERAntiSpyware.com
2008-07-22 18:39 . 2008-07-22 18:39 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 19:28 . 2008-07-21 19:28 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 19:28 . 2008-07-21 19:28 <DIR> d-------- D:\Documents and Settings\X\Application Data\Malwarebytes
2008-07-21 19:28 . 2008-07-21 19:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 19:28 . 2008-07-20 20:21 38,472 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 19:28 . 2008-07-20 20:21 17,144 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 19:27 . 2008-07-21 19:27 <DIR> d-------- D:\_OTMoveIt
2008-07-16 16:20 . 2008-07-16 16:20 <DIR> d-------- D:\Program Files\Auralog
2008-07-16 16:20 . 1998-09-02 04:02 194,320 --a------ D:\WINDOWS\system32\qcut.dll
2008-07-16 16:20 . 1998-08-27 00:51 182,032 --a------ D:\WINDOWS\system32\dxtmsft3.dll
2008-07-16 16:20 . 1998-08-20 07:02 140,800 --a------ D:\WINDOWS\system32\tm20dec.ax
2008-07-16 16:20 . 1998-09-02 04:28 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
2008-07-16 16:20 . 1998-09-02 04:28 38,160 --a------ D:\WINDOWS\system32\LMRTREND.dll
2008-07-16 16:20 . 1998-08-17 05:21 11,776 --a------ D:\WINDOWS\system32\mciqtz.drv
2008-07-16 16:20 . 1998-08-17 05:21 10,240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20 . 1998-08-17 05:21 5,672 --a------ D:\WINDOWS\system32\quartz.vxd
2008-07-16 16:20 . 2008-07-16 16:20 4,608 --a------ D:\WINDOWS\system32\w95inf32.dll
2008-07-16 16:20 . 2008-07-16 16:20 2,272 --a------ D:\WINDOWS\system32\w95inf16.dll
2008-07-16 14:17 . 2008-07-16 14:17 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-16 14:12 . 2008-07-16 15:44 <DIR> d-------- D:\SDFix
2008-07-14 17:45 . 2008-07-14 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-14 17:10 . 2008-07-14 17:10 <DIR> d-------- D:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-31 14:14 --------- d-----w D:\Program Files\Kaspersky Lab
2008-07-31 14:08 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-27 16:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-22 22:39 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 00:20 --------- d-----w D:\Program Files\Uniblue
2008-07-16 23:23 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-06 01:37 --------- d-----w D:\Program Files\Beat It
2008-06-23 20:21 --------- d-----w D:\Documents and Settings\X\Application Data\Vso
2008-06-09 02:27 --------- d-----w D:\Program Files\Absolute Poker
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 20:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-05 20:12 --------- d-----w D:\Program Files\XBC
2008-06-05 20:08 --------- d-----w D:\Program Files\Binaryfish
2008-06-05 19:46 --------- d-----w D:\Program Files\MagicDisc
2008-06-02 22:25 --------- d-----w D:\Program Files\PowerISO
2008-03-31 21:13 47,360 ----a-w D:\Documents and Settings\X\Application Data\pcouffin.sys
2006-06-28 16:51 0 ----a-w D:\Documents and Settings\X\Application Data\internaldb41.dat
2005-05-15 19:04 201 --sha-w D:\WINDOWS\system32\ntuser.dat
2005-05-11 13:53 2,179 --sha-w D:\WINDOWS\system32\websys.dll
2008-04-20 04:11 32,768 --sha-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-07-27 10:42 176640]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-13 22:47 180269]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= D:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= D:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyd50.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+ [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+ [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\+]
!#$%&'()*+ [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
D:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 11:58 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 05:39 486856 D:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-02-20 11:06 1443072 D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 D:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2005-02-22 08:55 1611488 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 19:50 233472 D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-24 23:24 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
--a------ 2008-01-23 15:47 847872 D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-13 22:47 180269 D:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2008-01-08 09:14 1260296 D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-02-27 14:29 47104 D:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;D:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-11-10 18:00]
R1 Asapi;Asapi;D:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10:22]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;D:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;D:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 D:\WINDOWS\Tasks\RegCure Program Check.job
- D:\Program Files\RegCure\RegCure.exe [2007-08-02 04:20]

2008-07-31 D:\WINDOWS\Tasks\RegCure.job
- D:\Program Files\RegCure\RegCure.exe [2007-08-02 04:20]

2008-07-31 D:\WINDOWS\Tasks\SpyHunter Scanner.job
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-01-23 15:47]

2008-07-27 D:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]

2008-07-16 D:\WINDOWS\Tasks\Uniblue SpyEraser.job
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 11:12:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-02 11:13:49
ComboFix-quarantined-files.txt 2008-08-02 15:13:34
ComboFix2.txt 2008-08-01 23:23:05
ComboFix3.txt 2008-07-20 12:54:11
ComboFix4.txt 2008-07-19 23:55:59
ComboFix5.txt 2008-08-02 15:09:08

Pre-Run: 754,180,096 bytes free
Post-Run: 734,388,224 bytes free

276

#24
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    D:\WINDOWS\system32\njbsiwke.dll
    D:\bttf.nri
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


You already have Malwarebytes'.. Please run and update it..
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Please post the following logs in your next reply.. Please post each log in a separate post..

1. OTMoveIt2
2. Malwarebytes'
3. A fresh DSS log (after Malwarebytes step)



Regards
fenzodahl512
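The helper's OTMoveIt2 list above was built by reading the ComboFix log by eye: a freshly created, random-named DLL in system32 (njbsiwke.dll), a file sitting in the drive root (bttf.nri), plus the firewall, Security Center and AutoRun entries further down the log. The script below is an added example for this thread, written for this page and not part of ComboFix, OTMoveIt2 or the helper's own method; it encodes those same triage rules and runs them over a few constructed lines modelled on the log. The names `Finding`, `triage`, `looks_random` and `SAMPLE_LOG` are all invented for the example.

```python
"""Triage a ComboFix-style log the way a helper reads it by eye.

Added example for this thread; not part of ComboFix, OTMoveIt2 or the
helper's own method. Finding, triage, looks_random and SAMPLE_LOG are
constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    item: str
    reason: str


# Constructed sample modelled on the ComboFix log posted above (not a copy of it).
SAMPLE_LOG = r"""
2008-07-31 10:24 . 2008-08-01 13:24 96,559 --a------ D:\WINDOWS\system32\drivers\klin.dat
2008-07-30 21:01 . 2008-07-30 21:01 99,712 --a------ D:\WINDOWS\system32\njbsiwke.dll
2008-07-26 22:34 . 2008-07-26 22:34 2,292 --a------ D:\bttf.nri
2008-07-21 19:28 . 2008-07-20 20:21 17,144 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 16:20 . 1998-09-02 04:28 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
"""

# "created . modified size attributes path", as ComboFix prints file entries.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
SYSTEM32_ROOT = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx"}


def looks_random(stem: str) -> bool:
    """Crude test for machine-generated names such as 'njbsiwke'.

    Flags 6-10 lowercase letters with a run of three or more consonants or
    at most one vowel. Legitimate names like 'ctfmon' trip it too, so a hit
    means 'check the vendor and signature', never a verdict on its own.
    """
    if not (6 <= len(stem) <= 10) or not stem.isalpha() or not stem.islower():
        return False
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]+", stem))
    vowels = sum(ch in "aeiouy" for ch in stem)
    return longest_consonant_run >= 3 or vowels <= 1


def triage(log_text: str) -> list[Finding]:
    """Return the entries in a ComboFix-style log that deserve a closer look."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            if m["size"] == "<DIR>":
                continue
            path = m["path"]
            stem, ext = ntpath.splitext(ntpath.basename(path))
            if SYSTEM32_ROOT.match(path) and ext.lower() in PE_EXTENSIONS and looks_random(stem):
                # Identical created/modified stamps mean the file was written in
                # place (dropped), not copied out of an installer package.
                dropped = m["created"] == m["modified"]
                reason = "random-looking name in system32"
                if dropped:
                    reason += ", created and modified at the same moment (dropped, not installed)"
                findings.append(Finding("high" if dropped else "medium", path, reason))
            elif DRIVE_ROOT.match(path):
                findings.append(Finding("info", path, "file placed directly in the drive root; confirm what created it"))
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # registry section header
            continue
        if "firewallpolicy" in current_key and re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("high", current_key, "Windows Firewall disabled for this profile"))
        elif "security center\\monitoring" in current_key and line.startswith('"DisableMonitoring"') and line.endswith("1"):
            findings.append(Finding("info", current_key,
                                    "Security Center monitoring disabled (third-party AV often sets this; verify the product is running)"))
        elif "mountpoints2" in current_key and "autorun\\command" in line.lower():
            command = line.split(" - ", 1)[-1]
            findings.append(Finding("medium", command, "AutoRun command registered for a removable drive"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}\n         {f.reason}")
```

Run against the sample it reports njbsiwke.dll as high (random name, dropped in system32), bttf.nri as an informational drive-root file, the disabled firewall profile as high, and the U3 AutoRun command as medium, while the Kaspersky and Malwarebytes drivers and unam4ie.exe (digits in the name) pass untouched. The point is the reasoning, not the heuristics: every flag is a prompt to check the file's vendor, signature and creation history before anything is moved.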

#25
mlo356

    Member

  • Topic Starter
  • Member
  • 16 posts
OK. Here is everything that you asked me to do. Hope this helps.

MOVEIT

Explorer killed successfully
LoadLibrary failed for D:\WINDOWS\system32\njbsiwke.dll
D:\WINDOWS\system32\njbsiwke.dll NOT unregistered.
D:\WINDOWS\system32\njbsiwke.dll moved successfully.
D:\bttf.nri moved successfully.
< EmptyTemp >
File delete failed. D:\DOCUME~1\X\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08042008_000356

Files moved on Reboot...
D:\DOCUME~1\X\LOCALS~1\Temp\WCESLog.log moved successfully.


MALWAREBYTES

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2008 at 01:22 AM

Application Version : 4.15.1000

Core Rules Database Version : 3524
Trace Rules Database Version: 1514

Scan type : Complete Scan
Total Scan Time : 01:07:07

Memory items scanned : 339
Memory threats detected : 0
Registry items scanned : 7372
Registry threats detected : 0
File items scanned : 33238
File threats detected : 8

Adware.Tracking Cookie
.media6degrees.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.media6degrees.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.media6degrees.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
cache.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
cache.trafficmp.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.media6degrees.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.media6degrees.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.atdmt.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adbrite.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adbrite.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adbrite.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
4.adbrite.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adbrite.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.fastclick.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.fastclick.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.fastclick.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.fastclick.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.fastclick.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
crackle.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.ehg-groupernetworks.hitbox.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.hitbox.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.hitbox.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.tribalfusion.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.doubleclick.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adopt.euroclick.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adopt.euroclick.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adopt.euroclick.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
adopt.euroclick.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adopt.euroclick.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.adopt.euroclick.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.mediaplex.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.questionmarket.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.questionmarket.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.realmedia.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.realmedia.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.realmedia.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.apmebf.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.advertising.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.advertising.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.advertising.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.advertising.com [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
ads.revsci.net [ D:\Documents and Settings\X\Application Data\Mozilla\Firefox\Profiles\3mqb4zy3.default\cookies.txt ]
.questionmarket.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
ad.yieldmanager.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
.questionmarket.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
.advertising.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]
.advertising.com [ D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\cookies.txt ]

NotHarmful.Sysinternals Bluescreen Screen Saver
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP149\A0024440.SCR
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP167\A0036547.SCR

Adware.Vundo/Variant-Gen6
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP149\A0025479.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP167\A0036550.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP167\A0036551.DLL

Adware.Vundo Variant
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP160\A0032512.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP167\A0036548.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{3AC89F4A-47AA-4C3C-A2BF-C539274C17A0}\RP167\A0036552.DLL

DSS

Deckard's System Scanner v20071014.68
Run by X on 2008-08-04 10:41:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive D: has 0.61 GiB (less than 15%) free.


-- HijackThis (run as X.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\Documents and Settings\X\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\X.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS8\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS9\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS10\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 9277 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-07-31 10:24:43 96559 --a------ D:\WINDOWS\system32\drivers\klin.dat
2008-07-31 10:24:43 87855 --a------ D:\WINDOWS\system32\drivers\klick.dat
2008-07-31 10:14:27 507936 --ahs---- D:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-31 10:14:27 2964000 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-07-29 20:54:57 0 d--h----- D:\WINDOWS\$hf_mig$
2008-07-27 11:12:19 0 d-------- D:\Program Files\Elaborate Bytes
2008-07-27 11:08:48 0 d-------- D:\WINDOWS\system32\SoftwareDistribution
2008-07-27 11:01:02 0 d-------- D:\Program Files\SlySoft
2008-07-26 21:48:37 0 d-------- D:\Program Files\Pocket Tanks Deluxe
2008-07-22 18:39:49 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-22 18:39:37 0 d-------- D:\Program Files\SUPERAntiSpyware
2008-07-22 18:39:37 0 d-------- D:\Documents and Settings\X\Application Data\SUPERAntiSpyware.com
2008-07-21 19:28:41 0 d-------- D:\Documents and Settings\X\Application Data\Malwarebytes
2008-07-21 19:28:38 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 19:28:37 0 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 16:20:45 38160 --a------ D:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-16 16:20:44 182032 --a------ D:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-16 16:20:41 63488 --a------ D:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-07-16 16:20:39 10240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20:39 194320 --a------ D:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-07-16 16:20:38 4608 --a------ D:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-07-16 16:20:38 2272 --a------ D:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-07-16 16:20:24 0 d-------- D:\Program Files\Auralog
2008-07-16 15:54:23 68096 --a------ D:\WINDOWS\zip.exe
2008-07-16 15:54:23 49152 --a------ D:\WINDOWS\VFind.exe
2008-07-16 15:54:23 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-16 15:54:23 136704 --a------ D:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-16 15:54:23 161792 --a------ D:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-16 15:54:23 98816 --a------ D:\WINDOWS\sed.exe
2008-07-16 15:54:23 80412 --a------ D:\WINDOWS\grep.exe
2008-07-16 15:54:23 89504 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-16 15:50:30 0 d-------- D:\WINDOWS\setup.pss
2008-07-16 15:50:15 0 d-------- D:\WINDOWS\setupupd
2008-07-16 14:17:13 0 d-------- D:\WINDOWS\ERUNT
2008-07-14 17:45:46 0 d-------- D:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-08-02 11:12:17 0 d-------- D:\Program Files\Common Files
2008-07-31 10:14:40 0 d-------- D:\Program Files\Kaspersky Lab
2008-07-22 18:39:10 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 20:20:52 0 d-------- D:\Program Files\Uniblue
2008-07-16 19:23:11 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-07-05 21:37:09 0 d-------- D:\Program Files\Beat It
2008-06-23 16:21:16 0 d-------- D:\Documents and Settings\X\Application Data\Vso
2008-06-08 22:27:46 0 d-------- D:\Program Files\Absolute Poker
2008-06-05 16:13:56 0 d-------- D:\Documents and Settings\X\Application Data\Uniblue
2008-06-05 16:12:52 0 d-------- D:\Program Files\XBC
2008-06-05 16:08:23 0 d-------- D:\Program Files\Binaryfish
2008-06-05 15:46:25 0 d-------- D:\Program Files\MagicDisc
2008-05-09 23:55:57 2508 --a------ D:\Documents and Settings\X\Application Data\$_hpcst$.hpc
2008-05-04 13:11:21 33 --a------ D:\Documents and Settings\X\Application Data\install.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [07/27/2008 10:42]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/13/2006 22:47]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [04/25/2008 18:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/03/2004 21:56]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 22:36]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyd50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\+,-./0123456789:;<=exe]
!"#$%&'()*+,-./0123456789:;<=exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+,-./0123456789:;<=>[email protected]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+,-./0123456789:;<=>[email protected]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"D:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
"D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
AutoRun\command- M:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-08-04 10:41:49 ------------
  • 0



#26
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Tell me, what do you know about this file?

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ghmec.exe


Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ghmec.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Winim83
Winyd50

File::
D:\WINDOWS\pss\PowerReg Scheduler V3.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim83.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyd50.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org result
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 04 August 2008 - 09:59 AM.

  • 0
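How the CFScript in the post above maps back to the DSS Registry Dump, as an added example in Python (not the thread's own code and not part of ComboFix): it parses a constructed excerpt of the dump, lists the drivers registered under SafeBoot\Minimal and the msconfig-disabled startup items, reports the item with no recorded backup (ghmec.exe, the file the helper asked about), and emits the script for the entries the analyst selects. It assumes the dump layout as pasted above and the CFScript section syntax as used in the post; deciding which entries to remove remains the analyst's call, exactly as in the post.

```python
"""Cross-reference a DSS Registry Dump with a ComboFix CFScript.

Added example, not code from the thread or from ComboFix. Assumed: the
DSS layout as pasted in the thread ("[KEY]" header, then value lines up
to a blank line) and the CFScript sections KillAll::, Driver::, File::,
Registry:: with "[-KEY]" meaning delete, as used in the post.
"""
import re

SAFEBOOT_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" + "\\"
STARTUP_PREFIX = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder" + "\\"

# Constructed excerpt of the DSS Registry Dump posted in the thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyd50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=D:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
"""


def parse_registry_dump(text):
    """Return {key: [value lines]} for every [KEY] block, in dump order."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            blocks[current] = []
        elif line and current is not None:
            blocks[current].append(line)
    return blocks


def safeboot_drivers(blocks):
    """Driver names (without .sys) registered to load in Safe Mode."""
    names = []
    for key, values in blocks.items():
        if key.startswith(SAFEBOOT_PREFIX) and '@="Driver"' in values:
            name = key[len(SAFEBOOT_PREFIX):]
            names.append(name[:-4] if name.lower().endswith(".sys") else name)
    return names


def startupfolder_entries(blocks):
    """Map each msconfig-disabled startup item to its backup path (None if none recorded)."""
    entries = {}
    for key, values in blocks.items():
        if not key.startswith(STARTUP_PREFIX):
            continue
        item = key[len(STARTUP_PREFIX):].rsplit("^", 1)[-1]
        backup = None
        for v in values:
            if v.startswith("backup="):
                # As seen in the pasted log, DSS glues the startup group name
                # ("Startup" or "Common Startup") onto the end of the path.
                backup = re.sub(r"(Common Startup|Startup)$", "", v[len("backup="):])
        entries[item] = backup
    return entries


def missing_backups(blocks):
    """Disabled startup items with no backup copy recorded (worth asking the user about)."""
    return [item for item, backup in startupfolder_entries(blocks).items() if backup is None]


def build_cfscript(blocks, drivers, startup_items):
    """Emit a CFScript, in the layout used in the post, for the analyst's chosen entries."""
    files, keys = [], []
    for name in drivers:                      # SafeBoot driver keys first
        key = SAFEBOOT_PREFIX + name + ".sys"
        if key in blocks:
            keys.append(key)
    entries = startupfolder_entries(blocks)
    for item in startup_items:                # then disabled startup items
        for key in blocks:
            if key.startswith(STARTUP_PREFIX) and key.endswith("^" + item):
                keys.append(key)
                if entries.get(item):
                    files.append(entries[item])
    lines = ["KillAll::", ""]
    if drivers:
        lines += ["Driver::"] + list(drivers) + [""]
    if files:
        lines += ["File::"] + files + [""]
    lines += ["Registry::"] + ["[-" + k + "]" for k in keys]
    return "\n".join(lines)


if __name__ == "__main__":
    dump = parse_registry_dump(SAMPLE_DUMP)
    print("Safe Mode drivers:", safeboot_drivers(dump))
    print("Disabled startup items without a backup:", missing_backups(dump))
    print(build_cfscript(dump, ["Winim83", "Winyd50"], ["PowerReg Scheduler V3.exe"]))
```

Run against the full dump from the thread, the script reproduces the CFScript the helper wrote by hand and singles out ghmec.exe as the one disabled startup item without a backed-up copy.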

#27
mlo356

mlo356

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi. I don't know much about that ghmec.exe, but it seems to have something to do with those IE explorer popups, so I'm assuming it's a piece of malware that's sort of hard to get rid of. How it got on my PC is beyond me though. Both the sites you gave me to scan can't find the file that I copied and pasted. So I tried to find the file and it's gone. I did a Windows search and everything. Either it's gone or it has been moved. If there is something else you would like for me to try, let me know. Here is the rest:

COMBOFIX

ComboFix 08-07-31.06 - X 2008-08-06 10:58:16.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.695 [GMT -4:00]
Running from: D:\Documents and Settings\X\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\X\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\WINDOWS\pss\PowerReg Scheduler V3.exe
.
The following files were disabled during the run:
D:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\Altnet\
D:\Program Files\Need2Find\
D:\Program Files\RXToolBar\

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-07-31 10:24 . 2008-08-01 13:24 96,559 --a------ D:\WINDOWS\system32\drivers\klin.dat
2008-07-31 10:24 . 2008-08-01 13:24 87,855 --a------ D:\WINDOWS\system32\drivers\klick.dat
2008-07-31 10:14 . 2008-08-06 11:01 2,964,000 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-07-31 10:14 . 2008-08-06 11:01 507,936 --ahs---- D:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-31 10:14 . 2008-08-06 11:01 29,476 --ahs---- D:\WINDOWS\system32\drivers\fidbox.idx
2008-07-31 10:14 . 2008-08-06 11:01 2,816 --ahs---- D:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-29 20:54 . 2008-07-29 20:54 <DIR> d--h----- D:\WINDOWS\$hf_mig$
2008-07-27 11:12 . 2008-07-27 11:12 <DIR> d-------- D:\Program Files\Elaborate Bytes
2008-07-27 11:01 . 2008-07-27 11:04 <DIR> d-------- D:\Program Files\SlySoft
2008-07-26 21:48 . 2008-07-26 21:48 <DIR> d-------- D:\Program Files\Pocket Tanks Deluxe
2008-07-22 18:39 . 2008-07-22 18:39 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-07-22 18:39 . 2008-07-22 18:39 <DIR> d-------- D:\Documents and Settings\X\Application Data\SUPERAntiSpyware.com
2008-07-22 18:39 . 2008-07-22 18:39 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 19:28 . 2008-07-21 19:28 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 19:28 . 2008-07-21 19:28 <DIR> d-------- D:\Documents and Settings\X\Application Data\Malwarebytes
2008-07-21 19:28 . 2008-07-21 19:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 19:28 . 2008-07-20 20:21 38,472 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 19:28 . 2008-07-20 20:21 17,144 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 19:27 . 2008-07-21 19:27 <DIR> d-------- D:\_OTMoveIt
2008-07-16 16:20 . 2008-07-16 16:20 <DIR> d-------- D:\Program Files\Auralog
2008-07-16 16:20 . 1998-09-02 04:02 194,320 --a------ D:\WINDOWS\system32\qcut.dll
2008-07-16 16:20 . 1998-08-27 00:51 182,032 --a------ D:\WINDOWS\system32\dxtmsft3.dll
2008-07-16 16:20 . 1998-08-20 07:02 140,800 --a------ D:\WINDOWS\system32\tm20dec.ax
2008-07-16 16:20 . 1998-09-02 04:28 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
2008-07-16 16:20 . 1998-09-0 04:28 38,160 --a------ D:\WINDOWS\system32\LMRTREND.dll
2008-07-16 16:20 . 1998-08-17 05:21 11,776 --a------ D:\WINDOWS\system32\mciqtz.drv
2008-07-16 16:20 . 1998-08-17 05:21 10,240 --a------ D:\WINDOWS\system32\vidx16.dll
2008-07-16 16:20 . 1998-08-17 05:21 5,672 --a------ D:\WINDOWS\system32\quartz.vxd
2008-07-16 16:20 . 2008-07-16 16:20 4,608 --a------ D:\WINDOWS\system32\w95inf32.dll
2008-07-16 16:20 . 2008-07-16 16:20 2,272 --a------ D:\WINDOWS\system32\w95inf16.dll
2008-07-16 14:17 . 2008-07-16 14:17 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-16 14:12 . 2008-07-16 15:44 <DIR> d-------- D:\SDFix
2008-07-14 17:45 . 2008-07-14 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-14 17:10 . 2008-07-14 17:10 <DIR> d-------- D:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 14:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-31 14:14 --------- d-----w D:\Program Files\Kaspersky Lab
2008-07-31 14:08 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-27 16:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-22 22:39 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 00:20 --------- d-----w D:\Program Files\Uniblue
2008-07-16 23:23 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-06 01:37 --------- d-----w D:\Program Files\Beat It
2008-06-23 20:21 --------- d-----w D:\Documents and Settings\X\Application Data\Vso
2008-06-09 02:27 --------- d-----w D:\Program Files\Absolute Poker
2008-03-31 21:13 47,360 ----a-w D:\Documents and Settings\X\Application Data\pcouffin.sys
2006-06-28 16:51 0 ----a-w D:\Documents and Settings\X\Application Data\internaldb41.dat
2005-05-15 19:04 201 --sha-w D:\WINDOWS\system32\ntuser.dat
2005-05-11 13:53 2,179 --sha-w D:\WINDOWS\system32\websys.dll
2008-04-20 04:11 32,768 --sha-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-07-27 10:42 176640]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-13 22:47 180269]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= D:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= D:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= D:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= D:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Docments and Settings^All Users^Start Menu^Programs^Startup^ghmec.exe]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VoiceCenter.lnk]
backup=D:\WINDOWS\pss\VoiceCenter.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^MagicDisc.lnk]
path=D:\Documents and Settings\X\Start Menu\Programs\Startup\MagicDisc.lnk
backup=D:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^X^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=D:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+ [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3456789:;<=>[email protected]]
()*+ [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\+]
!#$%&'()*+ [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
D:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 11:58 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 05:39 486856 D:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-02-20 11:06 1443072 D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 D:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2005-02-22 08:55 1611488 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 19:50 233472 D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-24 23:24 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyhunter Security Suite]
--a------ 2008-01-23 15:47 847872 D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-13 22:47 180269 D:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2008-01-08 09:14 1260296 D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-02-27 14:29 47104 D:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Network Monitor"=2 (0x2)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"antivirwebservice"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"AntiVirFirewallService"=2 (0x2)
"Alerter"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"ose"=3 (0x3)
"AVEService"=2 (0x2)
"AudioSrv"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"AVP"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;D:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\DRIVERS\SI3112r.sys [2005-11-10 18:00]
R1 Asapi;Asapi;D:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10:22]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;D:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;D:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bbc147-e0fa-11dc-b293-00112fde776c}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 D:\WINDOWS\Tasks\RegCure Program Check.job
- D:\Program Files\RegCure\RegCure.exe [2007-08-02 04:20]

2008-07-31 D:\WINDOWS\Tasks\RegCure.job
- D:\Program Files\RegCure\RegCure.exe [2007-08-02 04:20]

2008-08-06 D:\WINDOWS\Tasks\SpyHunter Scanner.job
- D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-01-23 15:47]

2008-08-06 D:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]

2008-07-16 D:\WINDOWS\Tasks\Uniblue SpyEraser.job
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 11:03:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-06 11:09:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 15:09:51
ComboFix2.txt 2008-08-02 15:13:49
ComboFix3.txt 2008-08-01 23:23:05
ComboFix4.txt 2008-07-20 12:54:11
ComboFix5.txt 2008-08-06 14:57:03

Pre-Run: 514,502,656 bytes free
Post-Run: 496,029,696 bytes free

271

HIJACKTHIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\UStorSrv.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (D:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\ctvirtnn.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory....sharingctrl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS4\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS5\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS6\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS7\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS8\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS9\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS10\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UStorage Server Service - OTi - D:\WINDOWS\system32\UStorSrv.exe

--
End of file - 9400 bytes
  • 0
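The HijackThis log above lists browser hooks and autostart entries one per line, each prefixed with a section code (O2 for BHOs, O4 for Run keys and startup folders, O9 for extra IE buttons, O16 for ActiveX download points, O17 for TCP/IP NameServer settings, O23 for services). As an added example, not code from this thread or from the HijackThis tool, here is a small Python triage script that parses lines in that shape and picks out the ones a helper would look at first: entries whose target file is missing, O16 download points, non-empty O17 DNS overrides, and O4 autoruns launched from user-writable profile or temp directories. The sample lines are mostly copied from the log above; the O4 "updater" line and the O17 line carrying 192.0.2.53 (an RFC 5737 documentation address) are constructed so that those two rules have something to match.

```python
"""Triage helpers for HijackThis-style log lines (added example; not code from
this thread or from the HijackThis tool)."""
import re
from collections import defaultdict

# Constructed sample in the shape HijackThis v2 writes its lines. Most lines are
# copied from the log posted in this thread; the O4 "updater" line and the O17
# line carrying 192.0.2.53 (an RFC 5737 documentation address) are constructed
# so that the corresponding rules have something to match.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [updater] D:\Documents and Settings\X\Local Settings\Temp\updater.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{A3C7BD06-C7A9-4EB6-8C88-A3D1FF6526AE}: NameServer = 192.0.2.53
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Every HijackThis entry starts with a section code (R1, N3, O4, O23, ...).
LINE_RE = re.compile(r"^([RNOF]\d+) - (.*)$")

# Directories a legitimate installer rarely uses for an autorun target on XP.
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_hjt(text):
    """Return (code, body) tuples for every entry line; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Return (code, body, reason) for entries that merit a manual look.

    The rules are deliberately conservative: they point at things a reviewer
    should verify, they do not declare anything malicious on their own.
    """
    findings = []
    for code, body in entries:
        low = body.lower()
        if "(file missing)" in low:
            findings.append((code, body, "stale entry: referenced file is missing"))
        elif code == "O16" and "http" in low:
            findings.append((code, body, "ActiveX download point: confirm the publisher is expected"))
        elif code == "O17":
            # Only a non-empty NameServer value is a DNS override worth noting.
            value = body.split("NameServer =", 1)[-1].strip()
            if value:
                findings.append((code, body, "DNS NameServer override: " + value))
        elif code == "O4" and any(hint in low for hint in USER_WRITABLE_HINTS):
            findings.append((code, body, "autorun launched from a user-writable location"))
    return findings


def summarize(entries):
    """Count entries per section code, e.g. {'O4': 2, 'O17': 2, ...}."""
    counts = defaultdict(int)
    for code, _body in entries:
        counts[code] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for code, body, reason in triage(parsed):
        print("%s  %s\n    -> %s" % (code, body, reason))
```

Run against the sample, the script reports four items: the constructed Temp-directory autorun, the BitComet button whose DLL is missing, the F-Secure ActiveX download point (benign here, but still worth confirming), and the constructed NameServer override; the AnyDVD Run entry, the Spybot BHO and the ESET service pass without comment. Real logs still need the kind of line-by-line judgement shown in this thread; the script only orders the work.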

#28
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    D:\Program Files\Altnet
    D:\Program Files\Need2Find
    D:\Program Files\RXToolBar
    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ghmec.exe
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Tell me about your computer condition..


Regards
fenzodahl512
  • 0

#29
mlo356

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Wow. Whatever you're doing seems to work almost instantly. Thanks a lot. That Kaspersky website didn't work for me. It kept saying my license was expired. So I then uninstalled the Kaspersky that I had because the fine print said that this could be a reason. Still, the same message. Is there another website I can scan my PC with? I finally downloaded a CLEAN copy of IE. It works well now, so if you would like me to use the F-Secure site again, just post. THANKX again. Let me know what the next step is. THANKX

marcus
  • 0

#30
fenzodahl512

  • Malware Removal
  • 9,863 posts
Let's do the following.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0





