Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

malware keeps regenerate after startup [RESOLVED]

Started by npbfs , Jul 20 2008 01:00 PM

This topic is locked

#1
npbfs

Posted 20 July 2008 - 01:00 PM

Member

Member
10 posts

Hi!! my PC got infect by malware. i've tried to remove using malwarebytes,but it still regenerate everytime after startup. please help~thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:59, on 2008-07-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\csrss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\explorer.exe
C:\WINDOWS.0\system32\oodag.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\alg.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\system32\wcomipek.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS.0\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] E:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://203.118.43.10...sCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O20 - AppInit_DLLs: nmsdjh.dll,hrafh.dll,bsnfhs.dll,gaffg.dll,snszh.dll,zdhere.dll,klsf.dll,jsdfa.dl
l,hjsz.dll,cgfhr.dll,aghmxd.dll,sdfrbt.dll,jkzsgf.dll,dghagc.dll,dfgwag.dll,fgjd.
dll,xfnh.dll,bgyu.dll,xdrhcj.dll,zsrdygx.dll,dfhvk.dll,xdfthjh.dll,cvbtfs.dll,cgy
dj.dll,zsdgrgh.dll,fghdd.dll,bgcjty.dll,dbgj.dll,xcfgh.dll,cvnghk.dll,vgxdcg.dll,
chjg.dll,vnfxd.dll,nbmfu.dll,xdbjy.dll,vbjxbnm.dll,xgngj.dll,cxvbh.dll,fgjt.dll,c
nbv.dll,cvnhk.dll,vgjzrg.dll,cvjdfh.dll,sdfhk.dll,gmnait.dll,xdbnm.dll,xbnft.dll,
myuf.dll,hkxddrh.dll,aserg.dll,zdfgf.dll,bnmdgh.dll,bxdfh.dll,cncft.dll,cfjzsxn.d
ll,dfbghj.dll,dgbzd.dll,nhjsd.dll,hjmasd.dll,xbfhxd.dll,bngyjuf.dll,xdgxr.dll,bnm
ft.dll,xcvgu.dll,szggfj.dll,zsggixd.dll,bnhugk.dll,xdhuk.dll,dxgjgfy.dll,fgjderg.
dll,asfhjy.dll,swegfuj.dll,cxfhf.dll,hjukrt.dll,dhdhvv.dll,vdfthjk.dll,xdfrg.dll,
zsgjfh.dll,cvbyj.dll,nmxdt.dll,bhdryn.dll,nbkfy.dll,xsdjd.dll,xuxdg.dll,nmdgkn.dl
l,xdhts.dll,vcnyd.dll,zsdth.dll, wcomipe.dll longasus.dll cbplus.dll comremo.dll ceshleo.dll follwel.dll offeceo.d
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe

--
End of file - 8423 bytes

#2
fenzodahl512

Posted 20 July 2008 - 02:53 PM

Malware Removal
9,863 posts

Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following...

Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
Please let your firewall allow the scanning/downloading process.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Regards
fenzodahl512

#3
npbfs

Posted 20 July 2008 - 09:44 PM

Member

Topic Starter
Member
10 posts

Hi fenzodahl512, thanks for your reply. here's the logs

main:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-21 11:37:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39, on 2008-07-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\csrss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\explorer.exe
C:\WINDOWS.0\system32\oodag.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\alg.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\system32\wcomipek.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS.0\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] E:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://203.118.43.10...sCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O20 - AppInit_DLLs: nmsdjh.dll,hrafh.dll,bsnfhs.dll,gaffg.dll,snszh.dll,zdhere.dll,klsf.dll,jsdfa.dl
l,hjsz.dll,cgfhr.dll,aghmxd.dll,sdfrbt.dll,jkzsgf.dll,dghagc.dll,dfgwag.dll,fgjd.
dll,xfnh.dll,bgyu.dll,xdrhcj.dll,zsrdygx.dll,dfhvk.dll,xdfthjh.dll,cvbtfs.dll,cgy
dj.dll,zsdgrgh.dll,fghdd.dll,bgcjty.dll,dbgj.dll,xcfgh.dll,cvnghk.dll,vgxdcg.dll,
chjg.dll,vnfxd.dll,nbmfu.dll,xdbjy.dll,vbjxbnm.dll,xgngj.dll,cxvbh.dll,fgjt.dll,c
nbv.dll,cvnhk.dll,vgjzrg.dll,cvjdfh.dll,sdfhk.dll,gmnait.dll,xdbnm.dll,xbnft.dll,
myuf.dll,hkxddrh.dll,aserg.dll,zdfgf.dll,bnmdgh.dll,bxdfh.dll,cncft.dll,cfjzsxn.d
ll,dfbghj.dll,dgbzd.dll,nhjsd.dll,hjmasd.dll,xbfhxd.dll,bngyjuf.dll,xdgxr.dll,bnm
ft.dll,xcvgu.dll,szggfj.dll,zsggixd.dll,bnhugk.dll,xdhuk.dll,dxgjgfy.dll,fgjderg.
dll,asfhjy.dll,swegfuj.dll,cxfhf.dll,hjukrt.dll,dhdhvv.dll,vdfthjk.dll,xdfrg.dll,
zsgjfh.dll,cvbyj.dll,nmxdt.dll,bhdryn.dll,nbkfy.dll,xsdjd.dll,xuxdg.dll,nmdgkn.dl
l,xdhts.dll,vcnyd.dll,zsdth.dll, wcomipe.dll longasus.dll cbplus.dll comremo.dll ceshleo.dll follwel.dll offeceo.d
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe

--
End of file - 8473 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-07-21 03:30:00 418 --a------ C:\WINDOWS.0\Tasks\ErrorSmart Scheduled Scan.job

-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 02:45:51 225792 --ah----- C:\WINDOWS.0\system32\dndsaf.dll
2008-07-21 02:45:43 24576 --a------ C:\WINDOWS.0\system32\jsnoer.dll
2008-07-21 02:45:38 24576 --a------ C:\WINDOWS.0\system32\joliom.dll
2008-07-21 02:45:34 24576 --a------ C:\WINDOWS.0\system32\offeceo.dll
2008-07-21 02:45:29 218624 --ah----- C:\WINDOWS.0\system32\tdggrz.dll
2008-07-21 02:45:25 240128 --ah----- C:\WINDOWS.0\system32\fmcvxy.dll
2008-07-21 02:45:21 28672 --a------ C:\WINDOWS.0\system32\follwel.dll
2008-07-21 02:45:15 258048 --ah----- C:\WINDOWS.0\system32\rfdswc.dll
2008-07-21 02:45:11 232960 --ah----- C:\WINDOWS.0\system32\wrqszl.dll
2008-07-21 02:45:06 229376 --ah----- C:\WINDOWS.0\system32\jfrwdh.dll
2008-07-21 02:45:02 243712 --ah----- C:\WINDOWS.0\system32\tdfhex.dll
2008-07-21 02:44:57 232960 --ah----- C:\WINDOWS.0\system32\wyhesm.dll
2008-07-21 02:44:53 240128 --ah----- C:\WINDOWS.0\system32\hhrdxd.dll
2008-07-21 02:44:48 24576 --a------ C:\WINDOWS.0\system32\ceshleo.dll
2008-07-21 02:44:43 225792 --ah----- C:\WINDOWS.0\system32\sgdewg.dll
2008-07-21 02:44:39 225792 --ah----- C:\WINDOWS.0\system32\zycdex.dll
2008-07-21 02:44:34 232960 --ah----- C:\WINDOWS.0\system32\zgtwfx.dll
2008-07-21 02:44:30 24576 --a------ C:\WINDOWS.0\system32\comremo.dll
2008-07-21 02:44:26 28672 --a------ C:\WINDOWS.0\system32\cbplus.dll
2008-07-21 02:44:13 268800 --ah----- C:\WINDOWS.0\system32\ddserh.dll
2008-07-21 02:44:08 236544 --ah----- C:\WINDOWS.0\system32\wklsdd.dll
2008-07-21 02:44:04 243712 --ah----- C:\WINDOWS.0\system32\mghefy.dll
2008-07-21 02:43:59 279552 --ah----- C:\WINDOWS.0\system32\mttwfh.dll
2008-07-21 02:43:59 0 d--hs---- C:\hss
2008-07-21 02:40:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-21 01:52:48 28672 --a------ C:\WINDOWS.0\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite, UnHackMe>
2008-07-21 01:50:31 2 -rahs-o-t C:\WINDOWS.0\winstart.bat
2008-07-21 01:44:25 24576 --a------ C:\WINDOWS.0\system32\longasus.dll
2008-07-21 01:44:21 11264 --a------ C:\WINDOWS.0\system32\wcomipek.exe
2008-07-21 01:44:21 24576 --a------ C:\WINDOWS.0\system32\wcomipe.dll
2008-07-21 01:44:01 0 d--hs---- C:\oft
2008-07-21 01:41:54 1033216 --a------ C:\WINDOWS.0\itqn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-21 01:39:42 1033216 --a------ C:\WINDOWS.0\ntha.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-21 01:14:53 0 d--hs---- C:\dkn
2008-07-21 01:12:46 1033216 --a------ C:\WINDOWS.0\nchb.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-21 00:56:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-07-21 00:29:17 0 d--hs---- C:\uox
2008-07-21 00:27:13 1033216 --a------ C:\WINDOWS.0\rctb.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-20 23:58:20 1033216 --a------ C:\WINDOWS.0\xefi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-20 23:24:04 0 d--hs---- C:\lsu
2008-07-20 23:05:50 1033216 --a------ C:\WINDOWS.0\ucyp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-20 22:47:56 0 d--hs---- C:\xnn
2008-07-18 19:39:04 1033216 --a------ C:\WINDOWS.0\ynxd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 19:10:04 1033216 --a------ C:\WINDOWS.0\mkfd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 19:04:22 1033216 --a------ C:\WINDOWS.0\pyhv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:33:22 1033216 --a------ C:\WINDOWS.0\flfx.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:32:11 1033216 --a------ C:\WINDOWS.0\iqnn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:29:26 0 d--hs---- C:\wlv
2008-07-18 17:28:42 0 d--hs---- C:\obf
2008-07-18 17:27:25 1033216 --a------ C:\WINDOWS.0\grho.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:26:38 1033216 --a------ C:\WINDOWS.0\ycvi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:20:26 1033216 --a------ C:\WINDOWS.0\mlpv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:19:51 1033216 --a------ C:\WINDOWS.0\vkuf.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 17:06:16 0 d-------- C:\Program Files\EMCO MoveOnBoot
2008-07-18 16:42:56 1033216 --a------ C:\WINDOWS.0\eucn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 16:38:58 1033216 --a------ C:\WINDOWS.0\fjgl.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 16:35:02 0 d--hs---- C:\bif
2008-07-18 16:32:56 1033216 --a------ C:\WINDOWS.0\tjwv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 15:39:03 0 d--hs---- C:\ifr
2008-07-18 00:04:36 1033216 --a------ C:\WINDOWS.0\loag.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 23:37:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-17 20:41:10 0 d--hs---- C:\uhb
2008-07-17 20:39:29 0 d--hs---- C:\qxk
2008-07-17 20:04:50 0 d--hs---- C:\sav
2008-07-17 19:48:54 0 d--hs---- C:\dpg
2008-07-17 19:45:44 0 d--hs---- C:\blv
2008-07-17 19:39:52 0 d--hs---- C:\aeh
2008-07-17 19:36:06 0 d--hs---- C:\toq
2008-07-17 19:33:59 1033216 --a------ C:\WINDOWS.0\tlch.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 19:32:25 389120 --a------ C:\WINDOWS.0\system32\CF30762.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 18:42:42 1033216 --a------ C:\WINDOWS.0\etqb.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 18:38:15 0 d--hs---- C:\jix
2008-07-17 18:18:40 0 d--hs---- C:\ufb
2008-07-17 18:18:25 0 d--hs---- C:\iww
2008-07-17 18:16:53 0 d--hs---- C:\btc
2008-07-17 18:16:21 1033216 --a------ C:\WINDOWS.0\sxbw.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 18:16:11 0 d--hs---- C:\ayz
2008-07-17 18:15:56 0 d--hs---- C:\dbi
2008-07-17 18:14:49 1033216 --a------ C:\WINDOWS.0\qvok.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 18:14:04 1033216 --a------ C:\WINDOWS.0\vyis.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 16:43:37 0 d--hs---- C:\ivq
2008-07-17 16:39:36 68096 --a------ C:\WINDOWS.0\zip.exe
2008-07-17 16:39:36 49152 --a------ C:\WINDOWS.0\VFind.exe
2008-07-17 16:39:36 212480 --a------ C:\WINDOWS.0\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-17 16:39:36 136704 --a------ C:\WINDOWS.0\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-17 16:39:36 161792 --a------ C:\WINDOWS.0\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-17 16:39:36 98816 --a------ C:\WINDOWS.0\sed.exe
2008-07-17 16:39:36 80412 --a------ C:\WINDOWS.0\grep.exe
2008-07-17 16:39:36 89504 --a------ C:\WINDOWS.0\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-17 16:39:21 389120 --a------ C:\WINDOWS.0\system32\CF29620.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 16:38:28 0 d--hs---- C:\dbg
2008-07-17 16:36:26 1033216 --a------ C:\WINDOWS.0\yril.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 16:35:42 0 d--hs---- C:\vff
2008-07-17 16:35:42 0 d--hs---- C:\tuu
2008-07-17 16:35:42 0 d--hs---- C:\sho
2008-07-17 16:35:42 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-17 16:35:42 0 d--hs---- C:\djm
2008-07-17 16:35:41 0 d--hs---- C:\vqi
2008-07-17 16:35:41 0 d--hs---- C:\nnj
2008-07-17 16:32:39 0 d--hs---- C:\gpg
2008-07-17 16:31:53 0 d--hs---- C:\iwl
2008-07-17 16:30:39 1033216 --a------ C:\WINDOWS.0\qrqo.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 15:56:04 1033216 --a------ C:\WINDOWS.0\expi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 15:55:37 1033216 --a------ C:\WINDOWS.0\abbd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 15:55:05 1033216 --a------ C:\WINDOWS.0\jxko.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 15:02:47 0 d--hs---- C:\ogn
2008-07-17 15:02:15 0 d--hs---- C:\see
2008-07-17 15:00:59 1033216 --a------ C:\WINDOWS.0\dust.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 15:00:46 1033216 --a------ C:\WINDOWS.0\oxhk.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 15:00:12 1033216 --a------ C:\WINDOWS.0\knqp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 14:57:53 1033216 --a------ C:\WINDOWS.0\tinw.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 14:55:27 1033216 --a------ C:\WINDOWS.0\tezg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 14:04:07 1033216 --a------ C:\WINDOWS.0\jsma.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 13:10:40 0 d--hs---- C:\drx
2008-07-17 13:09:42 0 d--hs---- C:\imf
2008-07-17 13:05:20 1033216 --a------ C:\WINDOWS.0\qbvd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 13:02:49 1033216 --a------ C:\WINDOWS.0\bibt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-17 12:54:53 39072 --a------ C:\WINDOWS.0\system32\drivers\HBKernel.sys
2008-07-17 12:54:50 0 d--hs---- C:\meo
2008-07-17 12:54:50 0 d--hs---- C:\jqa
2008-07-17 12:54:36 7768 --a------ C:\WINDOWS.0\plch.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-09 13:16:19 3002368 --a------ C:\Documents and Settings\Guest\ntuser.dat
2008-07-09 13:16:18 15204352 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-07-08 12:28:05 371433 --ahs---- C:\WINDOWS.0\system32\ijiQAJjl.ini2
2008-07-05 20:44:55 0 d-------- C:\Documents and Settings\Guest\Application Data\Malwarebytes
2008-07-05 01:11:18 422631 --ahs---- C:\WINDOWS.0\system32\GMlonUtv.ini2
2008-07-05 00:52:49 422756 --ahs---- C:\WINDOWS.0\system32\Wxbddccf.ini2
2008-07-03 20:14:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 20:14:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 02:10:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-03 02:10:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 02:10:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 02:09:41 0 d-------- C:\VundoFix Backups
2008-07-03 01:39:31 0 dr------- C:\Documents and Settings\Guest\Application Data\Brother
2008-07-03 01:19:50 0 d-------- C:\Program Files\Enigma Software Group
2008-07-02 16:18:06 720896 --a------ C:\Documents and Settings\LocalService\ntuser.dat

-- Find3M Report ---------------------------------------------------------------

2008-07-21 11:35:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-21 02:58:49 0 d-------- C:\Program Files\Trend Micro
2008-07-20 20:56:43 0 d-------- C:\Program Files\uTorrent
2008-07-20 14:20:05 0 d-------- C:\Program Files\ReGetDx
2008-07-19 15:50:10 78478 --a----c- C:\WINDOWS.0\War3Unin.dat
2008-07-17 20:40:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-16 21:54:54 0 d-------- C:\Program Files\NJStar Chinese WP
2008-07-10 11:59:37 0 d-------- C:\Program Files\Lavasoft
2008-07-08 20:43:44 0 d-------- C:\Program Files\Opera
2008-07-05 20:21:37 1024 --a----c- C:\Documents and Settings\Administrator\Application Data\WavCodec.wff
2008-07-03 20:14:12 0 d-------- C:\Program Files\Common Files
2008-07-03 19:52:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-26 21:57:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-26 23:31:01 4096 --a------ C:\WINDOWS.0\system32\crash
2008-04-21 20:34:34 98304 --a------ C:\WINDOWS.0\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [2001-07-09 11:50]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07]
"IMJPMIG8.1"="C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 12:38]
"MSPY2002"="C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:39]
"PHIME2002ASync"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:39]
"PHIME2002A"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:39]
"TkBellExe"="C:\Program Files\Real Alternative\Update_OB\realsched.exe" [2006-06-28 22:56]
"YeppStudioAgent"="E:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe" []
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-12-31 20:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-24 21:57:18]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Post-itr Software Notes Lite.lnk.disabled [2007-02-27 21:45:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{000F087F-4378-545F-74FA-37D345AD7A8C}"= C:\WINDOWS.0\system32\mttwfh.dll [2008-07-21 02:43 279552]
"{000030AE-0380-4351-8244-EE98A3240370}"= C:\WINDOWS.0\system32\mghefy.dll [2008-07-21 02:44 243712]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= C:\WINDOWS.0\system32\wklsdd.dll [2008-07-21 02:44 236544]
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= C:\WINDOWS.0\system32\ddserh.dll [2008-07-21 02:44 268800]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= C:\WINDOWS.0\system32\zgtwfx.dll [2008-07-21 02:44 232960]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS.0\system32\zycdex.dll [2008-07-21 02:44 225792]
"{8C41B7F7-3168-400D-A702-0E7EFE0BA304}"= C:\WINDOWS.0\system32\sgdewg.dll [2008-07-21 02:44 225792]
"{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}"= C:\WINDOWS.0\system32\hhrdxd.dll [2008-07-21 02:44 240128]
"{EB71E0B3-E97D-4D30-8733-E28266467617}"= C:\WINDOWS.0\system32\wyhesm.dll [2008-07-21 02:44 232960]
"{0B846B26-BFE6-4E8E-A948-1DB17B77B483}"= C:\WINDOWS.0\system32\tdfhex.dll [2008-07-21 02:45 243712]
"{841529CB-7F77-4B99-A895-B5441E0D302F}"= C:\WINDOWS.0\system32\jfrwdh.dll [2008-07-21 02:45 229376]
"{F99DEFDD-200B-4410-B572-E90883D527D2}"= C:\WINDOWS.0\system32\wrqszl.dll [2008-07-21 02:45 232960]
"{461D2AB4-29A5-45C2-9134-D52272D3DE38}"= C:\WINDOWS.0\system32\rfdswc.dll [2008-07-21 02:45 258048]
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= C:\WINDOWS.0\system32\fmcvxy.dll [2008-07-21 02:45 240128]
"{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}"= C:\WINDOWS.0\system32\tdggrz.dll [2008-07-21 02:45 218624]
"{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}"= C:\WINDOWS.0\system32\dndsaf.dll [2008-07-21 02:45 225792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nmsdjh.dll,hrafh.dll,bsnfhs.dll,gaffg.dll,snszh.dll,zdhere.dll,klsf.dll,js
dfa.dll,hjsz.dll,cgfhr.dll,aghmxd.dll,sdfrbt.dll,jkzsgf.dll,dghagc.dll,dfgwag.dll
,fgjd.dll,xfnh.dll,bgyu.dll,xdrhcj.dll,zsrdygx.dll,dfhvk.dll,xdfthjh.dll,cvbtfs.d
ll,cgydj.dll,zsdgrgh.dll,fghdd.dll,bgcjty.dll,dbgj.dll,xcfgh.dll,cvnghk.dll,vgxdc
g.dll,chjg.dll,vnfxd.dll,nbmfu.dll,xdbjy.dll,vbjxbnm.dll,xgngj.dll,cxvbh.dll,fgjt
.dll,cnbv.dll,cvnhk.dll,vgjzrg.dll,cvjdfh.dll,sdfhk.dll,gmnait.dll,xdbnm.dll,xbnf
t.dll,myuf.dll,hkxddrh.dll,aserg.dll,zdfgf.dll,bnmdgh.dll,bxdfh.dll,cncft.dll,cfj
zsxn.dll,dfbghj.dll,dgbzd.dll,nhjsd.dll,hjmasd.dll,xbfhxd.dll,bngyjuf.dll,xdgxr.d
ll,bnmft.dll,xcvgu.dll,szggfj.dll,zsggixd.dll,bnhugk.dll,xdhuk.dll,dxgjgfy.dll,fg
jderg.dll,asfhjy.dll,swegfuj.dll,cxfhf.dll,hjukrt.dll,dhdhvv.dll,vdfthjk.dll,xdfr
g.dll,zsgjfh.dll,cvbyj.dll,nmxdt.dll,bhdryn.dll,nbkfy.dll,xsdjd.dll,xuxdg.dll,nmd
gkn.dll,xdhts.dll,vcnyd.dll,zsdth.dll, wcomipe.dll longasus.dll cbplus.dll comremo.dll ceshleo.dll follwel.dll offeceo.dll joliom.dll jsnoer.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlowDownCPU]
C:\WINDOWS.0\INF\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe

-- End of Deckard's System Scanner: finished at 2008-07-21 11:40:18 ------------

extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 511.48 MiB / 161.6 MiB
Pagefile Memory (total/avail): 1246.02 MiB / 891.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.89 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 12 GiB total, 4.29 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 177.91 GiB total, 54.53 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6B200P0 - 189.92 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 12 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 177.91 GiB - E:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1201 [VPS 080611-1] v4.8.1201 (ALWIL Software) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\\Program Files\\ReGetDx\\regetdx.exe"="C:\\Program Files\\ReGetDx\\regetdx.exe:*:Enabled:ReGet 3.3"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Disabled:KazaaLite"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\Guest\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Documents and Settings\\Guest\\Program Files\\uTorrent\\uTorrent.exe:*:Disabled:uTorrent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ALEX-F3CE98B0F1
ComSpec=C:\WINDOWS.0\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\ALEX-F3CE98B0F1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS.0\system32;C:\WINDOWS.0;C:\WINDOWS.0\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS.0
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=ALEX-F3CE98B0F1
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS.0

-- User Profiles ---------------------------------------------------------------

alexing (new local, admin)
alexing.ALEX-F3CE98B0F1.002 (new local, admin)
Administrator (admin)
Guest (guest)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Real Alternative\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS.0\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS.0\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS.0\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS.0\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{01D21D16-B246-4E9A-B4B1-0E37F2AD3446}
ATI Display Driver --> rundll32 C:\WINDOWS.0\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}\Setup.exe" -l0x9 Brunin03.dll -removeonly
BSPlayer --> "C:\Program Files\Webteh\BSplayer\uninstall.exe"
Championship Manager 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADA3C3A9-B788-4233-845A-D8AFF7D0115A}\setup.exe" -l0x9 -removeonly
ContentSAFER for Wizmax -->
DivX Codec --> C:\WINDOWS.0\unvise32.exe C:\Program Files\DivX\DivX Codec\uninstal.log
DivX Player --> C:\WINDOWS.0\unvise32.exe C:\Program Files\DivX\DivX Player\uninstal.log
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
EMCO MoveOnBoot --> "C:\Program Files\EMCO MoveOnBoot\unins000.exe"
Flash Movie Player 1.3 --> C:\Program Files\Flash Movie Player\uninst.exe
FLVPlayer --> MsiExec.exe /I{7A347D7B-3811-4313-93B5-807740629D2A}
Granado Espada --> "E:\Granado Espada\unins000.exe"
GunboundWC --> "C:\Program Files\softnyx\unins000.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hitman Blood Money --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A804B134-F03D-4EFD-9BC0-DCD257AA1B22}\setup.exe" -l0x9 -removeonly
InternetVerifier --> "C:\Program Files\Internet Explorer\iexplore.exe" "http://notetol.com/uninstall.php"
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
K-Lite Codec Pack 2.53 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Lame ACM MP3 Codec --> "C:\WINDOWS.0\IFinst26.exe" -UC:\Program Files\Lame MP3 Codec\IFUE502.inf
Macromedia Shockwave Player --> C:\WINDOWS.0\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS.0\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v4.9 (build 0144) --> E:\PROGRA~1\MagicISO\UNWISE.EXE E:\PROGRA~1\MagicISO\INSTALL.LOG
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2) --> "C:\WINDOWS.0\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MySlideshow v1.5 beta --> C:\WINDOWS.0\st6unst.exe -n "C:\Program Files\MySlideshow\ST6UNST.LOG"
Need for Speed™ Most Wanted --> E:\Program Files\EA GAMES\Need for Speed Most Wanted\EAUninstall.exe
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NJStar Chinese Word Processor --> "C:\Program Files\NJStar Chinese WP\Remove.exe" /U:"C:\Program Files\NJStar Chinese WP\Remove.log"
NJStar Communicator --> "C:\Program Files\NJStar Communicator\Remove.exe" /U:"C:\Program Files\NJStar Communicator\Remove.log"
O&O Defrag Professional Edition --> MsiExec.exe /I{53480370-6CA2-47EC-BC05-02B4B9271C31}
Opera 9.01 --> MsiExec.exe /X{256808AA-7E9E-4DB5-8A27-A26268864747}
PaperPort --> MsiExec.exe /I{71C97545-E547-4A8B-B0C8-61FF853270AC}
Post-it® Software Notes Lite Version 2 --> "C:\Program Files\3M\PSN2Lite\Uninstall.exe" -Prog"C:\Program Files\3M\PSN2Lite\Psn2Lite.exe" -INI"C:\Program Files\3M\PSN2Lite\uninst.ini"
QuickTime --> C:\WINDOWS.0\unvise32qt.exe C:\WINDOWS.0\system32\QuickTime\Uninstall.log
QuickTime Alternative 1.90 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.41 --> "C:\Program Files\Real Alternative\unins000.exe"
RealOne Player --> C:\Program Files\Real Alternative\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RecordPad Sound Recorder Uninstall --> C:\Program Files\NCH Swift Sound\RecordPad\uninst.exe
ReGet Deluxe 3.3 --> C:\Program Files\ReGetDx\regetdx.exe -uninstall
SamsungMediaStudio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{289CA3B4-9525-4B31-B58F-D76B2B52EA5A}\Setup.exe" -l0x9
Sony Ericsson PC Suite --> MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}
Sony Ericsson PC Suite 3.010.00 --> C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS.0\unins000.exe"
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
SUPER © Version 2006.19 (FIX) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
Tweak UI --> "C:\WINDOWS.0\system32\mshta.exe" "res://C:\WINDOWS.0\system32\TweakUI.exe/uninstall.hta"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AE}
VIA Audio Driver Setup Program --> RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS.0\IsUninst.exe -y-f"C:\PROGRA~1\VIAudioi\SBASetup\Uninst.isu"
VideoLAN VLC media player 0.8.2 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> C:\WINDOWS.0\War3Unin.exe C:\WINDOWS.0\War3Unin.dat
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Imaging Component --> "C:\WINDOWS.0\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{257E440F-781F-459B-9A68-A0872B80C1D6}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS.0\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Winning Eleven 7 INTERNATIONAL --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{71493403-7C93-48CC-BF19-C73DB1DB7B17} /l1033
Winning Eleven Pro Evolution Soccer 2007 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{002E6FB5-8671-4694-BFF6-81019AFEDD52} /l1033
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 9.0 --> C:\PROGRA~1\Winzip\PROGRA~1\Winzip\UNWISE.EXE C:\PROGRA~1\Winzip\PROGRA~1\Winzip\INSTALL.LOG

-- Application Event Log -------------------------------------------------------

Event Record #/Type307 / Error
Event Submitted/Written: 07/21/2008 01:39:32 AM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.

Event Record #/Type304 / Error
Event Submitted/Written: 07/21/2008 01:12:44 AM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.

Event Record #/Type301 / Error
Event Submitted/Written: 07/21/2008 00:49:45 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module advapi32.dll, version 5.1.2600.2649, fault address 0x00067fd7.
Processing media-specific event for [rundll32.exe!ws!]

Event Record #/Type300 / Error
Event Submitted/Written: 07/21/2008 00:48:51 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type299 / Error
Event Submitted/Written: 07/21/2008 00:48:40 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module advapi32.dll, version 5.1.2600.2649, fault address 0x00067fd7.
Processing media-specific event for [rundll32.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type241812 / Warning
Event Submitted/Written: 07/21/2008 10:08:33 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type241811 / Warning
Event Submitted/Written: 07/21/2008 06:30:05 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type241810 / Warning
Event Submitted/Written: 07/21/2008 04:40:51 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type241809 / Warning
Event Submitted/Written: 07/21/2008 03:46:13 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type241808 / Warning
Event Submitted/Written: 07/21/2008 03:18:52 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

-- End of Deckard's System Scanner: finished at 2008-07-21 11:40:18 ------------

#4
fenzodahl512

Posted 20 July 2008 - 09:54 PM

Malware Removal
9,863 posts

Please disable your Avast Antivirus and Spybot S&D prior to our fix.. Please go HERE if you do not know how.. Please re-enable both programs after you finish all steps given..

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

Now, please re-enable both of your Avast and Spybot S&D...

Regards
fenzodahl512

#5
npbfs

Posted 20 July 2008 - 11:25 PM

Member

Topic Starter
Member
10 posts

hi, here's the logs

combofix:

ComboFix 08-07-20.5 - Administrator 2008-07-21 12:44:07.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS.0\system32\nmsdjh.dll
C:\WINDOWS.0\system32\hrafh.dll
C:\WINDOWS.0\system32\zdfgf.dll
C:\WINDOWS.0\system32\xdhuk.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\4MJHUE2A\www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\4MJHUE2A\www.inter-focus.cn\flashad.swf\IFFLASHAD.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1\s?stem32\
C:\Program Files\Common Files\{3C7CC~1
C:\Program Files\Common Files\{CC7CC~1
C:\Program Files\printview
C:\WINDOWS.0\system32\atvvcbpc.ini
C:\WINDOWS.0\system32\cbplus.dll
C:\WINDOWS.0\system32\ceshleo.dll
C:\WINDOWS.0\system32\components
C:\WINDOWS.0\system32\ddserh.dll
C:\WINDOWS.0\system32\dndsaf.dll
C:\WINDOWS.0\system32\dndsaf.dll.LoG
C:\WINDOWS.0\system32\drivers\HBKernel.sys
C:\WINDOWS.0\system32\explorer.exe
C:\WINDOWS.0\system32\feyvdvqp.ini
C:\WINDOWS.0\system32\GMlonUtv.ini
C:\WINDOWS.0\system32\GMlonUtv.ini2
C:\WINDOWS.0\system32\hhrdxd.dll
C:\WINDOWS.0\system32\ijiQAJjl.ini
C:\WINDOWS.0\system32\ijiQAJjl.ini2
C:\WINDOWS.0\system32\jfrwdh.dll
C:\WINDOWS.0\system32\joliom.dll
C:\WINDOWS.0\system32\jsnoer.dll
C:\WINDOWS.0\system32\kcmfghsg.ini
C:\WINDOWS.0\system32\mcrh.tmp
C:\WINDOWS.0\system32\rfdswc.dll
C:\WINDOWS.0\system32\sgdewg.dll
C:\WINDOWS.0\system32\tdfhex.dll
C:\WINDOWS.0\system32\tdggrz.dll
C:\WINDOWS.0\system32\ttdllfqe.ini
C:\WINDOWS.0\system32\wcomipe.dll
C:\WINDOWS.0\system32\wcomipek.exe
C:\WINDOWS.0\system32\wklsdd.dll
C:\WINDOWS.0\system32\wklsdd.dll.LoG
C:\WINDOWS.0\system32\wrqszl.dll
C:\WINDOWS.0\system32\Wxbddccf.ini
C:\WINDOWS.0\system32\Wxbddccf.ini2
C:\WINDOWS.0\system32\wyhesm.dll
C:\WINDOWS.0\system32\zycdex.dll

Infected copy of C:\WINDOWS.0\explorer.exe was found & disinfected
Restored copy from - C:\WINDOWS.0\system32\dllcache\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HBKERNEL
-------\Service_HBKernel

((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-21 13:16 . 2008-07-21 13:16 <DIR> d-------- C:\WINDOWS.0\system32\xircom
2008-07-21 13:16 . 2008-07-21 13:16 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-21 12:51 . 2008-07-21 12:51 21,248 --a------ C:\WINDOWS.0\system32\drivers\winsyy.sys
2008-07-21 12:50 . 2008-07-21 12:50 87,040 --a------ C:\winsyscom.exe
2008-07-21 12:50 . 2008-07-21 12:50 87,040 --a------ C:\eee.exe
2008-07-21 12:47 . 2008-07-21 12:50 <DIR> d--hs---- C:\mgz
2008-07-21 12:30 . 2008-07-21 12:30 0 -ra------ C:\WINDOWS.0\system32\drivers\TQANTISYS.SYS
2008-07-21 12:21 . 2008-07-21 12:47 <DIR> d--hs---- C:\zpo
2008-07-21 11:37 . 2008-07-21 11:37 <DIR> d-------- C:\Deckard
2008-07-21 02:45 . 2008-07-21 12:49 240,128 --ah----- C:\WINDOWS.0\system32\fmcvxy.dll
2008-07-21 02:45 . 2008-07-21 12:49 28,672 --a------ C:\WINDOWS.0\system32\follwel.dll
2008-07-21 02:45 . 2008-07-21 12:49 24,576 --a------ C:\WINDOWS.0\system32\offeceo.dll
2008-07-21 02:44 . 2008-07-21 12:47 243,712 --ah----- C:\WINDOWS.0\system32\mghefy.dll
2008-07-21 02:44 . 2008-07-21 12:48 232,960 --ah----- C:\WINDOWS.0\system32\zgtwfx.dll
2008-07-21 02:44 . 2008-07-21 12:48 24,576 --a------ C:\WINDOWS.0\system32\comremo.dll
2008-07-21 02:43 . 2008-07-21 02:46 <DIR> d--hs---- C:\hss
2008-07-21 02:43 . 2008-07-21 12:47 279,552 --ah----- C:\WINDOWS.0\system32\mttwfh.dll
2008-07-21 01:52 . 2008-07-21 01:52 28,672 --a------ C:\WINDOWS.0\system32\Partizan.exe
2008-07-21 01:50 . 2008-07-21 01:50 (2) -rahs-ot- C:\WINDOWS.0\winstart.bat
2008-07-21 01:50 . 2008-07-21 01:50 (2) -rahs-ot- C:\WINDOWS.0\system32\CONFIG.NT
2008-07-21 01:44 . 2008-07-21 01:44 <DIR> d--hs---- C:\oft
2008-07-21 01:44 . 2008-07-21 12:47 24,576 --a------ C:\WINDOWS.0\system32\longasus.dll
2008-07-21 01:41 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\itqn.exe
2008-07-21 01:39 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\ntha.exe
2008-07-21 01:39 . 2008-07-21 01:39 2,126 --a------ C:\WINDOWS.0\system32\wpa.dbl
2008-07-21 01:39 . 2008-07-21 13:16 1,455 --a------ C:\WINDOWS.0\system32\OODBS.lor
2008-07-21 01:14 . 2008-07-21 01:35 <DIR> d--hs---- C:\dkn
2008-07-21 01:12 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\nchb.exe
2008-07-21 00:56 . 2008-07-21 00:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-07-21 00:29 . 2008-07-21 00:57 <DIR> d--hs---- C:\uox
2008-07-21 00:27 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\rctb.exe
2008-07-20 23:58 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\xefi.exe
2008-07-20 23:24 . 2008-07-20 23:36 <DIR> d--hs---- C:\lsu
2008-07-20 23:05 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\ucyp.exe
2008-07-20 22:47 . 2008-07-20 23:06 <DIR> d--hs---- C:\xnn
2008-07-20 22:26 . 2008-07-20 22:26 575,160 --a------ C:\Autoruns.zip
2008-07-18 19:39 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\ynxd.exe
2008-07-18 19:10 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\mkfd.exe
2008-07-18 19:04 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\pyhv.exe
2008-07-18 17:33 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\flfx.exe
2008-07-18 17:32 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\iqnn.exe
2008-07-18 17:29 . 2008-07-18 17:51 <DIR> d--hs---- C:\wlv
2008-07-18 17:28 . 2008-07-18 17:51 <DIR> d--hs---- C:\obf
2008-07-18 17:27 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\grho.exe
2008-07-18 17:26 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\ycvi.exe
2008-07-18 17:20 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\mlpv.exe
2008-07-18 17:19 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\vkuf.exe
2008-07-18 17:06 . 2008-07-21 01:37 <DIR> d-------- C:\Program Files\EMCO MoveOnBoot
2008-07-18 16:42 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\eucn.exe
2008-07-18 16:38 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\fjgl.exe
2008-07-18 16:35 . 2008-07-18 16:50 <DIR> d--hs---- C:\bif
2008-07-18 16:32 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\tjwv.exe
2008-07-18 15:39 . 2008-07-18 16:50 <DIR> d--hs---- C:\ifr
2008-07-18 00:06 . 2008-07-17 12:58 <DIR> d-------- C:\SDFix
2008-07-18 00:04 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\loag.exe
2008-07-17 23:37 . 2008-07-18 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-17 20:41 . 2008-07-17 21:20 <DIR> d--hs---- C:\uhb
2008-07-17 20:39 . 2008-07-17 20:42 <DIR> d--hs---- C:\qxk
2008-07-17 20:04 . 2008-07-17 20:07 <DIR> d--hs---- C:\sav
2008-07-17 19:48 . 2008-07-17 19:51 <DIR> d--hs---- C:\dpg
2008-07-17 19:45 . 2008-07-17 19:48 <DIR> d--hs---- C:\blv
2008-07-17 19:39 . 2008-07-17 19:43 <DIR> d--hs---- C:\aeh
2008-07-17 19:36 . 2008-07-17 20:01 <DIR> d--hs---- C:\toq
2008-07-17 19:33 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\tlch.exe
2008-07-17 18:42 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\etqb.exe
2008-07-17 18:38 . 2008-07-17 18:42 <DIR> d--hs---- C:\jix
2008-07-17 18:18 . 2008-07-17 18:26 <DIR> d--hs---- C:\ufb
2008-07-17 18:18 . 2008-07-17 18:26 <DIR> d--hs---- C:\iww
2008-07-17 18:16 . 2008-07-17 18:22 <DIR> d--hs---- C:\btc
2008-07-17 18:16 . 2008-07-17 18:20 <DIR> d--hs---- C:\ayz
2008-07-17 18:16 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\sxbw.exe
2008-07-17 18:15 . 2008-07-17 18:21 <DIR> d--hs---- C:\dbi
2008-07-17 18:14 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\vyis.exe
2008-07-17 18:14 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\qvok.exe
2008-07-17 16:53 . 2007-11-10 10:11 102,664 --a------ C:\WINDOWS.0\system32\drivers\tmcomm.sys
2008-07-17 16:43 . 2008-07-17 16:48 <DIR> d--hs---- C:\ivq
2008-07-17 16:38 . 2008-07-17 16:40 <DIR> d--hs---- C:\dbg
2008-07-17 16:36 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\yril.exe
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d--hs---- C:\vqi
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d--hs---- C:\vff
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d--hs---- C:\tuu
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d--hs---- C:\sho
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d--hs---- C:\nnj
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d--hs---- C:\djm
2008-07-17 16:32 . 2008-07-17 17:37 <DIR> d--hs---- C:\gpg
2008-07-17 16:31 . 2008-07-17 16:34 <DIR> d--hs---- C:\iwl
2008-07-17 16:30 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\qrqo.exe
2008-07-17 15:56 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\expi.exe
2008-07-17 15:55 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\jxko.exe
2008-07-17 15:55 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\abbd.exe
2008-07-17 15:05 . 2008-07-21 12:50 6,264 ---hs---- C:\WINDOWS.0\system32\xdhuk.cfg
2008-07-17 15:02 . 2008-07-17 15:07 <DIR> d--hs---- C:\see
2008-07-17 15:02 . 2008-07-17 15:07 <DIR> d--hs---- C:\ogn
2008-07-17 15:00 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\oxhk.exe
2008-07-17 15:00 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\knqp.exe
2008-07-17 15:00 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\dust.exe
2008-07-17 14:57 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\tinw.exe
2008-07-17 14:55 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\tezg.exe
2008-07-17 14:04 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\jsma.exe
2008-07-17 13:10 . 2008-07-17 13:13 <DIR> d--hs---- C:\drx
2008-07-17 13:09 . 2008-07-17 19:15 <DIR> d--hs---- C:\imf
2008-07-17 13:05 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\qbvd.exe
2008-07-17 13:02 . 2007-06-13 19:26 1,033,216 --a------ C:\WINDOWS.0\bibt.exe
2008-07-17 12:58 . 2008-07-21 12:50 8,712 ---hs---- C:\WINDOWS.0\system32\zdfgf.cfg
2008-07-17 12:54 . 2008-07-17 12:58 <DIR> d--hs---- C:\meo
2008-07-17 12:54 . 2008-07-17 13:11 <DIR> d--hs---- C:\jqa
2008-07-17 12:54 . 2008-07-17 12:54 7,768 --a------ C:\WINDOWS.0\plch.exe
2008-07-15 16:39 . 2008-07-15 16:39 645,160 --a------ C:\autoruns.exe
2008-07-15 16:39 . 2008-07-15 16:39 539,688 --a------ C:\autorunsc.exe
2008-07-05 20:44 . 2008-07-05 20:44 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Malwarebytes
2008-07-03 20:14 . 2008-07-03 20:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 20:14 . 2008-07-03 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 02:10 . 2008-07-08 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 02:10 . 2008-07-03 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 02:10 . 2008-07-03 02:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-03 02:10 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS.0\system32\drivers\mbamcatchme.sys
2008-07-03 02:10 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS.0\system32\drivers\mbam.sys
2008-07-03 02:09 . 2008-07-03 02:09 <DIR> d-------- C:\VundoFix Backups
2008-07-03 01:39 . 2008-07-03 01:39 <DIR> dr------- C:\Documents and Settings\Guest\Application Data\Brother
2008-07-03 01:19 . 2008-07-03 01:19 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 03:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-20 18:58 --------- d-----w C:\Program Files\Trend Micro
2008-07-20 12:56 --------- d-----w C:\Program Files\uTorrent
2008-07-20 06:20 --------- d-----w C:\Program Files\ReGetDx
2008-07-18 11:31 --------- d-----w C:\Documents and Settings\Guest\Application Data\uTorrent
2008-07-17 12:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-16 13:54 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-07-10 03:59 --------- d-----w C:\Program Files\Lavasoft
2008-07-08 12:43 --------- d-----w C:\Program Files\Opera
2008-07-03 11:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-26 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 02:17 11,917,655 ----a-w C:\Program Files\quicktimealt190.exe
2006-06-28 14:42 739 ----a-w C:\Program Files\INSTALL.LOG
2005-06-09 05:28 212,992 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\SlowDownCPU.exe
2005-06-08 07:18 147,456 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\RushTop.dll
2005-06-08 07:13 25,088 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\NTGLM7X.SYS
2005-06-08 06:56 94,208 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\GLM7x.dll
2005-06-08 04:02 33,280 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\RushTop.sys
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS.0\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS.0\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS.0\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS.0\system32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS.0\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS.0\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS.0\system32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS.0\system32\i420vfw.dll
2006-04-27 02:24 2,945,024 --sha-r C:\WINDOWS.0\system32\Smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS.0\system32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS.0\system32\yv12vfw.dll
.

------- Sigcheck -------

2002-12-31 20:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS.0\system32\svchost.exe

2002-12-31 20:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS.0\system32\ws2_32.dll

2002-12-31 20:00 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS.0\$NtUninstallKB917953$\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS.0\system32\dllcache\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS.0\system32\drivers\tcpip.sys

2002-12-31 20:00 502784 b66dbc40d428fe1293041d621d836ac8 C:\WINDOWS.0\system32\winlogon.exe

2002-12-31 20:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS.0\system32\drivers\ndis.sys

2002-12-31 20:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS.0\system32\drivers\ip6fw.sys

2002-12-31 20:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS.0\system32\services.exe

2002-12-31 20:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS.0\system32\lsass.exe

2002-12-31 20:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS.0\system32\ctfmon.exe

2005-06-11 08:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS.0\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-12-31 20:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS.0\$NtUninstallKB896423$\spoolsv.exe
2005-06-11 07:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS.0\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-12-31 20:00 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"IMJPMIG8.1"="C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 12:38 208953]
"MSPY2002"="C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:39 59392]
"PHIME2002ASync"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 12:39 455168]
"PHIME2002A"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 12:39 455168]
"TkBellExe"="C:\Program Files\Real Alternative\Update_OB\realsched.exe" [2006-06-28 22:56 151597]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-24 21:57:18 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Post-itr Software Notes Lite.lnk.disabled [2007-02-27 21:45:18 831]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{000F087F-4378-545F-74FA-37D345AD7A8C}"= "C:\WINDOWS.0\system32\mttwfh.dll" [2008-07-21 12:47 279552]
"{000030AE-0380-4351-8244-EE98A3240370}"= "C:\WINDOWS.0\system32\mghefy.dll" [2008-07-21 12:47 243712]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= "C:\WINDOWS.0\system32\zgtwfx.dll" [2008-07-21 12:48 232960]
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= "C:\WINDOWS.0\system32\fmcvxy.dll" [2008-07-21 12:49 240128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlowDownCPU]
--a------ 2005-06-09 13:28 212992 C:\WINDOWS.0\inf\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\ReGetDx\\regetdx.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Guest\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-05-16 07:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-05-16 07:16]
R2 WinSYSCOM;COM+ Windows System;c:\winsyscom.exe [2008-07-21 12:50]
R3 Ndispror;Network Monitor Protocol Driver;C:\WINDOWS.0\system32\DRIVERS\winsyy.sys [2008-07-21 12:51]
S3 RushTopDevice;RushTopDevice;C:\WINDOWS.0\INF\MSI\SlowDownCPU\RushTop.sys [2005-06-08 12:02]
S3 SlowDownCPU;SlowDownCPU;C:\WINDOWS.0\INF\MSI\SlowDownCPU\NTGLM7X.sys [2005-06-08 15:13]
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS.0\system32\UnlockerDriver4.sys [2005-04-24 05:08]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 19:30:00 C:\WINDOWS.0\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-YeppStudioAgent - E:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
ShellExecuteHooks-{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC} - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://yahoo.com.sg/
R0 -: HKLM-Main,Start Page = hxxp://yahoo.com.sg/
O8 -: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 -: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS.0\Java\classes\xmldso.cab
C:\WINDOWS.0\Downloaded Program Files\Microsoft XML Parser for Java.osd

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 13:17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS.0\system32\ati2evxx.exe
C:\WINDOWS.0\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-07-21 13:20:21 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-21 05:20:17

Pre-Run: 4,537,344,000 bytes free
Post-Run: 4,433,977,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

359 --- E O F --- 2007-12-21 12:05:03

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:24 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
c:\winsyscom.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://203.118.43.10...sCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: COM+ Windows System (WinSYSCOM) - Unknown owner - c:\winsyscom.exe

--
End of file - 7388 bytes

#6
fenzodahl512

Posted 21 July 2008 - 12:43 AM

Malware Removal
9,863 posts

IMPORTANT!: Please create a fresh Restore Point before proceed with our fix. Please visit this webpage if you do not know how..

If you are using Windows Vista, please visit this webpage for more information.

NEXT

Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\WINDOWS.0\system32\drivers\winsyy.sys
  C:\winsyscom.exe
Click on the submit button. You can only submit one file per round.
Please post the results in your next reply.

If Jotti server is too busy, please submit the file to VirusTotal instead.

NEXT

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo.com/forum/malware-keeps-regenerate-after-startup-t205711.html&view=findpost&p=1288850#entry1288850

Collect::
C:\eee.exe
C:\WINDOWS.0\system32\drivers\TQANTISYS.SYS
C:\WINDOWS.0\system32\fmcvxy.dll
C:\WINDOWS.0\system32\follwel.dll
C:\WINDOWS.0\system32\offeceo.dll
C:\WINDOWS.0\system32\mghefy.dll
C:\WINDOWS.0\system32\zgtwfx.dll
C:\WINDOWS.0\system32\comremo.dll
C:\WINDOWS.0\system32\mttwfh.dll
C:\WINDOWS.0\system32\longasus.dll
C:\WINDOWS.0\itqn.exe
C:\WINDOWS.0\ntha.exe
C:\WINDOWS.0\nchb.exe
C:\WINDOWS.0\rctb.exe
C:\WINDOWS.0\xefi.exe
C:\WINDOWS.0\ucyp.exe
C:\WINDOWS.0\ynxd.exe
C:\WINDOWS.0\mkfd.exe
C:\WINDOWS.0\pyhv.exe
C:\WINDOWS.0\flfx.exe
C:\WINDOWS.0\iqnn.exe
C:\WINDOWS.0\grho.exe
C:\WINDOWS.0\ycvi.exe
C:\WINDOWS.0\mlpv.exe
C:\WINDOWS.0\vkuf.exe
C:\WINDOWS.0\eucn.exe
C:\WINDOWS.0\fjgl.exe
C:\WINDOWS.0\tjwv.exe
C:\WINDOWS.0\loag.exe
C:\WINDOWS.0\tlch.exe
C:\WINDOWS.0\etqb.exe
C:\WINDOWS.0\sxbw.exe
C:\WINDOWS.0\vyis.exe
C:\WINDOWS.0\qvok.exe
C:\WINDOWS.0\yril.exe
C:\WINDOWS.0\qrqo.exe
C:\WINDOWS.0\expi.exe
C:\WINDOWS.0\jxko.exe
C:\WINDOWS.0\abbd.exe
C:\WINDOWS.0\system32\xdhuk.cfg
C:\WINDOWS.0\oxhk.exe
C:\WINDOWS.0\knqp.exe
C:\WINDOWS.0\dust.exe
C:\WINDOWS.0\tinw.exe
C:\WINDOWS.0\tezg.exe
C:\WINDOWS.0\jsma.exe
C:\WINDOWS.0\qbvd.exe
C:\WINDOWS.0\bibt.exe
C:\WINDOWS.0\system32\zdfgf.cfg
C:\WINDOWS.0\plch.exe
C:\WINDOWS.0\system32\nmsdjh.dll
C:\WINDOWS.0\system32\hrafh.dll
C:\WINDOWS.0\system32\zdfgf.dll
C:\WINDOWS.0\system32\xdhuk.dll

Suspect::
C:\WINDOWS.0\system32\drivers\winsyy.sys
C:\winsyscom.exe

FileLook::
C:\winsyscom.exe

Folder::
C:\mgz
C:\zpo
C:\hss
C:\oft
C:\dkn
C:\uox
C:\lsu
C:\xnn
C:\wlv
C:\obf
C:\bif
C:\ifr
C:\uhb
C:\qxk
C:\sav
C:\dpg
C:\blv
C:\aeh
C:\toq
C:\jix
C:\ufb
C:\iww
C:\btc
C:\ayz
C:\dbi
C:\ivq
C:\dbg
C:\vqi
C:\vff
C:\tuu
C:\sho
C:\nnj
C:\djm
C:\gpg
C:\iwl
C:\see
C:\ogn
C:\drx
C:\imf
C:\meo
C:\jqa

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{000F087F-4378-545F-74FA-37D345AD7A8C}"=-
"{000030AE-0380-4351-8244-EE98A3240370}"=-
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"=-
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. Additonally, ComboFix will generate the following files on your desktop

A zipped file on your desktop called Submit [Date Time].zip
And another file named - CF-Submit.htm

6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.

Click on the file to Select it.
Submit the file by clicking "OK"

10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:

Jotti/VirusTotal result
Combofix.txt
A new HijackThis log (run after ComboFix has finished its work.)

Edited by fenzodahl512, 21 July 2008 - 12:44 AM.

#7
npbfs

Posted 21 July 2008 - 01:48 AM

Member

Topic Starter
Member
10 posts

hi, thanks for your patience. here's the results/logs

jotti/VirusTotal result:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

0 bytes size received / Se ha recibido un archivo vacio

Combofix.txt:

ComboFix 08-07-20.5 - Administrator 2008-07-21 15:10:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aeh
C:\aeh\osxsj.dat
C:\ayz
C:\ayz\vdmsj.dat
C:\bif
C:\blv
C:\btc
C:\btc\vdmsj.dat
C:\dbg
C:\dbi
C:\djm
C:\dkn
C:\dkn\hfvsj.dat
C:\dpg
C:\drx
C:\eee.exe
C:\gpg
C:\gpg\rlpsj.dat
C:\hss
C:\hss\ajhsj.dat
C:\hss\byzsj.dat
C:\hss\cizsj.dat
C:\hss\ckgsj.dat
C:\hss\csqsj.dat
C:\hss\ehasj.dat
C:\hss\fvzsj.dat
C:\hss\ihhsj.dat
C:\hss\iltsj.dat
C:\hss\iudsj.dat
C:\hss\ivasj.dat
C:\hss\ogzsj.dat
C:\hss\ojhsj.dat
C:\hss\qarsj.dat
C:\hss\tcysj.dat
C:\hss\ydgsj.dat
C:\hss\zxysj.dat
C:\ifr
C:\imf
C:\ivq
C:\iwl
C:\iwl\cklsj.dat
C:\iww
C:\jix
C:\jqa
C:\lsu
C:\lsu\cpwsj.dat
C:\meo
C:\meo\qdusj.dat
C:\mgz
C:\mgz\akcsj.dat
C:\mgz\iqvsj.dat
C:\mgz\tbrsj.dat
C:\nnj
C:\obf
C:\obf\bizsj.dat
C:\obf\bizsj.dat.bat
C:\obf\rmcsj.dat.bat
C:\obf\xuksj.dat.bat
C:\oft
C:\oft\diqsj.dat
C:\oft\kaesj.dat
C:\oft\lrosj.dat
C:\oft\qnesj.dat
C:\oft\ylrsj.dat
C:\ogn
C:\ogn\lcasj.dat
C:\qxk
C:\sav
C:\see
C:\see\vmwsj.dat
C:\sho
C:\toq
C:\toq\nnxsj.dat
C:\tuu
C:\ufb
C:\ufb\jcasj.dat
C:\uhb
C:\uox
C:\uox\izisj.dat
C:\vff
C:\vqi
C:\WINDOWS.0\abbd.exe
C:\WINDOWS.0\bibt.exe
C:\WINDOWS.0\dust.exe
C:\WINDOWS.0\etqb.exe
C:\WINDOWS.0\eucn.exe
C:\WINDOWS.0\expi.exe
C:\WINDOWS.0\fjgl.exe
C:\WINDOWS.0\flfx.exe
C:\WINDOWS.0\grho.exe
C:\WINDOWS.0\iqnn.exe
C:\WINDOWS.0\itqn.exe
C:\WINDOWS.0\jsma.exe
C:\WINDOWS.0\jxko.exe
C:\WINDOWS.0\knqp.exe
C:\WINDOWS.0\loag.exe
C:\WINDOWS.0\mkfd.exe
C:\WINDOWS.0\mlpv.exe
C:\WINDOWS.0\nchb.exe
C:\WINDOWS.0\ntha.exe
C:\WINDOWS.0\oxhk.exe
C:\WINDOWS.0\plch.exe
C:\WINDOWS.0\pyhv.exe
C:\WINDOWS.0\qbvd.exe
C:\WINDOWS.0\qrqo.exe
C:\WINDOWS.0\qvok.exe
C:\WINDOWS.0\rctb.exe
C:\WINDOWS.0\sxbw.exe
C:\WINDOWS.0\system32\comremo.dll
C:\WINDOWS.0\system32\drivers\TQANTISYS.SYS
C:\WINDOWS.0\system32\fmcvxy.dll
C:\WINDOWS.0\system32\follwel.dll
C:\WINDOWS.0\system32\hrafh.dll
C:\WINDOWS.0\system32\longasus.dll
C:\WINDOWS.0\system32\mghefy.dll
C:\WINDOWS.0\system32\mttwfh.dll
C:\WINDOWS.0\system32\nmsdjh.dll
C:\WINDOWS.0\system32\offeceo.dll
C:\WINDOWS.0\system32\xdhuk.cfg
C:\WINDOWS.0\system32\xdhuk.dll
C:\WINDOWS.0\system32\zdfgf.cfg
C:\WINDOWS.0\system32\zdfgf.dll
C:\WINDOWS.0\system32\zgtwfx.dll
C:\WINDOWS.0\tezg.exe
C:\WINDOWS.0\tinw.exe
C:\WINDOWS.0\tjwv.exe
C:\WINDOWS.0\tlch.exe
C:\WINDOWS.0\ucyp.exe
C:\WINDOWS.0\vkuf.exe
C:\WINDOWS.0\vyis.exe
C:\WINDOWS.0\xefi.exe
C:\WINDOWS.0\ycvi.exe
C:\WINDOWS.0\ynxd.exe
C:\WINDOWS.0\yril.exe
C:\wlv
C:\xnn
C:\xnn\peesj.dat
C:\zpo
C:\zpo\pqusj.dat

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-21 13:42 . 2008-07-21 15:08 121 --a------ C:\time.bat
2008-07-21 13:16 . 2008-07-21 13:16 <DIR> d-------- C:\WINDOWS.0\system32\xircom
2008-07-21 13:16 . 2008-07-21 13:16 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-21 12:51 . 2008-07-21 12:51 21,248 --a------ C:\WINDOWS.0\system32\drivers\winsyy.sys
2008-07-21 12:50 . 2008-07-21 12:50 87,040 --a------ C:\winsyscom.exe
2008-07-21 11:37 . 2008-07-21 11:37 <DIR> d-------- C:\Deckard
2008-07-21 01:52 . 2008-07-21 01:52 28,672 --a------ C:\WINDOWS.0\system32\Partizan.exe
2008-07-21 01:50 . 2008-07-21 01:50 (2) -rahs-ot- C:\WINDOWS.0\winstart.bat
2008-07-21 01:50 . 2008-07-21 01:50 (2) -rahs-ot- C:\WINDOWS.0\system32\CONFIG.NT
2008-07-21 01:39 . 2008-07-21 01:39 2,126 --a------ C:\WINDOWS.0\system32\wpa.dbl
2008-07-21 01:39 . 2008-07-21 15:13 1,746 --a------ C:\WINDOWS.0\system32\OODBS.lor
2008-07-21 00:56 . 2008-07-21 00:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-07-20 22:26 . 2008-07-20 22:26 575,160 --a------ C:\Autoruns.zip
2008-07-18 17:06 . 2008-07-21 01:37 <DIR> d-------- C:\Program Files\EMCO MoveOnBoot
2008-07-18 00:06 . 2008-07-17 12:58 <DIR> d-------- C:\SDFix
2008-07-17 23:37 . 2008-07-18 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-17 16:53 . 2007-11-10 10:11 102,664 --a------ C:\WINDOWS.0\system32\drivers\tmcomm.sys
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-15 16:39 . 2008-07-15 16:39 645,160 --a------ C:\autoruns.exe
2008-07-15 16:39 . 2008-07-15 16:39 539,688 --a------ C:\autorunsc.exe
2008-07-05 20:44 . 2008-07-05 20:44 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Malwarebytes
2008-07-03 20:14 . 2008-07-03 20:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 20:14 . 2008-07-03 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 02:10 . 2008-07-08 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 02:10 . 2008-07-03 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 02:10 . 2008-07-03 02:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-03 02:10 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS.0\system32\drivers\mbamcatchme.sys
2008-07-03 02:10 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS.0\system32\drivers\mbam.sys
2008-07-03 02:09 . 2008-07-03 02:09 <DIR> d-------- C:\VundoFix Backups
2008-07-03 01:39 . 2008-07-03 01:39 <DIR> dr------- C:\Documents and Settings\Guest\Application Data\Brother
2008-07-03 01:19 . 2008-07-03 01:19 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 03:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-20 18:58 --------- d-----w C:\Program Files\Trend Micro
2008-07-20 12:56 --------- d-----w C:\Program Files\uTorrent
2008-07-20 06:20 --------- d-----w C:\Program Files\ReGetDx
2008-07-18 11:31 --------- d-----w C:\Documents and Settings\Guest\Application Data\uTorrent
2008-07-17 12:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-16 13:54 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-07-10 03:59 --------- d-----w C:\Program Files\Lavasoft
2008-07-08 12:43 --------- d-----w C:\Program Files\Opera
2008-07-03 11:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-26 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 02:17 11,917,655 ----a-w C:\Program Files\quicktimealt190.exe
2006-06-28 14:42 739 ----a-w C:\Program Files\INSTALL.LOG
2005-06-09 05:28 212,992 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\SlowDownCPU.exe
2005-06-08 07:18 147,456 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\RushTop.dll
2005-06-08 07:13 25,088 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\NTGLM7X.SYS
2005-06-08 06:56 94,208 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\GLM7x.dll
2005-06-08 04:02 33,280 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\RushTop.sys
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS.0\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS.0\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS.0\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS.0\system32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS.0\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS.0\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS.0\system32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS.0\system32\i420vfw.dll
2006-04-27 02:24 2,945,024 --sha-r C:\WINDOWS.0\system32\Smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS.0\system32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS.0\system32\yv12vfw.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\winsyscom.exe -- Not a PE file.

------- Sigcheck -------

2002-12-31 20:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS.0\system32\svchost.exe

2002-12-31 20:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS.0\system32\ws2_32.dll

2002-12-31 20:00 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS.0\$NtUninstallKB917953$\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS.0\system32\dllcache\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS.0\system32\drivers\tcpip.sys

2002-12-31 20:00 502784 b66dbc40d428fe1293041d621d836ac8 C:\WINDOWS.0\system32\winlogon.exe

2002-12-31 20:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS.0\system32\drivers\ndis.sys

2002-12-31 20:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS.0\system32\drivers\ip6fw.sys

2002-12-31 20:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS.0\system32\services.exe

2002-12-31 20:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS.0\system32\lsass.exe

2002-12-31 20:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS.0\system32\ctfmon.exe

2005-06-11 08:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS.0\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-12-31 20:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS.0\$NtUninstallKB896423$\spoolsv.exe
2005-06-11 07:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS.0\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_13.20.01.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-21 07:13:26 16,384 ----atw C:\WINDOWS.0\Temp\Perflib_Perfdata_70c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-12-31 20:00 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"IMJPMIG8.1"="C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 12:38 208953]
"MSPY2002"="C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:39 59392]
"PHIME2002ASync"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 12:39 455168]
"PHIME2002A"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 12:39 455168]
"TkBellExe"="C:\Program Files\Real Alternative\Update_OB\realsched.exe" [2006-06-28 22:56 151597]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-24 21:57:18 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Post-itr Software Notes Lite.lnk.disabled [2007-02-27 21:45:18 831]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlowDownCPU]
--a------ 2005-06-09 13:28 212992 C:\WINDOWS.0\inf\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\ReGetDx\\regetdx.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Guest\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-05-16 07:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-05-16 07:16]
S2 WinSYSCOM;COM+ Windows System;c:\winsyscom.exe [2008-07-21 12:50]
S3 Ndispror;Network Monitor Protocol Driver;C:\WINDOWS.0\system32\DRIVERS\winsyy.sys [2008-07-21 12:51]
S3 RushTopDevice;RushTopDevice;C:\WINDOWS.0\INF\MSI\SlowDownCPU\RushTop.sys [2005-06-08 12:02]
S3 SlowDownCPU;SlowDownCPU;C:\WINDOWS.0\INF\MSI\SlowDownCPU\NTGLM7X.sys [2005-06-08 15:13]
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS.0\system32\UnlockerDriver4.sys [2005-04-24 05:08]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 19:30:00 C:\WINDOWS.0\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 15:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS.0\system32\ati2evxx.exe
C:\WINDOWS.0\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-21 15:16:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 07:16:23
ComboFix2.txt 2008-07-21 05:20:22

Pre-Run: 4,453,806,080 bytes free
Post-Run: 4,385,644,544 bytes free

336 --- E O F --- 2007-12-21 12:05:03

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:33 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\oodag.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://203.118.43.10...sCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: COM+ Windows System (WinSYSCOM) - Unknown owner - c:\winsyscom.exe

--
End of file - 7320 bytes

#8
fenzodahl512

Posted 21 July 2008 - 04:56 AM

Malware Removal
9,863 posts

Please show hidden files and folders. Please visit HERE if you don't know how.

Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
- C:\WINDOWS.0\system32\drivers\winsyy.sys
  C:\winsyscom.exe
Click on the Upload button
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

#9
npbfs

Posted 21 July 2008 - 05:47 AM

Member

Topic Starter
Member
10 posts

here's the results:

VirSCAN.org Scanned Report :
Scanned time : 2008/07/21 19:41:34 (SGT)
Scanner results: 33% Scanner(12/36) found malware!
File Name : winsyy.sys
File Size : 21248 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 7a5a69801d5e18b12c47851149a66e2e
SHA1 : a17c26cec5ad7dfd4a8161c52274e29c425a6578
Online report : http://virscan.org/r...9fd4e8d07d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.20 2008-07-20 2.37 Trojan.Win32.Agent.kvc
AhnLab V3 2008.07.21.00 2008.07.21 2008-07-21 0.83 -
AntiVir 7.8.1.11 7.0.5.143 2008-07-21 2.08 -
Arcavir 1.0.4 200807151947 2008-07-15 1.17 -
AVAST! 3.0.1 080720-0 2008-07-20 0.63 Win32:Agent-ZNC [Trj]
AVG 7.5.51.442 270.5.3/1564 2008-07-21 1.45 Agent.XAF
BitDefender 7.60825.1382299 7.20121 2008-07-21 2.54 Rootkit.Tearspear.A
CA (VET) 9.0.0.143 31.6.5971 2008-07-21 0.90 -
ClamAV 0.93.3 7765 2008-07-21 0.01 Trojan.Agent-25163
Comodo 2.11 2.0.0.592 2008-07-21 0.42 -
CP Secure 1.1.0.715 2008.07.21 2008-07-21 6.42 Troj.W32.Agent.kvc
Dr.Web 4.44.0.9170 2008.07.21 2008-07-21 2.99 Trojan.DownLoader.62392
ewido 4.0.0.2 2008.07.21 2008-07-21 2.25 -
F-Prot 4.4.4.56 20080720 2008-07-20 0.94 -
F-Secure 5.51.6100 2008.07.21.02 2008-07-21 2.71 Trojan.Win32.Agent.qzs [AVP]
Fortinet 2.81-3.11 9.339 2008-07-21 1.60 -
ViRobot 20080721 2008.07.21 2008-07-21 0.41 -
Ikarus T3.1.01.34 2008.07.21.71131 2008-07-21 3.16 -
JiangMin 11.0.706 2008.07.21 2008-07-21 1.16 -
Kaspersky 5.5.10 2008.07.21 2008-07-21 0.02 Trojan.Win32.Agent.qzs
KingSoft 2008.1.14.15 2008.7.21.17 2008-07-21 0.62 Win32.Troj.Agent.21248
McAfee 5.2.00 5342 2008-07-18 2.02 -
Microsoft 1.3704 2008.07.21 2008-07-21 4.46 -
mks_vir 2.01 2008.07.21 2008-07-21 2.44 -
Norman 5.93.01 5.93.00 2008-07-18 4.41 -
Panda 9.05.01 2008.07.20 2008-07-20 1.91 -
Trend Micro 8.700-1004 5.420.03 2008-07-20 0.02 TROJ_TESEFO.C
Quick Heal 9.50 2008.07.15 2008-07-15 1.55 -
Rising 20.0 20.54.02.00 2008-07-21 0.79 -
Sophos 2.75.4 4.31 2008-07-21 1.83 -
Sunbelt 3.1.1536.1 2156 2008-07-18 0.42 -
Symantec 1.3.0.24 20080720.003 2008-07-20 0.24 -
nProtect 2008-07-21.00 1695598 2008-07-21 3.10 Rootkit.Tearspear.A
The Hacker 6.2.96 v00385 2008-07-19 0.40 -
VBA32 3.12.8.1 20080720.0927 2008-07-20 1.07 -
VirusBuster 4.5.11.10 10.82.12/595718 2008-07-15 0.78 -

VirSCAN.org Scanned Report :
Scanned time : 2008/07/21 19:44:48 (SGT)
Scanner results: 44% Scanner(16/36) found malware!
File Name : winsyscom.exe
File Size : 87040 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9cc04591c3eea53a72de02a670dce231
SHA1 : b6a3446546802f795cbdbcf8bdb7013ec110f5c7
Online report : http://virscan.org/r...da7852531f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.20 2008-07-20 2.33 -
AhnLab V3 2008.07.21.01 2008.07.21 2008-07-21 0.96 -
AntiVir 7.8.1.11 7.0.5.143 2008-07-21 2.10 TR/Crypt.FKM.Gen
Arcavir 1.0.4 200807151947 2008-07-15 1.49 -
AVAST! 3.0.1 080720-0 2008-07-20 0.02 Win32:Agent-ZNC [Trj]
AVG 7.5.51.442 270.5.3/1564 2008-07-21 1.51 -
BitDefender 7.60825.1382299 7.20121 2008-07-21 2.56 Trojan.Downloader.Tearspear.A
CA (VET) 9.0.0.143 31.6.5971 2008-07-21 1.50 -
ClamAV 0.93.3 7765 2008-07-21 0.10 -
Comodo 2.11 2.0.0.592 2008-07-21 0.93 -
CP Secure 1.1.0.715 2008.07.21 2008-07-21 6.16 -
Dr.Web 4.44.0.9170 2008.07.21 2008-07-21 3.04 Trojan.MulDrop.17836
ewido 4.0.0.2 2008.07.21 2008-07-21 2.68 -
F-Prot 4.4.4.56 20080720 2008-07-20 0.98 W32/Downloader.C.gen!Eldorado (generic, not disinfectable)
F-Secure 5.51.6100 2008.07.21.02 2008-07-21 0.16 -
Fortinet 2.81-3.11 9.339 2008-07-21 1.68 Suspicious
ViRobot 20080721 2008.07.21 2008-07-21 0.56 -
Ikarus T3.1.01.34 2008.07.21.71131 2008-07-21 3.15 BehavesLikeWin32.ExplorerHijack
JiangMin 11.0.706 2008.07.21 2008-07-21 1.13 Win32/Downloader.NET
Kaspersky 5.5.10 2008.07.21 2008-07-21 0.10 -
KingSoft 2008.1.14.15 2008.7.21.17 2008-07-21 0.64 -
McAfee 5.2.00 5342 2008-07-18 2.31 New Malware.ca
Microsoft 1.3704 2008.07.21 2008-07-21 5.02 TrojanDownloader:Win32/Tesefo.A
mks_vir 2.01 2008.07.21 2008-07-21 2.61 -
Norman 5.93.01 5.93.00 2008-07-18 4.38 -
Panda 9.05.01 2008.07.20 2008-07-20 1.96 Suspicious file
Trend Micro 8.700-1004 5.420.03 2008-07-20 0.06 TROJ_TESEFO.C
Quick Heal 9.50 2008.07.15 2008-07-15 1.54 Sub7_2.0
Rising 20.0 20.54.02.00 2008-07-21 0.99 -
Sophos 2.75.4 4.31 2008-07-21 2.08 Mal/Behav-142
Sunbelt 3.1.1536.1 2156 2008-07-18 0.57 -
Symantec 1.3.0.24 20080720.003 2008-07-20 0.07 Backdoor.Trojan
nProtect 2008-07-21.00 1695598 2008-07-21 3.11 Trojan.Downloader.Tearspear.A
The Hacker 6.2.96 v00385 2008-07-19 0.41 -
VBA32 3.12.8.1 20080720.0927 2008-07-20 1.35 -
VirusBuster 4.5.11.10 10.82.12/595718 2008-07-15 1.14 -

#10
fenzodahl512

Posted 21 July 2008 - 05:55 AM

Malware Removal
9,863 posts

Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purpose until we give it all clear

1. Please open Notepad

Click Start, then Run
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
WinSYSCOM
Ndispror

File::
C:\WINDOWS.0\system32\drivers\winsyy.sys
C:\winsyscom.exe
C:\time.bat

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#11
npbfs

Posted 21 July 2008 - 06:08 AM

Member

Topic Starter
Member
10 posts

hi
combofix:

ComboFix 08-07-20.5 - Administrator 2008-07-21 19:59:41.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\time.bat
C:\WINDOWS.0\system32\drivers\winsyy.sys
C:\winsyscom.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\time.bat
C:\WINDOWS.0\system32\drivers\winsyy.sys
C:\winsyscom.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISPROR
-------\Legacy_WINSYSCOM
-------\Service_Ndispror
-------\Service_WinSYSCOM

((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-21 13:16 . 2008-07-21 13:16 <DIR> d-------- C:\WINDOWS.0\system32\xircom
2008-07-21 13:16 . 2008-07-21 13:16 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-21 11:37 . 2008-07-21 11:37 <DIR> d-------- C:\Deckard
2008-07-21 01:52 . 2008-07-21 01:52 28,672 --a------ C:\WINDOWS.0\system32\Partizan.exe
2008-07-21 01:50 . 2008-07-21 01:50 (2) -rahs-ot- C:\WINDOWS.0\winstart.bat
2008-07-21 01:50 . 2008-07-21 01:50 (2) -rahs-ot- C:\WINDOWS.0\system32\CONFIG.NT
2008-07-21 01:39 . 2008-07-21 01:39 2,126 --a------ C:\WINDOWS.0\system32\wpa.dbl
2008-07-21 01:39 . 2008-07-21 20:01 2,037 --a------ C:\WINDOWS.0\system32\OODBS.lor
2008-07-21 00:56 . 2008-07-21 00:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-07-20 22:26 . 2008-07-20 22:26 575,160 --a------ C:\Autoruns.zip
2008-07-18 17:06 . 2008-07-21 01:37 <DIR> d-------- C:\Program Files\EMCO MoveOnBoot
2008-07-18 00:06 . 2008-07-17 12:58 <DIR> d-------- C:\SDFix
2008-07-17 23:37 . 2008-07-18 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-17 16:53 . 2007-11-10 10:11 102,664 --a------ C:\WINDOWS.0\system32\drivers\tmcomm.sys
2008-07-17 16:35 . 2008-07-17 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-15 16:39 . 2008-07-15 16:39 645,160 --a------ C:\autoruns.exe
2008-07-15 16:39 . 2008-07-15 16:39 539,688 --a------ C:\autorunsc.exe
2008-07-05 20:44 . 2008-07-05 20:44 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Malwarebytes
2008-07-03 20:14 . 2008-07-03 20:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 20:14 . 2008-07-03 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 02:10 . 2008-07-08 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 02:10 . 2008-07-03 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 02:10 . 2008-07-03 02:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-03 02:10 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS.0\system32\drivers\mbamcatchme.sys
2008-07-03 02:10 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS.0\system32\drivers\mbam.sys
2008-07-03 02:09 . 2008-07-03 02:09 <DIR> d-------- C:\VundoFix Backups
2008-07-03 01:39 . 2008-07-03 01:39 <DIR> dr------- C:\Documents and Settings\Guest\Application Data\Brother
2008-07-03 01:19 . 2008-07-03 01:19 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 11:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-21 09:14 --------- d-----w C:\Program Files\ReGetDx
2008-07-20 18:58 --------- d-----w C:\Program Files\Trend Micro
2008-07-20 12:56 --------- d-----w C:\Program Files\uTorrent
2008-07-18 11:31 --------- d-----w C:\Documents and Settings\Guest\Application Data\uTorrent
2008-07-17 12:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-16 13:54 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-07-10 03:59 --------- d-----w C:\Program Files\Lavasoft
2008-07-08 12:43 --------- d-----w C:\Program Files\Opera
2008-07-03 11:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-26 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 12:34 98,304 ----a-w C:\WINDOWS.0\system32\CmdLineExt.dll
2007-12-23 02:17 11,917,655 ----a-w C:\Program Files\quicktimealt190.exe
2006-06-28 14:42 739 ----a-w C:\Program Files\INSTALL.LOG
2005-06-09 05:28 212,992 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\SlowDownCPU.exe
2005-06-08 07:18 147,456 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\RushTop.dll
2005-06-08 07:13 25,088 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\NTGLM7X.SYS
2005-06-08 06:56 94,208 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\GLM7x.dll
2005-06-08 04:02 33,280 ----a-w C:\WINDOWS.0\inf\MSI\SlowDownCPU\RushTop.sys
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS.0\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS.0\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS.0\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS.0\system32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS.0\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS.0\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS.0\system32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS.0\system32\i420vfw.dll
2006-04-27 02:24 2,945,024 --sha-r C:\WINDOWS.0\system32\Smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS.0\system32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS.0\system32\yv12vfw.dll
.

------- Sigcheck -------

2002-12-31 20:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS.0\system32\svchost.exe

2002-12-31 20:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS.0\system32\ws2_32.dll

2002-12-31 20:00 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS.0\$NtUninstallKB917953$\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS.0\system32\dllcache\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS.0\system32\drivers\tcpip.sys

2002-12-31 20:00 502784 b66dbc40d428fe1293041d621d836ac8 C:\WINDOWS.0\system32\winlogon.exe

2002-12-31 20:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS.0\system32\drivers\ndis.sys

2002-12-31 20:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS.0\system32\drivers\ip6fw.sys

2002-12-31 20:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS.0\system32\services.exe

2002-12-31 20:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS.0\system32\lsass.exe

2002-12-31 20:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS.0\system32\ctfmon.exe

2005-06-11 08:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS.0\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-12-31 20:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS.0\$NtUninstallKB896423$\spoolsv.exe
2005-06-11 07:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS.0\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_13.20.01.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 05:16:33 16,384 ----atw C:\WINDOWS.0\Temp\Perflib_Perfdata_710.dat
+ 2008-07-21 12:02:13 16,384 ----atw C:\WINDOWS.0\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-12-31 20:00 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"IMJPMIG8.1"="C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 12:38 208953]
"MSPY2002"="C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:39 59392]
"PHIME2002ASync"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 12:39 455168]
"PHIME2002A"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 12:39 455168]
"TkBellExe"="C:\Program Files\Real Alternative\Update_OB\realsched.exe" [2006-06-28 22:56 151597]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-24 21:57:18 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Post-itr Software Notes Lite.lnk.disabled [2007-02-27 21:45:18 831]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlowDownCPU]
--a------ 2005-06-09 13:28 212992 C:\WINDOWS.0\inf\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\ReGetDx\\regetdx.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Guest\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-05-16 07:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-05-16 07:16]
S3 RushTopDevice;RushTopDevice;C:\WINDOWS.0\INF\MSI\SlowDownCPU\RushTop.sys [2005-06-08 12:02]
S3 SlowDownCPU;SlowDownCPU;C:\WINDOWS.0\INF\MSI\SlowDownCPU\NTGLM7X.sys [2005-06-08 15:13]
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS.0\system32\UnlockerDriver4.sys [2005-04-24 05:08]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 19:30:00 C:\WINDOWS.0\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 20:02:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS.0\system32\ati2evxx.exe
C:\WINDOWS.0\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-21 20:05:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 12:05:09
ComboFix2.txt 2008-07-21 07:16:28
ComboFix3.txt 2008-07-21 05:20:22

Pre-Run: 4,347,998,208 bytes free
Post-Run: 4,347,363,328 bytes free

205 --- E O F --- 2007-12-21 12:05:03

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:31 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://203.118.43.10...sCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe

--
End of file - 7273 bytes

#12
fenzodahl512

Posted 21 July 2008 - 06:16 AM

Malware Removal
9,863 posts

That is good.. Tell me, do you download/use Autoruns by SysInternals? And RegRun or UnHackMe from Greatis?

Lets do an online scan so we can have a through look...

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Also tell me about your computer behaviour now..

Regards
fenzodahl512

#13
npbfs

Posted 21 July 2008 - 08:49 AM

Member

Topic Starter
Member
10 posts

Hi fenzodahl512,

yes, i have used Autoruns and RegRun. pls advice if i should not be using any of these programs.

now my computer behaviour is pretty good. no signs of system slow down. here's the result. pls advice. thank you!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 21, 2008 10:47:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/07/2008
Kaspersky Anti-Virus database records: 980538
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 49472
Number of viruses found: 64
Number of infected objects: 292
Number of suspicious objects: 2
Duration of the scan process: 01:23:27

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp43.tmp Infected: Trojan-GameThief.Win32.OnLineGames.sdkz skipped
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp45.tmp Infected: Trojan-GameThief.Win32.OnLineGames.sdkz skipped
C:\Deckard\System Scanner\backup\WINDOWS.0\temp\tmp4.tmp Infected: Trojan-GameThief.Win32.OnLineGames.sdwb skipped
C:\Documents and Settings\Administrator\.housecall\Quarantine\6b4736cf.exe.bac_a04008 Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\Documents and Settings\Administrator\.housecall\Quarantine\win389.tmp.exe.bac_a04076 Infected: Trojan-Downloader.Win32.Small.dod skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\1cd3e356.exe.bac_a03612 Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\216399c6.exe.bac_a03612 Infected: not-a-virus:FraudTool.Win32.UltimateDefender.ba skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\370b57a6.exe.bac_a03612 Infected: not-a-virus:FraudTool.Win32.UltimateDefender.ba skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\6b4736cf.exe.bac_a04008 Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544/stream/data0002/stream/data0003 Infected: not-a-virus:AdWare.Win32.Maxifiles.aa skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544/stream/data0002/stream/data0004 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544/stream/data0002/stream Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544/stream/data0002 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544 NSIS: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00544 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580/stream/data0002/stream/data0003 Infected: not-a-virus:AdWare.Win32.Maxifiles.aa skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580/stream/data0002/stream/data0004 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580/stream/data0002/stream Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580/stream/data0002 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580 NSIS: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a00580 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792/stream/data0002/stream/data0003 Infected: not-a-virus:AdWare.Win32.Maxifiles.aa skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792/stream/data0002/stream/data0004 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792/stream/data0002/stream Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792/stream/data0002 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792 NSIS: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03792 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996/stream/data0002/stream/data0003 Infected: not-a-virus:AdWare.Win32.Maxifiles.aa skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996/stream/data0002/stream/data0004 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996/stream/data0002/stream Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996/stream/data0002 Infected: Trojan-Downloader.Win32.Small.ece skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996 NSIS: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03996 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\fbhshwg.dll.bak.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\flx7.dll.bac_a01408 Infected: not-virus:Hoax.Win32.Renos.ds skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\issearch.exe.bac_a03876 Infected: not-virus:Hoax.Win32.Renos.ep skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\orkylil.dll.bak.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\pvmodule.exe.bac_a03996 Infected: not-a-virus:AdWare.Win32.PrintView.a skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\sqnkbyb.dll.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\srvhyv[1].exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\srvjtm[1] .bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\srvlow[1].exe.bac_a01408 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\srvnvw[1]@.bac_a01408 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\srvsiz[1].exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\srvwjx[1].exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\system.dll.bac_a00580 Infected: Trojan-Spy.Win32.Delf.mk skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\system.dll.bac_a04044 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\temp.exe.bac_a03460 Infected: Backdoor.Win32.VB.amy skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\tinst4.exe.bac_a00580 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\tinst4.exe.bac_a03996 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Update.exe.bac_a00580 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Update.exe.bac_a03996 Infected: not-a-virus:AdWare.Win32.Mostofate.z skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Update.exe.bac_a04044 Infected: not-a-virus:AdWare.Win32.Mostofate.z skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\urroxtl.dll.bac_a01408 Infected: not-virus:Hoax.Win32.Renos.ds skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\vgodmcl.dll.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\vvdkkpe.dll.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win389.tmp.exe.bac_a04076 Infected: Trojan-Downloader.Win32.Small.dod skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win740C.tmp.exe.bac_a03996 Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7A1D.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7A81.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7A82.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7A83.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7A84.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7D6F.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win7D72.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win801A.tmp.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win801A.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win80B5.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8129.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8133.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8134.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8171.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8207.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8249.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win87D3.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win87D4.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8B35.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win8B37.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9225.tmp.exe.bac_a03380 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9DCF.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9DD3.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9DEC.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9DFE.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E0B.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E30.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E35.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E3E.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E40.tmp.exe.bac_a03996/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E40.tmp.exe.bac_a03996 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E40.tmp.exe.bac_a03996 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9E90.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EB0.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EB1.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EB2.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EB4.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EB5.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EBC.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win9EC0.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winA657.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winA658.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winA659.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winA65A.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winA65B.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB0AA.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB112.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB113.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB114.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB115.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB116.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB172.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB22B.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB2C7.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB35F.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB3C2.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB4D8.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB50D.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB559.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB561.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winB566.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winBC4A.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winBC4B.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winBC4C.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winBC4D.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winBC4E.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC276.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC27B.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC2A9.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC2FC.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC333.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC589.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC60D.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC8B0.tmp.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC8B0.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winC931.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winDD78.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED0D.tmp.exe.bac_a00580 Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED0F.tmp.exe.bac_a00544 Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED11.tmp.exe.bac_a03996/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED11.tmp.exe.bac_a03996 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED11.tmp.exe.bac_a03996 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED18.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED58.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED59.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED5A.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED5B.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED7B.tmp.exe.bac_a00580 Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED7E.tmp.exe.bac_a00544 Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED80.tmp.exe.bac_a03996/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED80.tmp.exe.bac_a03996 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED80.tmp.exe.bac_a03996 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winED85.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE09.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE4C.tmp.exe.bac_a00580 Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE57.tmp.exe.bac_a00580/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE57.tmp.exe.bac_a00580 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE57.tmp.exe.bac_a00580 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE7E.tmp.exe.bac_a00580 Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE82.tmp.exe.bac_a04044/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE82.tmp.exe.bac_a04044 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE82.tmp.exe.bac_a04044 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE88.tmp.exe.bac_a03612 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEE9E.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEEBD.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEED4.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEED5.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winEED6.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF494.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF495.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF497.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF498.tmp.exe.bac_a03996 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF4D2.tmp.exe.bac_a00580 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF561.tmp.exe.bac_a00580 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF5C0.tmp.exe.bac_a00580 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF5E4.tmp.exe.bac_a00580 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF5E6.tmp.exe.bac_a00580 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF695.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF6F0.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winF781.tmp.exe.bac_a04044 Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\3ef502e6.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.a skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\temp\Perflib_Perfdata_7d4.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\alexing\My Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\alexing\My Documents\My Music\Sample Music.lnk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/ishost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BA47DE7.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\16451C35.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\21D138EC.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60E149C4.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\64317C28.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\649367BC.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Opera\Mail\indexer\indexer.dat Object is locked skipped
C:\Program Files\Opera\Mail\indexer\indexer_64.dat Object is locked skipped
C:\Program Files\Opera\Mail\lexicon\lexicon.dat Object is locked skipped
C:\Program Files\Opera\Mail\mailbase.dat Object is locked skipped
C:\QooBox\Quarantine\C\aeh\osxsj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\ayz\vdmsj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\btc\vdmsj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\dkn\hfvsj.dat.vir Infected: Trojan.Win32.Agent.sav skipped
C:\QooBox\Quarantine\C\gpg\rlpsj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\hss\ajhsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sgow skipped
C:\QooBox\Quarantine\C\hss\byzsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sdlo skipped
C:\QooBox\Quarantine\C\hss\cizsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shss skipped
C:\QooBox\Quarantine\C\hss\ckgsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\hss\csqsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sfzz skipped
C:\QooBox\Quarantine\C\hss\ehasj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sdlo skipped
C:\QooBox\Quarantine\C\hss\fvzsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\hss\ihhsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\hss\iltsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sdlo skipped
C:\QooBox\Quarantine\C\hss\iudsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sewn skipped
C:\QooBox\Quarantine\C\hss\ivasj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sewn skipped
C:\QooBox\Quarantine\C\hss\ogzsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sftq skipped
C:\QooBox\Quarantine\C\hss\ojhsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\hss\tcysj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shss skipped
C:\QooBox\Quarantine\C\hss\ydgsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\hss\zxysj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sftq skipped
C:\QooBox\Quarantine\C\iwl\cklsj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\meo\qdusj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\mgz\iqvsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\mgz\tbrsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\obf\bizsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sguu skipped
C:\QooBox\Quarantine\C\oft\diqsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sftq skipped
C:\QooBox\Quarantine\C\oft\kaesj.dat.vir Infected: Trojan.Win32.Agent.sav skipped
C:\QooBox\Quarantine\C\oft\lrosj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\oft\qnesj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shau skipped
C:\QooBox\Quarantine\C\oft\ylrsj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.sgow skipped
C:\QooBox\Quarantine\C\ogn\lcasj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\see\vmwsj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\toq\nnxsj.dat.vir Infected: Trojan.Win32.Agent.sav skipped
C:\QooBox\Quarantine\C\ufb\jcasj.dat.vir Infected: Trojan.Win32.StartPage.bhc skipped
C:\QooBox\Quarantine\C\uox\izisj.dat.vir Infected: Trojan-GameThief.Win32.OnLineGames.shax skipped
C:\QooBox\Quarantine\C\WINDOWS.0\explorer.exe.vir Infected: Trojan-Downloader.Win32.Agent.wdv skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\ceshleo.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sgul skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\ddserh.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sgud skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\dndsaf.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sftl skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\drivers\winsyy.sys.vir Infected: Trojan.Win32.Agent.qzs skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\hhrdxd.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.shbl skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\jfrwdh.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sdwe skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\jsnoer.dll.vir Infected: Trojan-Spy.Win32.Agent.dfm skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\rfdswc.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.shtp skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\sgdewg.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sdlo skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\tdfhex.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sevk skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\tdggrz.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.seru skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\wcomipe.dll.vir Infected: Trojan.Win32.Agent.shf skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\wcomipek.exe.vir Infected: Trojan.Win32.Agent.sav skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\wklsdd.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sfwo skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\wrqszl.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.shfo skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\wyhesm.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sexv skipped
C:\QooBox\Quarantine\C\WINDOWS.0\system32\zycdex.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sftw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP1\snapshot\MFEX-1.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdwb skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP1\snapshot\MFEX-2.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdwb skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP1\snapshot\MFEX-3.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdxe skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP1\snapshot\MFEX-4.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdzr skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000009.dll Infected: Trojan-GameThief.Win32.OnLineGames.shay skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000010.dll Infected: Trojan-GameThief.Win32.OnLineGames.shbe skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000011.dll Infected: Trojan-GameThief.Win32.OnLineGames.sfwo skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000012.dll Infected: Trojan-GameThief.Win32.OnLineGames.sgud skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000013.dll Infected: Trojan-GameThief.Win32.OnLineGames.sdwe skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000014.dll Infected: Trojan.Win32.Agent.shf skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000015.exe Infected: Trojan.Win32.Agent.sav skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000018.dll Infected: Trojan-GameThief.Win32.OnLineGames.sexv skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000019.dll Infected: Trojan-Spy.Win32.Agent.dex skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000020.dll Infected: Trojan-GameThief.Win32.OnLineGames.sifo skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000021.dll Infected: Trojan-GameThief.Win32.OnLineGames.sftw skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000022.dll Infected: Trojan-GameThief.Win32.OnLineGames.shfo skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000023.dll Infected: Trojan-GameThief.Win32.OnLineGames.sdlo skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000024.dll Infected: Trojan-GameThief.Win32.OnLineGames.sgul skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000025.dll Infected: Trojan-GameThief.Win32.OnLineGames.shtp skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000026.dll Infected: Trojan-GameThief.Win32.OnLineGames.shbl skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000027.dll Infected: Trojan-GameThief.Win32.OnLineGames.sevk skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000028.dll Infected: Trojan-GameThief.Win32.OnLineGames.seru skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000030.dll Infected: Trojan-GameThief.Win32.OnLineGames.sgqe skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000033.dll Infected: Trojan-Spy.Win32.Agent.dfm skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000035.dll Infected: Trojan-GameThief.Win32.OnLineGames.sftl skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000044.exe Infected: Trojan-Downloader.Win32.Agent.wdv skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000054.dll Infected: Trojan-GameThief.Win32.OnLineGames.sdvs skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000055.dll Infected: Trojan-GameThief.Win32.OnLineGames.sdwb skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000056.dll Infected: Trojan-GameThief.Win32.OnLineGames.sdxe skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\A0000057.dll Infected: Trojan-GameThief.Win32.OnLineGames.sdzr skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\snapshot\MFEX-1.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdwb skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\snapshot\MFEX-2.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdwb skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\snapshot\MFEX-3.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdxe skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP2\snapshot\MFEX-4.DAT Infected: Trojan-GameThief.Win32.OnLineGames.sdzr skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP5\A0000477.sys Infected: Trojan.Win32.Agent.qzs skipped
C:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP5\change.log Object is locked skipped
C:\WINDOWS.0\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS.0\SchedLgU.Txt Object is locked skipped
C:\WINDOWS.0\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS.0\Sti_Trace.log Object is locked skipped
C:\WINDOWS.0\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS.0\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS.0\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS.0\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS.0\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS.0\system32\config\default Object is locked skipped
C:\WINDOWS.0\system32\config\default.LOG Object is locked skipped
C:\WINDOWS.0\system32\config\SAM Object is locked skipped
C:\WINDOWS.0\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS.0\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS.0\system32\config\SECURITY Object is locked skipped
C:\WINDOWS.0\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS.0\system32\config\software Object is locked skipped
C:\WINDOWS.0\system32\config\software.LOG Object is locked skipped
C:\WINDOWS.0\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS.0\system32\config\system Object is locked skipped
C:\WINDOWS.0\system32\config\system.LOG Object is locked skipped
C:\WINDOWS.0\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS.0\system32\h323log.txt Object is locked skipped
C:\WINDOWS.0\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS.0\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS.0\system32\xdhuk.VIR Infected: Trojan-GameThief.Win32.OnLineGames.sdzr skipped
C:\WINDOWS.0\system32\zdfgf.VIR Infected: Trojan-GameThief.Win32.OnLineGames.sdxe skipped
C:\WINDOWS.0\Temp\Perflib_Perfdata_710.dat Object is locked skipped
C:\WINDOWS.0\wiadebug.log Object is locked skipped
C:\WINDOWS.0\wiaservc.log Object is locked skipped
C:\WINDOWS.0\WindowsUpdate.log Object is locked skipped
E:\download\reget\torrent\setupxv.exe/Antispyware/Antispyware.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.am skipped
E:\download\reget\torrent\setupxv.exe/Antispyware/Antispyware.srv.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.bc skipped
E:\download\reget\torrent\setupxv.exe/Antispyware/SpyCleaner.dll Infected: not-a-virus:FraudTool.Win32.SpywareStop.bi skipped
E:\download\reget\torrent\setupxv.exe/Antispyware/TCL.dll Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fu skipped
E:\download\reget\torrent\setupxv.exe/Antispyware/zlib.dll Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fv skipped
E:\download\reget\torrent\setupxv.exe 7-Zip: infected - 5 skipped
E:\download\reget\torrent\setupxv.exe UPX: infected - 5 skipped
E:\download\reget\torrent\setupxv.exe PE_Patch.UPX: infected - 5 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{A1AFDB31-3B9E-4DCE-9F0A-27B85BCFA287}\RP5\change.log Object is locked skipped

Scan process completed.

#14
fenzodahl512

Posted 21 July 2008 - 10:00 AM

Malware Removal
9,863 posts

yes, i have used Autoruns and RegRun. pls advice if i should not be using any of these programs.

Those programs are fine.. Just want confirmation from you..

Firstly, please empty your TrendMicro quarantine folder.. Please navigate C:\Documents and Settings\Administrator\.housecall\Quarantine folder and delete everything inside.. Don't delete the folder, just leave it empty..

NEXT

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\Documents and Settings\Administrator\Local Settings\Application Data\3ef502e6.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip
C:\WINDOWS.0\system32\xdhuk.VIR
C:\WINDOWS.0\system32\zdfgf.VIR
E:\download\reget\torrent\setupxv.exe
EmptyTemp
purity
[start explorer]

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NEXT

Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
Please let your firewall allow the scanning/downloading process.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator

Please post the following logs in your next reply.. Post each log in separate post..

1. OTMoveIt2
2. Deckard System Scanner (both main.txt and extra.txt)

Regards
fenzodahl512

#15
npbfs

Posted 21 July 2008 - 10:19 AM

Member

Topic Starter
Member
10 posts

hi, here the logs. but there's no extra.txt from Deckard System Scanner.

OTMoveIt2:

Explorer killed successfully
C:\Documents and Settings\Administrator\Local Settings\Application Data\3ef502e6.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip moved successfully.
C:\WINDOWS.0\system32\xdhuk.VIR moved successfully.
C:\WINDOWS.0\system32\zdfgf.VIR moved successfully.
E:\download\reget\torrent\setupxv.exe moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_7d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS.0\temp\Perflib_Perfdata_710.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_000626

Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_7d4.dat not found!
File C:\WINDOWS.0\temp\Perflib_Perfdata_710.dat not found!