
Task Manager won't open [RESOLVED]



#1 raoXI (Member, 16 posts)
It has been 3 years since I last posted for help; I thought my winning streak was fairly solid, but... :)

I tried Ad-Aware and did a virus scan and removed as much as I know how to, but Task Manager still will not open. I tried various reg fixes from kelly something .com but no luck D:.

Really appreciate any help :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:36 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\debug.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wcnonpek.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [kcodn] knx32.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: wcnonpe.dll businesn.dll therbrek.dll xfimerl.dll baccops.dll keyiftp.dll
O20 - Winlogon Notify: xy3safe - C:\WINNT\system32\360mon.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 8345 bytes

Edited by raoXI, 30 July 2008 - 05:08 AM.

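The HijackThis log above is what a malware-removal helper reads line by line. As an added example (not code from the post, from HijackThis or from Deckard's System Scanner), here is a small Python triage script that parses the HijackThis entry format and flags the entry types a helper checks first: a non-empty O20 AppInit_DLLs, an O20 Winlogon Notify package, an O4 Policies\Explorer\Run autostart, an O10 unknown Winsock LSP, and orphaned "(no file)" entries. The rules, their severities and the `Finding` type are my own assumptions; the sample lines are copied from the log posted above.

```python
"""Defender-side triage of a HijackThis v2 log.

Added example: not part of the forum post, HijackThis or DSS.  The triage
rules, severities and the Finding type are my own assumptions; the sample
lines below are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Each rule: (HJT section tag or '*' for any, body pattern, severity, reason).
RULES = [
    ("O20", re.compile(r"^AppInit_DLLs:\s*\S"), "high",
     "non-empty AppInit_DLLs: the listed DLLs load into every user32 process"),
    ("O20", re.compile(r"^Winlogon Notify:"), "high",
     "Winlogon Notify package runs inside winlogon.exe at logon"),
    ("O4", re.compile(r"\\Policies\\Explorer\\Run:"), "high",
     "Policies\\Explorer\\Run autostart is rarely used by legitimate software"),
    ("O10", re.compile(r"^Unknown file in Winsock LSP:"), "review",
     "Winsock LSP not on the known-good list"),
    ("*", re.compile(r"\((no file|file missing)\)$"), "low",
     "orphaned entry: the referenced file no longer exists"),
]

# 'O20 - AppInit_DLLs: ...' -> section tag and the rest of the line.
LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def parse_entry(line):
    """Split 'O20 - AppInit_DLLs: a.dll' into ('O20', 'AppInit_DLLs: a.dll').
    Returns None for header lines, process paths and blank lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def appinit_dlls(body):
    """Return the DLL names from an AppInit_DLLs body.  The registry value is a
    space-separated list; stray tokens (the second log in the thread shows a
    lone 'w') are dropped so that only *.dll names are returned."""
    text = body.split(":", 1)[1] if ":" in body else body
    return [tok for tok in text.split() if tok.lower().endswith(".dll")]


def triage(log_text):
    """Run every rule over every parsed entry; at most one finding per line."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        section, body = entry
        for tag, pattern, severity, reason in RULES:
            if tag in (section, "*") and pattern.search(body):
                findings.append(Finding(section, severity, reason, raw.strip()))
                break
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample lines copied from the HijackThis log in the thread above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\system32\wcnonpek.exe
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Policies\Explorer\Run: [kcodn] knx32.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O20 - AppInit_DLLs: wcnonpe.dll businesn.dll therbrek.dll xfimerl.dll baccops.dll keyiftp.dll
O20 - Winlogon Notify: xy3safe - C:\WINNT\system32\360mon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

The O10 line is flagged for review only: HijackThis reports it as unknown, not as malicious, and a helper still has to verify the file before touching a Winsock LSP.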

#2 fenzodahl512 (Malware Removal, 9,863 posts)
Hello, my name is fenzodahl512 and welcome to Geekstogo. Please do the following...


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click the dss.exe icon and choose Run as Administrator.


Regards
fenzodahl512

#3 raoXI (Topic Starter, Member, 16 posts)
Here we go :) Thanks!


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-31 17:41:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:23 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\debug.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wcnonpek.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [kcodn] knx32.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: w wcnonpe.dll baccops.dll xpstong.dll
O20 - Winlogon Notify: xy3safe - C:\WINNT\system32\360mon.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 7972 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\backups\) ------------

backup-20080730-205827-124 O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080730-205827-271 O2 - BHO: InstantGet IECatcher - {569E7719-1A11-415E-9206-AC1860FB8BFF} - C:\Program Files\InstantGet\IEBar\IGCatcher.dll (file missing)
backup-20080730-205827-453 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080730-205827-594 O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll
backup-20080730-205827-657 O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll
backup-20080730-205827-715 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080730-205827-803 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080730-205827-989 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 cpuz126 - c:\docume~1\admini~1\locals~1\temp\cpuz.sys (file missing)
3 ENTECH - c:\winnt\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
0 giveio - c:\winnt\system32\giveio.sys
3 msiffei - system32\drivers\msiffei.sys (file missing)
3 NPF (NetGroup Packet Filter Driver) - c:\winnt\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
3 NVR0Dev - c:\winnt\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
3 RivaTuner32 - c:\program files\rivatuner v2.06\rivatuner32.sys
2 sbbotdi - c:\program files\speedbit video accelerator\sbbotdi.sys <Not Verified; SpeedBit Ltd.; Speedbit TDI Driver>
0 speedfan - c:\winnt\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
1 StyleXPHelper - c:\program files\tgtsoft\stylexp\stylexphelper.exe <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
3 UltraMonMirror - system32\drivers\ultramonmirror.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 a2AntiMalware (a-squared Anti-Malware Service) - c:\program files\a-squared anti-malware\a2service.exe
3 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
2 AcrSch2Svc (Acronis Scheduler2 Service) - c:\program files\common files\acronis\schedule2\schedul2.exe
3 Microsoft Office Groove Audit Service - c:\program files\microsoft office\office12\grooveauditservice.exe
3 NMIndexingService - c:\program files\common files\nero\lib\nmindexingservice.exe
2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe
2 NwSapAgent (SAP Agent) - c:\winnt\system32\svchost.exe
3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - c:\program files\winpcap\rpcapd.exe
2 StyleXPService - c:\program files\tgtsoft\stylexp\stylexpservice.exe
3 TVersityMediaServer - c:\program files\tversity\media server\mediaserver.exe
3 VideoAcceleratorEngine - c:\program files\speedbit video accelerator\videoacceleratorengine.exe
3 WLSetupSvc (Windows Live Setup Service) - c:\program files\windows live\installer\wlsetupsvc.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 17:33:33 0 d--hs---- C:\00009318
2008-07-31 07:43:42 24576 --a------ C:\WINNT\system32\xpstong.dll
2008-07-31 07:43:03 232960 --ah----- C:\WINNT\system32\kgfghd.dll
2008-07-31 07:38:48 232960 --ah----- C:\WINNT\system32\cedafb.dll
2008-07-31 07:38:09 222208 --ah----- C:\WINNT\system32\fsrgeb.dll
2008-07-31 07:31:23 0 d--hs---- C:\000092F9
2008-07-30 22:57:16 24576 --a------ C:\WINNT\system32\xfimerl.dll
2008-07-30 22:54:57 225792 --ah----- C:\WINNT\system32\zsdgff.dll
2008-07-30 22:54:18 229376 --ah----- C:\WINNT\system32\wyrsdj.dll
2008-07-30 22:53:58 240128 --ah----- C:\WINNT\system32\fmcvxy.dll
2008-07-30 22:51:19 232960 --ah----- C:\WINNT\system32\zgtwfx.dll
2008-07-30 22:47:36 236544 --ah----- C:\WINNT\system32\zefdst.dll
2008-07-30 22:47:16 229376 --ah----- C:\WINNT\system32\tdffdl.dll
2008-07-30 22:46:57 24576 --a------ C:\WINNT\system32\wcnonpe.dll
2008-07-30 22:46:38 236544 --ah----- C:\WINNT\system32\wklsdd.dll
2008-07-30 22:44:49 0 d--hs---- C:\00009BA3
2008-07-30 22:40:36 0 d--hs---- C:\0000A519
2008-07-30 22:07:36 0 d--h----- C:\WINNT\system32\GroupPolicy
2008-07-30 21:16:33 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-30 21:00:29 0 d--hs---- C:\0000A289
2008-07-30 20:12:52 0 d--hs---- C:\00009D2A
2008-07-30 20:08:47 0 d--hs---- C:\0000D292
2008-07-30 20:04:22 0 d--hs---- C:\00009D3A
2008-07-30 20:01:33 0 d-------- C:\Program Files\Trend Micro
2008-07-30 19:57:19 0 d--hs---- C:\00009CAD
2008-07-30 19:49:52 28672 --a------ C:\WINNT\system32\keyiftp.dll
2008-07-30 19:42:15 24576 --a------ C:\WINNT\system32\baccops.dll
2008-07-30 19:37:47 0 d--hs---- C:\00009C7E
2008-07-30 19:36:00 14854 --a------ C:\WINNT\system32\360mon.dll
2008-07-30 19:32:02 0 d--hs---- C:\00009DF5
2008-07-30 17:32:36 0 d--hs---- C:\000092BA
2008-07-30 07:57:14 35828 --a------ C:\WINNT\system32\knx32.dll
2008-07-30 07:53:37 0 d--hs---- C:\00009DE5
2008-07-30 07:46:50 11264 --a------ C:\WINNT\system32\wcnonpek.exe
2008-07-30 07:45:52 0 d--hs---- C:\000DE782
2008-07-30 07:45:51 0 d--hs---- C:\000DE281
2008-07-02 21:34:34 2829 --a------ C:\WINNT\War3Unin.pif
2008-07-02 21:34:34 139264 --a------ C:\WINNT\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-07-02 21:34:34 97595 --a------ C:\WINNT\War3Unin.dat
2008-07-01 19:43:02 11010048 --a------ C:\Documents and Settings\Administrator\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-30 22:43:39 0 d-------- C:\Program Files\free-downloads.net
2008-07-30 22:38:42 0 d-------- C:\Program Files\FlashGet
2008-07-30 22:15:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 22:01:21 0 d-------- C:\Program Files\Warcraft III
2008-07-30 19:30:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-10 20:08:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-29 15:33:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-17 23:07:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 23:07:11 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 18:08:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 18:08:28 0 d-------- C:\Program Files\Common Files
2008-06-17 18:00:40 8 --a------ C:\WINNT\system32\nvModes.dat
2008-05-31 23:05:26 0 d-------- C:\Program Files\Steam


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"nwiz"="nwiz.exe" [12/05/2007 12:41 AM C:\WINNT\system32\nwiz.exe]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [04/05/2006 05:19 PM]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [12/05/2007 12:41 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINNT\KHALMNPR.Exe]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [10/31/2007 06:05 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [07/24/2007 07:12 PM]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [05/25/2006 06:31 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"kcodn"=knx32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewContextMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= C:\WINNT\system32\wklsdd.dll [07/31/2008 05:40 PM 236544]
"{8C41B7F7-3168-400D-A702-0E7EFE0BA304}"= C:\WINNT\system32\sgdewg.dll [ ]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= C:\WINNT\system32\zgtwfx.dll [07/31/2008 07:37 AM 232960]
"{461D2AB4-29A5-45C2-9134-D52272D3DE38}"= C:\WINNT\system32\rfdswc.dll [ ]
"{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}"= C:\WINNT\system32\dndsaf.dll [ ]
"{28EB3777-3E23-4E72-8449-A992D09D24C3}"= C:\WINNT\system32\zefdst.dll [07/31/2008 05:41 PM 236544]
"{F99DEFDD-200B-4410-B572-E90883D527D2}"= C:\WINNT\system32\wrqszl.dll [ ]
"{EB71E0B3-E97D-4D30-8733-E28266467617}"= C:\WINNT\system32\wyhesm.dll [ ]
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"= C:\WINNT\system32\tdffdl.dll [07/31/2008 05:40 PM 229376]
"{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}"= C:\WINNT\system32\fsrgeb.dll [07/31/2008 07:38 AM 222208]
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= C:\WINNT\system32\fmcvxy.dll [07/31/2008 07:40 AM 240128]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINNT\system32\wyrsdj.dll [07/31/2008 07:40 AM 229376]
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"= C:\WINNT\system32\zsdgff.dll [07/31/2008 07:41 AM 225792]
"{AEB6717E-7E19-21d2-97EE-00C04FD91972}"= C:\WINNT\system32\360mon.dll [07/30/2008 07:36 PM 14854]
"{84143967-B645-4BFF-B873-DA1DC886E9A7}"= C:\WINNT\system32\cedafb.dll [07/31/2008 07:38 AM 232960]
"{50A8A8C4-EDC9-4ABD-A0A2-2E2418982189}"= C:\WINNT\system32\kgfghd.dll [07/31/2008 07:43 AM 232960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xy3safe]
C:\WINNT\system32\360mon.dll 07/30/2008 07:36 PM 14854 C:\WINNT\system32\360mon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=w wcnonpe.dll baccops.dll xpstong.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50b1c278-bf59-11dc-9034-001a4d9134fb}]
AutoRun\command- G:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c283ba5-5d45-11dc-990d-001a4d9134fb}]
AutoRun\command- G:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b310752f-d3a9-11dc-9064-001a4d9134fb}]
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c182912e-6c70-11dc-8fbf-001a4d9134fb}]
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cedb5314-6b22-11dc-8fbd-001a4d9134fb}]
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cedb5315-6b22-11dc-8fbd-001a4d9134fb}]
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d14e8ffa-5ebe-11dc-8f9c-001a4d9134fb}]
AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d14e8ffb-5ebe-11dc-8f9c-001a4d9134fb}]
AutoRun\command- J:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8bf3fe1-5e9c-11dc-8f98-001a4d9134fb}]
AutoRun\command- J:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-07-31 17:43:44 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2046.42 MiB / 1557.44 MiB
Pagefile Memory (total/avail): 3938.44 MiB / 3660.69 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 102.77 GiB total, 38.56 GiB free.
D: is CDROM (UDF)
E: is Fixed (NTFS) - 128 GiB total, 2.1 GiB free.
F: is Fixed (NTFS) - 104.88 GiB total, 8.35 GiB free.
G: is CDROM (No Media)
H: is Fixed (NTFS) - 596.16 GiB total, 525.88 GiB free.
I: is Fixed (NTFS) - 195.32 GiB total, 10.69 GiB free.
J: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SIMON
ComSpec=C:\WINNT\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SIMON
MythosEnv=C:\Program Files\Flagship Studios\Mythos\
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
ULTRAMON_LANGDIR=C:\Program Files\UltraMon\Resources\en
USERDOMAIN=SIMON
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Leo (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINNT\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINNT\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINNT\UNNeroShowTime.exe /UNINSTALL
--> C:\WINNT\UNNeroVision.exe /UNINSTALL
--> C:\WINNT\UNRecode.exe /UNINSTALL
--> MsiExec /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6349CEE9-19F2-49D9-AC9D-B0350E3CBDB1}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6349CEE9-19F2-49D9-AC9D-B0350E3CBDB1}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5AF6143-E738-4768-A5E6-C07C68A464A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5AF6143-E738-4768-A5E6-C07C68A464A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
ACDSee 7.0 PowerPack --> MsiExec.exe /I{B0625F16-B742-4F75-9FD8-20B47ACC7DE2}
Acronis True Image Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
AGEIA PhysX v7.09.13 --> MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
AutoHotkey 1.0.47.04 --> C:\Program Files\AutoHotkey\uninst.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Command & Conquer 3 --> MsiExec.exe /I{B0C30E93-D3D9-4F04-A2AC-54749B573275}
Command & Conquer Windows 95 --> C:\WINNT\UNINSTCC.EXE C:\WINNT\UNINST.EXE -fC:\WESTWOOD\C&C95\DeIsL1.isu
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
DFX 8 for Winamp --> "C:\Program Files\Winamp\uninstall_dfx.exe"
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DotA Client Build b1.7.2 (Beta) --> "C:\Program Files\DotA Gaming Network\unins000.exe"
Ease Audio Converter 4.80 --> "C:\Program Files\easetech\EaseAudioConverter\unins000.exe"
FlashGet 1.9.6.1073 --> C:\Program Files\FlashGet\uninst.exe
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
free-downloads.net Toolbar --> C:\PROGRA~1\FREE-D~1.NET\UNWISE.EXE C:\PROGRA~1\FREE-D~1.NET\INSTALL.LOG
GG E-Sports Platform --> C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\setup.exe -runfromtemp -l0x0009 -removeonly
Gigabyte Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
Half-Life 2: Deathmatch --> "C:\Program Files\Steam\steam.exe" steam://uninstall/320
HD Tune 2.54 --> "C:\Program Files\HD Tune\unins000.exe"
Hellgate: London --> MsiExec.exe /X{A2B4455D-1046-4732-BFBC-0821BEFC07BC}
High Definition Audio Driver Package - KB888111 --> "C:\WINNT\$NtUninstallKB888111WXP$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINNT\$NtUninstallKB929399$\spuninst\spuninst.exe"
Jasc Animation Shop 3 --> MsiExec.exe /I{174D5678-D941-433C-BD23-58A5C7B0D36D}
Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Mega Codec Pack 3.5.7 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Mabinogi --> C:\Nexon\Mabinogi\Mabinogi.exe /uninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINNT\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINNT\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINNT\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Mythos --> MsiExec.exe /I{A2453998-F3D8-426D-B96F-0777B120E388}
Nero 8 Demo --> MsiExec.exe /X{B944FA21-81AF-4A77-8328-CE4F4CC51033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NJStar Communicator --> C:\Program Files\NJStar Communicator\uninst.exe
NVIDIA Drivers --> C:\WINNT\system32\nvuninst.exe UninstallGUI
NVIDIA nTune --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1028
Opera 9.50 --> MsiExec.exe /X{6F8BBDF9-1B26-4D93-BA11-7A57DC44B3D2}
PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
Rainlendar2 (remove only) --> "C:\Program Files\Rainlendar2\uninst.exe"
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RivaTuner v2.06 --> "C:\Program Files\RivaTuner v2.06\uninstall.exe"
Security Update for Excel 2007 (KB936509) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Sound Blaster X-Fi --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x9 /remove
SpeedBit Video Accelerator --> C:\PROGRA~1\SPEEDB~1\UNWISE.EXE C:\PROGRA~1\SPEEDB~1\INSTALL.LOG
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
SPORE™ Creature Creator Trial Edition --> "C:\Program Files\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0009 -removeonly
Statistics Calculator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEAAF4A8-190F-4430-8553-FE12EB1E8604}\Setup.exe" -l0x9
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
StuffPlug 3 --> C:\Program Files\StuffPlug3\Uninstall.exe
StyleXP (remove only) --> "C:\Program Files\TGTSoft\StyleXP\StyleXP-uninstall.exe"
Thermal Analysis Tool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B2C675E-8040-431B-99C4-137DF4FBF75A}\setup.exe" -l0x9 -removeonly
TVersity Media Server 0.9.11.4 beta --> C:\Program Files\TVersity\Media Server\uninst.exe
Tweak UI --> "C:\WINNT\system32\mshta.exe" "res://C:\WINNT\system32\TweakUI.exe/uninstall.hta"
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb942575) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0FC27B9D-5BCD-45C1-B9ED-9F0273F7A18D}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Warcraft III: All Products --> C:\WINNT\War3Unin.exe C:\WINNT\War3Unin.dat
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINNT\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil


-- Application Event Log -------------------------------------------------------

Event Record #/Type12384 / Error
Event Submitted/Written: 07/31/2008 05:42:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application volpanel.exe, version 1.0.53.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [volpanel.exe!ws!]

Event Record #/Type12383 / Error
Event Submitted/Written: 07/31/2008 05:35:49 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type12370 / Success
Event Submitted/Written: 07/31/2008 07:37:20 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type12369 / Error
Event Submitted/Written: 07/31/2008 07:37:19 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-07-30 19:37:19,968 SIMON [001716:001728] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(3864) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type12368 / Error
Event Submitted/Written: 07/31/2008 07:36:51 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20306 / Error
Event Submitted/Written: 07/30/2008 08:11:41 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type20305 / Error
Event Submitted/Written: 07/30/2008 08:09:55 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
StyleXPHelper
Tcpip

Event Record #/Type20304 / Error
Event Submitted/Written: 07/30/2008 08:09:55 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
%%1068

Event Record #/Type20303 / Error
Event Submitted/Written: 07/30/2008 08:09:55 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31

Event Record #/Type20302 / Error
Event Submitted/Written: 07/30/2008 08:09:20 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-07-31 17:43:44 ------------

Edited by raoXI, 30 July 2008 - 11:45 PM.

#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please visit the webpage below for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.
#5
raoXI

  • Topic Starter
  • Member
  • 16 posts
Ok, I got some good and bad news:

Bad news: I could not install the Recovery Console with either the CD-ROM or the no-CD-ROM method, e.g.

In the Open: field type X:\i386\winnt32.exe /cmdcons , where X is the drive letter for your CD reader, and press the OK button. An image of this step can be found below:

I had no luck with the above, as it prompts me with a message saying my current XP version is newer than the CD.

When I tried the non-CD version:

Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.

The above did nothing, and it skipped me straight to the Windows Open File Security Warning, basically as if I had double-clicked ComboFix by itself.

Good news: When I was about to restart I noticed I had some Windows updates to install, so I clicked update and auto shutdown. Upon restart I noticed my Task Manager is working again.

Conclusion: I would still like to make my computer all clean; where do I go from here, since I could not get ComboFix to install yet?

Thanks again :)

Edited by raoXI, 31 July 2008 - 12:53 AM.

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts
Err... just download and run ComboFix please. Then post the logs here :)
#7
raoXI

  • Topic Starter
  • Member
  • 16 posts
Those files under Other Deletions are being repeatedly picked up by AVG, but I have vaulted/healed them over and over, and even after the ComboFix run my AVG is still popping up with them o_0; Thanks again D:!

ComboFix 08-07-29.1 - Administrator 2008-07-31 19:51:53.1 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\C2MSGSUR\iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\C2MSGSUR\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINNT\OPTIONS\CABS\_desktop.ini
C:\WINNT\system32\360mon.dll
C:\WINNT\system32\Cache
C:\WINNT\system32\cedafb.dll
C:\WINNT\system32\cliconfgzx.dll
C:\WINNT\system32\cliconfgzx.nls
C:\WINNT\system32\fmcvxy.dll
C:\WINNT\system32\fmcvxy.dll.LoG
C:\WINNT\system32\fsrgeb.dll
C:\WINNT\system32\kgfghd.dll
C:\WINNT\system32\knx32.dll
C:\WINNT\system32\ksuserfy.dll
C:\WINNT\system32\ksuserfy.nls
C:\WINNT\system32\sgdewg.dll
C:\WINNT\system32\tdffdl.dll
C:\WINNT\system32\tscfgwmijxsj.dll
C:\WINNT\system32\tscfgwmijxsj.nls
C:\WINNT\system32\wcnonpe.dll
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wrqszl.dll.LoG
C:\WINNT\system32\wyrsdj.dll
C:\WINNT\system32\ytfa.dll
C:\WINNT\system32\zefdst.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msiffei


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-31 19:56 . 2008-07-31 19:58 <DIR> d--hs---- C:\000090A7
2008-07-31 18:54 . 2008-07-31 19:08 <DIR> d--hs---- C:\00008EF1
2008-07-31 18:45 . 2008-07-31 18:55 <DIR> d--hs---- C:\00009B74
2008-07-31 18:36 . 2008-07-31 18:58 1,984 --a------ C:\WINNT\system32\BeepEx.sys
2008-07-31 18:32 . 2008-07-31 18:44 <DIR> d--hs---- C:\00009923
2008-07-31 18:01 . 2008-07-31 18:01 2,620 --a------ C:\WINNT\system32\sys07002.sys
2008-07-31 18:00 . 2008-07-31 18:00 905,644 --a------ C:\WINNT\system32\slbiopfs2.dll
2008-07-31 18:00 . 2008-07-31 18:00 428 --a------ C:\WINNT\system32\slbiopfs2.nls
2008-07-31 17:59 . 2008-07-31 17:59 891,028 --a------ C:\WINNT\system32\usbmonjx2.dll
2008-07-31 17:59 . 2008-07-31 17:59 148 --a------ C:\WINNT\system32\usbmonjx2.nls
2008-07-31 17:58 . 2008-07-31 17:58 898,988 --a------ C:\WINNT\system32\lweurqhx.dll
2008-07-31 17:58 . 2008-07-31 17:58 428 --a------ C:\WINNT\system32\lweurqhx.nls
2008-07-31 17:56 . 2008-07-31 17:56 944,416 --a------ C:\WINNT\system32\certmgrkd.dll
2008-07-31 17:56 . 2008-07-31 17:56 288 --a------ C:\WINNT\system32\certmgrkd.nls
2008-07-31 17:52 . 2008-07-31 17:52 24,576 --a------ C:\WINNT\system32\businesn.dll
2008-07-31 17:51 . 2008-07-31 18:03 <DIR> d--hs---- C:\00109627
2008-07-31 17:51 . 2008-07-31 17:51 <DIR> d--hs---- C:\0010927E
2008-07-31 17:40 . 2008-07-31 17:40 <DIR> d-------- C:\Deckard
2008-07-31 17:33 . 2008-07-31 17:51 <DIR> d--hs---- C:\00009318
2008-07-31 07:43 . 2008-07-31 19:07 24,576 --a------ C:\WINNT\system32\xpstong.dll
2008-07-31 07:31 . 2008-07-31 17:35 <DIR> d--hs---- C:\000092F9
2008-07-30 22:57 . 2008-07-30 22:57 24,576 --a------ C:\WINNT\system32\xfimerl.dll
2008-07-30 22:54 . 2008-07-31 19:05 225,792 --ah----- C:\WINNT\system32\zsdgff.dll
2008-07-30 22:51 . 2008-07-31 19:01 232,960 --ah----- C:\WINNT\system32\zgtwfx.dll
2008-07-30 22:44 . 2008-07-31 07:33 <DIR> d--hs---- C:\00009BA3
2008-07-30 22:40 . 2008-07-30 22:43 <DIR> d--hs---- C:\0000A519
2008-07-30 22:07 . 2008-07-30 22:43 <DIR> d--h----- C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-30 22:43 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-30 21:00 . 2008-07-30 22:43 <DIR> d--hs---- C:\0000A289
2008-07-30 20:12 . 2008-07-30 20:26 <DIR> d--hs---- C:\00009D2A
2008-07-30 20:08 . 2008-07-30 20:08 <DIR> d--hs---- C:\0000D292
2008-07-30 20:04 . 2008-07-30 20:09 <DIR> d--hs---- C:\00009D3A
2008-07-30 20:01 . 2008-07-30 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 19:57 . 2008-07-30 20:04 <DIR> d--hs---- C:\00009CAD
2008-07-30 19:49 . 2008-07-30 22:56 28,672 --a------ C:\WINNT\system32\keyiftp.dll
2008-07-30 19:42 . 2008-07-31 18:59 24,576 --a------ C:\WINNT\system32\baccops.dll
2008-07-30 19:37 . 2008-07-30 20:09 <DIR> d--hs---- C:\00009C7E
2008-07-30 19:32 . 2008-07-30 19:36 <DIR> d--hs---- C:\00009DF5
2008-07-30 17:32 . 2008-07-30 17:45 <DIR> d--hs---- C:\000092BA
2008-07-30 07:53 . 2008-07-30 07:58 <DIR> d--hs---- C:\00009DE5
2008-07-30 07:45 . 2008-07-30 07:51 <DIR> d--hs---- C:\000DE782
2008-07-30 07:45 . 2008-07-30 07:45 <DIR> d--hs---- C:\000DE281
2008-07-17 17:30 . 2008-06-14 01:10 272,128 -----c--- C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36 139,264 --a------ C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15 97,595 --a------ C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36 2,829 --a------ C:\WINNT\War3Unin.pif
2008-06-29 15:59 . 2008-06-29 15:59 <DIR> d-------- C:\Nexon
2008-06-21 05:41 . 2008-06-21 05:41 245,248 -----c--- C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 22:44 . 2008-06-20 22:44 138,368 -----c--- C:\WINNT\system32\dllcache\afd.sys
2008-06-17 23:09 . 2008-06-29 15:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-17 18:08 . 2008-06-17 18:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 18:00 . 2008-06-17 18:00 8 --a------ C:\WINNT\system32\nvModes.dat
2008-06-17 17:59 . 2008-06-17 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 07:51 --------- d-----w C:\Program Files\FlashGet
2008-07-31 05:51 4,224 ----a-w C:\WINNT\system32\drivers\beep.sys
2008-07-30 10:43 --------- d-----w C:\Program Files\free-downloads.net
2008-07-30 10:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 10:01 --------- d-----w C:\Program Files\Warcraft III
2008-07-30 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-07-30 07:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 11:07 --------- d-----w C:\Program Files\Electronic Arts
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2008-05-31 11:05 --------- d-----w C:\Program Files\Steam
2007-09-16 19:53 56 --sh--r C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53 3,350 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 19:12 1298432]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 06:31 1372160]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2006-04-05 17:19 122880]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-31 06:05 2650112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 08:51 580096]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= "C:\WINNT\system32\zgtwfx.dll" [2008-07-31 19:01 232960]
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"= "C:\WINNT\system32\zsdgff.dll" [2008-07-31 19:05 225792]
"{AEB6717E-7E19-21d2-97EE-00C04FD91972}"= "C:\WINNT\system32\360mon.dll" [2008-07-31 19:57 14854]
"{9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5}"= "C:\WINNT\system32\certmgrkd.dll" [2008-07-31 17:56 944416]
"{00260026-0026-0026-0026-00260026BB15}"= "C:\WINNT\system32\usbmonjx2.dll" [2008-07-31 17:59 891028]
"{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"= "C:\WINNT\system32\slbiopfs2.dll" [2008-07-31 18:00 905644]
"{00210021-0021-0021-0021-00210021BB15}"= "C:\WINNT\system32\olecli32pt.dll" [2001-07-31 18:02 647828]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= "C:\WINNT\system32\wklsdd.dll" [2008-07-31 19:58 236544]
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"= "C:\WINNT\system32\tdffdl.dll" [2008-07-31 19:59 229376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"certmgrkd.dll"= {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINNT\system32\certmgrkd.dll [2008-07-31 17:56 944416]
"lweurqhx.dll"= {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINNT\system32\lweurqhx.dll [2008-07-31 17:58 898988]
"usbmonjx2.dll"= {00260026-0026-0026-0026-00260026BB15} - C:\WINNT\system32\usbmonjx2.dll [2008-07-31 17:59 891028]
"slbiopfs2.dll"= {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINNT\system32\slbiopfs2.dll [2008-07-31 18:00 905644]
"olecli32pt.dll"= {00210021-0021-0021-0021-00210021BB15} - C:\WINNT\system32\olecli32pt.dll [2001-07-31 18:02 647828]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xy3safe]
2008-07-31 19:57 14854 C:\WINNT\system32\360mon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32. ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50b1c278-bf59-11dc-9034-001a4d9134fb}]
\Shell\AutoRun\command - G:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c283ba5-5d45-11dc-990d-001a4d9134fb}]
\Shell\AutoRun\command - G:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d14e8ffa-5ebe-11dc-8f9c-001a4d9134fb}]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d14e8ffb-5ebe-11dc-8f9c-001a4d9134fb}]
\Shell\AutoRun\command - J:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8bf3fe1-5e9c-11dc-8f98-001a4d9134fb}]
\Shell\AutoRun\command - J:\autorun.exe
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - (no file)
HKLM-Explorer_Run-kcodn - knx32.exe
ShellExecuteHooks-{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38} - C:\WINNT\system32\wyrsdj.dll
ShellExecuteHooks-{50A8A8C4-EDC9-4ABD-A0A2-2E2418982189} - C:\WINNT\system32\kgfghd.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
O8 -: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 -: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 -: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 -: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220

O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 19:57:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\system32\wklsdd.dll 236544 bytes executable
C:\WINNT\system32\wklsdd.dll.LoG 29 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\[bleep]ALLGUARD]
"ImagePath"="\??\C:\0010927E\00109286"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\360mon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\debug.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\CTXFISPI.EXE
C:\WINNT\system32\wcnonpek.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-31 20:02:16 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-31 08:02:05

Pre-Run: 41,103,118,336 bytes free
Post-Run: 41,058,881,536 bytes free

275 --- E O F --- 2008-07-31 06:44:19

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:40 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\debug.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINNT\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINNT\system32\wcnonpek.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: wcnonpe.dll
O20 - Winlogon Notify: xy3safe - C:\WINNT\system32\360mon.dll
O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINNT\system32\certmgrkd.dll
O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINNT\system32\lweurqhx.dll
O21 - SSODL: usbmonjx2.dll - {00260026-0026-0026-0026-00260026BB15} - C:\WINNT\system32\usbmonjx2.dll
O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINNT\system32\slbiopfs2.dll
O21 - SSODL: olecli32pt.dll - {00210021-0021-0021-0021-00210021BB15} - C:\WINNT\system32\olecli32pt.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 8737 bytes
  • 0

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Installing Recovery Console:

It appears your computer has no Recovery Console installed. We need to install the Recovery Console first before proceeding to our next fix. Please do the following:

Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System.

Download the file and save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After the Recovery Console is successfully installed, a pop-up will appear asking to run ComboFix; please select NO.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINNT\system32\sys07002.sys
C:\WINNT\system32\slbiopfs2.dll
C:\WINNT\system32\slbiopfs2.nls
C:\WINNT\system32\usbmonjx2.dll
C:\WINNT\system32\usbmonjx2.nls
C:\WINNT\system32\lweurqhx.dll
C:\WINNT\system32\lweurqhx.nls
C:\WINNT\system32\certmgrkd.dll
C:\WINNT\system32\certmgrkd.nls
C:\WINNT\system32\businesn.dll
C:\WINNT\system32\xpstong.dll
C:\WINNT\system32\xfimerl.dll
C:\WINNT\system32\zsdgff.dll
C:\WINNT\system32\zgtwfx.dll
C:\WINNT\system32\keyiftp.dll
C:\WINNT\system32\baccops.dll
C:\WINNT\system32\360mon.dll
C:\WINNT\system32\olecli32pt.dll
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\tdffdl.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wcnonpek.exe
G:\autoplay.exe
G:\autorun.exe
J:\autoplay.exe
J:\autorun.exe

Folder::
C:\00009B74
C:\000090A7
C:\00008EF1
C:\00009B74
C:\00009923
C:\00109627
C:\0010927E
C:\00009318
C:\000092F9
C:\00009BA3
C:\0000A519
C:\0000A289
C:\00009D2A
C:\0000D292
C:\00009D3A
C:\00009CAD
C:\00009C7E
C:\00009DF5
C:\000092BA
C:\00009DE5
C:\000DE782
C:\000DE281

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"=-
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"=-
"{AEB6717E-7E19-21d2-97EE-00C04FD91972}"=-
"{9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5}"=-
"{00260026-0026-0026-0026-00260026BB15}"=-
"{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"=-
"{00210021-0021-0021-0021-00210021BB15}"=-
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"=-
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"certmgrkd.dll"=-
"lweurqhx.dll"=-
"usbmonjx2.dll"=-
"slbiopfs2.dll"=-
"olecli32pt.dll"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xy3safe]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{006CA8A1-61BC-4774-A54C-F49034270BAD}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AEB6717E-7E19-21d2-97EE-00C04FD91972}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00260026-0026-0026-0026-00260026BB15}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00210021-0021-0021-0021-00210021BB15}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C0595A7E-2E2F-4B34-A83A-019270A0A464}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00260026-0026-0026-0026-00260026BB15}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00210021-0021-0021-0021-00210021BB15}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50b1c278-bf59-11dc-9034-001a4d9134fb}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c283ba5-5d45-11dc-990d-001a4d9134fb}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d14e8ffa-5ebe-11dc-8f9c-001a4d9134fb}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d14e8ffb-5ebe-11dc-8f9c-001a4d9134fb}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8bf3fe1-5e9c-11dc-8f98-001a4d9134fb}]

3. Save the above as CFScript.txt on your Desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


Regards
fenzodahl512

Edited by fenzodahl512, 31 July 2008 - 02:33 AM.

  • 0
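As an added illustration, not the helper's procedure or ComboFix's own code, the following Python reads an excerpt shaped like the ComboFix "Reg Loading Points" section quoted above, flags ShellExecuteHooks and SSODL entries whose system32 DLL was stamped within days of the scan, and emits File:: and Registry:: stanzas in the layout of the CFScript in fenzodahl512's post. The log excerpt and the benign control entry are constructed, and the seven-day window and SCAN_TIME value are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt shaped like the ComboFix "Reg Loading Points" section quoted in the
# thread. The first two hooks and both SSODL entries are copied from that log; the
# "benign_example.dll" hook is invented, with an old timestamp, to serve as a negative case.
SAMPLE_LOG = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= "C:\WINNT\system32\zgtwfx.dll" [2008-07-31 19:01 232960]
"{AEB6717E-7E19-21d2-97EE-00C04FD91972}"= "C:\WINNT\system32\360mon.dll" [2008-07-31 19:57 14854]
"{00000000-0000-0000-0000-00000000BEEF}"= "C:\WINNT\system32\benign_example.dll" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"certmgrkd.dll"= {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINNT\system32\certmgrkd.dll [2008-07-31 17:56 944416]
"lweurqhx.dll"= {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINNT\system32\lweurqhx.dll [2008-07-31 17:58 898988]
"""

# Rootkit scan time printed in the ComboFix log above; used as "now" for the recency check (assumption).
SCAN_TIME = datetime(2008, 7, 31, 19, 57)

SEH_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# ShellExecuteHooks line:  "{CLSID}"= "path" [YYYY-MM-DD HH:MM size]
SEH_RE = re.compile(r'^"(\{[0-9A-Fa-f-]+\})"=\s*"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \d+\]')
# SSODL line:  "name"= {CLSID} - path [YYYY-MM-DD HH:MM size]
SSODL_RE = re.compile(r'^"([^"]+)"=\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.+?)\s*\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \d+\]')


def _entry(kind, value_name, clsid, path, stamp):
    return {"kind": kind, "value_name": value_name, "clsid": clsid, "path": path,
            "stamp": datetime.strptime(stamp, "%Y-%m-%d %H:%M")}


def parse_loading_points(text):
    """Return one dict per hook found under the two shell-hook keys: kind, value_name, clsid, path, stamp."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()        # registry key names are case-insensitive
            continue
        if section == SEH_KEY.lower():
            m = SEH_RE.match(line)
            if m:
                clsid, path, stamp = m.groups()
                entries.append(_entry("seh", clsid, clsid, path, stamp))
        elif section == SSODL_KEY.lower():
            m = SSODL_RE.match(line)
            if m:
                name, clsid, path, stamp = m.groups()
                entries.append(_entry("ssodl", name, clsid, path, stamp))
    return entries


def flag_recent(entries, scan_time=SCAN_TIME, window_days=7):
    """Hooks whose system32 binary was written within window_days before the scan.
    Legitimate shell hooks are normally years old; a DLL stamped the same day as the
    scan and registered as a ShellExecuteHook or SSODL entry is what the helper removed."""
    cutoff = scan_time - timedelta(days=window_days)
    return [e for e in entries
            if e["stamp"] >= cutoff and "\\system32\\" in e["path"].lower()]


def build_cfscript(flagged):
    """Emit File:: and Registry:: stanzas in the layout used by the CFScript in the thread."""
    if not flagged:
        return ""
    lines = ["KillAll::", "", "File::"] + sorted({e["path"] for e in flagged})
    lines += ["", "Registry::"]
    for kind, key in (("seh", SEH_KEY), ("ssodl", SSODL_KEY)):
        names = [e["value_name"] for e in flagged if e["kind"] == kind]
        if names:
            lines.append("[" + key + "]")
            lines += ['"%s"=-' % n for n in names]   # "value"=- deletes that value
    # [-key] deletes the whole key: drop each hook's orphaned COM class registration once.
    for clsid in sorted({e["clsid"] for e in flagged}):
        lines.append(r"[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\%s]" % clsid)
    return "\n".join(lines) + "\n"


def generate_cfscript(text, scan_time=SCAN_TIME):
    """Parse a Reg Loading Points excerpt and return the CFScript text (empty if nothing is flagged)."""
    return build_cfscript(flag_recent(parse_loading_points(text), scan_time))


if __name__ == "__main__":
    print(generate_cfscript(SAMPLE_LOG))
```

The output is a starting point for review, not a script to run blindly: every flagged DLL should still be checked by hand, as the helper did, before it goes into a File:: list.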

#9
raoXI

raoXI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Here we go :) tyty :)

ComboFix 08-07-29.1 - Administrator 2008-07-31 22:34:42.2 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE ::
C:\WINNT\system32\360mon.dll
C:\WINNT\system32\baccops.dll
C:\WINNT\system32\businesn.dll
C:\WINNT\system32\certmgrkd.dll
C:\WINNT\system32\certmgrkd.nls
C:\WINNT\system32\keyiftp.dll
C:\WINNT\system32\lweurqhx.dll
C:\WINNT\system32\lweurqhx.nls
C:\WINNT\system32\olecli32pt.dll
C:\WINNT\system32\slbiopfs2.dll
C:\WINNT\system32\slbiopfs2.nls
C:\WINNT\system32\sys07002.sys
C:\WINNT\system32\tdffdl.dll
C:\WINNT\system32\usbmonjx2.dll
C:\WINNT\system32\usbmonjx2.nls
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\xfimerl.dll
C:\WINNT\system32\xpstong.dll
C:\WINNT\system32\zgtwfx.dll
C:\WINNT\system32\zsdgff.dll
G:\autoplay.exe
G:\autorun.exe
J:\autoplay.exe
J:\autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\00008EF1
C:\00008EF1\102187
C:\00008EF1\127828
C:\00008EF1\225437
C:\00008EF1\244953
C:\00008EF1\287109
C:\00008EF1\327343
C:\00008EF1\347406
C:\00008EF1\369218
C:\00008EF1\389937
C:\00008EF1\412265
C:\00008EF1\432453
C:\00008EF1\471515
C:\00008EF1\510578
C:\00008EF1\530078
C:\00008EF1\549562
C:\00008EF1\571562
C:\00008EF1\591562
C:\00008EF1\614875
C:\00008EF1\636046
C:\00008EF1\657359
C:\00008EF1\681812
C:\00008EF1\703031
C:\00008EF1\723078
C:\00008EF1\743062
C:\00008EF1\783375
C:\000090A7
C:\000090A7\104578
C:\000090A7\130203
C:\000090A7\168125
C:\000090A7\213578
C:\000090A7\245296
C:\000090A7\267125
C:\000090A7\288343
C:\000090A7\310984
C:\000090A7\330468
C:\000090A7\352906
C:\000090A7\396078
C:\000090A7\416656
C:\000090A7\436140
C:\000090A7\458250
C:\000090A7\478750
C:\000090A7\517781
C:\000090A7\537312
C:\000090A7\576328
C:\000090A7\595812
C:\000090A7\617812
C:\000090A7\640078
C:\000090A7\661109
C:\000090A7\681609
C:\000090A7\701625
C:\000090A7\721656
C:\000090A7\741687
C:\000090A7\761140
C:\000090A7\781750
C:\000090A7\802093
C:\000090A7\822593
C:\000090A7\842546
C:\000092BA
C:\000092BA\103859
C:\000092BA\131375
C:\000092BA\151640
C:\000092BA\195734
C:\000092BA\217015
C:\000092BA\238218
C:\000092BA\283546
C:\000092BA\324015
C:\000092BA\344218
C:\000092BA\365484
C:\000092BA\386953
C:\000092BA\428359
C:\000092BA\448171
C:\000092BA\491140
C:\000092BA\511375
C:\000092BA\531390
C:\000092BA\550765
C:\000092BA\570156
C:\000092BA\593453
C:\000092BA\614296
C:\000092BA\634546
C:\000092BA\678000
C:\000092BA\700359
C:\000092BA\721609
C:\000092BA\741421
C:\000092BA\784687
C:\000092BA\804953
C:\000092F9
C:\000092F9\104187
C:\000092F9\126093
C:\000092F9\223203
C:\000092F9\242656
C:\000092F9\284234
C:\000092F9\323031
C:\000092F9\362078
C:\000092F9\381765
C:\000092F9\403187
C:\000092F9\423281
C:\000092F9\462343
C:\000092F9\501171
C:\000092F9\520593
C:\000092F9\539968
C:\000092F9\561656
C:\000092F9\581531
C:\000092F9\600953
C:\000092F9\620390
C:\000092F9\639843
C:\000092F9\659281
C:\000092F9\678718
C:\000092F9\698109
C:\000092F9\717515
C:\000092F9\756343
C:\00009318
C:\00009318\1005578
C:\00009318\1025031
C:\00009318\1044484
C:\00009318\1083531
C:\00009318\391781
C:\00009318\414000
C:\00009318\559640
C:\00009318\604796
C:\00009318\643750
C:\00009318\666625
C:\00009318\686656
C:\00009318\706125
C:\00009318\728125
C:\00009318\748203
C:\00009318\787468
C:\00009318\826515
C:\00009318\846000
C:\00009318\865468
C:\00009318\888125
C:\00009318\908109
C:\00009318\927593
C:\00009318\947093
C:\00009318\966593
C:\00009318\986078
C:\00009923
C:\00009923\104593
C:\00009923\131000
C:\00009923\236828
C:\00009923\257859
C:\00009923\283781
C:\00009923\304875
C:\00009923\344921
C:\00009923\364921
C:\00009923\385000
C:\00009923\39226
C:\00009923\404484
C:\00009923\426562
C:\00009923\446625
C:\00009923\485687
C:\00009923\528906
C:\00009923\549468
C:\00009923\570265
C:\00009923\592203
C:\00009923\612187
C:\00009923\631703
C:\00009923\654906
C:\00009923\675562
C:\00009923\695562
C:\00009923\715546
C:\00009923\735000
C:\00009923\754468
C:\00009B74
C:\00009B74\108562
C:\00009B74\130609
C:\00009B74\234359
C:\00009B74\256843
C:\00009B74\279437
C:\00009B74\298906
C:\00009B74\338453
C:\00009B74\357937
C:\00009B74\377515
C:\00009B74\397000
C:\00009B74\39820
C:\00009B74\419156
C:\00009B74\443031
C:\00009B74\485296
C:\00009BA3
C:\00009BA3\105031
C:\00009BA3\127218
C:\00009BA3\225734
C:\00009BA3\245187
C:\00009BA3\286687
C:\00009BA3\325500
C:\00009BA3\344906
C:\00009BA3\364390
C:\00009BA3\383796
C:\00009BA3\408046
C:\00009BA3\428921
C:\00009BA3\449156
C:\00009BA3\469000
C:\00009BA3\488828
C:\00009BA3\508671
C:\00009BA3\528046
C:\00009BA3\547421
C:\00009BA3\569031
C:\00009BA3\588906
C:\00009BA3\608343
C:\00009BA3\627781
C:\00009BA3\647234
C:\00009BA3\666687
C:\00009BA3\688609
C:\00009BA3\708625
C:\00009BA3\728468
C:\00009BA3\767281
C:\00009C7E
C:\00009C7E\104875
C:\00009C7E\125984
C:\00009C7E\145531
C:\00009C7E\184812
C:\00009C7E\204453
C:\00009C7E\225578
C:\00009C7E\287921
C:\00009C7E\327484
C:\00009C7E\348000
C:\00009C7E\368234
C:\00009C7E\413890
C:\00009C7E\476937
C:\00009C7E\496875
C:\00009C7E\516921
C:\00009C7E\536531
C:\00009C7E\555843
C:\00009C7E\577046
C:\00009C7E\683500
C:\00009C7E\704000
C:\00009C7E\723609
C:\00009C7E\783796
C:\00009CAD
C:\00009CAD\105265
C:\00009CAD\127000
C:\00009CAD\147812
C:\00009CAD\187390
C:\00009CAD\207187
C:\00009CAD\227000
C:\00009CAD\294000
C:\00009CAD\333984
C:\00009CAD\354328
C:\00009CAD\374562
C:\00009CAD\40133
C:\00009D2A
C:\00009D2A\105359
C:\00009D2A\149843
C:\00009D2A\189984
C:\00009D2A\213093
C:\00009D2A\439656
C:\00009D2A\603250
C:\00009D2A\624406
C:\00009D2A\665375
C:\00009D3A
C:\00009D3A\105421
C:\00009D3A\127093
C:\00009D3A\40273
C:\00009DE5
C:\00009DE5\152984
C:\00009DE5\193375
C:\00009DE5\213578
C:\00009DE5\233359
C:\00009DE5\275484
C:\00009DE5\294843
C:\00009DE5\314203
C:\00009DE5\333562
C:\00009DE5\352921
C:\00009DE5\372328
C:\00009DE5\40445
C:\00009DF5
C:\00009DF5\105687
C:\00009DF5\131375
C:\00009DF5\151156
C:\00009DF5\192703
C:\00009DF5\212937
C:\00009DF5\233187
C:\00009DF5\297078
C:\00009DF5\40461
C:\0000A289
C:\0000A289\154718
C:\0000A289\217140
C:\0000A289\300093
C:\0000A289\340984
C:\0000A289\360906
C:\0000A289\380875
C:\0000A289\400437
C:\0000A289\421359
C:\0000A289\440968
C:\0000A289\460296
C:\0000A289\479625
C:\0000A289\501093
C:\0000A289\521609
C:\0000A289\560453
C:\0000A289\581421
C:\0000A289\601265
C:\0000A289\620609
C:\0000A289\642453
C:\0000A289\663484
C:\0000A289\684328
C:\0000A289\704281
C:\0000A289\723875
C:\0000A289\743484
C:\0000A289\782390
C:\0000A519
C:\0000A519\107718
C:\0000A519\134890
C:\0000A519\154906
C:\0000A519\218031
C:\0000A519\42289
C:\0000D292
C:\000DE281
C:\000DE281\000DE724
C:\000DE782
C:\000DE782\1099359
C:\000DE782\1167937
C:\000DE782\1189937
C:\000DE782\1210140
C:\000DE782\911235
C:\000DE782\944812
C:\0010927E
C:\0010927E\0010953D
C:\00109627
C:\00109627\1093750
C:\00109627\1120750
C:\00109627\1142390
C:\00109627\1168500
C:\00109627\1191109
C:\00109627\1213109
C:\00109627\1233234
C:\00109627\1273687
C:\00109627\1316968
C:\00109627\1338312
C:\00109627\1360078
C:\00109627\1380000
C:\00109627\1399453
C:\00109627\1419015
C:\00109627\1438546
C:\00109627\1457984
C:\00109627\1477421
C:\00109627\1496875
C:\00109627\1516312
C:\00109627\1557781
C:\00109627\1577765
C:\00109627\1617671
C:\00109627\1637109
C:\00109627\1715046
C:\00109627\1734484
C:\00109627\1759359
C:\00109627\1780125
C:\00109627\1820718
C:\WINNT\system32\360mon.dll
C:\WINNT\system32\baccops.dll
C:\WINNT\system32\businesn.dll
C:\WINNT\system32\certmgrkd.dll
C:\WINNT\system32\certmgrkd.nls
C:\WINNT\system32\fmcvxy.dll
C:\WINNT\system32\fmcvxy.dll.LoG
C:\WINNT\system32\keyiftp.dll
C:\WINNT\system32\lweurqhx.dll
C:\WINNT\system32\lweurqhx.nls
C:\WINNT\system32\olecli32pt.dll
C:\WINNT\system32\slbiopfs2.dll
C:\WINNT\system32\slbiopfs2.nls
C:\WINNT\system32\sys07002.sys
C:\WINNT\system32\tdffdl.dll
C:\WINNT\system32\tdffdl.dll.LoG
C:\WINNT\system32\usbmonjx2.dll
C:\WINNT\system32\usbmonjx2.nls
C:\WINNT\system32\wcnonpe.dll
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wyrsdj.dll
C:\WINNT\system32\xfimerl.dll
C:\WINNT\system32\xpstong.dll
C:\WINNT\system32\zgtwfx.dll
C:\WINNT\system32\zsdgff.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-31 22:37 . 2008-07-31 22:39 <DIR> d--hs---- C:\00009124
2008-07-31 22:36 . 2008-07-31 22:36 <DIR> d--hs---- C:\00931D70
2008-07-31 22:36 . 2008-07-31 22:36 <DIR> d--hs---- C:\00931C56
2008-07-31 22:34 . 2008-07-31 22:34 <DIR> d--hs---- C:\00917202
2008-07-31 18:36 . 2008-07-31 18:58 1,984 --a------ C:\WINNT\system32\BeepEx.sys
2008-07-31 17:40 . 2008-07-31 17:40 <DIR> d-------- C:\Deckard
2008-07-30 22:07 . 2008-07-30 22:43 <DIR> d--h----- C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-31 20:12 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01 . 2008-07-30 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 17:30 . 2008-06-14 01:10 272,128 -----c--- C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36 139,264 --a------ C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15 97,595 --a------ C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36 2,829 --a------ C:\WINNT\War3Unin.pif
2008-06-29 15:59 . 2008-07-31 20:21 <DIR> d-------- C:\Nexon
2008-06-21 05:41 . 2008-06-21 05:41 245,248 -----c--- C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 22:44 . 2008-06-20 22:44 138,368 -----c--- C:\WINNT\system32\dllcache\afd.sys
2008-06-17 23:09 . 2008-06-29 15:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-17 18:08 . 2008-06-17 18:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 18:00 . 2008-06-17 18:00 8 --a------ C:\WINNT\system32\nvModes.dat
2008-06-17 17:59 . 2008-06-17 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 10:29 --------- d-----w C:\Program Files\Warcraft III
2008-07-31 08:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-31 07:51 --------- d-----w C:\Program Files\FlashGet
2008-07-31 05:51 4,224 ----a-w C:\WINNT\system32\drivers\beep.sys
2008-07-30 10:43 --------- d-----w C:\Program Files\free-downloads.net
2008-07-30 10:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 11:07 --------- d-----w C:\Program Files\Electronic Arts
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2008-05-31 11:05 --------- d-----w C:\Program Files\Steam
2007-09-16 19:53 56 --sh--r C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53 3,350 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-31_20.01.08.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-31 07:56:27 16,384 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-31 10:37:55 16,384 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 07:56:27 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-31 10:37:55 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 07:56:27 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-31 10:37:55 32,768 --sha-w C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-31 07:56:46 211,432 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-07-31 10:38:17 211,427 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-07-31 10:38:31 16,384 ----atw C:\WINNT\temp\Perflib_Perfdata_284.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 19:12 1298432]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 06:31 1372160]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2006-04-05 17:19 122880]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-31 06:05 2650112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 08:51 580096]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= "C:\WINNT\system32\wyrsdj.dll" [BU]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= "C:\WINNT\system32\wklsdd.dll" [2008-07-31 22:40 236544]
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= "C:\WINNT\system32\ddserh.dll" [2008-07-31 22:41 272384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32. ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 22:38:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wklsdd.dll.LoG

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\[bleep]ALLGUARD]
"ImagePath"="\??\C:\0010927E\00109286"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\debug.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\CTXFISPI.EXE
C:\WINNT\system32\wcnonpek.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-31 22:42:37 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-31 10:42:35
ComboFix2.txt 2008-07-31 08:02:17

Pre-Run: 43,184,861,184 bytes free
Post-Run: 43,164,213,248 bytes free

576 --- E O F --- 2008-07-31 06:44:19


----------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:13 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\debug.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\SYSTEM32\CTXFISPI.EXE
C:\WINNT\system32\wcnonpek.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1960408961-682003330-500\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: wcnonpe.dll aliens.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 7975 bytes

Edited by raoXI, 31 July 2008 - 04:46 AM.


#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\WINNT\system32\debug.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wcnonpek.exe

File::
C:\WINNT\system32\BeepEx.sys
C:\WINNT\system32\wyrsdj.dll
C:\WINNT\system32\ddserh.dll
C:\WINNT\system32\wklsdd.dll.LoG

Folder::
C:\00009124
C:\00931D70
C:\00931C56
C:\00917202

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"=-
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"=-
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"=-
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org result
  • Combofix.txt
  • A new HijackThis log.

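Added example (editor's code, not fenzodahl512's, ComboFix's or anything from the original thread): the CFScript above targets load points that the ComboFix "Reg Loading Points" section exposes, and it helps to know why those keys matter before trusting or deleting a random DLL name. ShellExecuteHooks lists COM objects that Explorer loads on every ShellExecute call; AppInit_DLLs is injected into every process that loads user32.dll; LSA Authentication Packages run inside lsass.exe; and the Security Center and firewall values show that notifications and the XP firewall were switched off. The Python below parses a "Reg Loading Points" block in ComboFix's text format and lists those indicators. The sample block is constructed from the lines in this thread rather than captured; the vowel-count heuristic for random-looking filenames and the msv1_0-only baseline are my assumptions; and a non-default LSA package is reported for vendor verification, not as malware (relog_ap is commonly installed by Acronis products, and this machine runs the Acronis scheduler).

```python
import re

# Constructed sample: the same keys and values ComboFix printed in this thread,
# trimmed to the lines the audit looks at. Not a real capture.
SAMPLE_REG_SECTION = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= "C:\WINNT\system32\wyrsdj.dll" [BU]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= "C:\WINNT\system32\wklsdd.dll" [2008-07-31 22:40 236544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll aliens.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumption: on a stock XP box msv1_0 is the only LSA authentication package.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
HOOK_RE = re.compile(r'"\{([0-9A-Fa-f-]+)\}"\s*=\s*"([^"]+)"')
APPINIT_RE = re.compile(r'"?appinit_dlls"?\s*=\s*(.*)$', re.I)
NOTIFY_RE = re.compile(r'"(\w+DisableNotify)"\s*=\s*dword:0*1$', re.I)
FIREWALL_RE = re.compile(r'"enablefirewall"\s*=\s*0\b', re.I)


def parse_sections(text):
    """Group value lines under their [key] header; headers are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def random_looking(stem):
    """Heuristic (assumption): 6-8 lowercase letters with under 30% vowels,
    the shape of wklsdd / zgtwfx / ddserh in this thread's logs."""
    if not re.fullmatch(r"[a-z]{6,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def audit(text):
    """Return (category, detail) findings for the load points ComboFix lists."""
    findings = []
    for key, lines in parse_sections(text).items():
        if key.endswith(r"\explorer\shellexecutehooks"):
            # Explorer loads every hook listed here on each ShellExecute call.
            # ComboFix already hides the default entry, so anything shown needs a look.
            for line in lines:
                m = HOOK_RE.search(line)
                if m:
                    clsid, path = m.groups()
                    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
                    note = "random-looking name" if random_looking(stem) else "non-default hook"
                    findings.append(("ShellExecuteHook", f"{{{clsid}}} -> {path} ({note})"))
        elif key.endswith(r"\windows nt\currentversion\windows"):
            # AppInit_DLLs is injected into every process that loads user32.dll.
            for line in lines:
                m = APPINIT_RE.match(line)
                if m and m.group(1).strip():
                    findings.extend(("AppInit_DLLs", d) for d in m.group(1).split())
        elif key.endswith(r"\control\lsa"):
            # Authentication packages run inside lsass.exe. A non-default one is
            # reported for vendor verification, not declared malicious.
            for line in lines:
                if line.lower().startswith("authentication packages"):
                    for pkg in line.split("REG_MULTI_SZ", 1)[-1].split():
                        if pkg.lower() not in KNOWN_AUTH_PACKAGES:
                            findings.append(("LSA AuthPackage", pkg))
        elif key.endswith(r"\security center"):
            # *DisableNotify=1 silences the Security Center warnings the user would see.
            for line in lines:
                m = NOTIFY_RE.match(line)
                if m:
                    findings.append(("SecurityCenter", m.group(1) + "=1"))
        elif "firewallpolicy" in key and key.endswith(r"\standardprofile"):
            for line in lines:
                if FIREWALL_RE.match(line):
                    findings.append(("Firewall", "EnableFirewall=0"))
    return findings


if __name__ == "__main__":
    for category, detail in audit(SAMPLE_REG_SECTION):
        print(f"[{category}] {detail}")
```

Run it against a saved ComboFix.txt by passing the text between the "Reg Loading Points" header and the catchme banner to audit(); the point is to have a list of what to verify, not an automatic delete list, which is why the LSA package and the hooks are reported with a reason rather than acted on.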


#11
raoXI
  • Topic Starter
  • Member
  • 16 posts
VirSCAN.org (I had to terminate the process in Task Manager before I was able to upload to VirSCAN.org). Thanks again D:!

VirSCAN.org Scanned Report :
Scanned time : 2008/08/01 18:59:34 (NZST)
Scanner results: 44% Scanner(16/36) found malware!
File Name : debug.exe
File Size : 20634 byte
File Type : MS-DOS executable, PE for MS Windows (GUI) Intel 80386 32-bi
MD5 : 6b6f72846dde3f0c00df6b2932ffab71
SHA1 : 9574d4f50971a1769d3eef6a3ea5ca5eac84370b
Online report : http://virscan.org/r...2d7320ce2b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.31 2008-07-31 2.36 -
AhnLab V3 2008.08.01.01 2008.08.01 2008-08-01 0.88 -
AntiVir 7.8.1.15 7.0.5.200 2008-07-31 2.19 PCK/FSG
Arcavir 1.0.5 200807311911 2008-07-31 1.21 -
AVAST! 3.0.1 080731-0 2008-07-31 0.01 -
AVG 7.5.51.442 270.5.10/1584 2008-07-31 1.55 -
BitDefender 7.60825.1412061 7.20290 2008-08-01 2.65 Generic.Malware.dld!!.55B3305B
CA (VET) 9.0.0.143 31.6.5999 2008-07-31 0.79 -
ClamAV 0.93.3 7906 2008-08-01 0.02 -
Comodo 2.11 2.0.0.603 2008-08-01 0.49 -
CP Secure 1.1.0.715 2008.08.01 2008-08-01 5.81 -
Dr.Web 4.44.0.9170 2008.07.31 2008-07-31 3.03 Trojan.DownLoad.3234
ewido 4.0.0.2 2008.07.31 2008-07-31 2.30 -
F-Prot 4.4.4.56 20080731 2008-07-31 1.00 Possible W32/Heuristic-DL2!Eldorado (damaged, not disinfectable)
F-Secure 5.51.6100 2008.07.31.09 2008-07-31 2.89 Trojan-Downloader.Win32.Small.zie [AVP]
Fortinet 2.81-3.11 9.374 2008-08-01 1.64 Suspicious
ViRobot 20080731 2008.07.31 2008-07-31 0.42 -
Ikarus T3.1.01.34 2008.08.01.71199 2008-08-01 3.06 -
JiangMin 11.0.706 2008.08.01 2008-08-01 1.18 TrojanDownloader.Small.aeti
Kaspersky 5.5.10 2008.08.01 2008-08-01 0.05 Trojan-Downloader.Win32.Small.zie
KingSoft 2008.1.14.15 2008.7.31.17 2008-07-31 0.61 Win32.TrojDownloader.Small.24576
McAfee 5.2.00 5350 2008-07-30 2.37 -
Microsoft 1.3806 2008.08.01 2008-08-01 4.76 -
mks_vir 2.01 2008.07.31 2008-07-31 2.50 -
Norman 5.93.01 5.93.00 2008-07-31 4.70 Suspicious_F.gen
Panda 9.05.01 2008.07.31 2008-07-31 2.06 Suspicious file
Trend Micro 8.700-1004 5.448.05 2008-07-31 0.04 -
Quick Heal 9.50 2008.07.31 2008-07-31 1.60 Suspicious - DNAScan
Rising 20.0 20.55.40.00 2008-08-01 0.81 -
Sophos 2.75.4 4.31 2008-08-01 2.00 Mal/Packer
Sunbelt 3.1.1537.1 2175 2008-07-31 0.46 VIPRE.Suspicious
Symantec 1.3.0.24 20080731.003 2008-07-31 0.08 -
nProtect 2008-07-31.01 1730652 2008-07-31 4.69 Generic.Malware.dld!!.55B3305B
The Hacker 6.2.96 v00391 2008-07-31 0.41 -
VBA32 3.12.8.2 20080731.1522 2008-07-31 1.12 Win32.Trojan.Downloader (http://...) (suspicious)
VirusBuster 4.5.11.10 4.5.11/ 0010-00-00 0.80 -


--------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix

ComboFix 08-07-29.1 - Administrator 2008-08-01 19:05:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1583 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINNT\system32\BeepEx.sys
C:\WINNT\system32\ddserh.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wyrsdj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\00009124
C:\00009124\102437
C:\00009124\135906
C:\00009124\156875
C:\00009124\204187
C:\00009124\228640
C:\00009124\275921
C:\00009124\308218
C:\00009124\332078
C:\00009124\358234
C:\00009124\401546
C:\00009124\423765
C:\00009124\444515
C:\00009124\489812
C:\00009124\511796
C:\00009124\533734
C:\00009124\557812
C:\00009124\580328
C:\00009124\610328
C:\00009124\640796
C:\00009124\701265
C:\00009124\728109
C:\00009124\755093
C:\00009124\776984
C:\00009124\820843
C:\00009124\841390
C:\00009124\862296
C:\00009124\883000
C:\00009124\904890
C:\00009124\925593
C:\00917202
C:\00931C56
C:\00931D70
C:\WINNT\system32\BeepEx.sys
C:\WINNT\system32\ddserh.dll
C:\WINNT\system32\fmcvxy.dll
C:\WINNT\system32\fmcvxy.dll.LoG
C:\WINNT\system32\jdsaex.dll
C:\WINNT\system32\jhfrxz.dll
C:\WINNT\system32\sgdewg.dll
C:\WINNT\system32\wcnonpe.dll
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wyrsdj.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 19:09 . 2008-08-01 19:11 <DIR> d--hs---- C:\00008EB3
2008-08-01 19:08 . 2008-08-01 19:08 <DIR> d--hs---- C:\003143F0
2008-08-01 19:08 . 2008-08-01 19:08 <DIR> d--hs---- C:\0031424A
2008-08-01 19:05 . 2008-08-01 19:05 <DIR> d--hs---- C:\002EBD26
2008-08-01 19:02 . 2008-08-01 19:05 <DIR> d--hs---- C:\002C5AAC
2008-08-01 18:14 . 2008-08-01 18:29 <DIR> d--hs---- C:\00008DE8
2008-08-01 18:08 . 2008-08-01 18:08 <DIR> d--hs---- C:\0019548E
2008-08-01 17:48 . 2008-08-01 17:48 <DIR> d--h----- C:\WINNT\PIF
2008-08-01 17:41 . 2008-08-01 17:54 <DIR> d--hs---- C:\00009039
2008-08-01 07:58 . 2008-08-01 07:58 14,336 --a------ C:\WINNT\system32\aliensk.exe
2008-08-01 07:42 . 2008-08-01 17:42 <DIR> d--hs---- C:\00008E65
2008-08-01 07:30 . 2008-08-01 07:30 <DIR> d--hs---- C:\00008F01
2008-07-31 22:50 . 2008-08-01 18:26 225,792 --ah----- C:\WINNT\system32\zsdgff.dll
2008-07-31 22:45 . 2008-08-01 18:22 232,960 --ah----- C:\WINNT\system32\zgtwfx.dll
2008-07-31 22:43 . 2008-08-01 07:58 28,672 --a------ C:\WINNT\system32\aliens.dll
2008-07-31 17:40 . 2008-07-31 17:40 <DIR> d-------- C:\Deckard
2008-07-30 22:07 . 2008-07-30 22:43 <DIR> d--h----- C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-31 20:12 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01 . 2008-07-30 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 17:30 . 2008-06-14 01:10 272,128 -----c--- C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36 139,264 --a------ C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15 97,595 --a------ C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36 2,829 --a------ C:\WINNT\War3Unin.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 07:04 --------- d-----w C:\Program Files\FlashGet
2008-08-01 07:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-01 06:08 4,224 ----a-w C:\WINNT\system32\drivers\beep.sys
2008-07-31 10:29 --------- d-----w C:\Program Files\Warcraft III
2008-07-30 10:43 --------- d-----w C:\Program Files\free-downloads.net
2008-07-30 10:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-29 03:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:09 107,888 ----a-w C:\WINNT\system32\CmdLineExt.dll
2008-06-17 11:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 11:07 --------- d-----w C:\Program Files\Electronic Arts
2008-06-17 06:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-09-16 19:53 56 --sh--r C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53 3,350 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-31_20.01.08.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-31 07:56:27 16,384 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-01 07:09:33 16,384 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 07:56:27 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-01 07:09:33 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 07:56:27 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-01 07:09:33 32,768 --sha-w C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-31 05:51:02 4,224 -c--a-w C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 06:08:35 4,224 -c--a-w C:\WINNT\system32\dllcache\beep.sys
- 2008-07-31 07:56:46 211,432 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-08-01 07:10:09 211,427 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 19:12 1298432]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 06:31 1372160]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2006-04-05 17:19 122880]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-31 06:05 2650112]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= "C:\WINNT\system32\zgtwfx.dll" [2008-08-01 18:22 232960]
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"= "C:\WINNT\system32\zsdgff.dll" [2008-08-01 18:26 225792]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= "C:\WINNT\system32\wklsdd.dll" [2008-08-01 19:12 236544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll aliens.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32. ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

R2 NwSapAgent;SAP Agent;C:\WINNT\system32\svchost.exe [2004-08-04 00:56]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-10-18 11:12]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINNT\system32\drivers\ha20x2k.sys [2006-05-24 15:40]
S3 cpuz126;cpuz126;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz.sys []
S3 [bleep]ALLGUARD;[bleep]ALLGUARD;C:\0010927E\00109286 []
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [2005-08-03 09:10]
S3 SaiH8000;SaiH8000;C:\WINNT\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S3 UltraMonMirror;UltraMonMirror;C:\WINNT\system32\DRIVERS\UltraMonMirror.sys []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 19:10:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\[bleep]ALLGUARD]
"ImagePath"="\??\C:\0010927E\00109286"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\debug.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\CTXFISPI.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wcnonpek.exe
.
**************************************************************************
.
Completion time: 2008-08-01 19:14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 07:14:05
ComboFix2.txt 2008-07-31 10:42:43
ComboFix3.txt 2008-07-31 08:02:17

Pre-Run: 43,145,097,216 bytes free
Post-Run: 43,132,088,320 bytes free

243 --- E O F --- 2008-07-31 06:44:19

---------------------------------------------------------------------------------------------------------------------------------------

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:53 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\debug.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\SYSTEM32\CTXFISPI.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: wcnonpe.dll aliens.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 7688 bytes

Edited by raoXI, 01 August 2008 - 01:16 AM.

  • 0

#12
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hey, can you please find the combofix log and attach it here.. Don't post it this time, but please attach it.. It is located at C:\combofix.txt or in the C:\qoobox folder..


Please do that before proceeding with this fix..


After you attach your latest combofix log, then do the following...


Somehow you are getting re-infected.. Do you surf/download/game online while we are cleaning your computer? Is this computer linked to other computers (via networking)?

Please refrain from surfing the internet while we are cleaning your computer..



Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1098640
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O20 - AppInit_DLLs: wcnonpe.dll aliens.dll


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\debug.exe

File::
C:\WINNT\system32\aliensk.exe
C:\WINNT\system32\zsdgff.dll
C:\WINNT\system32\zgtwfx.dll
C:\WINNT\system32\aliens.dll

Folder::
C:\00008EB3
C:\003143F0
C:\0031424A
C:\002EBD26
C:\002C5AAC
C:\00008DE8
C:\0019548E
C:\WINNT\PIF
C:\00009039
C:\00008E65
C:\00008F01

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"=-
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"=-
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"=-

DirLook::
C:\WINNT\system32\GroupPolicy

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




NEXT


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.



Please attach the following logs in your next reply..

1. Previous ComboFix log (before running today's instructions)
2. ComboFix log (the one you ran today via CFScript)
3. Kaspersky Online
4. GMER
5. A fresh HijackThis log..


Regards
fenzodahl512
  • 0
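The entries singled out above for fixing (the hijacked R0 start page and the O20 AppInit_DLLs line) can be picked out of a HijackThis log mechanically. The script below is an added example, not code from this thread or from HijackThis: it runs a few triage rules over lines copied from the log above (the truncated start-page URL is replaced by a placeholder host, and the allowlist of default IE hosts is an assumption), flagging a non-empty AppInit_DLLs, a start/search page off the vendor defaults, an unrecognised Winsock LSP and services with no publisher.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log above; the start-page
# URL is truncated there, so a placeholder host stands in for it.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.placeholder.invalid/?ctid=CT1098640
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O20 - AppInit_DLLs: wcnonpe.dll aliens.dll
O23 - Service: StyleXPService - Unknown owner - C:\\Program Files\\TGTSoft\\StyleXP\\StyleXPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
"""

# Hosts the stock IE Start/Search Page values point at (assumption: a small
# allowlist suffices for an XP-era log; extend for other locales or OEM builds).
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = check the publisher first
    section: str   # HijackThis section code, e.g. O20
    reason: str
    line: str

def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules the helper used in this thread to a single log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    # O20: AppInit_DLLs is injected into every process that loads user32.dll and
    # is empty on a clean XP machine, so any DLL listed there needs attention.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            return Finding("high", section, f"AppInit_DLLs loads {' '.join(dlls)}", line)
    # R0/R1: a Start or Search Page that does not point at the vendor default.
    if section in ("R0", "R1") and "=" in body:
        key, url = (part.strip() for part in body.split("=", 1))
        if "Start Page" in key or "Search" in key:
            host = urlparse(url).hostname or ""
            if host not in DEFAULT_IE_HOSTS:
                return Finding("review", section, f"start/search page points at {host}", line)
    # O10: an LSP the tool could not identify is loaded into every networking app.
    if section == "O10":
        return Finding("review", section, "unrecognised Winsock LSP; verify its publisher", line)
    # O23: a service with no publisher information.
    if section == "O23" and "Unknown owner" in body:
        return Finding("review", section, "service has no publisher information", line)
    return None

def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```

Run against the sample, it flags four lines and leaves the NVIDIA service, the nwiz Run entry and the default Microsoft search URL alone.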

#13
raoXI

  • Topic Starter
  • Member
  • 16 posts
here we go! :) thanksss

Attached Files


  • 0

#14
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file paths into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\System32\Drivers\ajsmty3i.SYS
    • C:\WINDOWS\System32\Drivers\a1cx1ahn.SYS
    • C:\WINDOWS\System32\Drivers\spph.sys
    • C:\WINNT\system32\GroupPolicy\User\Registry.pol
    • C:\WINNT\system32\GroupPolicy\Adm\conf.adm
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


Please drag the CFScript.txt that I attached below into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org
  • Combofix.txt
  • A new HijackThis log.

  • 0

#15
raoXI

  • Topic Starter
  • Member
  • 16 posts
I have had view hidden files/folders enabled since the beginning of the last batch of instructions :) I could not upload the first 3 files due to the "Path does not exist" error; please verify the correct path. But the other two are below:

registry.pol http://www.virustota...3f491d111255a25
conf.adm http://www.virustota...8d4f4d54582b008

thanks again :)

Attached Files


  • 0