BV: Malware-gen



#1 hermyrtle (New Member)
Uhm, my PC was infected with BV: Malware-gen and it's quite irritating already. I tried to delete it in the Windows folder (the pcof.bat) but my antivirus keeps detecting it, even though it can no longer be found in the folder, and I can't set my folder options to show the hidden files. I found a thread with the same problem and I don't know if I got rid of it already. Anyway, the following are the logs.

Before I started with the removal:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:45 PM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ?????.lnk
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5922 bytes


#2 hermyrtle (Topic Starter)
The SDFix log:


SDFix: Version 1.240
Run by Tin on Fri 01/30/2009 at 10:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Tin\LOCALS~1\Temp\tmp29.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmp2A.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmp46.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmp47.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmpC1.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmpC2.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmpC3.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmpC4.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmpC5.tmp - Deleted
C:\DOCUME~1\Tin\LOCALS~1\Temp\tmpC6.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 23:02:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 15 Sep 2008 239,283 A.SHR --- "C:\WINDOWS\Auto.exe"
Mon 19 Jan 2009 108,753 ..SHR --- "C:\WINDOWS\system32\olhrwef.exe"

Finished!

#3 hermyrtle (Topic Starter)
The ComboFix log:


ComboFix 09-01-21.04 - Tin 2009-01-31 9:52:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.137 [GMT -8:00]
Running from: c:\documents and settings\Tin\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1296 [VPS 090115-0] *On-access scanning disabled* (Outdated)
AV: Bitdefender Antivirus *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-31 09:43 . 2009-01-31 09:43 95,744 -r-hs---- c:\windows\system32\nmdfgds0.dll
2009-01-30 22:54 . 2009-01-30 22:55 <DIR> d-------- c:\windows\ERUNT
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\documents and settings\Tin\Application Data\SUPERAntiSpyware.com
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 19:06 . 2009-01-30 19:06 <DIR> d-------- c:\program files\Softwin
2009-01-30 19:06 . 2009-01-30 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-01-30 18:23 . 2009-01-30 18:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-30 14:41 . 2009-01-19 17:37 108,753 -r-hs---- C:\j60osk9.cmd
2009-01-30 14:06 . 2009-01-30 23:03 <DIR> d-------- C:\SDFix
2009-01-29 14:16 . 2009-01-29 14:16 30 -rahs---- c:\windows\pcof.bat
2009-01-25 12:15 . 2008-09-15 18:33 239,283 -rahs---- c:\windows\Auto.exe
2009-01-22 22:19 . 2009-01-22 22:19 <DIR> d-------- c:\documents and settings\Administrator
2009-01-21 17:25 . 2009-01-19 17:37 108,753 -r-hs---- c:\windows\system32\olhrwef.exe
2009-01-08 12:39 . 2009-01-08 12:39 <DIR> d-------- c:\program files\GIMP-2.0
2009-01-07 12:39 . 2009-01-16 11:45 <DIR> d-------- c:\documents and settings\Tin\Application Data\gtk-2.0
2009-01-07 12:39 . 2009-01-07 12:39 <DIR> d-------- c:\documents and settings\Tin\.thumbnails
2009-01-07 12:38 . 2009-01-16 11:46 <DIR> d-------- c:\documents and settings\Tin\.gimp-2.4
2008-12-29 18:21 . 2008-12-29 18:22 <DIR> d-------- c:\program files\Winamp
2008-12-29 18:21 . 2008-12-29 18:37 <DIR> d-------- c:\documents and settings\Tin\Application Data\Winamp
2008-12-29 18:20 . 2008-12-29 18:20 <DIR> d-------- c:\program files\7art
2008-12-29 18:20 . 2006-01-18 15:25 212,480 --a------ c:\windows\Romantic Clock.scr
2008-12-29 18:19 . 2008-12-29 18:19 <DIR> d-------- c:\program files\clock-desktop
2008-12-29 18:19 . 2007-09-26 15:50 883,712 --a------ c:\windows\teddy_bears_clock.scr
2008-12-29 18:19 . 2008-12-03 19:19 303,104 --a------ c:\windows\halloween_clock.scr
2008-12-23 15:35 . 2008-12-23 15:35 <DIR> d-------- c:\documents and settings\Guest
2008-12-22 13:03 . 2008-12-22 13:03 <DIR> d-------- c:\program files\Expstudio
2008-12-22 13:03 . 2008-12-22 13:03 161,105 --a------ c:\windows\Expstudio Audio Editor FREE Uninstaller.exe
2008-12-22 13:01 . 2008-12-22 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\{F481FC18-57D5-4479-B2FB-083BFF223F8F}
2008-12-18 10:26 . 2008-12-18 10:26 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-18 10:26 . 2008-12-18 10:26 <DIR> d-------- c:\program files\QuickTime Alternative
2008-12-18 10:26 . 2008-12-18 10:26 <DIR> d-------- c:\program files\Media Player Classic
2008-12-18 10:26 . 2004-09-23 18:57 6,676,480 --a------ c:\windows\system32\QuickTime.qts
2008-12-18 10:26 . 2004-09-23 18:57 747,008 --a------ c:\windows\system32\Indeo4.qtx
2008-12-18 10:26 . 2002-12-20 12:40 675,328 --a------ c:\windows\system32\ir50_32.qtx
2008-12-18 10:26 . 2004-09-23 18:57 430,592 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-12-18 10:26 . 2005-06-10 17:40 360,504 --a------ c:\windows\system32\QTPlugin.ocx
2008-12-18 10:26 . 2004-09-23 18:57 323,072 --a------ c:\windows\system32\QuickTime.cpl
2008-12-18 10:26 . 2002-11-08 20:04 225,280 --a------ c:\windows\system32\qtmlClient.dll
2008-12-18 10:26 . 2004-01-12 17:57 86,016 --a------ c:\windows\system32\QuickTime.ax
2008-12-18 10:26 . 2004-09-23 18:57 70,144 --a------ c:\windows\system32\QuickTimeCheck.ocx
2008-12-13 10:05 . 2008-12-13 10:05 290 --a------ c:\windows\SCRABOUT.INI
2008-12-13 10:02 . 2008-12-13 10:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreshGames
2008-12-09 11:04 . 2008-12-09 11:04 <DIR> dr------- c:\program files\TypingMaster
2008-12-09 11:04 . 2009-01-06 17:35 <DIR> d-------- c:\documents and settings\Tin\Application Data\TypingMaster7
2008-12-03 23:58 . 2008-12-03 23:58 <DIR> d-------- c:\program files\MaxType LITE
2008-12-03 23:57 . 2008-12-03 23:57 <DIR> d-------- c:\program files\RapidTyping
2008-12-03 23:57 . 2008-12-04 00:01 <DIR> d-------- c:\documents and settings\Tin\Application Data\RapidTyping
2008-12-03 18:55 . 2008-12-03 18:55 <DIR> d-------- c:\program files\EA GAMES

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 03:20 --------- d-----w c:\program files\Common Files\Softwin
2009-01-31 03:17 81,984 ----a-w c:\windows\system32\bdod.bin
2009-01-30 21:56 --------- d-----w c:\program files\Alwil Software
2009-01-29 21:56 --------- d-----w c:\program files\PhotoScape
2009-01-29 16:26 --------- d-----w c:\documents and settings\Tin\Application Data\OpenOffice.org2
2009-01-24 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 20:01 --------- d-----w c:\program files\ProModel
2009-01-13 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-01-13 15:02 --------- d-----w c:\documents and settings\Tin\Application Data\SpinTop
2009-01-13 15:02 --------- d-----w c:\documents and settings\Tin\Application Data\Apple Computer
2008-12-26 01:40 --------- d-----w c:\program files\Magic Vines
2008-12-22 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 03:27 --------- d-----w c:\program files\GameHouse
2008-11-27 03:17 737,280 ----a-w c:\windows\iun6002.exe
2008-11-15 10:39 847,718 ----a-w c:\windows\Bigbang Screensaver05.scr
2008-11-15 10:39 4,817,056 ----a-w c:\windows\Bigbang Screensaver04.scr
2008-10-14 20:54 51,716 ----a-w c:\windows\system32\pdf995mon.dll
2008-10-14 20:54 249,856 ----a-w c:\windows\system32\pdfmona.dll
2008-10-13 22:37 45,056 ----a-w c:\windows\system32\wnaspi32.dll
2008-10-03 03:35 45,056 ----a-w c:\windows\NCUNINST.EXe
2008-10-03 03:35 40,960 ----a-w c:\windows\NCLAUNCH.EXe
2008-09-16 02:33 239,283 --sha-r c:\windows\Auto.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-10-02 40960]
"cdoosoft"="c:\windows\system32\olhrwef.exe" [2009-01-19 108753]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 363008]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]
"VTTimer"="VTTimer.exe" [2006-08-03 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-11 c:\windows\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-31 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Tin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-30 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-09-02 659456]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-30 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d436bfd-cd43-11dd-9216-001d60a1315a}]
\Shell\AutoPlay\Command - F:\console.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL console.exe
\Shell\Explore\Command - F:\console.exe
\Shell\Open\Command - F:\console.exe
\Shell\Scan For Viruses\Command - F:\console.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55941e9d-7df1-11dd-915e-001d60a1315a}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abdba8e-96d8-11dd-919c-001d60a1315a}]
\Shell\AutoRun\command - F:\j60osk9.cmd
\Shell\open\Command - F:\j60osk9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{699bf8d4-dcf8-11dd-9233-001d60a1315a}]
\Shell\AutoRun\command - xih9.cmd
\Shell\explore\Command - xih9.cmd
\Shell\open\Command - xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{751df030-899d-11dd-917b-001d60a1315a}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ddeeeae-ce03-11dd-9218-001d60a1315a}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99c30261-93fc-11dd-9195-001d60a1315a}]
\Shell\AutoRun\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ae5ce4b-8aa7-11dd-917d-001d60a1315a}]
\Shell\AutoRun\command - 08dgu.com
\Shell\explore\Command - 08dgu.com
\Shell\open\Command - 08dgu.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3c09ba2-90eb-11dd-918e-001d60a1315a}]
\Shell\AutoRun\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3d77717-7c2d-11dd-915a-001d60a1315a}]
\Shell\AutoRun\command - g:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - g:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df1020f3-cde6-11dd-9217-001d60a1315a}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e05de9b8-7986-11dd-9154-001d60a1315a}]
\Shell\AutoRun\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e796aa0e-9a31-11dd-91ac-001d60a1315a}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e796aa12-9a31-11dd-91ac-001d60a1315a}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 09:53:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,63,dc,f4,47,4b,
a8,dd,a2,c8,28,51,af,b0,29,a3,98,35,61,fc,d4,ab,62,f6,03,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,d9,f6,35,74,2d,
93,69,12,71,3b,04,66,8b,46,0d,96,cd,bb,d2,04,72,88,ef,e4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,83,51,5b,f3,f6,
df,e9,8f,25,da,ec,7e,55,20,c9,26,b0,b4,33,b0,b7,5c,0f,bf,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,61,df,bf,6b,2a,
be,61,f9,3e,1e,9e,e0,57,5a,93,61,f0,36,a0,de,40,ff,cd,af,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,cb,6f,50,16,35,
70,fa,d7,cd,44,cd,b9,a6,33,6c,cd,5a,77,37,be,5b,11,42,f2,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,a0,36,8f,bb,5e,
69,2b,5a,b0,18,ed,a7,3f,8d,37,a4,0e,43,a3,93,9e,02,9c,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,8d,86,ff,51,b5,
7d,52,96,31,77,e1,ba,b1,f8,68,02,93,da,55,be,ca,40,65,14,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,8a,8e,00,77,41,
1a,ca,94,83,6c,56,8b,a0,85,96,ab,c3,e1,c1,ed,ca,ce,8b,09,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,4b,c9,4b,0b,c1,
af,ad,f6,51,fa,6e,91,28,9e,14,cc,54,3a,c7,1d,ff,cd,a4,54,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ea,bb,e9,98,76,
04,d4,f6,b1,cd,45,5a,a8,c4,f8,b9,cb,36,4f,12,f8,67,04,32,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,82,c6,f7,a4,c2,
26,3b,d7,e3,0e,66,d5,eb,bc,2f,6b,38,ba,6e,e3,03,3c,69,97,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,39,73,94,0f,07,
2d,dc,76,fa,ea,66,7f,d4,3b,6b,70,fd,5c,36,e3,db,31,69,d2,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-31 9:54:19
ComboFix-quarantined-files.txt 2009-01-31 17:54:17

Pre-Run: 13,158,752,256 bytes free
Post-Run: 13,196,832,768 bytes free

271

#4 hermyrtle (Topic Starter)
The OTMoveIt3 log:


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\Auto.exe moved successfully.
File/Folder C:\WINDOWS\1163354374 not found.
File/Folder C:\WINDOWS\Auto.exe not found.
C:\WINDOWS\pcof.bat moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Tin\LOCALS~1\Temp\~DFBE2C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_53c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01312009_095810

Files moved on Reboot...
File C:\DOCUME~1\Tin\LOCALS~1\Temp\~DFBE2C.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_53c.dat moved successfully.

#5 hermyrtle (Topic Starter)
The 2nd ComboFix log:

ComboFix 09-01-21.04 - Tin 2009-01-31 10:07:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.126 [GMT -8:00]
Running from: c:\documents and settings\Tin\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1296 [VPS 090115-0] *On-access scanning disabled* (Outdated)
AV: Bitdefender Antivirus *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-31 10:00 . 2009-01-31 10:00 95,744 -r-hs---- c:\windows\system32\nmdfgds0.dll
2009-01-31 09:58 . 2009-01-31 09:58 <DIR> d-------- C:\_OTMoveIt
2009-01-30 22:54 . 2009-01-30 22:55 <DIR> d-------- c:\windows\ERUNT
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\documents and settings\Tin\Application Data\SUPERAntiSpyware.com
2009-01-30 19:21 . 2009-01-30 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 19:06 . 2009-01-30 19:06 <DIR> d-------- c:\program files\Softwin
2009-01-30 19:06 . 2009-01-30 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-01-30 18:23 . 2009-01-30 18:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-30 14:41 . 2009-01-19 17:37 108,753 -r-hs---- C:\j60osk9.cmd
2009-01-30 14:06 . 2009-01-30 23:03 <DIR> d-------- C:\SDFix
2009-01-22 22:19 . 2009-01-22 22:19 <DIR> d-------- c:\documents and settings\Administrator
2009-01-21 17:25 . 2009-01-19 17:37 108,753 -r-hs---- c:\windows\system32\olhrwef.exe
2009-01-08 12:39 . 2009-01-08 12:39 <DIR> d-------- c:\program files\GIMP-2.0
2009-01-07 12:39 . 2009-01-16 11:45 <DIR> d-------- c:\documents and settings\Tin\Application Data\gtk-2.0
2009-01-07 12:39 . 2009-01-07 12:39 <DIR> d-------- c:\documents and settings\Tin\.thumbnails
2009-01-07 12:38 . 2009-01-16 11:46 <DIR> d-------- c:\documents and settings\Tin\.gimp-2.4
2008-12-29 18:21 . 2008-12-29 18:22 <DIR> d-------- c:\program files\Winamp
2008-12-29 18:21 . 2008-12-29 18:37 <DIR> d-------- c:\documents and settings\Tin\Application Data\Winamp
2008-12-29 18:20 . 2008-12-29 18:20 <DIR> d-------- c:\program files\7art
2008-12-29 18:20 . 2006-01-18 15:25 212,480 --a------ c:\windows\Romantic Clock.scr
2008-12-29 18:19 . 2008-12-29 18:19 <DIR> d-------- c:\program files\clock-desktop
2008-12-29 18:19 . 2007-09-26 15:50 883,712 --a------ c:\windows\teddy_bears_clock.scr
2008-12-29 18:19 . 2008-12-03 19:19 303,104 --a------ c:\windows\halloween_clock.scr
2008-12-23 15:35 . 2008-12-23 15:35 <DIR> d-------- c:\documents and settings\Guest
2008-12-22 13:03 . 2008-12-22 13:03 <DIR> d-------- c:\program files\Expstudio
2008-12-22 13:03 . 2008-12-22 13:03 161,105 --a------ c:\windows\Expstudio Audio Editor FREE Uninstaller.exe
2008-12-22 13:01 . 2008-12-22 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\{F481FC18-57D5-4479-B2FB-083BFF223F8F}
2008-12-18 10:26 . 2008-12-18 10:26 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-18 10:26 . 2008-12-18 10:26 <DIR> d-------- c:\program files\QuickTime Alternative
2008-12-18 10:26 . 2008-12-18 10:26 <DIR> d-------- c:\program files\Media Player Classic
2008-12-18 10:26 . 2004-09-23 18:57 6,676,480 --a------ c:\windows\system32\QuickTime.qts
2008-12-18 10:26 . 2004-09-23 18:57 747,008 --a------ c:\windows\system32\Indeo4.qtx
2008-12-18 10:26 . 2002-12-20 12:40 675,328 --a------ c:\windows\system32\ir50_32.qtx
2008-12-18 10:26 . 2004-09-23 18:57 430,592 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-12-18 10:26 . 2005-06-10 17:40 360,504 --a------ c:\windows\system32\QTPlugin.ocx
2008-12-18 10:26 . 2004-09-23 18:57 323,072 --a------ c:\windows\system32\QuickTime.cpl
2008-12-18 10:26 . 2002-11-08 20:04 225,280 --a------ c:\windows\system32\qtmlClient.dll
2008-12-18 10:26 . 2004-01-12 17:57 86,016 --a------ c:\windows\system32\QuickTime.ax
2008-12-18 10:26 . 2004-09-23 18:57 70,144 --a------ c:\windows\system32\QuickTimeCheck.ocx
2008-12-13 10:05 . 2008-12-13 10:05 290 --a------ c:\windows\SCRABOUT.INI
2008-12-13 10:02 . 2008-12-13 10:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreshGames
2008-12-09 11:04 . 2008-12-09 11:04 <DIR> dr------- c:\program files\TypingMaster
2008-12-09 11:04 . 2009-01-06 17:35 <DIR> d-------- c:\documents and settings\Tin\Application Data\TypingMaster7
2008-12-03 23:58 . 2008-12-03 23:58 <DIR> d-------- c:\program files\MaxType LITE
2008-12-03 23:57 . 2008-12-03 23:57 <DIR> d-------- c:\program files\RapidTyping
2008-12-03 23:57 . 2008-12-04 00:01 <DIR> d-------- c:\documents and settings\Tin\Application Data\RapidTyping
2008-12-03 18:55 . 2008-12-03 18:55 <DIR> d-------- c:\program files\EA GAMES

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 03:20 --------- d-----w c:\program files\Common Files\Softwin
2009-01-31 03:17 81,984 ----a-w c:\windows\system32\bdod.bin
2009-01-30 21:56 --------- d-----w c:\program files\Alwil Software
2009-01-29 21:56 --------- d-----w c:\program files\PhotoScape
2009-01-29 16:26 --------- d-----w c:\documents and settings\Tin\Application Data\OpenOffice.org2
2009-01-24 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 20:01 --------- d-----w c:\program files\ProModel
2009-01-13 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-01-13 15:02 --------- d-----w c:\documents and settings\Tin\Application Data\SpinTop
2009-01-13 15:02 --------- d-----w c:\documents and settings\Tin\Application Data\Apple Computer
2008-12-26 01:40 --------- d-----w c:\program files\Magic Vines
2008-12-22 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 03:27 --------- d-----w c:\program files\GameHouse
2008-11-27 03:17 737,280 ----a-w c:\windows\iun6002.exe
2008-11-15 10:39 847,718 ----a-w c:\windows\Bigbang Screensaver05.scr
2008-11-15 10:39 4,817,056 ----a-w c:\windows\Bigbang Screensaver04.scr
2008-10-14 20:54 51,716 ----a-w c:\windows\system32\pdf995mon.dll
2008-10-14 20:54 249,856 ----a-w c:\windows\system32\pdfmona.dll
2008-10-13 22:37 45,056 ----a-w c:\windows\system32\wnaspi32.dll
2008-10-03 03:35 45,056 ----a-w c:\windows\NCUNINST.EXe
2008-10-03 03:35 40,960 ----a-w c:\windows\NCLAUNCH.EXe
.

((((((((((((((((((((((((((((( SnapShot@2009-01-31_ 9.53.31.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-31 18:00:11 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-10-02 40960]
"cdoosoft"="c:\windows\system32\olhrwef.exe" [2009-01-19 108753]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 363008]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]
"VTTimer"="VTTimer.exe" [2006-08-03 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-11 c:\windows\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-31 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Tin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-30 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-09-02 659456]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-30 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d436bfd-cd43-11dd-9216-001d60a1315a}]
\Shell\AutoPlay\Command - F:\console.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL console.exe
\Shell\Explore\Command - F:\console.exe
\Shell\Open\Command - F:\console.exe
\Shell\Scan For Viruses\Command - F:\console.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55941e9d-7df1-11dd-915e-001d60a1315a}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abdba8e-96d8-11dd-919c-001d60a1315a}]
\Shell\AutoRun\command - F:\j60osk9.cmd
\Shell\open\Command - F:\j60osk9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{699bf8d4-dcf8-11dd-9233-001d60a1315a}]
\Shell\AutoRun\command - xih9.cmd
\Shell\explore\Command - xih9.cmd
\Shell\open\Command - xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{751df030-899d-11dd-917b-001d60a1315a}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ddeeeae-ce03-11dd-9218-001d60a1315a}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99c30261-93fc-11dd-9195-001d60a1315a}]
\Shell\AutoRun\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ae5ce4b-8aa7-11dd-917d-001d60a1315a}]
\Shell\AutoRun\command - 08dgu.com
\Shell\explore\Command - 08dgu.com
\Shell\open\Command - 08dgu.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3c09ba2-90eb-11dd-918e-001d60a1315a}]
\Shell\AutoRun\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3d77717-7c2d-11dd-915a-001d60a1315a}]
\Shell\AutoRun\command - g:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - g:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df1020f3-cde6-11dd-9217-001d60a1315a}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e05de9b8-7986-11dd-9154-001d60a1315a}]
\Shell\AutoRun\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
\Shell\open\command - f:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e796aa0e-9a31-11dd-91ac-001d60a1315a}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e796aa12-9a31-11dd-91ac-001d60a1315a}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 10:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,63,dc,f4,47,4b,
a8,dd,a2,c8,28,51,af,b0,29,a3,98,35,61,fc,d4,ab,62,f6,03,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,d9,f6,35,74,2d,
93,69,12,71,3b,04,66,8b,46,0d,96,cd,bb,d2,04,72,88,ef,e4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,83,51,5b,f3,f6,
df,e9,8f,25,da,ec,7e,55,20,c9,26,b0,b4,33,b0,b7,5c,0f,bf,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,61,df,bf,6b,2a,
be,61,f9,3e,1e,9e,e0,57,5a,93,61,f0,36,a0,de,40,ff,cd,af,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,cb,6f,50,16,35,
70,fa,d7,cd,44,cd,b9,a6,33,6c,cd,5a,77,37,be,5b,11,42,f2,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,a0,36,8f,bb,5e,
69,2b,5a,b0,18,ed,a7,3f,8d,37,a4,0e,43,a3,93,9e,02,9c,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,8d,86,ff,51,b5,
7d,52,96,31,77,e1,ba,b1,f8,68,02,93,da,55,be,ca,40,65,14,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,8a,8e,00,77,41,
1a,ca,94,83,6c,56,8b,a0,85,96,ab,c3,e1,c1,ed,ca,ce,8b,09,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,4b,c9,4b,0b,c1,
af,ad,f6,51,fa,6e,91,28,9e,14,cc,54,3a,c7,1d,ff,cd,a4,54,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ea,bb,e9,98,76,
04,d4,f6,b1,cd,45,5a,a8,c4,f8,b9,cb,36,4f,12,f8,67,04,32,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,82,c6,f7,a4,c2,
26,3b,d7,e3,0e,66,d5,eb,bc,2f,6b,38,ba,6e,e3,03,3c,69,97,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,39,73,94,0f,07,
2d,dc,76,fa,ea,66,7f,d4,3b,6b,70,fd,5c,36,e3,db,31,69,d2,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-31 10:10:17
ComboFix-quarantined-files.txt 2009-01-31 18:10:03
ComboFix2.txt 2009-01-31 17:54:20

Pre-Run: 13,196,357,632 bytes free
Post-Run: 13,185,200,128 bytes free

#6
hermyrtle
And lastly, the recent HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:13 AM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ?????.lnk
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6330 bytes