
So many Malware virus! kindly please help me..... T_T [RESOLVED]


This topic is locked

#1
moogart
Member
53 posts
Please help my PC... T_T

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:06 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Administrator\ie_updates3r.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\winself.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [advap32] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\loader2.exe" /r
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.arcadetow...aploader_v6.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\Administrator\ie_updates3r.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9960 bytes


#2
andrewuk
Trusted Helper
Malware Removal
5,297 posts
Hi moogart

Welcome back to Geeks to Go :)

Firstly, please don't post multiple logs. Just post one log; if it goes 3 days without an answer, then post in the Waiting Room part of the forum.

Secondly, you have quite an infected system there, so in this post we will clear the infections I can see, run a scan and then do a deeper scan of your machine to see what other infections you have.

This will take quite a few posts from myself to clean, and you may not see much improvement to begin with.


====STEP 1====
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

====STEP 2====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do NOT run it yet


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.arcadetow...aploader_v6.cab

O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wmsdkns.exe
    C:\WINDOWS\SYSTEM32\WLCtrl32.dll
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 4====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


In your next reply could I see:
1. the Report.txt log
2. the OTMoveIT log
3. the malwarebytes log
4. the 2 DSS logs (though there may only be one log)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
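Added example (not from this thread, and not part of HijackThis or any of the tools named above): a small Python triage script that reads HijackThis-style log lines like the ones in post #1 and flags the entry types andrewuk asked to fix (the F2 UserInit chain, orphaned O2 BHOs with "(no file)", the O20 Winlogon Notify package), plus a few other entries from the same log that a helper would want to review (autoruns launched from a temp or profile path, a populated AppInit_DLLs value, RunOnce entries invoking cmd.exe, unknown-owner services in unusual locations). The sample lines are constructed from the log in post #1; the function names, the Finding record and the heuristics are my own assumptions, and the script only reports, it removes nothing.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis feature).

It does not change anything on the machine; it just prints the entries a
helper would normally ask the poster to look at, with a one-line reason.
"""
import re
from dataclasses import dataclass

# Constructed sample modeled on the log in post #1; benign lines (ssv.dll,
# nwiz, the NVIDIA service) are included so the filter has something to skip.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [advap32] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\loader2.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\Administrator\ie_updates3r.exe
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


USERINIT_RE = re.compile(r"UserInit=(.*)$", re.IGNORECASE)
# Path fragments that an autorun or service rarely has a good reason to live in.
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\locals~1\\")


def _path_is_suspect(path: str) -> bool:
    """True for temp/profile paths or an .exe sitting directly in a drive root (c:\foo.exe)."""
    p = path.strip().strip('"').lower()
    if any(hint in p for hint in USER_PROFILE_HINTS):
        return True
    return re.match(r"^[a-z]:\\[^\\]+\.exe$", p) is not None


def triage_line(line: str):
    """Return a Finding for one HijackThis log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]
    if section == "F2":
        m = USERINIT_RE.search(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extra:  # Windows only needs userinit.exe here; anything else runs at every logon
                return Finding("F2", "UserInit chains extra executable(s): " + ", ".join(extra), line)
    elif section == "O2":
        if line.endswith("(no file)"):
            return Finding("O2", "BHO registration whose DLL is missing (orphaned CLSID, safe to fix)", line)
    elif section == "O4":
        if "RunOnce" in line and "cmd.exe" in line.lower():
            return Finding("O4", "RunOnce entry invoking cmd.exe to rename system files; review", line)
        if ": " in line:
            target = line.split(": ", 1)[1]          # "[name] command line"
            if "] " in target:
                target = target.split("] ", 1)[1]
            if _path_is_suspect(target):
                return Finding("O4", "autorun launched from a temp or user-profile path", line)
    elif section == "O20":
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            return Finding("O20", "AppInit_DLLs populated: that DLL is loaded into every process using user32.dll", line)
        if line.startswith("O20 - Winlogon Notify:"):
            return Finding("O20", "Winlogon Notify package: DLL loaded by winlogon at logon", line)
    elif section == "O23":
        fields = line.split(" - ")                   # "O23 - Service: <name> - <owner> - <path>"
        if len(fields) >= 4:
            owner, path = fields[-2], fields[-1]
            if "unknown owner" in owner.lower() and _path_is_suspect(path):
                return Finding("O23", "service with no publisher running from an unusual path", line)
    return None


def triage_log(text: str):
    """Run triage_line over every line of a log and collect the findings in order."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Running it on the sample prints eight findings and stays silent on the Java, nwiz and NVIDIA lines; a fresh log pasted into SAMPLE_LOG gets the same treatment. The heuristics are deliberately simple string checks rather than a signature list, so the output is a reading aid for the helper, not a verdict.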

#3
moogart
Topic Starter, Member
53 posts
Sorry for making multiple topics. I kind of resolved my previous post, but it turns out a new malware popped up, so I had to post a new one. Sorry T_T


SDFix: Version 1.167
Run by Administrator on Tue 04/08/2008 at 08:06 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
Google Online Services
IXX55

Path:
C:\Documents and Settings\Administrator\ie_updates3r.exe -A
System32\Drivers\Ixx55.sys

Google Online Services - Deleted
IXX55 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Missing Security Center Service

Rebooting

Service IXX55 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\-39751~1 - Deleted
C:\autorun.inf - Deleted
C:\Documents and Settings\Administrator\ie_updates3r.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\drivers\IXX55.sys - Deleted





Removing Temp Files

ADS Check :


--------

Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Full Scan (C:\|)
Objects scanned: 146748
Time elapsed: 34 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 63

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_adw.bhoad (Unknown.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_adw.bhoad.1 (Unknown.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9ca1536d-5689-40ca-b92a-f646301517d7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{09dc28c6-bce2-42b1-b3ea-8ab82f0f3b0a} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\as_ie_monitor.ie_monitor (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mdReg.clsReg (Rogue.AntispyStorm) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\updatetc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjz469.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjz472.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjz487.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjz497.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjz501.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjz504.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpi (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpl (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

----------
C:\WINDOWS\system32\wmsdkns.exe moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\WLCtrl32.dll not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04082008_082932
------------

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-08 09:20:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:14 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\winself.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9496 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 09:17:37 0 d-------- C:\Program Files\stc
2008-04-08 09:17:36 0 d-------- C:\Program Files\seekmo
2008-04-08 09:17:36 0 d-------- C:\Program Files\180search assistant
2008-04-08 09:17:35 0 d-------- C:\Program Files\zango
2008-04-08 09:17:35 0 d-------- C:\Program Files\180searchassistant
2008-04-08 09:17:34 0 d-------- C:\WINDOWS\FLEOK
2008-04-08 09:17:34 0 d-------- C:\Program Files\180solutions
2008-04-08 09:17:32 0 d-------- C:\Program Files\Sysmnt
2008-04-08 08:32:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-08 08:32:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 08:32:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 08:01:37 0 d-------- C:\WINDOWS\ERUNT
2008-04-08 07:59:08 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-08 01:30:21 9728 --a------ C:\WINDOWS\swin32.dll
2008-04-08 01:30:21 23040 --a------ C:\WINDOWS\stcloader.exe
2008-04-08 01:30:20 17664 --a------ C:\WINDOWS\bjam.dll
2008-04-08 01:30:20 21248 --a------ C:\WINDOWS\2020search2.dll
2008-04-08 01:30:20 13312 --a------ C:\WINDOWS\2020search.dll
2008-04-08 01:30:18 27648 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-04-08 01:30:17 18176 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-04-08 01:30:16 27648 --a------ C:\WINDOWS\180ax.exe
2008-04-08 01:30:15 28160 --a------ C:\WINDOWS\updatetc.exe
2008-04-08 00:55:43 2464 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 00:54:56 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-08 00:54:56 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-08 00:54:56 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-08 00:54:56 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-08 00:54:56 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-08 00:54:56 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-08 00:54:56 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 00:07:55 16896 --a------ C:\WINDOWS\cdsm32.dll
2008-04-08 00:07:53 24576 --a------ C:\WINDOWS\salm.exe
2008-04-08 00:07:53 28928 --a------ C:\WINDOWS\saiemod.dll
2008-04-07 23:22:53 0 d-------- C:\Program Files\PCPitstop
2008-04-07 23:07:09 17664 --a------ C:\WINDOWS\voiceip.dll
2008-04-07 23:07:08 15104 --a------ C:\WINDOWS\mssvr.exe
2008-04-07 23:07:08 23040 --a------ C:\WINDOWS\mspphe.dll
2008-04-07 23:07:08 24064 --a------ C:\WINDOWS\bokja.exe
2008-04-07 23:07:06 16128 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-07 23:07:05 24832 --a------ C:\WINDOWS\msapasrc.dll
2008-04-07 23:07:05 24320 --a------ C:\WINDOWS\msa64chk.dll
2008-04-07 23:07:04 9728 --a------ C:\WINDOWS\winsb.dll
2008-04-07 23:07:04 28160 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-04-07 23:07:04 12032 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-07 23:07:04 27136 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-07 23:07:04 20736 --a------ C:\WINDOWS\shdocpl.dll
2008-04-07 23:07:04 22016 --a------ C:\WINDOWS\shdocpe.dll
2008-04-07 23:07:04 18432 --a------ C:\WINDOWS\ntnut.exe
2008-04-07 23:07:04 22528 --a------ C:\WINDOWS\browserad.dll
2008-04-07 23:07:03 20480 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-07 23:07:03 24064 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-07 23:07:03 27392 --a------ C:\WINDOWS\avifile32.dll
2008-04-07 23:07:03 27648 --a------ C:\WINDOWS\autodisc32.dll
2008-04-07 23:07:03 22528 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-07 23:07:03 15104 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-07 23:07:03 28416 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-07 23:07:03 11008 --a------ C:\WINDOWS\athprxy32.dll
2008-04-07 23:07:02 27904 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-07 23:07:02 15104 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-07 23:07:02 13312 --a------ C:\WINDOWS\asferror32.dll
2008-04-07 23:07:02 19200 --a------ C:\WINDOWS\apphelp32.dll
2008-04-07 22:45:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-07 22:45:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-07 22:45:41 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-07 22:45:40 91563 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-07 21:49:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Regrun
2008-04-07 21:49:13 0 d-------- C:\backreg
2008-04-07 21:48:40 0 d-------- C:\Program Files\Greatis
2008-04-07 21:39:33 20992 --a------ C:\winself.exe
2008-04-07 21:33:30 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 21:33:30 2549 --a------ C:\WINDOWS\unins000.dat
2008-04-07 21:20:11 20992 --a------ C:\WINDOWS\winself.exe
2008-04-06 18:38:54 0 d-------- C:\WINDOWS\system32\drivers\character
2008-04-05 18:45:51 0 d-------- C:\Program Files\Trend Micro
2008-04-05 14:56:36 0 d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-05 12:48:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-05 12:25:20 0 d-------- C:\Program Files\VideoLAN
2008-04-05 09:47:54 29760 --a------ C:\WINDOWS\system32\diTg2wV2.exe
2008-04-04 12:42:52 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-04 07:43:39 0 d-------- C:\WINDOWS\NV26162628.TMP
2008-04-03 19:41:52 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-03-31 13:23:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-03-31 13:10:48 0 d-------- C:\Program Files\Acronis
2008-03-31 13:10:47 0 d-------- C:\Program Files\Common Files\Acronis
2008-03-31 13:09:06 0 d-------- C:\Program Files\Acronis Disk Director Suite 10 build 2160
2008-03-30 22:29:33 0 d-------- C:\Program Files\EuphRO2
2008-03-29 21:06:47 0 d-------- C:\UnrealEngine2Runtime
2008-03-19 10:46:20 0 d-------- C:\Program Files\Anino Games
2008-03-14 07:31:22 0 d-------- C:\Program Files\AeriaGames
2008-03-11 10:25:01 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-10 15:52:02 36868 --a------ C:\Program Files\uninst-3DStroke.exe
2008-03-10 15:52:02 0 d-------- C:\Program Files\Trapcode
2008-03-10 12:41:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-03-10 12:41:17 0 d-------- C:\Program Files\Common Files\Realtime Soft
2008-03-10 12:41:16 0 d-------- C:\Program Files\UltraMon
2008-03-10 12:41:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-03-08 09:39:22 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-03-08 09:39:01 0 d-------- C:\Program Files\Crazybump Beta Test


-- Find3M Report ---------------------------------------------------------------

2008-04-08 09:20:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-04-08 08:11:49 12615 --a------ C:\WINDOWS\system32\tablet.dat
2008-04-08 08:11:45 0 --a------ C:\WINDOWS\TempFile
2008-04-08 01:04:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-08 00:07:41 0 d-------- C:\Program Files\Common Files
2008-04-07 21:19:48 0 d-------- C:\Program Files\SpywareBlaster
2008-04-05 12:48:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-04 12:42:54 0 d-------- C:\Program Files\Realtek
2008-04-04 12:31:50 0 d-------- C:\Program Files\Intel
2008-03-31 15:46:29 0 d-------- C:\Program Files\Warcraft III
2008-03-19 12:48:16 0 d-------- C:\Program Files\World of Warcraft
2008-03-11 10:24:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-03-11 07:54:50 0 d-------- C:\Program Files\FreeStyle Philippines
2008-03-05 18:07:48 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-03-03 14:16:26 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-03 14:16:26 0 d-------- C:\Program Files\Dragonfly
2008-02-25 20:24:02 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-02-25 16:42:27 0 d-------- C:\Program Files\Your Company Name
2008-02-25 16:30:34 0 d-------- C:\Program Files\LineageII
2008-02-25 16:25:30 0 d-------- C:\Program Files\AMPED
2008-02-25 16:24:55 0 d-------- C:\Program Files\Acoustica Mixcraft 3
2008-02-24 14:49:06 0 d-------- C:\Program Files\NVIDIA Corporation
2008-02-24 14:48:15 0 d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-02-16 20:42:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-01-27 09:49:15 24224 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-13 19:39:40 1343 --a------ C:\WINDOWS\checkip.dat
2008-01-13 19:38:47 1716 --a------ C:\WINDOWS\ipconfig.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07/21/2007 02:05 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [02/22/2007 07:53 PM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [11/14/2007 11:43 PM]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" []
"@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 09:26 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [12/17/2007 05:13 PM]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" []
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)
"DisableCAD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMHelp"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\drivers\77589.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bvl03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chr47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iii77.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iss25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ixx55.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rrr14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vbl17.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltraMon]
"C:\Program Files\UltraMon\UltraMon.exe" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nTuneService"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
Auto\command- F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a208089-2ed5-436f-b5b9-596b4c14a234}]
Auto\command- F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4366319a-17e0-11dc-a1d8-0019d16179ca}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68d1db2c-514d-11dc-b693-0019d16179ca}]
AutoRun\command- password_viewer.exe %1
Explore\command- password_viewer.exe %1
Open\command- password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a732ecce-fee2-11dc-ba89-0013d37d139b}]
Auto\command- E:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- E:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55d053a-6574-11dc-b6fb-0019d16179ca}]
AutoRun\command- E:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9bc6d22-2f6f-11dc-b604-0019d16179ca}]
AutoRun\command- E:\photos.zip.exe %1
Explore\command- E:\photos.zip.exe %1
Open\command- E:\photos.zip.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52588d8-2eea-11dc-b600-806d6172696f}]
AutoRun\command- D:\Installer.exe




-- End of Deckard's System Scanner: finished at 2008-04-08 09:20:38 ------------
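The DSS output above shows the persistence points a helper reads a HijackThis log for: the Winlogon Userinit chain extended with wmsdkns.exe (F2), a DLL in AppInit_DLLs (O20), a service with no publisher running from the root of C: (O23), a run of orphaned BHO registrations (O2 with "(no file)"), the DisableTaskMgr/DisableCAD policy values, and MountPoints2 autorun commands pointing at RECYCLER folders, double-extension files and scripts on removable drives. The Python script below is an added example, not part of this thread, of HijackThis or of Deckard's System Scanner; it applies those checks to log lines pasted in as text. The sample lines are a small subset copied from the log above; the allow-list of trusted directories, the lure patterns and the finding names are this example's own assumptions, not anything the tools define.

```python
"""Triage HijackThis / DSS log lines for XP-era persistence (added example, not the tools' code).
Assumptions marked below: the trusted-directory allow-list, the autorun lure patterns and
the finding names are choices made for this example."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the persistence mechanism (names chosen here)
    detail: str  # offending value, verbatim from the log line


# Assumption: a service with no recognised publisher is still plausible under these two
# roots (XP's own cisvc.exe reports "Unknown owner"); anywhere else it deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

DOUBLE_EXT = re.compile(r"\.\w{2,4}\.(exe|scr|com|pif|bat|cmd)\b", re.I)  # photos.zip.exe
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\s+\.\\", re.I)             # wscript .\x.vbs
BARE_EXE = re.compile(r"^[\w-]+\.(exe|scr|com|pif|bat|cmd)\b", re.I)      # exe with no drive/dir
MOUNTPOINT_CMD = re.compile(r"^\w+\\command-\s*(.+?)\s*$", re.I)           # DSS MountPoints2 row
POLICY = re.compile(r'^"(DisableTaskMgr|DisableCAD|DisableRegistryTools)"=1\b')


def check_userinit(value: str) -> List[Finding]:
    """Winlogon\\Userinit is a comma-separated launch list; only userinit.exe belongs in it."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [Finding("userinit_hijack", e) for e in entries
            if not e.lower().endswith("\\userinit.exe")]


def check_autorun(cmd: str) -> List[Finding]:
    """MountPoints2 <verb>\\command values are what Explorer runs when a drive is opened."""
    lowered = cmd.lower()
    suspicious = (
        "recycler\\" in lowered                    # payload hidden in a fake Recycle Bin folder
        or DOUBLE_EXT.search(cmd) is not None      # double-extension lure
        or SCRIPT_HOST.search(cmd) is not None     # script host fed a file off the drive
        or (BARE_EXE.match(cmd) is not None        # bare exe name, except Explorer itself
            and lowered.split()[0] != "explorer.exe")
    )
    return [Finding("autorun_lure", cmd)] if suspicious else []


def triage(log_text: str) -> List[Finding]:
    """Walk log lines and collect findings; line types without a rule are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            findings += check_userinit(line.split("UserInit=", 1)[1])
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Every DLL listed here is mapped into every process that loads user32.dll.
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding("appinit_dll", value))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # Registered BHO whose DLL is gone: leftover adware registration, safe to remove.
            clsid = re.search(r"\{[0-9a-f-]+\}", line, re.I)
            findings.append(Finding("orphan_bho", clsid.group(0) if clsid else line))
        elif line.startswith("O23 - Service:"):
            parts = line.rsplit(" - ", 2)  # "... <name> - <owner> - <path>"
            if len(parts) == 3:
                _, owner, path = parts
                if owner == "Unknown owner" and not path.lower().startswith(TRUSTED_DIRS):
                    findings.append(Finding("unsigned_service_odd_path", path))
        elif (m := POLICY.match(line)):
            # Policies that hide Task Manager or the Ctrl+Alt+Del screen from the user.
            findings.append(Finding("policy_lockout", m.group(1)))
        elif (m := MOUNTPOINT_CMD.match(line)):
            findings += check_autorun(m.group(1))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'autorun_lure': 4, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: a subset of lines copied from the DSS log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"DisableTaskMgr"=1 (0x1)
"DisableCAD"=1 (0x1)
"DisableRegistryTools"=0 (0x0)
Auto\command- F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- E:\photos.zip.exe %1
explore\Command- WScript.exe .\azkaban.vbs
Open\command- password_viewer.exe %1
AutoRun\command- EXPLORER.EXE
AutoRun\command- D:\Installer.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:28} {f.detail}")
    print(summarize(results))
```

Everything flagged still needs a human look before anything is deleted: the orphaned BHOs are harmless leftovers, whereas the Userinit and AppInit_DLLs hits point at code that loads at every logon and into every GUI process, and the MountPoints2 entries mean the infected removable drives will reinfect a cleaned machine the next time they are plugged in.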

#4
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
That certainly cleared a number of infections. We will now clean some more and set ourselves up to clear further infections in my following post after this one.

Firstly, some questions:

1. Do you recognise this address? Is it your company, or your ISP?
Philippine Long Distance Telephone Company 14/F Ramon Cojuangco Building Makati Avenue Makati City 1200 Philippines

2. Did you disable the Task Manager? (i.e. did you want to prevent the Task Manager from being displayed when you press Ctrl+Alt+Delete?)


Then, please visit this webpage for instructions on downloading and running ComboFix:

<http://www.bleepingc...o-use-combofix>

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console, read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, you'll see the option for the Recovery Console right after reboot as well. Don't select Recovery Console, as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



In your next reply, could I see:
1. the answers to the 2 questions
2. the ComboFix log
3. a new HijackThis log

andrewuk

#5
moogart

    Member

  • Topic Starter
  • Member
  • 53 posts
1. Do you recognise this address? Is it your company, or your ISP?
Philippine Long Distance Telephone Company 14/F Ramon Cojuangco Building Makati Avenue Makati City 1200 Philippines

Yes, that's my Internet provider, PLDT.

2. Did you disable the Task Manager? (i.e. did you want to prevent the Task Manager from being displayed when you press Ctrl+Alt+Delete?)
I actually don't know how to disable it; I want it to be back. Hope you could fix it, thanks! ^^

ComboFix log:
ComboFix 08-04-08.7 - Administrator 2008-04-09 10:00:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.608 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\msettings.ini
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\624855\624855.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 21:41 . 2008-04-09 10:02 <DIR> d-------- C:\WINDOWS\system32\624855
2008-04-08 09:17 . 2008-04-08 09:17 <DIR> d-------- C:\WINDOWS\FLEOK
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-08 08:29 . 2008-04-08 08:29 <DIR> d-------- C:\_OTMoveIt
2008-04-08 08:01 . 2008-04-08 08:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 07:58 . 2008-04-08 08:19 <DIR> d-------- C:\SDFix
2008-04-08 01:30 . 2008-04-08 09:17 16,128 --a------ C:\WINDOWS\didduid.ini
2008-04-08 00:55 . 2008-04-08 07:46 2,464 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 00:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 00:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 00:54 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 00:54 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 00:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 00:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 00:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-08 00:45 . 2008-04-08 00:46 3,089,408 --a------ C:\backup.bkf
2008-04-08 00:06 . 2008-04-08 00:06 251 --a------ C:\WINDOWS\wininit.ini
2008-04-07 23:22 . 2008-04-07 23:22 <DIR> d-------- C:\Program Files\PCPitstop
2008-04-07 22:45 . 2008-04-07 22:45 91,563 --a------ C:\WINDOWS\lfn.exe
2008-04-07 22:03 . 2008-04-08 01:00 76 --a------ C:\WINDOWS\lsoon.ini
2008-04-07 21:50 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-04-07 21:49 . 2008-04-07 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Regrun
2008-04-07 21:48 . 2008-04-07 21:48 <DIR> d-------- C:\Program Files\Greatis
2008-04-07 21:48 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-04-07 21:39 . 2008-04-07 21:39 20,992 --a------ C:\winself.exe
2008-04-07 21:33 . 2008-04-07 21:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 21:33 . 2008-04-07 21:33 2,549 --a------ C:\WINDOWS\unins000.dat
2008-04-07 21:20 . 2008-04-07 21:20 20,992 --a------ C:\WINDOWS\winself.exe
2008-04-07 21:20 . 2008-04-08 21:41 200 -r-hs---- C:\WINDOWS\mscon.sio
2008-04-07 21:20 . 2008-04-08 21:41 16 -r-hs---- C:\WINDOWS\conf.inf
2008-04-07 21:20 . 2008-04-08 23:15 12 --------- C:\WINDOWS\ky.sxc
2008-04-07 18:12 . 2008-04-08 01:17 464 --a------ C:\WINDOWS\system32\zzxbkb.tmp
2008-04-06 18:38 . 2008-04-06 18:38 <DIR> d-------- C:\WINDOWS\system32\drivers\character
2008-04-05 18:45 . 2008-04-05 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 14:56 . 2008-04-05 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-05 12:48 . 2008-04-05 12:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-05 12:25 . 2008-04-05 12:25 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-05 09:47 . 2008-04-05 09:47 29,760 --a------ C:\WINDOWS\system32\diTg2wV2.exe
2008-04-04 12:43 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss
2008-04-04 12:42 . 2008-04-04 12:42 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-04-04 12:42 . 2005-05-03 18:43 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-04-04 07:43 . 2008-04-04 07:44 <DIR> d-------- C:\WINDOWS\NV26162628.TMP
2008-04-03 19:41 . 2008-04-03 19:41 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-03-31 13:23 . 2008-03-31 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-03-31 13:11 . 2008-03-31 13:11 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-03-31 13:10 . 2008-03-31 13:10 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-03-31 13:10 . 2008-03-31 13:10 <DIR> d-------- C:\Program Files\Acronis
2008-03-31 13:09 . 2008-03-31 13:09 <DIR> d-------- C:\Program Files\Acronis Disk Director Suite 10 build 2160
2008-03-30 22:29 . 2008-03-31 19:39 <DIR> d-------- C:\Program Files\EuphRO2
2008-03-29 21:06 . 2008-03-29 21:07 <DIR> d-------- C:\UnrealEngine2Runtime
2008-03-28 09:33 . 2008-04-07 14:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 09:33 . 2008-03-28 09:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-19 10:46 . 2008-03-19 10:46 <DIR> d-------- C:\Program Files\Anino Games
2008-03-14 07:31 . 2008-03-14 07:31 <DIR> d-------- C:\Program Files\AeriaGames
2008-03-11 10:25 . 2008-03-11 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-10 15:52 . 2008-03-10 15:52 <DIR> d-------- C:\Program Files\Trapcode
2008-03-10 15:52 . 2008-03-10 16:04 36,868 --a------ C:\Program Files\uninst-3DStroke.exe
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Program Files\UltraMon
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Program Files\Common Files\Realtime Soft
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 01:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-04-08 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 17:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-07 13:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 13:19 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-05 04:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-04 04:42 --------- d-----w C:\Program Files\Realtek
2008-04-04 04:31 --------- d-----w C:\Program Files\Intel
2008-03-31 07:46 --------- d-----w C:\Program Files\Warcraft III
2008-03-26 10:37 4,713,472 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-26 08:14 16,859,136 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-19 04:48 --------- d-----w C:\Program Files\World of Warcraft
2008-03-10 23:54 --------- d-----w C:\Program Files\FreeStyle Philippines
2008-03-08 01:39 --------- d-----w C:\Program Files\Crazybump Beta Test
2008-03-05 10:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-05 08:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 08:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 08:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 07:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 07:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-03 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 06:16 --------- d-----w C:\Program Files\Dragonfly
2008-02-25 12:24 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-25 08:42 --------- d-----w C:\Program Files\Your Company Name
2008-02-25 08:30 --------- d-----w C:\Program Files\LineageII
2008-02-25 08:25 --------- d-----w C:\Program Files\AMPED
2008-02-25 08:24 --------- d-----w C:\Program Files\Acoustica Mixcraft 3
2008-02-24 06:49 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-24 06:48 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-02-05 15:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2008-01-27 01:49 24,224 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-12 03:32 5,668 ----a-w C:\Program Files\install.log
2007-09-23 04:45 421 --sha-r C:\WINDOWS\system32\azkaban.bat
2007-09-22 15:31 542 --sha-r C:\WINDOWS\system32\azkaban.reg
2007-09-22 15:29 1,137 --sha-r C:\WINDOWS\system32\azkaban.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:26 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [ ]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-21 02:05 6731312]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 19:53 2209224]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-11-14 23:43 286720]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [ ]
"@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:26 15360]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-23 15:17 2068527]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-28 08:36 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 09:26 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 09:26 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 07:29 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\drivers\77589.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bvl03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chr47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iii77.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iss25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ixx55.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rrr14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vbl17.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-07-21 02:05 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-22 08:49 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 09:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2006-08-23 15:17 2068527 C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 19:25 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]
--a------ 2005-08-24 15:11 61952 C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltraMon]
--a------ 2005-05-14 18:23 187904 C:\Program Files\UltraMon\UltraMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-05-03 17:43 2019328 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 17:13 3810544 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nTuneService"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"C:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R2 MSSysInterv;MSSysInterv;c:\winself.exe service []
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2005-06-02 13:54]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2005-05-14 18:41]
S0 Bvl03;Bvl03;C:\WINDOWS\system32\Drivers\Bvl03.sys []
S0 Chr47;Chr47;C:\WINDOWS\system32\Drivers\Chr47.sys []
S0 Iii77;Iii77;C:\WINDOWS\system32\Drivers\Iii77.sys []
S0 Iss25;Iss25;C:\WINDOWS\system32\Drivers\Iss25.sys []
S0 Rrr14;Rrr14;C:\WINDOWS\system32\Drivers\Rrr14.sys []
S0 Vbl17;Vbl17;C:\WINDOWS\system32\Drivers\Vbl17.sys []
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\AeriaGames\ProjectTorque\GameGuard\dump_wmimmc.sys []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S3 XDva011;XDva011;C:\WINDOWS\system32\XDva011.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\Auto\command - F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
\Shell\Browser\command - F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4366319a-17e0-11dc-a1d8-0019d16179ca}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68d1db2c-514d-11dc-b693-0019d16179ca}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55d053a-6574-11dc-b6fb-0019d16179ca}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\azkaban.vbs
\Shell\open\Command - WScript.exe .\azkaban.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9bc6d22-2f6f-11dc-b604-0019d16179ca}]
\Shell\AutoRun\command - E:\photos.zip.exe %1
\Shell\Explore\command - E:\photos.zip.exe %1
\Shell\Open\command - E:\photos.zip.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52588d8-2eea-11dc-b600-806d6172696f}]
\Shell\AutoRun\command - D:\Installer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 08:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 10:02:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 10:02:54
ComboFix-quarantined-files.txt 2008-04-09 02:02:46
ComboFix2.txt 2008-02-16 10:09:57
Pre-Run: 21,696,954,368 bytes free
Post-Run: 21,682,184,192 bytes free


New Hijack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:06 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\winself.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O17 - HKLM\System\CS2\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8552 bytes

#6
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

2. Did you disable the Task Manager? (i.e. did you want to prevent the Task Manager from being displayed when you press Ctrl+Alt+Delete?)
I actually don't know how to disable it, I want it to be back... hope you could fix it, thanks! ^^

Hmm... looks as though that may have been fixed in the prior post. Could you check to see if you can get the Task Manager up by pressing Ctrl+Alt+Delete? If not, let me know and we can fix that.

In this post we will clear the rest of the malware I can see, and then see where we stand.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.


====STEP 3====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\didduid.ini
C:\winself.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\Alcmtr.exe
C:\WINDOWS\system32\azkaban.bat
C:\WINDOWS\system32\azkaban.reg
C:\WINDOWS\system32\azkaban.vbs
C:\WINDOWS\system32\drivers\77589.dll
C:\WINDOWS\system32\Drivers\Bvl03.sys
C:\WINDOWS\system32\Drivers\Chr47.sys
C:\WINDOWS\system32\Drivers\Iii77.sys
C:\WINDOWS\system32\Drivers\Iss25.sys
C:\WINDOWS\system32\Drivers\Rrr14.sys
C:\WINDOWS\system32\Drivers\Vbl17.sys
C:\Program Files\AeriaGames\ProjectTorque\GameGuard\dump_wmimmc.sys
C:\WINDOWS\mscon.sio
C:\WINDOWS\conf.inf
C:\WINDOWS\ky.sxc

Folder::
C:\WINDOWS\FLEOK

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bvl03.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chr47.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iii77.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iss25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ixx55.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rrr14.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vbl17.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4366319a-17e0-11dc-a1d8-0019d16179ca}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68d1db2c-514d-11dc-b693-0019d16179ca}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55d053a-6574-11dc-b6fb-0019d16179ca}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9bc6d22-2f6f-11dc-b604-0019d16179ca}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52588d8-2eea-11dc-b600-806d6172696f}]

Driver::
MSSysInterv
Bvl03
Chr47
Iii77
Iss25
Rrr14
Vbl17
dump_wmimmc


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


In your next reply could I see:
1. the answer to the question of can you get your Task Manager to work
2. the combofix log
3. a new hijackthis log

andrewuk
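As an added example (not part of this thread, and not code from HijackThis, ComboFix or the helper), the triage below reads a handful of lines copied from the logs posted above and flags the same kinds of entries andrewuk targeted: a populated AppInit_DLLs value, a service of unknown ownership running from a drive root, MountPoints2 shell commands that launch a binary or script when a removable drive is opened, and drivers recorded with no file date or size. The trusted-directory list (C:\WINDOWS and C:\Program Files on a C: system drive) is an assumption about this machine's layout; the script only reads log text and changes nothing.

```python
import re

# HijackThis O20: any populated AppInit_DLLs value is worth a look on XP.
HJT_O20 = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$")
# HijackThis O23: "Service: <name> - <owner> - <path>"
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix MountPoints2 block: a key line, then "\Shell\<verb>\command - <cmd>" lines
MP2_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<vol>[^\]]+)\]$", re.I)
MP2_CMD = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)
# ComboFix driver/service line: "<start> <name>;<display>;<path> [<file date/size>]"
CFX_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<fileinfo>[^\]]*)\]$")

# Assumption: C: is the system drive. A service binary of unknown owner that lives
# outside these two trees (such as c:\winself.exe) is reported for review.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def under_trusted_dir(path: str) -> bool:
    """True if a service binary lives under Windows or Program Files."""
    return path.strip().lower().startswith(TRUSTED_PREFIXES)


def mountpoint_reason(cmd: str):
    """Explain why a MountPoints2 shell command is suspicious, or None if benign."""
    c = cmd.strip().lower()
    if "recycler\\" in c:
        return "launches a binary hidden in RECYCLER (autorun-worm layout)"
    if re.search(r"\b[wc]script\.exe\b", c):
        return "runs a script through Windows Script Host when the drive is opened"
    m = re.search(r"([\w.%-]+\.(?:exe|com|bat|cmd|vbs|pif|scr))\b", c)
    if m and not m.group(1).endswith("explorer.exe"):
        return f"runs {m.group(1)} instead of opening the drive"
    return None  # e.g. plain EXPLORER.EXE or a bare drive letter


def triage(log_text: str):
    """Return (category, item, reason) tuples for log entries that need review."""
    findings = []
    volume = None  # MountPoints2 volume whose \Shell commands we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = MP2_KEY.match(line)
            volume = m.group("vol") if m else None
            continue
        m = MP2_CMD.match(line)
        if m:
            reason = mountpoint_reason(m.group("cmd"))
            if volume and reason:
                findings.append(("MountPoints2", f"{volume} \\Shell\\{m.group('verb')}\\command", reason))
            continue
        m = HJT_O20.match(line)
        if m:
            findings.append(("AppInit_DLLs", m.group("dlls"),
                             "DLL injected into every process that loads user32.dll"))
            continue
        m = HJT_O23.match(line)
        if m:
            if m.group("owner") == "Unknown owner" and not under_trusted_dir(m.group("path")):
                findings.append(("Service", m.group("name"),
                                 f"unknown owner, binary outside Windows/Program Files: {m.group('path')}"))
            continue
        m = CFX_SVC.match(line)
        if m and not m.group("fileinfo").strip():
            findings.append(("Driver/Service", m.group("name"),
                             "no file date/size recorded: image missing or hidden"))
    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\77589.dll
O23 - Service: MSSysInterv - Unknown owner - c:\winself.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\Auto\command - F:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4366319a-17e0-11dc-a1d8-0019d16179ca}]
\Shell\AutoRun\command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55d053a-6574-11dc-b6fb-0019d16179ca}]
\Shell\AutoRun\command - E:\
\Shell\open\Command - WScript.exe .\azkaban.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9bc6d22-2f6f-11dc-b604-0019d16179ca}]
\Shell\AutoRun\command - E:\photos.zip.exe %1
R2 MSSysInterv;MSSysInterv;c:\winself.exe service []
S0 Bvl03;Bvl03;C:\WINDOWS\system32\Drivers\Bvl03.sys []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
"""

if __name__ == "__main__":
    for category, item, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {item}: {reason}")
```

The benign lines in the sample (the NVIDIA service, the Indexing Service binary under C:\WINDOWS, the plain EXPLORER.EXE handler and the dated Icam3.sys driver) are deliberately left unflagged so the rules can be checked against known-good entries from the same log.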

#7
moogart

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
1. Yes, I can now use the Task Manager, thanks ^^
2. Do I have to use Flash Disinfector on all my flash disks, including my external hard disk? And also on things like cameras and phones?

Sir, is there any chance that you could find out why my computer starts up so slowly? It takes 2-4 min before I can run any programs... but if I unplug my DSL or remove my DSL cable, my startup runs smoothly. Is there a problem with my network connection? Thanks

-----------------------------------------
ComboFix 08-04-08.7 - Administrator 2008-04-10 8:01:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.659 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\PROGRAMS\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\AeriaGames\ProjectTorque\GameGuard\dump_wmimmc.sys
C:\WINDOWS\Alcmtr.exe
C:\WINDOWS\conf.inf
C:\WINDOWS\didduid.ini
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\azkaban.bat
C:\WINDOWS\system32\azkaban.reg
C:\WINDOWS\system32\azkaban.vbs
C:\WINDOWS\system32\drivers\77589.dll
C:\WINDOWS\system32\Drivers\Bvl03.sys
C:\WINDOWS\system32\Drivers\Chr47.sys
C:\WINDOWS\system32\Drivers\Iii77.sys
C:\WINDOWS\system32\Drivers\Iss25.sys
C:\WINDOWS\system32\Drivers\Rrr14.sys
C:\WINDOWS\system32\Drivers\Vbl17.sys
C:\WINDOWS\winself.exe
C:\winself.exe
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Alcmtr.exe
C:\WINDOWS\conf.inf
C:\WINDOWS\didduid.ini
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\azkaban.bat
C:\WINDOWS\system32\azkaban.reg
C:\WINDOWS\system32\azkaban.vbs
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUMP_WMIMMC
-------\Legacy_MSSYSINTERV
-------\Service_Chr47
-------\Service_dump_wmimmc
-------\Service_Iii77
-------\Service_Iss25
-------\Service_MSSysInterv
-------\Service_Rrr14
-------\Service_Vbl17


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-08 21:41 . 2008-04-09 10:02 <DIR> d-------- C:\WINDOWS\system32\624855
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-08 08:29 . 2008-04-08 08:29 <DIR> d-------- C:\_OTMoveIt
2008-04-08 08:01 . 2008-04-08 08:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 07:58 . 2008-04-08 08:19 <DIR> d-------- C:\SDFix
2008-04-08 00:55 . 2008-04-08 07:46 2,464 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 00:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 00:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 00:54 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 00:54 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 00:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 00:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 00:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-08 00:45 . 2008-04-08 00:46 3,089,408 --a------ C:\backup.bkf
2008-04-08 00:06 . 2008-04-08 00:06 251 --a------ C:\WINDOWS\wininit.ini
2008-04-07 23:22 . 2008-04-07 23:22 <DIR> d-------- C:\Program Files\PCPitstop
2008-04-07 22:45 . 2008-04-07 22:45 91,563 --a------ C:\WINDOWS\lfn.exe
2008-04-07 22:03 . 2008-04-08 01:00 76 --a------ C:\WINDOWS\lsoon.ini
2008-04-07 21:50 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-04-07 21:49 . 2008-04-07 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Regrun
2008-04-07 21:49 . 2008-04-08 01:00 <DIR> d-------- C:\backreg
2008-04-07 21:48 . 2008-04-07 21:48 <DIR> d-------- C:\Program Files\Greatis
2008-04-07 21:48 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-04-07 21:33 . 2008-04-07 21:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 21:33 . 2008-04-07 21:33 2,549 --a------ C:\WINDOWS\unins000.dat
2008-04-07 18:12 . 2008-04-08 01:17 464 --a------ C:\WINDOWS\system32\zzxbkb.tmp
2008-04-06 18:38 . 2008-04-06 18:38 <DIR> d-------- C:\WINDOWS\system32\drivers\character
2008-04-05 18:45 . 2008-04-05 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 14:56 . 2008-04-05 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-05 12:48 . 2008-04-05 12:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-05 12:25 . 2008-04-05 12:25 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-05 09:47 . 2008-04-05 09:47 29,760 --a------ C:\WINDOWS\system32\diTg2wV2.exe
2008-04-04 12:43 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss
2008-04-04 12:42 . 2008-04-04 12:42 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-04-04 07:43 . 2008-04-04 07:44 <DIR> d-------- C:\WINDOWS\NV26162628.TMP
2008-04-03 19:41 . 2008-04-03 19:41 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-03-31 13:23 . 2008-03-31 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-03-31 13:11 . 2008-03-31 13:11 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-03-31 13:10 . 2008-03-31 13:10 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-03-31 13:10 . 2008-03-31 13:10 <DIR> d-------- C:\Program Files\Acronis
2008-03-31 13:09 . 2008-03-31 13:09 <DIR> d-------- C:\Program Files\Acronis Disk Director Suite 10 build 2160
2008-03-30 22:29 . 2008-03-31 19:39 <DIR> d-------- C:\Program Files\EuphRO2
2008-03-29 21:06 . 2008-03-29 21:07 <DIR> d-------- C:\UnrealEngine2Runtime
2008-03-28 09:33 . 2008-04-07 14:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 09:33 . 2008-03-28 09:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-19 10:46 . 2008-03-19 10:46 <DIR> d-------- C:\Program Files\Anino Games
2008-03-14 07:31 . 2008-03-14 07:31 <DIR> d-------- C:\Program Files\AeriaGames
2008-03-11 10:25 . 2008-03-11 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-10 15:52 . 2008-03-10 15:52 <DIR> d-------- C:\Program Files\Trapcode
2008-03-10 15:52 . 2008-03-10 16:04 36,868 --a------ C:\Program Files\uninst-3DStroke.exe
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Program Files\UltraMon
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Program Files\Common Files\Realtime Soft
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 00:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-09 23:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-04-08 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 13:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 13:19 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-05 04:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-04 04:42 --------- d-----w C:\Program Files\Realtek
2008-04-04 04:31 --------- d-----w C:\Program Files\Intel
2008-03-31 07:46 --------- d-----w C:\Program Files\Warcraft III
2008-03-26 10:37 4,713,472 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-26 08:14 16,859,136 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-19 04:48 --------- d-----w C:\Program Files\World of Warcraft
2008-03-10 23:54 --------- d-----w C:\Program Files\FreeStyle Philippines
2008-03-08 01:39 --------- d-----w C:\Program Files\Crazybump Beta Test
2008-03-05 10:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-03 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 06:16 --------- d-----w C:\Program Files\Dragonfly
2008-02-25 12:24 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-25 08:42 --------- d-----w C:\Program Files\Your Company Name
2008-02-25 08:30 --------- d-----w C:\Program Files\LineageII
2008-02-25 08:25 --------- d-----w C:\Program Files\AMPED
2008-02-25 08:24 --------- d-----w C:\Program Files\Acoustica Mixcraft 3
2008-02-24 06:49 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-24 06:48 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-01-27 01:49 24,224 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-12 03:32 5,668 ----a-w C:\Program Files\install.log
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_10.02.40.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-04-09 01:32:08 12,615 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-04-09 23:57:35 12,615 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:26 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [ ]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-21 02:05 6731312]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 19:53 2209224]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-11-14 23:43 286720]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [ ]
"@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:26 15360]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-23 15:17 2068527]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-28 08:36 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 09:26 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 09:26 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 07:29 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-07-21 02:05 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-22 08:49 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 09:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2006-08-23 15:17 2068527 C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 19:25 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]
--a------ 2005-08-24 15:11 61952 C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltraMon]
--a------ 2005-05-14 18:23 187904 C:\Program Files\UltraMon\UltraMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-05-03 17:43 2019328 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 17:13 3810544 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nTuneService"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"C:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2005-06-02 13:54]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2005-05-14 18:41]
S0 Bvl03;Bvl03;C:\WINDOWS\system32\Drivers\Bvl03.sys []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S3 XDva011;XDva011;C:\WINDOWS\system32\XDva011.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 08:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 08:06:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
.
**************************************************************************
.
Completion time: 2008-04-10 8:10:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 00:10:23
ComboFix2.txt 2008-04-09 02:02:54
ComboFix3.txt 2008-02-16 10:09:57
Pre-Run: 21,674,065,920 bytes free
Post-Run: 21,592,403,968 bytes free

---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:11 AM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CS2\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.44 58.69.254.46
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8271 bytes
  • 0
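As an added example (not code from the thread or from HijackThis itself), here is how a helper's reading of the O4 autostart lines in a log like the one above can be made mechanical: parse each entry, work out which file really runs, and flag the cases that need a second look. The file system is replaced by a constructed set of "present" paths so the script runs offline, the %SystemRoot% mapping is assumed, and the three rules are this example's own heuristics, not anything HijackThis reports.

```python
"""Structured triage of HijackThis O4 autostart lines (added example).

The sample lines are in the format of the log above; PRESENT is a
constructed stand-in for the disk so the script runs offline.
"""
import os
import re

# Layout of an O4 line:  O4 - <hive>\..\<key>: [<name>] <command> (User '<account>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Hosts that merely launch something else; the command line is the real payload.
LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}

# Variables HijackThis leaves unexpanded (assumed mapping for this example).
ENV = {"%SystemRoot%": r"C:\WINDOWS", "%windir%": r"C:\WINDOWS"}

# Constructed stand-in for the file system: only these paths "exist".
PRESENT = {
    r"c:\windows\system32\nvcpl.dll",
    r"c:\program files\yahoo!\messenger\yahoomessenger.exe",
}

# Constructed sample: five O4 lines in the format shown in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
""".strip().splitlines()


def _first_token(s):
    """Split off the first command-line token, honouring double quotes."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end], s[end + 1:]) if end > 0 else (s[1:], "")
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def expand(path):
    """Expand %VAR% forms case-insensitively using the ENV mapping."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return path


def target_of(cmd):
    """Return (target_path, host_exe). For rundll32 the DLL argument is the target."""
    exe, rest = _first_token(cmd)
    host = os.path.basename(exe.replace("\\", "/")).lower()
    if host == "rundll32.exe":
        dll, _ = _first_token(rest)
        return expand(dll.split(",", 1)[0]), host
    return expand(exe), host


def parse_o4(line):
    """Parse one O4 line into a dict, or return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["target"], rec["host"] = target_of(rec["cmd"])
    return rec


def triage(lines, present=PRESENT):
    """Apply three analyst rules and return (name, rule, detail) tuples.

    launcher: runs through a command/script host, so the full command line
              has to be read (the nlsf RunOnce entries are one case).
    orphan:   an absolute path that no longer exists on disk, i.e. a leftover
              registry value whose file was removed.
    relative: a bare file name resolved via the search path; where it really
              lives must be confirmed before judging it.
    """
    findings = []
    for line in lines:
        rec = parse_o4(line)
        if rec is None:
            continue
        target = rec["target"]
        is_absolute = len(target) > 1 and target[1] == ":"
        if rec["host"] in LAUNCHERS:
            findings.append((rec["name"], "launcher", rec["cmd"]))
        elif is_absolute and target.lower() not in present:
            findings.append((rec["name"], "orphan", target))
        elif not is_absolute:
            findings.append((rec["name"], "relative", target))
    return findings


if __name__ == "__main__":
    for name, rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule:8}] {name}: {detail}")
```

On a live machine, replace the PRESENT lookup with os.path.exists and feed the whole HijackThis log; lines other than O4 are skipped by parse_o4.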

#8
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

2. Do I have to use Flash Disinfector on all my flash disks, including my external hard disk? And also things like cameras and phones?

If it asks you to, then yes; one of your drives infected you.

Sir, is there any chance that you could find any problems why my computer starts up so slowly? It takes 2-4 min before I can run any programs, but if I unplug my DSL or remove my DSL cable, my startup runs smoothly. Is there a problem with my network connection? Thanks

That does not look like a malware problem and is most likely beyond my knowledge. So we will finish up on the malware fix (2 or 3 more posts to go, I suspect), then I can forward you on to another part of this forum.

In this post we will do a final couple of scans to ensure your system is clean.

====STEP 1====
I see you have AVG Anti-Spyware. If it is still in date (i.e. the trial version has not run out), then follow the instructions below. If you are using the trial version and it is out of date and can't be updated, then do step 2 instead.

Double-click the AVG antispyware icon to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select ""Do no automatically generate report""
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

====STEP 2====
Only do this step if AVG Anti-Spyware is out of date and can't be updated:

First, uninstall AVG Anti-Spyware via Add/Remove Programs in your Control Panel.

Then download and scan with SUPERAntiSpyware Free for Home Users:
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could I see:
1. the AVG or SUPERAntiSpyware log
2. the Kaspersky scan log

andrewuk
  • 0

#9
moogart

    Member

  • Topic Starter
  • 53 posts
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:10:26 AM 4/11/2008

+ Scan result:



C:\SDFix\backups\catchme.zip/IXX55.sys -> Downloader.Agent.lxa : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 7:58:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 697273
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 123692
Number of viruses found: 11
Number of infected objects: 16
Number of suspicious objects: 4
Duration of the scan process: 01:27:37

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\azkaban.bat Object is locked skipped
C:\azkaban.vbs Object is locked skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\cmdow.exe.bac_a01416 Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\PROGRAMS\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\PROGRAMS\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\PROGRAMS\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\PROGRAMS\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Administrator\Incomplete\Preview-T-3045692-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Administrator\Incomplete\T-3045692-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008041120080412\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\fla20.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Free Download Manager\tic1F.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Free Download Manager\tic2.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Free Download Manager\tic21.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Free Download Manager\tic5.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_550.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EQYDLTGA\get_video[1].67&ipbits=16&expire=1207929449&key=yt1&sver=2 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\antispystorm_setup.exe Infected: not-a-virus:FraudTool.Win32.SpyAway.h skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant9.zip/180ax.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Administrator.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Administrator.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Administrator.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\performance_build_922.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice_Administrator_0.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\ycp_Administrator.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\624855\624855.dll.vir Infected: not-a-virus:AdWare.Win32.E404.y skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\azkaban.vbs.vir Infected: Virus.VBS.AutoRun.b skipped
C:\QooBox\Quarantine\C\WINDOWS\winself.exe.vir Infected: Trojan-Downloader.Win32.Small.ufd skipped
C:\SDFix\backups\backups.zip/backups/default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\SDFix\backups\backups.zip/backups/ie_updates3r.exe Infected: Trojan-Downloader.Win32.Winlagons.bs skipped
C:\SDFix\backups\backups.zip/backups/WLCtrl32.dll Infected: Trojan-Downloader.Win32.Mutant.ci skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8492FDC5-ACD5-4F62-BCED-339C6C518A1B}\RP2\A0007140.exe Object is locked skipped
C:\System Volume Information\_restore{8492FDC5-ACD5-4F62-BCED-339C6C518A1B}\RP3\A0007162.bat Object is locked skipped
C:\System Volume Information\_restore{8492FDC5-ACD5-4F62-BCED-339C6C518A1B}\RP3\A0007164.vbs Object is locked skipped
C:\System Volume Information\_restore{8492FDC5-ACD5-4F62-BCED-339C6C518A1B}\RP3\A0007165.exe Object is locked skipped
C:\System Volume Information\_restore{8492FDC5-ACD5-4F62-BCED-339C6C518A1B}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\lfn.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\diTg2wV2.exe Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\04082008_082932\WINDOWS\system32\wmsdkns.exe Object is locked skipped

Scan process completed.

#10
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
The AVG scan only picked up on a safely quarantined item and a couple of cookies. The Kaspersky scan mostly picked up quarantined items, though also some infected files, which we will clear now.

Also, I can see that you downloaded AntiSpyStorm; this is considered a rogue antispyware program, see more here. The Malwarebytes scan we ran cleared out parts of it also, but could you check in the Add/Remove Programs in your Control Panel that it is not installed; if so, then you should uninstall it.


====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\azkaban.bat
C:\azkaban.vbs
C:\azkaban.reg
C:\Documents and Settings\Administrator\Incomplete\Preview-T-3045692-01 Track 1.wma
C:\Documents and Settings\Administrator\Incomplete\T-3045692-01 Track 1.wma
C:\Documents and Settings\Administrator\My Documents\Downloads\antispystorm_setup.exe

Driver::
Bvl03


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


In your next reply could I see:
1. the combofix log
2. the hijackthis log
3. some idea of how your machine is running now

andrewuk
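The helper's reading of the two reports above (quarantined copies versus live infections, then a CFScript listing only the live paths) can be done mechanically. The following is an added example for this thread, not code from Kaspersky, ComboFix or the forum: it parses Kaspersky Online Scanner result lines, classifies each as infected, suspicious, archive or locked, marks detections that sit under the cleanup tools' own quarantine and backup folders as inert copies, flags locked executables and scripts as unscanned rather than clean, and lays the remaining live paths out in the File:: / Driver:: form that STEP 2 asks for. The quarantine folder list and the sample report lines are constructed from the reports posted in this thread; the driver name Bvl03 is the one from the helper's script.

```python
"""Triage Kaspersky Online Scanner report lines and lay out a ComboFix CFScript.

Added example for this thread; not code from Kaspersky, ComboFix or the forum.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Folders where the cleanup tools used in this thread park backups and quarantine.
# A detection under one of these is an inert copy, not a running infection.
# Assumption: compiled from folder names in the report, not a scanner setting.
QUARANTINE_PREFIXES = (
    r"C:\QooBox\Quarantine",                   # ComboFix
    r"C:\SDFix\backups",                        # SDFix
    r"C:\_OTMoveIt\MovedFiles",                 # OTMoveIt
    r"C:\System Volume Information\_restore",  # System Restore snapshots
    r"C:\Documents and Settings\Administrator\.housecall6.6\Quarantine",  # HouseCall
    r"C:\Documents and Settings\All Users\Application Data"
    r"\Spybot - Search & Destroy\Recovery",     # Spybot S&D backups
)

# One report line is "<path> <verdict> skipped"; the path itself may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"Infected:\s+(?P<infected>\S+)"
    r"|Suspicious:\s+(?P<suspicious>\S+)"
    r"|(?P<archive>\w+: (?:infected|suspicious) - \d+)"
    r"|(?P<locked>Object is locked)"
    r")\s+skipped$"
)
# "Object is locked" means the scanner never looked inside: a locked executable or
# script is unscanned, not clean, and deserves a manual look.
EXECUTABLE_RE = re.compile(r"\.(exe|dll|sys|bat|cmd|vbs|scr)$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    status: str        # "infected" | "suspicious" | "archive" | "locked"
    detail: str        # detection name, archive verdict or "Object is locked"
    quarantined: bool  # True when the path sits under a QUARANTINE_PREFIXES folder


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; header and footer lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status = next(s for s in ("infected", "suspicious", "archive", "locked") if m.group(s))
    path = m.group("path")
    quarantined = any(path.lower().startswith(p.lower()) for p in QUARANTINE_PREFIXES)
    return Finding(path, status, m.group(status), quarantined)


def parse_report(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into action items, parked copies, and objects that were never scanned."""
    live = [f for f in findings if f.status == "infected" and not f.quarantined]
    other = [f for f in findings if f.status in ("suspicious", "archive") and not f.quarantined]
    parked = [f for f in findings if f.status != "locked" and f.quarantined]
    locked = [f for f in findings if f.status == "locked"]
    needs_review = [f for f in locked if EXECUTABLE_RE.search(f.path)]
    return {"live": live, "other": other, "parked": parked,
            "locked": locked, "needs_review": needs_review}


def build_cfscript(file_paths: List[str], drivers: List[str]) -> str:
    """Lay out paths and driver names in the File:: / Driver:: form used in STEP 2."""
    return "\n".join(["File::", *file_paths, "", "Driver::", *drivers]) + "\n"


# Constructed sample: a subset of the report lines posted in this thread.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\azkaban.bat Object is locked skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\cmdow.exe.bac_a01416 Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Administrator\Incomplete\T-3045692-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\antispystorm_setup.exe Infected: not-a-virus:FraudTool.Win32.SpyAway.h skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\winself.exe.vir Infected: Trojan-Downloader.Win32.Small.ufd skipped
C:\SDFix\backups\backups.zip/backups/ie_updates3r.exe Infected: Trojan-Downloader.Win32.Winlagons.bs skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\diTg2wV2.exe Object is locked skipped
Scan process completed."""

if __name__ == "__main__":
    groups = triage(parse_report(SAMPLE_REPORT))
    for name, items in groups.items():
        print(f"{name}: {len(items)}")
        for f in items:
            print("    ", f.path, "->", f.detail)
    # Only live infections go into the script; parked copies stay with the tool that made them.
    print(build_cfscript([f.path for f in groups["live"]], ["Bvl03"]))
```

Run stand-alone, it prints the five groups for the sample and then a CFScript whose File:: section holds only the two live paths (the .wma downloader and the rogue AntiSpyStorm installer), matching what the helper hand-picked above; the locked azkaban.bat and diTg2wV2.exe land in needs_review because a locked object was skipped, not cleared. The quarantine prefix list is the part to adjust for other tool sets.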



#11
moogart (Member, Topic Starter, 53 posts)
ComboFix 08-04-08.7 - Administrator 2008-04-11 21:33:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.554 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\PROGRAMS\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\azkaban.bat
C:\azkaban.reg
C:\azkaban.vbs
C:\Documents and Settings\Administrator\Incomplete\Preview-T-3045692-01 Track 1.wma
C:\Documents and Settings\Administrator\Incomplete\T-3045692-01 Track 1.wma
C:\Documents and Settings\Administrator\My Documents\Downloads\antispystorm_setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\azkaban.bat
C:\azkaban.reg
C:\azkaban.vbs
C:\Documents and Settings\Administrator\Incomplete\Preview-T-3045692-01 Track 1.wma
C:\Documents and Settings\Administrator\Incomplete\T-3045692-01 Track 1.wma
C:\Documents and Settings\Administrator\My Documents\Downloads\antispystorm_setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 15:37 . 2008-04-11 15:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-11 15:37 . 2008-04-11 15:37 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-11 15:37 . 2008-04-11 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-08 21:41 . 2008-04-09 10:02 <DIR> d-------- C:\WINDOWS\system32\624855
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 08:32 . 2008-04-08 08:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-08 08:29 . 2008-04-08 08:29 <DIR> d-------- C:\_OTMoveIt
2008-04-08 08:01 . 2008-04-08 08:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 07:58 . 2008-04-08 08:19 <DIR> d-------- C:\SDFix
2008-04-08 00:55 . 2008-04-08 07:46 2,464 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 00:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 00:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 00:54 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 00:54 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 00:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 00:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 00:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-08 00:45 . 2008-04-08 00:46 3,089,408 --a------ C:\backup.bkf
2008-04-08 00:06 . 2008-04-08 00:06 251 --a------ C:\WINDOWS\wininit.ini
2008-04-07 23:22 . 2008-04-07 23:22 <DIR> d-------- C:\Program Files\PCPitstop
2008-04-07 22:45 . 2008-04-07 22:45 91,563 --a------ C:\WINDOWS\lfn.exe
2008-04-07 22:03 . 2008-04-08 01:00 76 --a------ C:\WINDOWS\lsoon.ini
2008-04-07 21:50 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-04-07 21:49 . 2008-04-07 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Regrun
2008-04-07 21:49 . 2008-04-08 01:00 <DIR> d-------- C:\backreg
2008-04-07 21:48 . 2008-04-07 21:48 <DIR> d-------- C:\Program Files\Greatis
2008-04-07 21:48 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-04-07 21:33 . 2008-04-07 21:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 21:33 . 2008-04-07 21:33 2,549 --a------ C:\WINDOWS\unins000.dat
2008-04-07 18:12 . 2008-04-08 01:17 464 --a------ C:\WINDOWS\system32\zzxbkb.tmp
2008-04-06 18:38 . 2008-04-06 18:38 <DIR> d-------- C:\WINDOWS\system32\drivers\character
2008-04-05 18:45 . 2008-04-05 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 14:56 . 2008-04-05 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-05 12:48 . 2008-04-05 12:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-05 12:25 . 2008-04-05 12:25 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-05 09:47 . 2008-04-05 09:47 29,760 --a------ C:\WINDOWS\system32\diTg2wV2.exe
2008-04-04 12:43 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss
2008-04-04 12:42 . 2008-04-04 12:42 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-04-04 07:43 . 2008-04-04 07:44 <DIR> d-------- C:\WINDOWS\NV26162628.TMP
2008-04-03 19:41 . 2008-04-03 19:41 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-03-31 13:23 . 2008-03-31 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-03-31 13:11 . 2008-03-31 13:11 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-03-31 13:10 . 2008-03-31 13:10 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-03-31 13:10 . 2008-03-31 13:10 <DIR> d-------- C:\Program Files\Acronis
2008-03-31 13:09 . 2008-03-31 13:09 <DIR> d-------- C:\Program Files\Acronis Disk Director Suite 10 build 2160
2008-03-30 22:29 . 2008-03-31 19:39 <DIR> d-------- C:\Program Files\EuphRO2
2008-03-29 21:06 . 2008-03-29 21:07 <DIR> d-------- C:\UnrealEngine2Runtime
2008-03-28 09:33 . 2008-04-11 11:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 09:33 . 2008-03-28 09:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-19 10:46 . 2008-03-19 10:46 <DIR> d-------- C:\Program Files\Anino Games
2008-03-14 07:31 . 2008-03-14 07:31 <DIR> d-------- C:\Program Files\AeriaGames
2008-03-11 10:25 . 2008-03-11 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 12:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-09 23:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-04-08 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 13:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 13:19 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-05 04:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-04 04:42 --------- d-----w C:\Program Files\Realtek
2008-04-04 04:31 --------- d-----w C:\Program Files\Intel
2008-03-31 07:46 --------- d-----w C:\Program Files\Warcraft III
2008-03-26 10:37 4,713,472 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-26 08:14 16,859,136 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-19 04:48 --------- d-----w C:\Program Files\World of Warcraft
2008-03-10 23:54 --------- d-----w C:\Program Files\FreeStyle Philippines
2008-03-10 08:04 36,868 ----a-w C:\Program Files\uninst-3DStroke.exe
2008-03-10 07:52 --------- d-----w C:\Program Files\Trapcode
2008-03-10 04:41 --------- d-----w C:\Program Files\UltraMon
2008-03-10 04:41 --------- d-----w C:\Program Files\Common Files\Realtime Soft
2008-03-10 04:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-03-10 04:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-03-08 01:39 --------- d-----w C:\Program Files\Crazybump Beta Test
2008-03-05 10:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-05 08:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 08:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 08:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 07:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 07:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-03 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 06:16 --------- d-----w C:\Program Files\Dragonfly
2008-02-25 12:24 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-25 08:42 --------- d-----w C:\Program Files\Your Company Name
2008-02-25 08:30 --------- d-----w C:\Program Files\LineageII
2008-02-25 08:25 --------- d-----w C:\Program Files\AMPED
2008-02-25 08:24 --------- d-----w C:\Program Files\Acoustica Mixcraft 3
2008-02-24 06:49 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-24 06:48 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-02-05 15:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2008-01-27 01:49 24,224 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-12 03:32 5,668 ----a-w C:\Program Files\install.log
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_10.02.40.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-09 01:32:08 12,615 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-04-11 06:52:44 12,615 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:26 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [ ]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-21 02:05 6731312]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 19:53 2209224]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-11-14 23:43 286720]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [ ]
"@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:26 15360]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-23 15:17 2068527]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-28 08:36 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 09:26 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 09:26 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 07:29 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-07-21 02:05 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-22 08:49 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 09:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2006-08-23 15:17 2068527 C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 19:25 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]
--a------ 2005-08-24 15:11 61952 C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltraMon]
--a------ 2005-05-14 18:23 187904 C:\Program Files\UltraMon\UltraMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-05-03 17:43 2019328 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 17:13 3810544 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nTuneService"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"C:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2005-06-02 13:54]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2005-05-14 18:41]
S0 Bvl03;Bvl03;C:\WINDOWS\system32\Drivers\Bvl03.sys []
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\AeriaGames\ProjectTorque\GameGuard\dump_wmimmc.sys []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S3 XDva011;XDva011;C:\WINDOWS\system32\XDva011.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 08:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 21:35:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 21:36:18
ComboFix-quarantined-files.txt 2008-04-11 13:36:10
ComboFix2.txt 2008-04-10 00:10:28
ComboFix3.txt 2008-04-09 02:02:54
ComboFix4.txt 2008-02-16 10:09:57
Pre-Run: 21,523,677,184 bytes free
Post-Run: 21,511,749,632 bytes free



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:49 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.77 58.69.254.79
O17 - HKLM\System\CS1\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.77 58.69.254.79
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8560 bytes


I didn't find AntiSpyStorm in my Add/Remove Programs... is it still on my computer?
I think my PC is already OK now, but I have to observe it well in case there's still a virus.
Thanks again, sir, for fixing my computer.
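Reading a HijackThis log by hand, as the helper does in this thread, comes down to knowing the section format (R/O prefixes, hive\..\Run: [value] command, Service: name - vendor - path, NameServer = ...) and then asking a few questions of each line: where does the autorun binary live, is it a one-shot RunOnce, does a service point at a file that no longer exists, and are the DNS servers the ones the ISP actually assigns. The parser below is an added example, not a HijackThis, Trend Micro or Geeks to Go tool. Its SAMPLE_LOG mixes lines quoted from the log above with constructed ones (the `sysupd`, `Loader`, `upd8r.exe` and `ldr32.exe` names are invented for the example), and its triage rules are review heuristics for prioritising what to look at first, not malware verdicts: RunOnce entries and unfamiliar DNS servers are flagged for checking, not condemned.

```python
"""Structured parser plus triage heuristics for HijackThis (HJT) v2 logs.

Added example for this thread, not a HijackThis or forum tool.  SAMPLE_LOG
mixes lines from the posted log with constructed ones; the rules only
prioritise manual review and make no claim that a flagged line is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "O4 - <body>", "R1 - <body>", ... ; process list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
# hive\..\Run or RunOnce: [value name] command line, optional (User 'x') suffix.
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Entry:
    kind: str
    body: str
    fields: dict = field(default_factory=dict)


def parse_hjt(text: str) -> list[Entry]:
    """Turn the R/O sections of an HJT log into Entry objects with parsed fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and footer lines are skipped
        e = Entry(m["kind"], m["body"])
        if e.kind == "O4" and (r := RUN_RE.match(e.body)):
            e.fields = r.groupdict()
        elif e.kind == "O23" and (s := SERVICE_RE.match(e.body)):
            e.fields = s.groupdict()
        elif e.kind == "O17" and (d := DNS_RE.search(e.body)):
            e.fields = {"servers": d["servers"].split()}
        entries.append(e)
    return entries


def executable_of(cmd: str) -> str:
    """First token of an autorun command line, honouring quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    # Unquoted paths may contain spaces: grow the candidate token by token until
    # it ends in an executable extension, else fall back to the first token.
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if re.search(r"\.(exe|dll|scr|com|cmd|bat)$", cand, re.I):
            return cand
    return tokens[0]


# Locations where legitimate autoruns are rare; anything here deserves a look.
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|dll|scr|com)$", re.I)


def triage(entries: list[Entry]) -> list[str]:
    """Return human-readable review notes; an empty list means nothing stood out."""
    notes = []
    for e in entries:
        f = e.fields
        if e.kind == "O4" and f:
            exe = executable_of(f["cmd"]).lower()
            if any(d in exe for d in SUSPECT_DIRS) or ROOT_EXE.match(exe):
                notes.append(f"O4 [{f['name']}] runs from an unusual location: {exe}")
            if f["key"].lower() == "runonce":
                # Installers and hotfixes use RunOnce too, so this is review-only.
                notes.append(f"O4 RunOnce [{f['name']}] for {f['user'] or 'current user'}: {f['cmd']}")
        elif e.kind == "O23" and f and "(file missing)" in f["path"]:
            notes.append(f"O23 service '{f['name']}' points at a missing binary")
        elif e.kind == "O17" and f:
            notes.append("O17 DNS servers to confirm with the ISP: " + ", ".join(f["servers"]))
    return notes


# Constructed sample: some lines quoted from the thread, the sysupd/Loader ones invented.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\Owner\Local Settings\Temp\upd8r.exe
O4 - HKLM\..\Run: [Loader] c:\ldr32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{34E2A552-FCC7-4DCB-B63E-0255E6D34129}: NameServer = 58.69.254.77 58.69.254.79
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for note in triage(parse_hjt(SAMPLE_LOG)):
        print(note)
```

On the sample, the AVG and NVIDIA lines produce no note, while the two invented autoruns (a user Temp directory and a drive-root executable), the RunOnce entry, the DNS servers and the missing cisvc.exe each get one. The DNS note is deliberately neutral: the right check is whether those addresses belong to the user's ISP, which the log alone cannot tell you.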

#12 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi moogart

Congratulations, your logs are clean :)

In this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and I will leave you with some ideas on how to enhance the protection of your machine against future infection.

We will also update your Java - it is out of date.

I didn't find AntiSpyStorm in my Add/Remove Programs... is it still on my computer?

Most likely not anymore :)

====STEP 1====
Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are two or three options in the window to clear the cache - Leave ALL Checked
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

====STEP 2====
Clearing away the fix tools:
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

====STEP 3====
Resetting your restore points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots are at http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the Recycle Bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.


andrewuk

#13 moogart (Topic Starter, Member, 53 posts)
Thank you very much!!!

#14 moogart (Topic Starter, Member, 53 posts)
Sir, if it is okay with you, could you also check/fix my other computer, which is a laptop? I haven't used it for a while and it runs really slow... hope it is OK ^^ Thanks

#15 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Could you post it as a new log in the forum, then? I will close this one off.

andrewuk