PDA

View Full Version : Help! Bizarre malware problem


cakes
2007-12-30, 07:05
Hello good people of this forum,

I am having a strange problem. You guys helped me out one time before, and I am hoping you will be able to figure this one out too. Here are the symptoms I am seeing (all these are happening after I ran AVG Free, Spybot, and AVG Spyware in safe mode and fixed all problems):

1. The Pro Tools application (an audio recording program) will not launch - it appears as a process in the Task Manager but doesn't load. It was working fine a couple days ago.

2. If I look at Process Monitor after I double-click the Pro Tools icon, I see that the application is up to all kinds of strange things, including creating an Internet Explorer cookie called "oren@www.gaiglu[2].txt" which is bigger than normal cookies (13 Kb) and contains lots of random characters, with "www.gaiglu.com" at the end. That domain is unregistered according to whois. Oren is my name.

3. I can't uninstall or even repair the Pro Tools application using Add/Remove Programs. The InstallShield gets part of the way through and then seems to get stuck while running the regsvr32.exe application - if I kill the regsvr32 process in the Task Manager, InstallShield starts moving again.

4. The file C:\Windows\system32\regsvr32.exe has Date Created = 12/29/07 4:39 PM (though the Date Modified is 8/3/2004 - tricky). I can delete the file, but within a couple seconds it comes back (with the exact same Date Created). This does not happen in safe mode - the file stays deleted. But as soon as I reboot, a new one is created. I even downloaded a fresh copy of regsvr32.exe from Microsoft, but it was overwritten within seconds.

Help!!!! :sick:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:43:18 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Installers\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187561118453
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5715 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 29, 2007 9:07:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500142
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 155180
Number of viruses found: 5
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:30:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\D8B.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\D8B.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\D90.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\D90.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\D90.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\D90.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\IMG2.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VXhABetterInternet.zip/preInsln.exe Infected: not-a-virus:AdWare.Win32.BiSpy.o skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VXhABetterInternet.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VXhABetterInternet1.zip/localNRD.dll Infected: not-a-virus:AdWare.Win32.BiSpy.n skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VXhABetterInternet1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Spamihilator\SPA1EDD.tmp.log Object is locked skipped
C:\Program Files\Spamihilator\SPA1EE0.tmp.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
ndmmxiaomayi
2008-01-03, 04:56
Hi cakes. :)

Welcome to Safer Networking.

I see that you are using the Beta version of HijackThis. As this is a Beta program, it may not be stable and may cause problems for your computer. Please remove this version and download the stable version from here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe). Do Not run it directly via a browser. Save it to your desktop.

Go to Start > Control Panel. Double click on Add/Remove Programs. Locate HijackThis 2.0.0 from the list of installed programs and click on the Change/Remove button to uninstall it. Close Add/Remove Programs and Control Panel.
Double click on HJTInstall.exe to install it. Click on Install. By default, it will install to C:\Program Files\Trend Micro\HijackThis.
Read through the License Agreement presented to you on the next screen and click on I Accept.
Once installed, HijackThis will start automatically. If it doesn't, please go to your desktop and double click on the HijackThis shortcut created there.
Select Do a system scan and save a logfile.
Close HijackThis.

Note: Do not click on the AnalyzeThis button.

Do not fix any lines you see in HijackThis as most entries are harmless and needed for the normal functioning of Windows.

In addition, please do the following:

Please download and install CCleaner Slim (http://www.ccleaner.com/download/builds/downloading-slim).
Once installed, double click on the desktop shortcut created.
On the leftmost column, click on Tools.
On the middle column, click on Uninstall.
At the bottom right hand corner, click on the Save to text file... button.
By default, it saves this file to C:\Program Files\CCleaner named install.txt. You may want to save it to your desktop to find it easily. Click Save.
Close CCleaner.

In your next reply, please post:

A new HijackThis log
CCleaner install.txt
cakes
2008-01-03, 05:07
Hi ndmmxiaomayi,

Thanks for your help! Let me know if I can uninstall the CCLeaner application.

cakes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:36 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5727 bytes


Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 7.0.5
Adobe Shockwave Player
AIM 6.0
Alcohol 120%
AmpliTube
AnswerWorks 5.0 English Runtime
Antares Autotune VST RTAS TDM v5.08
Antares Kantos v1.02 VST & RTAS
Antares Tube v1.02 RTAS
AOL Instant Messenger
ASUS Probe V2.24.10
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoCAD LT 2008 - English
Autodesk DWF Viewer 7
AutoUpdate
AVG 7.5
BitZip (remove only)
Bomb Factory (48k Edition) v3.15
Canon Utilities PhotoStitch
ccCommon
CCleaner (remove only)
CDXtract v4.1.5
Celemony Melodyne Plugin VST RTAS v1.0
CoCSoft Stream Down 3.0
Connection Keep Alive
Delta
Digidesign D-Fi
Digidesign DigiDelivery
Digidesign DV Toolkit 2 7.1
Digidesign EQ III
Digidesign HFS+ Disk Support
Digidesign Pro Tools Documentation 7.0
Digidesign Pro Tools LE 7.3.1cs4
Digidesign Shared Plug-Ins 7.3
Digidesign Soundreplacer
DivX
DivX Player
Dolet Light for Finale
DVD Shrink 3.2
eags on! 0.8.81
eMule
FairUse Wizard
ffdshow [rev 610] [2006-12-01]
File Rescue Plus
FilterBank
Finale 2006
Flickr Uploadr 2.3
Free Bomb Factory Plug-Ins 7.3
Helix Producer Basic 9
HijackThis 2.0.2
hp officejet 4100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 4100 series
HT Video Editor
iLok Client Helper
InterLok Driver Kit
ISScript
iTunes
iZotope Trash v1.04
iZotope Vinyl 1.6
Kaspersky Online Scanner
Live 6.0.1
LiveUpdate 2.7 (Symantec Corporation)
MacDrive 6
Massey CT4 Full Version (Remove only)
Melodyne plugin
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.11)
MP3 To Wave Converter PLUS
MSRedist
MSXML 6.0 Parser
Nero Suite
Norton Cleanup
Norton Protection Center
Norton SystemWorks
Norton SystemWorks 2006 Basic Edition
Norton SystemWorks 2006 Basic Edition (Symantec Corporation)
Norton Utilities
NSW_DRM_COLLECTION
Olympus Digital Wave Player
OpenSource Flash Video Splitter (remove only)
Pitch 'n Time
Pitch'n'Time RTAS v2.1
PODxt Drivers 2.5.1.0 (Remove Only)
Prime95
PSP VintageWarmer2 2.0.1
Quicken 2008
QuickTime
Quintessential Player
RealOne Player
Reason
ReCycle 2.0
ReFill Packer
Reload 1.0
sdTwoWav
Serato Scratch Studio Edition RTAS v1.0
Spamihilator
SPBBC
Spybot - Search & Destroy 1.4
StuffIt Standard
Synth One
TL Space Impulse Response Library
TL Space Native 7.4
TradeKeys (PC Magazine)
TurboTax 2005
TurboTax Deluxe 2004
TurboTax Deluxe Deduction Maximizer 2006
Update for Windows XP (KB898461)
Update for Windows XP (KB938828)
User Profile Hive Cleanup Service
VideoLAN VLC media player 0.8.6c
Waves Diamond Bundle v5.0
Waves L3 Multimaximizer v1.0
Waves SSL Collection v1.2
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows WMF Metafile Vulnerability HotFix 1.4
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Service Pack 2
WinPcap 3.01 alpha
WinRAR archiver
Wise-FTP
Xpand!
ndmmxiaomayi
2008-01-03, 14:13
Hi,

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe). Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware (http://www.forospyware.com/sUBs/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/ComboFix.exe)

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log
cakes
2008-01-03, 17:39
(HijackThis log in next reply)

ComboFix 08-01-03.3 - Oren 2008-01-03 8:25:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1744 [GMT -8:00]
Running from: C:\Installers\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 08:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 22:22 . 2008-01-02 22:22 <DIR> d-------- C:\Program Files\Finale 2003
2008-01-02 20:00 . 2008-01-02 20:00 <DIR> d-------- C:\Program Files\CCleaner
2008-01-02 19:59 . 2008-01-02 19:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 11:23 . 2008-01-02 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MPEG Streamclip
2008-01-02 10:38 . 2008-01-02 10:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-02 10:38 . 2008-01-02 10:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 08:57 . 2008-01-02 10:00 <DIR> d-------- C:\Program Files\Finale 2006
2007-12-31 17:07 . 2007-12-31 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-31 16:24 . 2007-12-31 16:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Download Manager
2007-12-30 16:43 . 2007-12-31 11:25 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2007-12-30 16:43 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2007-12-30 16:43 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2007-12-29 22:10 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-29 19:10 . 2007-12-29 19:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 19:10 . 2007-12-29 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-29 18:49 . 2007-12-29 18:49 <DIR> d-------- C:\Program Files\InterLok
2007-12-29 16:39 . 2004-08-03 23:56 11,776 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-12-29 16:39 . 2004-08-03 23:56 11,776 --a--c--- C:\WINDOWS\system32\dllcache\regsvr32.exe
2007-12-29 16:17 . 1996-08-09 00:30 30,720 -ra------ C:\WINDOWS\system32\REGSVR32.EXE.bak
2007-12-06 17:10 . 2007-12-06 18:23 58,276 --a------ C:\WINDOWS\system32\updown.msc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 16:22 --------- d-----w C:\Program Files\Spamihilator
2008-01-03 06:44 --------- d-----w C:\Program Files\Quicken
2008-01-02 21:23 --------- d-----w C:\Program Files\eMule
2008-01-01 01:05 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-31 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-31 20:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-31 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-31 05:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Canon
2007-12-31 00:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 21:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2007-12-22 02:44 --------- d-----w C:\Program Files\BarSoft
2007-12-08 03:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2007-12-05 22:51 --------- d-----w C:\Program Files\Reason
2007-12-02 07:16 --------- d-----w C:\Program Files\Windows Media Components
2007-11-30 23:16 --------- d-----w C:\Program Files\Canon
2007-11-30 23:15 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-27 04:17 --------- d-----w C:\Program Files\DVD Shrink
2007-11-27 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-24 23:40 472,833 ----a-w C:\Program Files\uninstal.log
2005-08-22 23:56 100,240 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-07-22 23:40 217,600 ----a-w C:\Program Files\HOG.exe
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2004-11-01 01:49 56 --sh--r C:\WINDOWS\system32\373EA363F5.sys
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2005-03-15 05:45 595968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54 282624]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 13:12 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 15:43 61440]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 00:05 61440]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-31 11:18 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-31 11:18 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 01000000
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
backup=C:\WINDOWS\pss\Device Detector 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp officejet 4100 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp officejet 4100 series.lnk
backup=C:\WINDOWS\pss\hp officejet 4100 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SonnReg.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SonnReg.lnk
backup=C:\WINDOWS\pss\SonnReg.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^True Internet Color Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\True Internet Color Icon.lnk
backup=C:\WINDOWS\pss\True Internet Color Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
C:\Program Files\ASUS\Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avuz]
C:\WINDOWS\avuz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-12-27 14:32 52896 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]
DeltTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmfww.exe]
C:\WINDOWS\system32\dmfww.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fhgux.exe]
C:\WINDOWS\system32\fhgux.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hclean32.exe]
C:\WINDOWS\system32\hclean32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
C:\Program Files\Internet Optimizer\optimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
C:\Program Files\ISTsvc\istsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\napav.exe]
C:\WINDOWS\system32\napav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oytfh.exe]
C:\WINDOWS\system32\oytfh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealOne Player\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
c:\program files\180solutions\sais.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow! Deluxe]
2005-03-15 05:45 595968 --a------ C:\Program Files\Spamihilator\spamihilator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spamihilator]
2005-03-15 05:45 595968 --a------ C:\Program Files\Spamihilator\spamihilator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyMarshal]
C:\Program Files\SpyMarshal\SpyMarshal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskopen.exe]
taskopen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twstu.exe]
C:\WINDOWS\system32\twstu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WareOut]
C:\Program Files\WareOut\WareOut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wtlyn.exe]
C:\WINDOWS\system32\wtlyn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xcdxd.exe]
C:\WINDOWS\system32\xcdxd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xxy_Shell]
C:\Documents and Settings\Administrator\xxy_jops.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=2 (0x2)
"Pcilinrvacmm"=3 (0x3)
"NSCService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Speed Disk service"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"NProtectService"=2 (0x2)
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 10:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 21:38]
R3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2006-10-05 16:06]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 21:36]
S3 L6POD;L6 PODxt Service;C:\WINDOWS\system32\Drivers\L6POD.sys [2004-07-14 17:49]
S3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2005-11-03 16:56]
S3 scsk4;SCSK4 Driver Service;C:\WINDOWS\system32\drivers\scsk4.sys [2006-01-10 02:15]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-03 16:43]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-02-28 04:36]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]

*Newly Created Service* - WMIAPSRV
.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 00:09:09 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2007-04-21 20:57:58 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 08:31:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 8:34:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 16:34:22
cakes
2008-01-03, 17:39
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:26 AM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5568 bytes
cakes
2008-01-03, 17:41
BTW, the regsvr32.exe.bak file is something I created when I was trying to get rid of the malware regsvr32.exe.

Thanks for your help.

cakes
ndmmxiaomayi
2008-01-03, 18:33
Hi,

regsvr32.exe is not malware. It's a Windows file. Windows will regenerate it if it's missing.

A question for you. Did you install WinPCap?

Step 1

Please open Notepad and copy and paste the following in the Code box into Notepad:


File::
C:\Documents and Settings\Administrator\xxy_jops.exe
C:\WINDOWS\system32\xcdxd.exe
C:\WINDOWS\system32\wtlyn.exe
C:\WINDOWS\system32\twstu.exe
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\oytfh.exe
C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\fhgux.exe
C:\WINDOWS\system32\dmfww.exe
C:\WINDOWS\system32\373EA363F5.sys

Folder::
C:\Program Files\WareOut
C:\Program Files\SpyMarshal
c:\program files\180solutions
C:\Program Files\QdrModule
C:\Program Files\ISTsvc
C:\Program Files\Internet Optimizer

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xxy_Shell]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xcdxd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wtlyn.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WareOut]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twstu.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskopen.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyMarshal]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oytfh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hclean32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fhgux.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmfww.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"=-

Warning: The above script is just for cakes. If you are not cakes, do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript.txt into Combofix.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Combofix will start running. When done, a log will be produced. Please post back this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

Please go to Virus Total (http://www.virustotal.com/) or Jotti (http://virusscan.jotti.org/) and upload C:\Program Files\HOG.exe for scanning.

For Virus Total

Please copy and paste C:\Program Files\HOG.exe in the text box next to the Browse button.
Click on Send File.

For Jotti

Please copy and paste C:\Program Files\HOG.exe in the text box next to the Browse button.
Click on Submit.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
Virus Total or Jotti's scan results of the HOG.exe file
A new HijackThis log
Whether or not you installed WinPCap
cakes
2008-01-03, 19:10
ndmmxiaomayi ni hao,

I installed WinPCap myself a few months ago.

As for regsvr32.exe, I know it's a system file. This is what is happening: if I delete the file, within 1 or 2 seconds, a new one is created. The Date Modified is 8/3/2004, but the Date Created is 12/29/07 4:39 PM. I downloaded a fresh copy of the file from Microsoft (the size of the fresh file was different - 30k vs. 12k), and it was overwritten within seconds. The overwriting does not happen in safe mode. Is this normal Windows behavior?



ComboFix 08-01-03.3 - Oren 2008-01-03 9:46:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1680 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\xxy_jops.exe
C:\WINDOWS\system32\373EA363F5.sys
C:\WINDOWS\system32\dmfww.exe
C:\WINDOWS\system32\fhgux.exe
C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\oytfh.exe
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\twstu.exe
C:\WINDOWS\system32\wtlyn.exe
C:\WINDOWS\system32\xcdxd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\373EA363F5.sys

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 08:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 22:22 . 2008-01-02 22:22 <DIR> d-------- C:\Program Files\Finale 2003
2008-01-02 20:00 . 2008-01-02 20:00 <DIR> d-------- C:\Program Files\CCleaner
2008-01-02 19:59 . 2008-01-02 19:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 11:23 . 2008-01-02 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MPEG Streamclip
2008-01-02 10:38 . 2008-01-02 10:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-02 10:38 . 2008-01-02 10:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 08:57 . 2008-01-02 10:00 <DIR> d-------- C:\Program Files\Finale 2006
2007-12-31 17:07 . 2007-12-31 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-31 16:24 . 2007-12-31 16:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Download Manager
2007-12-30 16:43 . 2007-12-31 11:25 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2007-12-30 16:43 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2007-12-30 16:43 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2007-12-29 22:10 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-29 19:10 . 2007-12-29 19:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 19:10 . 2007-12-29 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-29 18:49 . 2007-12-29 18:49 <DIR> d-------- C:\Program Files\InterLok
2007-12-29 16:39 . 2004-08-03 23:56 11,776 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-12-29 16:39 . 2004-08-03 23:56 11,776 --a--c--- C:\WINDOWS\system32\dllcache\regsvr32.exe
2007-12-29 16:17 . 1996-08-09 00:30 30,720 -ra------ C:\WINDOWS\system32\REGSVR32.EXE.bak
2007-12-06 17:10 . 2007-12-06 18:23 58,276 --a------ C:\WINDOWS\system32\updown.msc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 17:43 --------- d-----w C:\Program Files\Spamihilator
2008-01-03 06:44 --------- d-----w C:\Program Files\Quicken
2008-01-02 21:23 --------- d-----w C:\Program Files\eMule
2008-01-01 01:05 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-31 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-31 20:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-31 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-31 05:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Canon
2007-12-31 00:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 21:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2007-12-22 02:44 --------- d-----w C:\Program Files\BarSoft
2007-12-08 03:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2007-12-05 22:51 --------- d-----w C:\Program Files\Reason
2007-12-02 07:16 --------- d-----w C:\Program Files\Windows Media Components
2007-11-30 23:16 --------- d-----w C:\Program Files\Canon
2007-11-30 23:15 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-28 21:35 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-27 04:17 --------- d-----w C:\Program Files\DVD Shrink
2007-11-27 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-24 23:40 472,833 ----a-w C:\Program Files\uninstal.log
2005-08-22 23:56 100,240 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-07-22 23:40 217,600 ----a-w C:\Program Files\HOG.exe
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2005-03-15 05:45 595968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54 282624]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 13:12 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 15:43 61440]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 00:05 61440]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-31 11:18 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-31 11:18 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
backup=C:\WINDOWS\pss\Device Detector 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp officejet 4100 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp officejet 4100 series.lnk
backup=C:\WINDOWS\pss\hp officejet 4100 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SonnReg.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SonnReg.lnk
backup=C:\WINDOWS\pss\SonnReg.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^True Internet Color Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\True Internet Color Icon.lnk
backup=C:\WINDOWS\pss\True Internet Color Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
C:\Program Files\ASUS\Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avuz]
C:\WINDOWS\avuz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-12-27 14:32 52896 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]
DeltTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\napav.exe]
C:\WINDOWS\system32\napav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealOne Player\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow! Deluxe]
2005-03-15 05:45 595968 --a------ C:\Program Files\Spamihilator\spamihilator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spamihilator]
2005-03-15 05:45 595968 --a------ C:\Program Files\Spamihilator\spamihilator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=2 (0x2)
"Pcilinrvacmm"=3 (0x3)
"NSCService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Speed Disk service"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"NProtectService"=2 (0x2)
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 10:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 21:38]
R3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2006-10-05 16:06]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 21:36]
S3 L6POD;L6 PODxt Service;C:\WINDOWS\system32\Drivers\L6POD.sys [2004-07-14 17:49]
S3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2005-11-03 16:56]
S3 scsk4;SCSK4 Driver Service;C:\WINDOWS\system32\drivers\scsk4.sys [2006-01-10 02:15]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-03 16:43]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-02-28 04:36]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]

*Newly Created Service* - WMIAPSRV
.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 00:09:09 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2007-04-21 20:57:58 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 09:47:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 9:48:31
ComboFix-quarantined-files.txt 2008-01-03 17:48:10
ComboFix2.txt 2008-01-03 16:34:25



Virustotal results:

File HOG.exe received on 01.03.2008 18:49:53 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 1/32 (3.13%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 44 and 63 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.1.4.10 2008.01.03 -
AntiVir 7.6.0.46 2008.01.03 -
Authentium 4.93.8 2008.01.02 -
Avast 4.7.1098.0 2008.01.03 -
AVG 7.5.0.516 2008.01.03 -
BitDefender 7.2 2008.01.03 -
CAT-QuickHeal 9.00 2008.01.03 -
ClamAV 0.91.2 2008.01.03 -
DrWeb 4.44.0.09170 2008.01.03 -
eSafe 7.0.15.0 2008.01.03 -
eTrust-Vet 31.3.5427 2008.01.03 -
Ewido 4.0 2008.01.03 -
FileAdvisor 1 2008.01.03 -
Fortinet 3.14.0.0 2008.01.03 -
F-Prot 4.4.2.54 2008.01.02 -
F-Secure 6.70.13030.0 2008.01.03 -
Ikarus T3.1.1.15 2008.01.03 -
Kaspersky 7.0.0.125 2008.01.03 -
McAfee 5199 2008.01.03 -
Microsoft 1.3109 2008.01.03 -
NOD32v2 2763 2008.01.03 -
Norman 5.80.02 2008.01.03 -
Panda 9.0.0.4 2008.01.03 -
Prevx1 V2 2008.01.03 Heuristic: Suspicious Self Modifying File
Rising 20.25.32.00 2008.01.03 -
Sophos 4.24.0 2008.01.03 -
Sunbelt 2.2.907.0 2008.01.03 -
Symantec 10 2008.01.03 -
TheHacker 6.2.9.178 2008.01.03 -
VBA32 3.12.2.5 2008.01.02 -
VirusBuster 4.3.26:9 2008.01.03 -
Webwasher-Gateway 6.6.2 2008.01.03 -
Additional information
File size: 217600 bytes
MD5: 53671b345bf059ce71bd487a86622234
SHA1: 44a97e7197acb90f314747cd38e928af57f622c6
PEiD: InstallShield 2000
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A1996C3E006D82B852A7036899CFD400E496CA6E
cakes
2008-01-03, 19:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:43 AM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5601 bytes
ndmmxiaomayi
2008-01-03, 19:56
ni hao. :)


2007-12-29 16:39 . 2004-08-03 23:56 11,776 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-12-29 16:39 . 2004-08-03 23:56 11,776 --a--c--- C:\WINDOWS\system32\dllcache\regsvr32.exe

This is the legitimate copy.

The other one wasn't... so it was replaced by Windows.

As for why it doesn't occur in Safe Mode, it's because the protection mechanism doesn't work in Safe Mode.

I would want to double check if other infections are present.

Please print out or save this set of instructions as you will be rebooting the PC.

Please download Fixwareout from Bleeping Computer (http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe) and save it to your desktop.
Double click to run it.
Click Next, followed by Install.
Once installation is done, checked (ticked) Run fixit box.
Click Finish.
The fix will start, follow the prompts. You will be asked to reboot the PC, please do so. Your system will take longer to start, this is normal.
Once your PC rebooted, go to Start > Control Panel. Double click on Network Connections.
Right click on your default connection and select Properties.
Select the General tab.
Double click on Internet Protocol (TCP/IP) under This connection uses the following items:
Select Obtain an IP address automatically and Obtain DNS server address automatically.
Click OK twice to save the settings. Reboot when prompted to.
Go to Start > Run and type in cmd.
Type in the following in the code box line by line, pressing Enter after each line:

ipconfig /renew
ipconfig /flushdns
exit

In your next reply, please post:

Fixwareout report (C:\Fixwareout\report.txt)
A new HijackThis log
cakes
2008-01-03, 21:48
Username "Oren" - 01/03/2008 12:43:15 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "wlysc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "dmygb.exe" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "tezsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "aqssc" Value deleted
HKCR\CLSID\{53634830-4B0F-404A-A033-5997A5FC8F23}\_h\4 Deleted.
HKCR\CLSID\{792BE411-B15E-40DC-8859-5C1F538AC74F}\_h\4 Deleted.
HKCR\CLSID\{DB012F56-5963-4BD2-8F61-1C4321F79481}\_h\4 Deleted.
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MDDiskProtect.exe"="C:\\Program Files\\Mediafour\\MacDrive\\MDDiskProtect.exe"
"MediafourGettingStartedWithMacDrive6"="\"C:\\Program Files\\Mediafour\\MacDrive\\MacDrive.exe\" /runonce"
"Mediafour Mac Volume Notifications"="\"C:\\Program Files\\Common Files\\Mediafour\\MACVNTFY.EXE\" /auto"
"DigidesignMMERefresh"="C:\\Program Files\\Digidesign\\Drivers\\MMERefresh.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Spamihilator"="\"C:\\Program Files\\Spamihilator\\spamihilator.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:32 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5553 bytes
ndmmxiaomayi
2008-01-05, 06:34
Hi,

Step 1

Please download AVG Anti-Spyware (http://free.grisoft.com/filedir/inst/avgas-setup-7.5.1.43.exe) and save it to your desktop.
Double click on avgas-setup-7.5.0.50.exe to install AVG Anti-Spyware. Install it in the default location.
Once installed, start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
In the main screen, you should see Your Computer's Security. Next to Resident Shield, click on Change state. It should now be Inactive.
Next to Automatic Updates, click on Change state. It should now be Inactive.
Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here (http://downloads.ewido.net/avgas-signatures-full-current.exe). Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes. Now click on the Scanner button at the top.
Select the Settings tab.
Under How to act?, click on Recommended actions and select Quarantine.
Under How to scan?, check (tick) all the boxes.
Under Possibly unwanted software:, check (tick) all the boxes.
Under Reports:, uncheck (untick) the Only if threats were found box and select Do not automatically generate report.
Under What to scan?, select Scan every file.

Do not run a scan yet. You will run a scan later.

Step 2

Click on Start > All Programs > CCleaner > CCleaner.
On the Windows tab, leave the default options alone.
On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
Close CCleaner.

Step 3

Please print out or save this set of instructions as you will not have internet access during the fix.

Reboot into Safe Mode by following the instructions below:

When you see BIOS screen, start pressing F8.
A boot menu will appear shortly.
Using the up down arrows, select Safe Mode and press the Enter key.
Windows will now load.
Log in to your usual account.

Step 4

Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
Click on the Scanner button at the top.
Select the Scan tab.
Click on Complete System Scan to start the scan.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the Save Scan Report button before you did hit the Apply all Actions button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Restart your computer in Normal Mode.

In your next reply, please post:

AVG Antispyware scan report
A new HijackThis log
cakes
2008-01-05, 10:10
Hi,

I already ran the AVG Spyware scan before I posted originally. I ran it again today and it found nothing. BTW I am still having the problems I described in my original post.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:05:51 AM 1/5/2008

+ Scan result:



Nothing found.



::Report end



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:21 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5753 bytes
cakes
2008-01-05, 20:31
Actually I was wrong! My problem seems to be at least partially fixed. I was able to uninstall Pro Tools (which I wasn't able to do before), and now it is reinstalled and runing properly. It still creates that strange www.gaiglu.com cookie, which seems suspicious (Pro Tools is an audio recording program, nothing to do with the internet), but perhaps this is standard behavior. In any case, I am back up and running, so thank you!

I have two questions:

1. Is our process finished? Were there any other steps you wanted me to take?

2. What was I infected with?

Thanks,

cakes
ndmmxiaomayi
2008-01-06, 05:06
1. One more scan we should be done unless you report other problems.

2. Main one - Wareout. As you've disabled the bad entries via MSConfig, your computer works as if it's not infected. There are other infections as well, which you disabled via MSConfig as well.

I couldn't find anything about gaiglu.com, but since it's a cookie, it's harmless. You can clean it with CCleaner.

Please go to Kaspersky website (http://www.kaspersky.com/virusscanner) and perform an online antivirus scan. Please use Internet Explorer as it uses ActiveX.

Click on Kaspersky Online Scanner button.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
When the downloads have finished, click on Next button.
Click on Scan Settings button.
Select extended under Scan using the following antivirus database:
Check (tick) these boxes under Scan options: Scan Archives
Scan Mail Bases Click OK
Click on My Computer under Please select a target to scan:
Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
Copy and paste this log in your next reply.

In your next reply, please post:

Kaspersky Antivirus scan report
A new HijackThis log
cakes
2008-01-07, 01:02
Thank you for the info.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 06, 2008 3:59:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/01/2008
Kaspersky Anti-Virus database records: 503226
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 136913
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:27:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\.BitZip\2fastbt.log Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\.BitZip\bsddb\mydata.bsd Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\.BitZip\bsddb\mypreferences.bsd Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\.BitZip\bsddb\owners.bsd Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\.BitZip\bsddb\peers.bsd Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\.BitZip\bsddb\preferences.bsd Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\.BitZip\bsddb\torrents.bsd Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008010620080107\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\IMG695.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KPANGX2B\index[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L5F68VIR\index[1] Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\jolly jailbait.rar Object is locked skipped
C:\Program Files\BitZip\BitZip.exe.log Object is locked skipped
C:\Program Files\Spamihilator\SPA495F.tmp.log Object is locked skipped
C:\Program Files\Spamihilator\SPA4960.tmp.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BD938AD9-AAA8-4769-97BF-2FB2268FE396}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{BD938AD9-AAA8-4769-97BF-2FB2268FE396}\RP8\change.log Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:48 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5668 bytes
ndmmxiaomayi
2008-01-07, 16:21
Hi,

Update Adobe Reader

Please uninstall Adobe Reader 7.0.5 before installing the latest version by going to Start > Control Panel and double clicking on Add/Remove Programs. Locate Adobe Reader 7.0.5 and click on Change/Remove to uninstall it.
Click here (http://www.adobe.com/products/acrobat/readstep2.html) to download the latest version of Adobe Acrobat Reader.
Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you.

If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
Close your Internet browser and open it again.

Please post back a new Hijackthis log after you're done.

Also, do you have any other problems?
cakes
2008-01-07, 19:35
Everything seems to be working fine. Thank you!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:55 AM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198994988640
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5758 bytes
ndmmxiaomayi
2008-01-10, 14:01
Hi,

Glad to hear that. :)

Flush the system restore points

Right click on My Computer and select Properties.
Select the System Restore tab.
Check (tick) Turn off system restore on all drives box.
Click OK.
Restart your computer.

After restarting your computer, follow these steps:

Right click on My Computer and select Properties.
Select the System Restore tab.
Uncheck (untick) Turn off system restore on all drives box.
Click OK.
Restart your computer.

Note: Do this only ONCE, don't flush it regularly.

Here are some things to do to prevent another infection.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update (http://update.microsoft.com/)
Office Update (http://office.microsoft.com/en-us/officeupdate/default.aspx)

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

Go to Start > Control Panel > Automatic Updates
Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).

Stop malicious scripts

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article (http://www.microsoft.com/athome/security/update/howbackup.mspx) to learn how to backup. Follow this article (http://support.microsoft.com/kb/309340) by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer (http://www.bleepingcomputer.com/tutorials/tutorial127.html).

Make your Internet Explorer safer

For Internet Explorer 6

Open Internet Explorer. Click on Tools > Options.
Click on the Security tab.
Click on the Internet icon.
Click on the Custom Level button.
Under Download signed ActiveX controls, select Prompt.
Under Download unsigned ActiveX controls, select Disable.
Under Initialize and script ActiveX controls not marked as safe, select Disable.
Under Installation of desktop items, select Prompt.
Under Launching programs and files in an IFRAME, select Prompt.
Under Navigate sub-frames across different domains, select Prompt.
Under Allow paste operations via script, select Disable.
Click OK to apply these settings.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Press OK to exit the Internet Properties page.
For a pictorial guide, please refer to this article (http://surfthenetsafely.com/slides/ieconfigureslide1.htm).

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs (http://p2p.malawreremoval.com/) if you need to use one.

Prevent a re-infection

Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX (http://surfthenetsafely.com/activex.htm) programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

You can download SpywareBlaster from Javacool (http://www.javacoolsoftware.com/spywareblaster.html).

If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial49.html) at Bleeping Computer.

SpywareGuard
Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spywares.

You can download SpywareGuard from Javacool (http://www.javacoolsoftware.com/spywareguard.html).

If you need help in using SpywareGuard, you can SpywareGuard's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial50.html) at Bleeping Computer.

IE-SPYAD
IE-SPYAD adds over 5000 sites to your Internet Explorer restricted zone so that you will be protected if the website turns out to be a bad one. Sites that are in the restricted zone of Internet Explorer can't have any scripts ran, no downloads and cookies. However, you can still connect to these sites.

You can download IE-SPYAD from Spyware Warrior (http://www.spywarewarrior.com/uiuc/resource.htm). Be sure to read the whole website carefully for instructions on usage of IE-SPYAD.

Hosts File
A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

MVPS Hosts File (http://www.mvps.org/winhelp2002/hosts.htm)
Bluetack's Hosts File (http://www.bluetack.co.uk/forums/index.php?showtopic=8406)
Bluetack's Host Manager (http://www.bluetack.co.uk/forums/index.php?autocom=faq&CODE=02&qid=16)
hpHosts (http://hphosts.mysteryfcm.co.uk/?s=Download)

A tutorial (http://forum.malwareremoval.com/viewtopic.php?t=22187) about Hosts File can be found at Malware Removal.

a-squared Free
a-squared Free is also another program for scanning spywares and adwares. It doesn't have preventive features like Spybot Search & Destroy though.

You can download a-squared Free from here (http://www.emsisoft.com/en/software/download/).

Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs (http://www.spywarewarrior.com/rogue_anti-spyware.htm) and Malwarebytes RogueNET (http://www.malwarebytes.org/roguenet.php). This will save you from a lot of trouble. If in doubt, don't ever download it.

SiteHound Toolbar
SiteHound (http://www.firetrust.com/en/products/sitehound) is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

Winpatrol
Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here (http://www.winpatrol.com/features.html).

You can get a free copy (http://www.winpatrol.com/wpsetup.exe) of Winpatrol or use the Plus version (http://winpatrol.stores.yahoo.net/winplusmemre.html) for more features.

You can read Winpatrol's FAQ (http://www.winpatrol.com/faq.html) if you run into problems.

Use an alternative Internet Browser

Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead.

Firefox (http://www.mozilla.com/en-US/firefox/)
Opera (http://www.opera.com/download/)
K-Meleon (http://kmeleon.sourceforge.net/download.php)

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird (http://www.mozilla.com/en-US/thunderbird/) or Pegasus Mail (http://www.pmail.com/) instead.

Here are some more things to read about:

List of clean and infected download managers (http://www.safer-networking.org/en/articles/download-managers.html)
Configuring Skype (http://www.tcd.ie/iss/internet/skype.php)
Greater email safety (http://surfthenetsafely.com/ieseczone7.htm)
Phishing - what is it? (http://surfthenetsafely.com/phishing.htm)
Configuring Outlook Express (http://surfthenetsafely.com/slides/oeconfigureslide1.htm)
The Unofficial Cookie FAQ (http://www.cookiecentral.com/faq)
Securing your home wireless network (http://www.windowsecurity.com/articles/Wireless-Network-Security-Home.html)
80 Super Security Tips (http://www.pcmag.com/article2/0,1895,1838690,00.asp)
The different classes of security softwares (http://wiki.castlecops.com/Different_classes_of_security_software)
cakes
2008-01-10, 17:39
Thanks for all your help.

cakes