Another virtumonde infection :(



6stringevil
2007-08-04, 08:24
Hi, I went through this forum and saw many Virtumonde-affected people posting here. I tried going through all of the steps mentioned in your other topics, but Virtumonde kept crawling back again and again even after using VundoFix and other spyware removal software. I have Spybot, SpyHunter and AVG Anti-Spyware installed, but Virtumonde keeps coming back, so I thought of registering and showing you my logs. Please help me out; I am going nuts :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53, on 2007-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Documents and Settings\6stringevil\Start Menu\Programs\Startup\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - C:\WINDOWS\system32\hggheeb.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6019A00E-60FC-43DA-994B-CD6AC344DD9D} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9F9E1CDA-7B57-4D63-9D41-EABD48178B6F} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {ED0D5B46-2470-4A42-A6D6-652E5B1B47B1} - C:\WINDOWS\system32\geebc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {C70E30C7-140A-4166-A2E8-43557E62B41A} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: TeaTimer.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\program files\microsoft office\office10\excel.exe/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145002959796
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92403600-8966-4CC7-A6A7-5D3DB193A536}: NameServer = 192.168.222.4,202.88.149.6
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: hggheeb - hggheeb.dll (file missing)
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11071 bytes

I know the O20 lines are the DLLs for Virtumonde, but I cannot delete them; not even Vundo scans identify them. I have uploaded them to the uploadmalware.com site too. Please, sir, help me out!!!
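A defender-side triage of the O2 (BHO) and O20 (Winlogon Notify) lines the thread turns on, as an added example that is not code from the thread, the helper, or HijackThis: it parses both line formats, flags registrations whose file is missing or whose Winlogon Notify DLL is not on a vetted allowlist, and treats "(no name)" on its own as a weak signal, since Spybot's SDHelper.dll is also unnamed. The sample lines are copied in shape from the log above; the LMIinit line and the allowlist are constructed assumptions.

```python
"""Triage of HijackThis O2 and O20 lines.

Constructed example: the allowlist is something the analyst maintains, and
nothing here deletes or modifies anything; it only reports what to verify.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log. Line shapes follow a HijackThis v2 report; the LMIinit
# entry is added here as an assumed known-good (LogMeIn) Winlogon Notify DLL.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - C:\WINDOWS\system32\hggheeb.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: hggheeb - hggheeb.dll (file missing)
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\system32\LMIinit.dll
"""

# Assumed allowlist of Winlogon Notify DLL basenames the analyst has vetted.
KNOWN_GOOD_NOTIFY = frozenset({"lmiinit.dll"})

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

MISSING_SUFFIX = " (file missing)"


@dataclass
class Finding:
    section: str
    name: str
    path: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return (section, name, clsid, path) for an O2/O20 line, else None."""
    m = O2_RE.match(line)
    if m:
        return "O2", m["name"], m["clsid"], m["path"]
    m = O20_RE.match(line)
    if m:
        return "O20", m["name"], None, m["path"]
    return None


def classify(section, name, path, allowlist=KNOWN_GOOD_NOTIFY):
    """Apply the triage rules to one parsed entry; return a Finding or None."""
    high, low = [], []
    missing = path.endswith(MISSING_SUFFIX) or path == "(no file)"
    dll = path[: -len(MISSING_SUFFIX)] if path.endswith(MISSING_SUFFIX) else path
    basename = dll.rsplit("\\", 1)[-1].lower()
    if missing:
        high.append("registration present but file absent: orphaned or hidden component")
    if section == "O20":
        if "\\" not in dll:
            high.append("Notify DLL registered by bare filename (resolved via search path)")
        if basename not in allowlist:
            high.append("Winlogon Notify DLL not on the vetted allowlist")
    if name == "(no name)":
        low.append("BHO has no display name (weak signal on its own)")
    if not high and not low:
        return None
    return Finding(section, name, path, "high" if high else "low", high + low)


def triage(log_text, allowlist=KNOWN_GOOD_NOTIFY):
    """Run every O2/O20 line of a HijackThis log through classify()."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        section, name, _clsid, path = parsed
        finding = classify(section, name, path, allowlist)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.name}: {f.path}")
        for reason in f.reasons:
            print("    -", reason)
```

A "high" finding still needs confirmation against the registry key and the on-disk file; the allowlist is what keeps a legitimate Notify DLL such as LogMeIn's from being flagged.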

6stringevil
2007-08-04, 08:26
Also, to let you know, I have Java SDK 1.6.0 installed and updated the JRE last night. Do I need to update the JDK too? Does it matter?

pskelley
2007-08-04, 15:25
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page, and it will help you avoid mistakes like this:

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to 'bumping'.

It looks like you have killed the Vundo infection, but you have another trojan: C:\WINDOWS\SYSTEM32\winhdn32.dll. Here is the Google:
http://www.google.com/search?hl=en&q=winhdn32.dll&btnG=Google+Search
and Prevx: http://spywaredlls.prevx.com/RRHDIC3925959/WINHDN32.DLL.html
says it is Malware Group: Rootkit Haxdoor. Since we may be dealing with a Rootkit infection, let's tackle that first.

(turn your spyware tools off so they won't block the tools we must use)

1) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

2) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

3) Please download HaxFix.exe
http://users.telenet.be/marcvn/tools/haxfix.exe
Save it to the Desktop.
Double click on haxfix.exe to install.
Check: "Create a desktop icon"
Click: "Next"
When the installation is completed, make sure "Launch HaxFix" is checked.
Click "Finish"
A red "DOS window" opens with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix starts scanning the computer.
When finished, a logfile opens: haxlog.txt
Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt)
Please post the contents of haxfix.txt.

Thanks

6stringevil
2007-08-05, 07:26
Actually, my ComboFix was showing problems when I used it earlier. I use TeaTimer to stop Virtumonde from making registry changes; I blacklisted a weird '.dll' file from making registry changes. When ComboFix was on, TeaTimer kept nagging me with the blacklist entry. I got irritated and cancelled ComboFix.

After posting here I ran ComboFix again; it had this log to show:

ComboFix 07-08-03.4 - "6stringevil" 2007-08-04 11:04:12.2 [GMT 5.5:30] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\6STRIN~1\APPLIC~1.\sks~1
C:\Program Files\Common Files\{603E2~1
C:\Program Files\perfect codec
C:\WINDOWS\system32\components
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\winhdn32.dll
C:\WINDOWS\system32\wwrpfoer.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-07-04 to 2007-08-04 )))))))))))))))))))))))))))))))


2007-08-03 23:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 21:49 <DIR> d-------- C:\HJT
2007-08-03 20:25 <DIR> d-------- C:\VundoFix Backups
2007-08-02 22:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-02 09:58 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 09:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-08-01 20:42 520,192 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-08-01 20:41 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-01 12:50 <DIR> d-------- C:\DOCUME~1\6STRIN~1\APPLIC~1\SmartFTP
2007-08-01 12:49 <DIR> d-------- C:\Program Files\SmartFTP Client
2007-07-31 02:07 23 --ahs---- C:\WINDOWS\system32\dffcfdc_r.dll
2007-07-31 00:59 <DIR> d-------- C:\DOCUME~1\WYSIWYG\Phone Browser
2007-07-30 23:50 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-07-30 23:50 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-07-30 23:50 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-07-30 23:50 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-07-30 23:50 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-07-30 23:50 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-07-30 23:50 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-07-30 23:50 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-07-30 23:50 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-07-30 23:50 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-07-30 23:50 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-07-30 23:50 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-07-30 23:50 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-07-30 23:49 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-07-30 23:49 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-07-30 23:49 82,432 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-07-30 23:49 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-07-30 23:49 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-07-30 23:49 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-07-30 23:49 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-07-30 23:49 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-07-30 23:49 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2007-07-30 23:49 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-07-30 23:49 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-07-30 23:49 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2007-07-30 23:49 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2007-07-30 23:49 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-07-30 23:49 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-07-30 23:49 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-07-30 23:49 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-07-30 23:49 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2007-07-30 23:49 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-07-30 23:49 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2007-07-30 23:49 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2007-07-30 23:49 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-07-30 23:49 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2007-07-30 23:49 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-07-30 23:49 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2007-07-30 23:49 33,599 --a--c--- C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-07-30 23:49 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2007-07-30 23:49 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2007-07-30 23:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-07-30 23:49 29,311 --a--c--- C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-07-30 23:49 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-07-30 23:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-07-30 23:49 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-30 23:49 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-07-30 23:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2007-07-30 23:49 23,615 --a--c--- C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-07-30 23:49 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-07-30 23:49 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-07-30 23:49 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-07-30 23:49 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2007-07-30 23:49 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2007-07-30 23:49 19,551 --a--c--- C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-07-30 23:49 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-07-30 23:49 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-07-30 23:49 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-07-30 23:49 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-07-30 23:49 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2007-07-30 23:49 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-07-30 23:49 12,415 --a--c--- C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-07-30 23:49 12,127 --a--c--- C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-07-30 23:49 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2007-07-30 23:49 11,775 --a--c--- C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-07-30 23:49 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2007-07-30 23:48 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-07-30 23:48 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2007-07-30 23:48 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2007-07-30 23:48 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-07-30 23:48 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2007-07-30 23:48 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2007-07-30 23:48 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2007-07-30 23:48 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2007-07-30 23:48 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2007-07-30 23:48 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2007-07-30 23:48 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2007-07-30 23:48 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-07-30 23:48 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-07-30 23:48 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-07-30 23:48 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2007-07-30 23:48 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-07-30 23:48 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2007-07-30 23:48 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-07-30 23:48 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2007-07-30 23:48 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-07-30 23:48 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2007-07-30 23:48 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys

6stringevil
2007-08-05, 07:27
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-04 08:31 --------- d-------- C:\Program Files\Mozilla Firefox 2 Beta 2
2007-08-01 21:10 --------- d-------- C:\DOCUME~1\6STRIN~1\APPLIC~1\ATI
2007-08-01 20:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-31 02:16 --------- d-------- C:\Program Files\Tally 7.2
2007-07-31 02:16 --------- d-------- C:\Program Files\Syncrosoft
2007-07-31 02:16 --------- d-------- C:\Program Files\Recolored
2007-07-31 02:16 --------- d-------- C:\Program Files\RADVideo
2007-07-31 02:16 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-07-31 02:16 --------- d-------- C:\Program Files\LogMeIn
2007-07-31 02:16 --------- d-------- C:\Program Files\LimeWire
2007-07-31 02:16 --------- d-------- C:\Program Files\Last.fm
2007-07-31 02:16 --------- d-------- C:\Program Files\Easy Icon Maker
2007-07-31 02:16 --------- d-------- C:\Program Files\DAP
2007-07-31 02:07 --------- d-------- C:\Program Files\jv16 PowerTools 2006
2007-07-31 02:01 41 --a------ C:\WINDOWS\system32\be8_s.dll
2007-07-28 23:37 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-28 20:51 --------- d-------- C:\Program Files\ASIO4ALL v2
2007-07-22 22:52 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-22 20:29 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-11 21:25 --------- d-------- C:\Program Files\Windows NT
2007-07-04 22:22 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-25 22:16 28 --a------ C:\WINDOWS\system32\substpntx8.dll
2007-05-16 20:42 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 20:42 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 20:42 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 20:42 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 20:42 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 20:42 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 14:54 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-04-17 13:41 59376 --a------ C:\DOCUME~1\6STRIN~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-03-21 13:37 16056 --a------ C:\Program Files\owcstp16.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A4A2D56-931A-4733-9121-033A2D95A274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6019A00E-60FC-43DA-994B-CD6AC344DD9D}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F9E1CDA-7B57-4D63-9D41-EABD48178B6F}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED0D5B46-2470-4A42-A6D6-652E5B1B47B1}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 09:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 12:49]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-30 10:02]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 12:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\6stringevil\Start Menu\Programs\Startup\
TeaTimer.exe [2005-05-31 01:04:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2003-12-17 12:10:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoLowDiskSpaceChecks"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"StartmenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-10-06 20:56 11504 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhdn32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^6stringevil^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^6stringevil^Start Menu^Programs^Startup^BOINC Manager.lnk]
backup=C:\WINDOWS\pss\BOINC Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^6stringevil^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
backup=C:\WINDOWS\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^6stringevil^Start Menu^Programs^Startup^Shortcut to msnmsgr.lnk]
backup=C:\WINDOWS\pss\Shortcut to msnmsgr.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMONTRAY]
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"e:\PowerDvd PLayer\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="e:\PowerDvd PLayer\PDVDServ.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"SpyHunter"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

R1 sf;SFI Service;C:\WINDOWS\system32\drivers\sf.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\RaInfo.sys
R2 Nsynas32;Nsynas32;C:\WINDOWS\system32\drivers\Nsynas32.sys
R2 sfcure01;StarForce Cure Driver (version 1.x);C:\WINDOWS\system32\drivers\sfcure01.sys
R2 SIODRV;SIODRV;\??\C:\WINDOWS\system32\drivers\SIODRV.SYS
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 SMBios;Intel (R) System Management BIOS Service;C:\WINDOWS\system32\DRIVERS\SMBios.sys
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\system32\DRIVERS\smb.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 KCIRDA;%KCIRDA.ServiceDesc%;C:\WINDOWS\system32\DRIVERS\KCIrNet.sys
S3 MAFWBOOT;Bootloader Service for M-Audio FW Driver (WDM);C:\WINDOWS\system32\DRIVERS\mafwboot.sys
S3 MidiSyn;MidiSyn;C:\WINDOWS\system32\drivers\MidiSyn.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\SF-620.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys
S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\W700bus.sys
S3 W700mdfl;Sony Ericsson W700 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\W700mdfl.sys
S3 W700mdm;Sony Ericsson W700 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\W700mdm.sys
S3 W700mgmt;Sony Ericsson W700 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\W700mgmt.sys
S3 W700obex;Sony Ericsson W700 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\W700obex.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3593a116-38f6-11dc-9c08-0008a166949e}]
1\Command- J:\.\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b8b85a8-0a78-11dc-9adc-0008a166949e}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7eb47cd4-7baf-11db-98e6-0008a166949e}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52d0e18-24d2-11dc-9b7d-0008a166949e}]
Auto\command- J:\sal.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe


Contents of the 'Scheduled Tasks' folder
2007-08-04 05:46:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-04 11:13:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000006f
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4160BB02-1171-62A5-1DC6-547CF16A3B58}]
"jaajfcdfgngckjgbapek"=hex:61,61,00,00
"kaajfcdfaplfoiknkjkdln"=hex:61,61,00,00
"faajfcdfpofc"=hex:66,61,63,6a,6b,66,69,68,6b,64,64,65,00,00

scanning hidden files ...

scan completed successfully
hidden files: 0

6stringevil
2007-08-05, 07:29
**************************************************************************

Completion time: 2007-08-04 11:16:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-04 11:16

--- E O F ---

And the quarantine list had this



2004-12-03 15:50 20544 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\sfsync02.sys.vir
2007-07-28 22:46 19968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winhdn32.dll.vir
2007-07-29 22:59 69184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wwrpfoer.dll.vir
2007-08-04 11:09 1488 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_SFSYNC02.reg.cf
2007-08-04 11:09 2572 --a------ C:\Qoobox\Quarantine\Registry_backups\services_sfsync02.reg.cf
2007-08-04 11:09 860 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf


Folder PATH listing for volume Crypt
Volume serial number is 00080188 603E:2F3C
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---system32
    |           |   winhdn32.dll.vir
    |           |   wwrpfoer.dll.vir
    |           |
    |           \---drivers
    |                   sfsync02.sys.vir
    |
    \---Registry_backups
            LEGACY_RUNTIME.reg.cf
            LEGACY_SFSYNC02.reg.cf
            services_sfsync02.reg.cf



And soon after I scanned using Spybot, no more Virtumonde infections were there...
Just now I used HaxFix and this is what it says:

HAXFIX logfile - by Marckie

version 4.48
Sun 08/05/2007 9:31:45.09

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
Aspi32
tmcomm

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 09:31:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\DAP\History\WYSIWYG\20070729.dat
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\01\10-{A605E699-349B-A4A5-CF73-C524BBA0E577}-v1-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\11\11-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v11-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1308 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\11\11-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v11-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 152 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\12\12-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v12-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1524 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\12\12-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v12-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 168 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\13\13-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v13-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1380 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\13\13-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v13-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 152 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\14\14-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v14-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1416 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\14\14-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v14-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 160 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\15\15-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v15-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1578 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\15\15-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v15-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 176 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\16\16-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v16-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1380 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\16\16-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v16-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 152 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\17\17-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v17-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1182 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\17\17-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v17-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 136 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\18\18-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v18-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1254 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\18\18-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v18-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 136 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\19\19-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v19-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1506 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\19\19-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v19-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 168 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\20\20-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v20-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1398 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\20\20-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v20-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 152 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\21\21-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v21-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1704 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\21\21-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v21-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 176 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\24\24-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v24-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 624 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\kris_goli@hotmail.com\DfsrPrivate\Staging\CS{A605E699-349B-A4A5-CF73-C524BBA0E577}\24\24-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v24-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 80 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\84.karthik@gmail.com\SharingMetadata\puneet_pr@hotmail.com\DFSR\Staging\CS{7E0380D6-A719-7062-A0BC-4FA0C876853B}\01\25-{7E0380D6-A719-7062-A0BC-4FA0C876853B}-v1-{0AC26F7D-0D18-4FCB-8B68-07FA31C77AA3}-v25-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\6stringevil\Local Settings\Application Data\Microsoft\Messenger\karthik.nanda@passport.com\SharingMetadata\puneet_pr@hotmail.com\DFSR\Staging\CS{E85A31E3-61D6-243B-A9D9-2BDD3745F338}\01\10-{E85A31E3-61D6-243B-A9D9-2BDD3745F338}-v1-{9DC81365-2D2C-4038-833F-599E81CD4302}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\WYSIWYG\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat
C:\Documents and Settings\WYSIWYG\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 30


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

I guess my problem is solved!! What say?
If it is, I would really thank you for making this happen. I almost thought of replacing my Win XP copy.. but you saved me from trouble!!! I really appreciate it. I'll be getting a job in Java software programming soon. I'll try my best to donate something !!! :)


P.S. I downloaded the AVG rootkit thing 3 days back and it never showed any infection? How come.. ?? And you said it's a rootkit problem!! Would like to know this!!
Sorry for 3 posts, I read the rules and your quote thing.. but my post was wayyyyy too long.. I couldn't fit it in one !!

pskelley
2007-08-05, 12:40
Thanks for returning the information I requested. I may well have asked for a combofix log during the cleanup, but I would appreciate it if you would post only what I request.

I am trying to make sure your computer is clean of malware. If you have decided this is the case and wish me to close this topic, please let me know; otherwise:

Post a new HJT log.


Thanks

6stringevil
2007-08-05, 21:35
Damn!! You were right :'(
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:56 AM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Documents and Settings\6stringevil\Start Menu\Programs\Startup\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\HJT\scanner2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6019A00E-60FC-43DA-994B-CD6AC344DD9D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9F9E1CDA-7B57-4D63-9D41-EABD48178B6F} - (no file)
O2 - BHO: (no name) - {ED0D5B46-2470-4A42-A6D6-652E5B1B47B1} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: TeaTimer.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\program files\microsoft office\office10\excel.exe/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145002959796
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92403600-8966-4CC7-A6A7-5D3DB193A536}: NameServer = 192.168.222.4,202.88.149.6
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10779 bytes

pskelley
2007-08-05, 22:45
Thanks for returning your information. Let's start with this information:
http://www.greatis.com/appdata/u/d/dap.exe.htm
http://process.networktechs.com/DAP.EXE.php
http://www.castlecops.com/clsid-41.html
I suggest you uninstall DAP from your computer.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - (no file)
O2 - BHO: (no name) - {6019A00E-60FC-43DA-994B-CD6AC344DD9D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9F9E1CDA-7B57-4D63-9D41-EABD48178B6F} - (no file)
O2 - BHO: (no name) - {ED0D5B46-2470-4A42-A6D6-652E5B1B47B1} - (no file)
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the AVG Anti-Spyware scan report and a new HJT log. Let me know how the computer is running.

Thanks
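An added example, not part of the thread and not HijackThis or pskelley's own code: a small Python helper that parses HJT log lines, flags the two kinds of entries the fix list above is built from (O2 BHOs reported as "(no file)", and O20 Winlogon Notify entries whose target is a bare directory instead of a DLL), and checks which fix-list lines reappear in a later log, which is how this thread tells whether a "Fix checked" actually stuck. The sample log lines are constructed from the ones posted in the thread.

```python
"""Helpers for reading HijackThis (HJT) logs posted in malware-removal threads.

Constructed sample data below; the regex and flags reflect HJT's printed
format ("O2 - BHO: name - {CLSID} - path", "O20 - Winlogon Notify: name - path"),
not any internal HJT API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Section tag ("R0", "O2", "O20", ...) followed by " - " and the rest of the line.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<rest>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O2", "O20"
    rest: str     # everything after the "O2 - " prefix


def parse_hjt(log_text: str) -> list[HjtEntry]:
    """Return the HJT entries in a log, skipping the header and process list."""
    entries = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("rest")))
    return entries


def is_orphaned_bho(e: HjtEntry) -> bool:
    """O2 BHO whose CLSID is still registered but whose DLL is gone from disk;
    HJT prints "(no file)" where the path would be."""
    return e.section == "O2" and e.rest.endswith("(no file)")


def is_bare_dir_notify(e: HjtEntry) -> bool:
    """O20 Winlogon Notify entry whose target ends in a backslash, i.e. a
    directory rather than the DLL a Notify package is supposed to load."""
    return e.section == "O20" and e.rest.endswith("\\")


def flag_entries(log_text: str) -> list[HjtEntry]:
    """Entries a helper would ask to have fixed, in log order."""
    return [e for e in parse_hjt(log_text) if is_orphaned_bho(e) or is_bare_dir_notify(e)]


def surviving(fix_list_text: str, later_log_text: str) -> list[str]:
    """Fix-list lines that reappear verbatim in a later log (the fix did not stick)."""
    fix = {ln.strip() for ln in fix_list_text.splitlines() if ln.strip()}
    later = {ln.strip() for ln in later_log_text.splitlines()}
    return sorted(fix & later)


# Constructed sample: the lines the helper asked the poster to fix.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - (no file)
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\
O2 - BHO: (no name) - {ED0D5B46-2470-4A42-A6D6-652E5B1B47B1} - (no file)
"""

# Constructed sample of a later log: the Start Page line is gone, but the
# orphaned BHOs and the Winlogon Notify entry are back.
LATER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - (no file)
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\
O2 - BHO: (no name) - {ED0D5B46-2470-4A42-A6D6-652E5B1B47B1} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    for e in flag_entries(LATER_LOG):
        print(f"flagged: {e.section} - {e.rest}")
    for line in surviving(FIX_LIST, LATER_LOG):
        print(f"came back after fix: {line}")
```

Entries that survive a fix and reboot are the signal that something still running is re-creating them (or that a resident shield blocked the change), which is exactly why the instructions above insist on disabling Defender, the AVG Resident Shield and TeaTimer first.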

6stringevil
2007-08-06, 17:04
Hi,
In normal Windows mode the system hangs and shuts down all of a sudden. I can't use my system in normal mode, therefore I switched to safe mode and did it in the exact same manner as you prescribed.
I have an ATI Radeon 9200 which has been updated with recent drivers, but it acts very weird and shows pink trails whenever a window or the mouse is dragged. After restart the system fails to show a display. Now I am using the onboard graphics to post!! :P
The following is the report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:25 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Documents and Settings\6stringevil\Start Menu\Programs\Startup\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\scanner2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6019A00E-60FC-43DA-994B-CD6AC344DD9D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9F9E1CDA-7B57-4D63-9D41-EABD48178B6F} - (no file)
O2 - BHO: (no name) - {ED0D5B46-2470-4A42-A6D6-652E5B1B47B1} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: TeaTimer.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\program files\microsoft office\office10\excel.exe/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145002959796
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92403600-8966-4CC7-A6A7-5D3DB193A536}: NameServer = 192.168.222.4,202.88.149.6
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10634 bytes


winhdn is still there :(

6stringevil
2007-08-06, 17:08
I tried uninstalling DAP but it kept asking for install.log, which was not present, and I don't know how it got deleted. I tried deleting manually but it fails to delete the History and Privacy Package folders. When I try to open History>UserFolders inside it the system says "Access Denied".
If I try to delete the Privacy Package folder it says
"Cannot Delete DAPCtxMenuShell.dll: Access Denied"

pskelley
2007-08-06, 17:46
All of the junk I asked you to remove is still there; none of that stuff is malware, just leftover trash. If you do not disable Windows Defender and AVG Anti-Spyware, HJT can't remove the stuff.

I have ATI radeon 9200 is been updated with recent drivers but it acts very weird and shows pink trails whenever a window is dragged or mouse is dragged
Sounds to me like you have a bad driver, I suggest you go there for help:
http://ati.amd.com/products/radeon9200/radeon9200/index.html
http://forums.xgenstudios.com/showthread.php?p=1563165
http://www.google.com/search?hl=en&q=ATI+radeon+9200+forum&btnG=Search

Thanks

6stringevil
2007-08-06, 18:16
Hey!!
I followed the exact procedure 2 times. I tried removing those keys. They seemed to be removed at first sight, but after restart they cropped up again. This time I ended all processes of AVG and Defender, then fixed those keys again.. To my surprise TeaTimer asked about a change in registry values, which it never did before. This is the log file..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:38 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Documents and Settings\6stringevil\Start Menu\Programs\Startup\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\HJT\scanner2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: TeaTimer.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\program files\microsoft office\office10\excel.exe/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145002959796
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92403600-8966-4CC7-A6A7-5D3DB193A536}: NameServer = 192.168.222.4,202.88.149.6
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9627 bytes

What should I do about Download Accelerator? I am not able to delete it from the system because of the folders problem which I mentioned earlier!! It's still there!!

pskelley
2007-08-06, 18:28
Sorry, TeaTimer is running from here:
O4 - Startup: TeaTimer.exe
I never see it running there?
TeaTimer will block all changes, often we have to uninstall Spybot to make changes because of TeaTimer.

Is DAP running from Add Remove Programs? Post your uninstall list so I can look:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

Were you able to get AVG Anti-Spyware to update and run?


5) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

Thanks

6stringevil
2007-08-06, 19:48
I am sorry, I forgot to paste the AVG Anti-Spyware log earlier; I had saved it at that time:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:05:54 PM 8/6/2007

+ Scan result:



E:\System Volume Information\_restore{056F1D90-2A2A-459C-8FED-48E4DE9ADE2F}\RP589\A0578568.exe -> Logger.Banker : No action taken.


::Report end



Actually I saved the list before deleting this entry. This entry is no longer present.

The uninstall list is as follows:
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.0
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe® Photoshop® Album Starter Edition 3.2
Ambush Pack 1.00 for Pocket Tanks Deluxe
Apache Tomcat 4.0 (remove only)
Ares 1.8.9
ASIO4ALL
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
Bink and Smacker
BlueJ 2.1.3
Caesar IV
CDisplay 1.8
Chaos Pack 1.00 for Pocket Tanks Deluxe
Cool Edit Pro 2.0
CorelDRAW Graphics Suite X3
Cyberoam Client for 24Online
DelinvFile - 2.03
Easy Icon Maker
EN
Firewire Family
Fireworks Pack v1.0 for Pocket Tanks Deluxe
Flamethrower Pack 1.00a for Pocket Tanks Deluxe
FLV Player 1.3.3
FontNav
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Video Player
Gravity Pack v1.0 for Pocket Tanks Deluxe
GT Manager
GTK+ Runtime 2.6.9 rev a (remove only)
Guitar Pro 4
Guitar Pro 5.0
HijackThis 2.0.2
Hitman Blood Money
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Photo and Imaging 2.1 - Scanjet 2400 Series
ImageShack QuickLoad
Intel(R) Active Monitor
Intel(R) Extreme Graphics Driver
iPod Reset Utility
Java Platform, Enterprise Edition 5 SDK
Java Servlet Development Kit 2.0
Java(TM) 6 Update 2
Java(TM) SE Development Kit 6
jv16 PowerTools 2007
K-Lite Codec Pack 2.80 Basic
Last.fm 1.3.1.1
LimeWire PRO 4.13.0
LogMeIn
Macromedia Dreamweaver 8
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX
Megaupload Toolbar
Meteor Pack 1.00 for Pocket Tanks Deluxe
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Mobile Media Converter
Mozilla Firefox (2.0.0.4)
Mozilla Firefox (2.0.0.6)
Mozilla Thunderbird (1.5)
MPEG Encoder 3
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MySQL Connector/ODBC 3.51
Native Instruments Guitar Combos DXi RTAS VST v1.0.0.009
Native Instruments GuitarRig2 RTAS VSTi DXi
Need for Speed™ Carbon
Nero 6 Ultra Edition
NetBeans IDE 4.1
Nokia Connectivity Adapter Cable DKU-5
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
Nuke Pack 1.00 for Pocket Tanks Deluxe
Opera 9
PDF Settings
Pocket Tanks Deluxe 1.00a
Power Pack 1.00 for Pocket Tanks Deluxe
PowerDVD
Prince of Persia Warrior Within
QuickTime Alternative 1.69
Real Alternative 1.48
RealPlayer
Reason
Recolored 1.0.1
R-STUDIO network edition v2.0
SmartFTP Client
Sony Ericsson Themes Creator 2.31
Sony USB Driver
SoundMAX
Spybot - Search & Destroy 1.4
Steinberg Nuendo v3.0.2.623
Super Pack v1.1 for Pocket Tanks Deluxe
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
System Requirements Lab
Transport Tycoon Deluxe
TRS2006
TTDAlter
Ulead DVD MovieFactory 5 TBYB
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update Manager
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar

No DAP!!

pskelley
2007-08-06, 20:54
Actually i saved the list before deleting this entry. This entry is no longer present.
That item is in your System Restore files, they are protected Windows files and no program can delete them. The only way to clean them I will post below in a moment.


See this: http://www.castlecops.com/clsid-30914.html
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

Remove from your computer all programs you downloaded for the cleanup. You may keep ATF-Cleaner if you like but delete all other, including any backups or quarantines.

I suggest you do this:
Turn off TeaTimer, Windows Defender and AVG Anti-Spyware.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

6stringevil
2007-08-08, 07:57
Thanks a lot man.. I really really appreciate that.
The winhdn32 registry entry kept coming up even after removing it through HJT. HJT never showed it after deleting, but after restart it did.
Anyway, the blank BHO (no file) list is still there even after deleting it 4-5 times.. but no more infections I guess..
This is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:02 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Documents and Settings\6stringevil\Start Menu\Programs\Startup\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
c:\hjt\scanner2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: TeaTimer.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\program files\microsoft office\office10\excel.exe/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145002959796
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92403600-8966-4CC7-A6A7-5D3DB193A536}: NameServer = 192.168.222.4,202.88.149.6
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9433 bytes


If you think the problem is no longer there you can lock this thread. I ran a spyware scan with Spybot and AVG and nothing was found!! Apart from cookies!!
From the bottom of my heart I would like to say
THANKS!! No one takes much pain to solve an unknown entity's problem these days...
I am thanking a teacher here!! :laugh:

pskelley
2007-08-08, 12:20
You have a few lines that ARE NOT malware, just trash. You can remove them if you wish:
The first one is because of the way your browser Start Page is set in IE:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

These are just dead lines:
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

Remember you can't remove them with HJT with TeaTimer running.

The rest of the HJT log looks fine.

Thanks
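The triage pskelley does by eye above (O2 entries ending in "(no file)" are orphaned registry keys rather than malware, and everything else is judged by where its binary lives) can be automated over the HJT log text. The script below is an added example written for this page; it is not part of HijackThis, Spybot or anything the posters used. Its regexes cover only the O2/O3/O4/O23 line shapes that appear in the log above, the "standard-location" / "user-writable-location" heuristics are this example's own and are a prompt for a human to look closer, not a malware verdict, and the sample input is a handful of lines copied from the log above plus one constructed O4 line (marked as such) so that the user-writable branch is exercised.

```python
"""Triage of HijackThis (HJT) log lines.

Parses O2 (BHO), O3 (toolbar), O4 (autostart) and O23 (service) lines,
pulls out the CLSID and the backing file, and sorts each entry into:
  orphaned               - "(no file)": dead registry key, safe to Fix Checked
  standard-location      - file under Windows or Program Files
  user-writable-location - file under a user profile or a Temp dir: look closer
  unknown                - could not resolve (e.g. bare Startup-folder name)
The location heuristics are this example's own, not HijackThis's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ORPHANED, STANDARD, USER_WRITABLE, UNKNOWN = (
    "orphaned", "standard-location", "user-writable-location", "unknown")

# 8.3 short names (C:\PROGRA~1) are common in legitimate entries, so they are
# treated the same as the long form; compare case-insensitively.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_PREFIXES = ("c:\\documents and settings\\",)


@dataclass
class Entry:
    kind: str             # HJT section: O2, O3, O4 or O23
    name: str
    clsid: Optional[str]  # only O2/O3 carry a CLSID
    path: Optional[str]   # None when the log says "(no file)"
    verdict: str


# First matching pattern wins. Two O4 shapes: registry Run keys ("[name] cmd")
# and Startup-folder items ("name = path", or just "name").
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")),
    ("O3", re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?:Global )?Startup: (?P<name>[^=]*?)(?: = (?P<target>.*))?$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - .*? - (?P<target>.*)$")),
]


def extract_path(target: str) -> Optional[str]:
    """Pull the file path out of an HJT target field: handles "quoted" paths
    with arguments, bare paths with arguments and the (User '...') suffix."""
    target = target.strip()
    if target == "(no file)":
        return None
    m = re.match(r'^"([^"]+)"', target)
    if m:
        return m.group(1)
    m = re.match(r"^(.+?\.(?:exe|dll|lnk|htm))\b", target, re.IGNORECASE)
    return m.group(1) if m else (target or None)


def classify(path: Optional[str]) -> str:
    if path is None:
        return ORPHANED
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return STANDARD
    if p.startswith(USER_PREFIXES) or "\\temp\\" in p:
        return USER_WRITABLE
    return UNKNOWN  # relative name or unfamiliar drive/dir: resolve by hand


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            target = g.get("target")
            # A Startup-folder item without "= path" is just a file name.
            path = extract_path(target) if target is not None else g["name"]
            entries.append(Entry(kind, g["name"], g.get("clsid"), path, classify(path)))
            break
    return entries


def orphaned_clsids(entries: List[Entry]) -> List[str]:
    """CLSIDs of dead BHO/toolbar keys: the lines safe to tick in HJT."""
    return [e.clsid for e in entries if e.verdict == ORPHANED and e.clsid]


def needs_review(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.verdict in (USER_WRITABLE, UNKNOWN)]


def summary(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


# Lines copied from the log above; the [constructed-example] line is constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Startup: TeaTimer.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - HKCU\..\Run: [constructed-example] C:\Documents and Settings\user\Local Settings\Temp\constructed.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("summary:", summary(found))
    print("safe to Fix Checked (dead CLSIDs):", orphaned_clsids(found))
    for e in needs_review(found):
        print(f"review: {e.kind} [{e.name}] -> {e.path} ({e.verdict})")
```

On the sample the two "(no name) ... (no file)" BHOs come out as orphaned, which matches the advice above that they are trash rather than malware; TeaTimer.exe is reported as unknown only because the O4 Startup line carries no full path, and the constructed Temp entry is what a real user-writable hit would look like. A "standard-location" verdict is not a clean bill of health: malware can and does drop into C:\WINDOWS\system32, so the verdict only says the file is in a place where vendor, signature and hash should be checked next, which this log-only script cannot do.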

pskelley
2007-08-18, 03:35
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.