WinantivirusPro2007
SeeTheSound
2007-08-13, 19:33
Hi,
I got these WinAntiVirusPro 2007 pop-ups, and I have not installed it. I've run Avast, Ad-Aware and SUPERAntiSpyware, but the pop-ups keep coming back.
I have disconnected from the internet and the network.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:09:56 PM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Ronaldo\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seethesound.com.br/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.aflashcounter.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111186} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119985754869
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C30FD2-8DA6-427E-BE54-360E76B72468}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{60BF2146-686F-48A6-A2A3-D6745041FD2E}: NameServer = 85.255.116.171,85.255.112.228
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\tuvusqn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
I appreciate any help.
Ronaldo
I forgot to mention,
Avast moved to Chest these files from C:\WINDOWS\system32 :
kernel32.dll
winsock.dll
wsock32.dll
Hello,
Welcome to Safer Networking.
Please reply to this post only by clicking on Post Reply and not start a New Topic.
Please read this before you post.
http://forums.spybot.info/showthread.php?t=288
I forgot to mention,
Avast moved to Chest these files from C:\WINDOWS\system32 :
kernel32.dll
winsock.dll
wsock32.dll
Not sure why they went to the Chest, as they are legit files.
You have a few issues going on; let's take it step by step. This will find and remove most of WinAntivirus, but you are still infected by Wareout; we will work on that one next.
Please download ComboFix by sUBs from either of these two locations
BleepingComputerComboFix (http://download.bleepingcomputer.com/sUBs/combofix.exe)
TechSupportForumComboFix (http://www.techsupportforum.com/sectools/combofix.exe)
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with a new HJT log, please.
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the Combofix log and a new HJT log please.
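A triage pass over HJT lines of the kind posted above, as an added example (not ken545's procedure and not HijackThis code): it flags the O17 NameServer change, the O20 AppInit_DLLs entry, the O23 service whose binary is missing, and the O16 DPF entry with no download URL. The sample lines are constructed to mirror the posted log; the trusted-resolver allowlist is an assumption (OpenDNS, which is what the later HJT log in this thread shows).

```python
"""Triage a HijackThis 1.99 log for the indicator types discussed in this
thread (O16/O17/O20/O23 lines). Added example, not part of the thread and not
HijackThis code. The sample lines are constructed to mirror the posted log;
TRUSTED_RESOLVERS is an assumption about which DNS servers the owner set."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the same shape as the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {11111111-1111-1111-1111-111111111186} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C30FD2-8DA6-427E-BE54-360E76B72468}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{60BF2146-686F-48A6-A2A3-D6745041FD2E}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\tuvusqn.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: the resolvers the owner actually configured. The second HJT log
# in the thread shows OpenDNS, so that is what is allowlisted here.
TRUSTED_RESOLVERS = (ip_network("208.67.220.0/24"), ip_network("208.67.222.0/24"))

O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) -\s*$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>\S.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def trusted(server):
    """True if the server string is an IP address inside the allowlist."""
    try:
        addr = ip_address(server)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RESOLVERS)


def triage(log_text):
    """Return findings as (severity, hjt_type, reason) tuples, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            # O17: per-adapter NameServer. A resolver outside the allowlist means
            # every lookup on the box is answered by someone else.
            for server in m["servers"].split(","):
                if not trusted(server):
                    findings.append(("high", "O17", f"untrusted NameServer {server}"))
        elif m := O20_RE.match(line):
            # O20: AppInit_DLLs is loaded into every process that links user32.
            findings.append(("high", "O20", f"AppInit_DLLs loads {m['dll']}"))
        elif m := O23_RE.match(line):
            # O23: a service whose binary is gone and whose vendor is unknown is
            # leftover persistence from something already removed.
            if m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
                findings.append(("medium", "O23", f"service {m['name']} -> missing {m['path']}"))
        elif m := O16_RE.match(line):
            # O16: an ActiveX download entry with no source URL is worth a look.
            findings.append(("low", "O16", f"DPF {m['clsid']} has no download URL"))
    return findings


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 1}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, kind, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {reason}")
    print(by_severity(triage(SAMPLE_LOG)))
```

The O17 check is the one that matters most here: the first log has both adapters pointing at 85.255.x resolvers the owner never configured, which is why the helper says the box is still infected even after the pop-up component is removed.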
SeeTheSound
2007-08-16, 04:50
Hi ken545,
I thank you so much for your reply, and I apologize for not replying yesterday. I am out of town on a job, and I will be back home, where the infected computer is, this weekend, and I will do ComboFix by Sunday and reply accordingly.
Thanks again
SeeTheSound
2007-08-20, 05:45
Hi ken545,
I read
http://forums.spybot.info/showthread.php?t=288
and downloaded and ran Spybot.
I also ran SUPERAntiSpyware.
Then I ran ComboFix, and here's the log:
ComboFix 07-08-09.3 - "Ronaldo" 2007-08-19 23:17:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.719 [GMT -3:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Ronaldo\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\Ronaldo\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Ronaldo\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\Ronaldo\APPLIC~1\tmpE.tmp.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\bywwuv.dll
C:\WINDOWS\qrrrtv.ini
C:\WINDOWS\system32\dn5838eb1f.dat
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\vtrrrq.dll
C:\WINDOWS\vuwwyb.ini
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))
2007-08-19 23:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 12:47 26,176 --a------ C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-13 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 20:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-06 20:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\SUPERAntiSpyware.com
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-29 15:52 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-29 15:52 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-29 15:52 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-29 15:52 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-29 15:52 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-29 15:52 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-29 15:51 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-07-29 15:51 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-07-29 15:51 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Riva
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-07-20 20:08 <DIR> d-------- C:\Program Files\Joost
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 23:01 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Skype
2007-07-27 19:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 19:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 19:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 19:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 18:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 18:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 18:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-22 18:18 --------- d-------- C:\Program Files\GbPlugin
2007-07-17 19:06 --------- d-------- C:\Program Files\Windows Desktop Search
2007-07-17 17:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\MSN6
2007-07-08 20:18 --------- d-------- C:\Program Files\Sony
2007-07-08 19:53 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Setup
2007-07-08 19:43 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-07-08 19:41 --------- d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-07-08 19:40 --------- d-------- C:\Program Files\Sony Ericsson
2007-07-07 21:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Teleca
2007-07-07 21:32 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Ericsson
2007-07-07 20:48 --------- d-------- C:\Program Files\Sony Setup
2007-07-05 21:22 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-03 14:00 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\AdobeUM
2007-06-24 07:18 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-21 18:35 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Pamela
2007-06-08 11:32 8704 --a------ C:\WINDOWS\kbdsystil.dll
2007-06-08 11:32 24064 --a------ C:\WINDOWS\dskquota32.dll
2007-06-08 10:39 9728 --a------ C:\WINDOWS\ncscolib.dll
2006-08-29 19:40 93784 --a--c--- C:\DOCUME~1\Ronaldo\APPLIC~1\GDIPFONTCACHEV1.DAT
2001-11-23 01:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2006-03-09 16:14:44 56 --sh--r C:\WINDOWS\system32\49232207F4.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 17:15]
"PCTVOICE"="pctspk.exe" [2003-10-30 07:12 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50]
"nwiz"="nwiz.exe" [2004-10-29 16:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 19:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-07-05 17:18 222376]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2007-02-22 15:00 228392]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\tuvusqn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ronaldo^Start Menu^Programs^Startup^SAM.lnk]
backup=C:\WINDOWS\pss\SAM.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmkzh.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmyhz.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Audio Studio V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Keyboard Enhance V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Plus V7.1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svcsys Registry Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\bywwuv.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXP-98 ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AvgServ"=2 (0x2)
"DNS Client"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ewido security suite control"=2 (0x2)
"ServiceLayer"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"GbpSv"=2 (0x2)
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 GbpSv;Gbp Service;C:\Program Files\GbPlugin\GbpSv.exe
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\sermouse.sys
S3 umpusbxp;UPort 1 on Nokia Adapter;C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys
S4 DNS Client;Domain Client Services;C:\lo-1290668208.exe
Contents of the 'Scheduled Tasks' folder
2007-08-17 03:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 15:00:00 C:\WINDOWS\Tasks\At13.job
2007-08-19 16:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 17:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 18:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 19:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 20:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 21:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 04:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 22:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 23:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 00:00:00 C:\WINDOWS\Tasks\At22.job
2007-08-20 01:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-20 01:59:59 C:\WINDOWS\Tasks\At24.job
2007-08-17 03:01:02 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 04:01:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:01:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 06:01:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 07:01:01 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 08:01:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 09:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 15:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 16:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 17:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 06:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-19 18:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 19:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 20:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 21:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 22:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-19 23:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 00:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 01:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 02:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 07:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 08:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 09:00:01 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\l03h2nqP.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 23:25:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-19 23:28:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 23:27
--- E O F ---
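The 'Scheduled Tasks' section of the ComboFix log above lists 48 At*.job entries that resolve to just two executables in system32. As an added example (not ComboFix code and not ken545's instructions), this groups a ComboFix task listing by target executable so that every job in a chain is visible together rather than one At1.job at a time. The sample lines are constructed in the posted format (the Backup.job line is made up), and looks_random() is a naming heuristic, an assumption rather than a signature.

```python
"""Group the 'Scheduled Tasks' section of a ComboFix log by target executable.
Added example, not ComboFix code and not ken545's instructions. The sample
lines are constructed in the posted format (the Backup.job line is made up);
looks_random() is a naming heuristic, an assumption, not a signature."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a few At*.job lines in the shape of the log above plus a
# made-up benign job, so that the grouping has something to contrast with.
SAMPLE_TASKS = r"""
2007-08-17 03:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-17 04:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 03:01:02 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 04:01:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:01:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-18 02:00:00 C:\WINDOWS\Tasks\Backup.job - C:\Program Files\ExampleBackup\backup.exe
"""

TASK_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<job>\S+\.job)(?: - (?P<target>.+))?$"
)


def parse_tasks(text):
    """Return one dict per task line: when, job (basename), target (or None)."""
    tasks = []
    for raw in text.splitlines():
        m = TASK_RE.match(raw.strip())
        if m:
            tasks.append({"when": m["when"],
                          "job": ntpath.basename(m["job"]),
                          "target": m["target"]})
    return tasks


def _job_key(name):
    """Sort At2.job before At10.job: split the name into text and number."""
    m = re.search(r"(\d+)", name)
    return (re.sub(r"\d+", "", name), int(m.group(1)) if m else -1)


def group_by_target(tasks):
    """Map target executable (None for jobs with no target) -> sorted job names."""
    groups = defaultdict(list)
    for t in tasks:
        groups[t["target"]].append(t["job"])
    return {k: sorted(v, key=_job_key) for k, v in groups.items()}


def looks_random(filename):
    """Heuristic (assumption): short alphanumeric stem mixing letters and digits."""
    stem = ntpath.splitext(filename)[0]
    return (stem.isalnum() and 6 <= len(stem) <= 12
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def suspicious_targets(groups, min_jobs=2):
    """Targets under the Windows directory, with a random-looking name, that are
    fired by several jobs: the pattern in the log above, where one dropped
    binary is re-launched every hour by a whole chain of At*.job entries."""
    hits = []
    for target, jobs in groups.items():
        if target is None:
            continue
        if (len(jobs) >= min_jobs and "\\windows\\" in target.lower()
                and looks_random(ntpath.basename(target))):
            hits.append(target)
    return hits


if __name__ == "__main__":
    groups = group_by_target(parse_tasks(SAMPLE_TASKS))
    for target, jobs in groups.items():
        print(f"{target or '(no target)'}: {', '.join(jobs)}")
    print("suspicious:", suspicious_targets(groups))
```

Jobs with no target (At11.job in the sample) are kept under a None key so they are not lost: a task whose payload has already been deleted still re-creates the chain's schedule and is part of the same cleanup.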
SeeTheSound
2007-08-20, 06:01
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:29:45 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Ronaldo\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seethesound.com.br/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.aflashcounter.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111186} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119985754869
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C30FD2-8DA6-427E-BE54-360E76B72468}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{60BF2146-686F-48A6-A2A3-D6745041FD2E}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\tuvusqn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Thank you very much in advance for all your help.
You still have a bit of a mess on this computer. This is what I need you to do.
We need to make sure all hidden files are showing:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.
You need to boot into Safe Mode to delete these files.
To enter Safe Mode:
Go to Start > Shut off your Computer > Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
Use the Up and Down arrow keys to scroll up to Safe Mode.
Then press the Enter key on your keyboard.
Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Look for and delete this file.
C:\windows\system32\tuvusqn.dll
Now go here: C:\WINDOWS\Tasks\At1.job and delete anything with At1.job
Reboot into normal windows.
Remove this entry with HJT.
O20 - AppInit_DLLs: c:\windows\system32\tuvusqn.dll
REGEDIT4

; Clear the AppInit_DLLs value only. Deleting the whole key with [-KEY] would
; also remove the other values Windows keeps under it, and an unquoted path is
; not valid .reg syntax.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

; Remove the msconfig leftovers for the two startup entries.
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmkzh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmyhz.exe]
Copy the entire contents inside the quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.
Please rerun ComboFix and post the log and a new HJT log.
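Before merging a hand-written REGEDIT4 fix like the one above, it is worth checking that regedit will accept every line and that the file removes only what was intended. What follows is an added example, not code from this thread or from any of the tools mentioned in it: a small parser and linter for .reg files, run over two constructed samples that target the same AppInit_DLLs value and msconfig leftovers. The first sample is a common but faulty form of such a fix (it deletes the whole ...\CurrentVersion\Windows key and leaves the DLL path unquoted); the second is the minimal form that clears just the one value. The SENSITIVE_KEYS list and the AppInit_DLLs check are assumptions made for the example.

```python
"""Lint a REGEDIT4 .reg fix before merging it with regedit.

Added example; not code from the thread. The key names and the DLL path come
from the fix discussed above; SENSITIVE_KEYS and the AppInit_DLLs check are
assumptions made for this example.
"""
import re
from typing import List, Optional, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Keys under which "[-KEY]" would wipe every value, not just the malicious one.
# Hand-picked for this example (lower-case, compared exactly).
SENSITIVE_KEYS = (
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Data regedit accepts: a quoted string, "-" (delete the value), dword:, hex: / hex(N):
DATA_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"|-|dword:[0-9a-fA-F]{8}|hex(?:\([0-9a-fA-F]+\))?:.*)$')

# (kind, key, value name, data or error message)
Op = Tuple[str, Optional[str], Optional[str], Optional[str]]


def parse_reg(text: str) -> List[Op]:
    """Turn a .reg file into operations. Syntax problems become 'error' ops
    instead of exceptions so the linter can report all of them at once."""
    ops: List[Op] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        ops.append(("error", None, None, "line 1: missing REGEDIT4 / 'Windows Registry Editor Version 5.00' header"))
    key: Optional[str] = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                ops.append(("delete_key", key, None, None))
                key = None  # nothing that follows can be written under a key just deleted
            else:
                ops.append(("open_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m:
            ops.append(("error", key, None, f"line {lineno}: not a [key] or \"name\"=data line: {line!r}"))
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        if not DATA_RE.match(data):
            ops.append(("error", key, name, f"line {lineno}: data for {name!r} must be a quoted string, '-', dword: or hex: (got {data!r})"))
        elif key is None:
            ops.append(("error", None, name, f"line {lineno}: value {name!r} has no open key (it follows a [-KEY] line)"))
        else:
            ops.append(("delete_value" if data == "-" else "set_value", key, name, data))
    return ops


def lint_reg(text: str) -> List[str]:
    """Return findings; an empty list means the file parses and touches
    nothing broader than a single value or an expected key."""
    findings: List[str] = []
    for kind, key, name, data in parse_reg(text):
        if kind == "error":
            findings.append(f"syntax: {data}")
        elif kind == "delete_key" and key.lower() in SENSITIVE_KEYS:
            findings.append(f"deletes whole key {key}; clear or delete the single value instead")
        elif kind == "set_value" and name.lower() == "appinit_dlls" and data != '""':
            findings.append(f"sets AppInit_DLLs to {data} instead of clearing it")
    return findings


# Constructed sample 1: a faulty form of the fix. It deletes the whole
# ...\CurrentVersion\Windows key and leaves the DLL path unquoted.
FAULTY = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\tuvusqn.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmkzh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmyhz.exe]
"""

# Constructed sample 2: the minimal form. The key stays, only AppInit_DLLs is
# cleared, and the two msconfig leftovers are removed.
MINIMAL = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dmkzh.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dmyhz.exe]
"""

if __name__ == "__main__":
    for label, text in (("faulty", FAULTY), ("minimal", MINIMAL)):
        print(label, lint_reg(text) or ["ok to merge"])
```

Two details of the format drive the checks: a `[-KEY]` line removes the entire key and everything under it, so a single bad value is cleared by keeping the key open and writing `"AppInit_DLLs"=""` (or `"AppInit_DLLs"=-` to delete the value outright); and string data must be quoted, with backslashes doubled inside the quotes, or regedit will not apply the line.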
SeeTheSound
2007-08-21, 20:13
Step 1
Unchecked both hidden files
Step 2
Rebooted in Safe Mode
Did not find
C:\windows\system32\tuvusqn.dll
Please see a print screen I uploaded to YouSendIt
http://download.yousendit.com/A0A348732733889C
Deleted
C:\WINDOWS\Tasks\At1
I found At10, At11, At12, At13, At14, At15, At16, At17, At18, At19 - should I delete these as well?
Step 3
Rebooted into normal Windows
Removed entry with HJT.
O20 - AppInit_DLLs: c:\windows\system32\tuvusqn.dll
Important - when I clicked "Fix checked", a message appeared "An unexpected error.....", and I clicked OK and HJT did not close, and continued fine.
Please see a print screen I uploaded to YouSendIt
http://download.yousendit.com/5FF6498F7EEFDE4F
Step 4
Did as you asked
"Copy the entire contents inside the quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes."
Step 5
Re-ran ComboFix
Step 6
Re-ran HJT
Please see below ComboFix log
ComboFix 07-08-09.3 - "Ronaldo" 2007-08-21 13:32:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.701 [GMT -3:00]
((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))
2007-08-19 23:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 12:47 26,176 --a------ C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-13 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 20:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-06 20:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\SUPERAntiSpyware.com
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-29 15:52 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-29 15:52 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-29 15:52 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-29 15:52 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-29 15:52 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-29 15:52 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-29 15:51 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-07-29 15:51 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-07-29 15:51 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Riva
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 23:01 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Skype
2007-07-31 23:44 --------- d-------- C:\Program Files\Joost
2007-07-27 19:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 19:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 19:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 19:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 18:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 18:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 18:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-22 18:18 --------- d-------- C:\Program Files\GbPlugin
2007-07-17 19:06 --------- d-------- C:\Program Files\Windows Desktop Search
2007-07-17 17:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\MSN6
2007-07-08 20:18 --------- d-------- C:\Program Files\Sony
2007-07-08 19:53 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Setup
2007-07-08 19:43 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-07-08 19:41 --------- d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-07-08 19:40 --------- d-------- C:\Program Files\Sony Ericsson
2007-07-07 21:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Teleca
2007-07-07 21:32 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Ericsson
2007-07-07 20:48 --------- d-------- C:\Program Files\Sony Setup
2007-07-05 21:22 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-03 14:00 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\AdobeUM
2007-06-24 07:18 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-21 18:35 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Pamela
2007-06-08 11:32 8704 --a------ C:\WINDOWS\kbdsystil.dll
2007-06-08 11:32 24064 --a------ C:\WINDOWS\dskquota32.dll
2007-06-08 10:39 9728 --a------ C:\WINDOWS\ncscolib.dll
2006-08-29 19:40 93784 --a--c--- C:\DOCUME~1\Ronaldo\APPLIC~1\GDIPFONTCACHEV1.DAT
2001-11-23 01:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2006-03-09 16:14:44 56 --sh--r C:\WINDOWS\system32\49232207F4.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 17:15]
"PCTVOICE"="pctspk.exe" [2003-10-30 07:12 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50]
"nwiz"="nwiz.exe" [2004-10-29 16:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 19:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-07-05 17:18 222376]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2007-02-22 15:00 228392]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ronaldo^Start Menu^Programs^Startup^SAM.lnk]
backup=C:\WINDOWS\pss\SAM.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Audio Studio V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Keyboard Enhance V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Plus V7.1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svcsys Registry Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\bywwuv.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXP-98 ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AvgServ"=2 (0x2)
"DNS Client"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ewido security suite control"=2 (0x2)
"ServiceLayer"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"GbpSv"=2 (0x2)
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 GbpSv;Gbp Service;C:\Program Files\GbPlugin\GbpSv.exe
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\sermouse.sys
S3 umpusbxp;UPort 1 on Nokia Adapter;C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys
S4 DNS Client;Domain Client Services;C:\lo-1290668208.exe
Contents of the 'Scheduled Tasks' folder
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-21 15:00:00 C:\WINDOWS\Tasks\At13.job
2007-08-20 16:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 17:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 18:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 19:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 20:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 21:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 04:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 22:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 23:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-21 00:00:00 C:\WINDOWS\Tasks\At22.job
2007-08-20 01:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-20 01:59:59 C:\WINDOWS\Tasks\At24.job
2007-08-20 03:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 04:01:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:01:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 06:01:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 07:01:01 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 08:01:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 09:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-21 15:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 16:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 17:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 06:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 18:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 19:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 20:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 21:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 22:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 23:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-21 00:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 01:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 02:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 07:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 08:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 09:00:01 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\l03h2nqP.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 13:36:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-21 13:37:54
C:\ComboFix-quarantined-files.txt ... 2007-08-21 13:36
C:\ComboFix2.txt ... 2007-08-19 23:28
--- E O F ---
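A log like the one above is easier to read if its persistence sections are triaged mechanically. What follows is an added example, not code from this thread or from ComboFix: it parses ComboFix's service lines and the 'Scheduled Tasks' section, groups the At*.job entries by the binary they launch, and flags services that either run from outside the usual directories or reuse the name of a built-in Windows service. The sample lines are excerpts from the log above plus one constructed, legitimate Dnscache line used as a control; TRUSTED_DIRS, BUILTIN_NAMES and the random-name heuristic are assumptions made for the example.

```python
"""Triage the persistence sections of a ComboFix log.

Added example; not code from the thread or from ComboFix. The sample lines
are excerpts from the posted log (the Dnscache line is constructed as a
control). TRUSTED_DIRS, BUILTIN_NAMES and random_looking() are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "<date> <time> <job path> - <target>"; the target is absent on some lines.
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} (\S+\\Tasks\\(At\d+)\.job)(?: - (.+))?$")
# "<start type> <service name>;<display name>;<image path>"
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+)$")

# Directories a service image is expected to live under (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
# Display names of built-in services mapped to their real service key name.
BUILTIN_NAMES = {"dns client": "Dnscache"}


def random_looking(basename: str) -> bool:
    """Heuristic: a stem with two or more digits and both letter cases is typical
    of generated dropper names such as l03h2nqP.exe; nvsvc32.exe does not match."""
    stem = basename.rsplit(".", 1)[0]
    return (sum(ch.isdigit() for ch in stem) >= 2
            and any(ch.isupper() for ch in stem)
            and any(ch.islower() for ch in stem))


def suspicious_tasks(text: str) -> Dict[str, List[str]]:
    """Group At*.job entries by target binary; keep targets that are hit by
    more than one job or whose file name looks generated."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m and m.group(5):
            by_target[m.group(5).strip()].append(m.group(4))
    return {
        target: sorted(jobs)
        for target, jobs in by_target.items()
        if len(jobs) > 1 or random_looking(target.rsplit("\\", 1)[-1])
    }


def suspicious_services(text: str) -> List[Tuple[str, str, List[str]]]:
    """Flag services whose image lives outside TRUSTED_DIRS or that borrow the
    name of a built-in service without being that service."""
    out: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _start, name, display, image = m.groups()
        path = image.strip().lower()
        if path.startswith("\\??\\"):  # NT object-manager prefix used by some drivers
            path = path[4:]
        reasons: List[str] = []
        if not any(path.startswith(d) for d in TRUSTED_DIRS):
            reasons.append("image outside trusted directories")
        for label in (name.strip(), display.strip()):
            real = BUILTIN_NAMES.get(label.lower())
            if real and name.strip().lower() != real.lower():
                reasons.append(f"uses the name of built-in service {real}")
                break
        if reasons:
            out.append((name, image, reasons))
    return out


# Excerpts from the posted log; the "R2 Dnscache;DNS Client;..." line is a
# constructed legitimate entry that must not be flagged.
SAMPLE = r"""
R2 GbpSv;Gbp Service;C:\Program Files\GbPlugin\GbpSv.exe
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S4 DNS Client;Domain Client Services;C:\lo-1290668208.exe
R2 Dnscache;DNS Client;C:\WINDOWS\system32\svchost.exe -k NetworkService
Contents of the 'Scheduled Tasks' folder
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 03:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 04:01:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:01:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
"""

if __name__ == "__main__":
    for target, jobs in suspicious_tasks(SAMPLE).items():
        print(f"scheduled-task persistence: {target} <- {', '.join(jobs)}")
    for name, image, reasons in suspicious_services(SAMPLE):
        print(f"service {name!r} -> {image}: {'; '.join(reasons)}")
```

At*.job files are what at.exe creates, and its jobs run as SYSTEM. In the posted log each of the two binaries has a job for nearly every hour of the day, so the whole set of At*.job files and the binaries they launch have to go together; deleting one job file leaves the rest to relaunch the dropper within the hour. The service finding is the other point of interest: the real Windows DNS Client service is named Dnscache and runs inside svchost.exe, whereas the one in the log is named "DNS Client", calls itself "Domain Client Services" and points at C:\lo-1290668208.exe.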
SeeTheSound
2007-08-21, 20:14
Step 1
Unchecked both hidden files
Step 2
Rebooted in Safe Mode
Did not find
C:\windows\system32\tuvusqn.dll
Please see a print screen I uploaded to YouSendIt
http://download.yousendit.com/A0A348732733889C
Deleted
C:\WINDOWS\Tasks\At1
I found At10, At11, At12, At13, At14, At15, At16, At17, At18, At19 - should I delete these as well?
Step 3
Rebooted into normal Windows
Removed entry with HJT.
O20 - AppInit_DLLs: c:\windows\system32\tuvusqn.dll
Important - when I clicked "Fix checked", a message appeared "An unexpected error.....", and I clicked OK and HJT did not close, and continued fine, removing the entry.
Please see a print screen I uploaded to YouSendIt
http://download.yousendit.com/5FF6498F7EEFDE4F
Step 4
Did as you asked
"Copy the entire contents inside the quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes."
Step 5
Re-ran ComboFix
Step 6
Re-ran HJT
Please see below ComboFix log
ComboFix 07-08-09.3 - "Ronaldo" 2007-08-21 13:32:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.701 [GMT -3:00]
((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))
2007-08-19 23:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 12:47 26,176 --a------ C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-13 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 20:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-06 20:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\SUPERAntiSpyware.com
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-29 15:52 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-29 15:52 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-29 15:52 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-29 15:52 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-29 15:52 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-29 15:52 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-29 15:51 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-07-29 15:51 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-07-29 15:51 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Riva
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 23:01 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Skype
2007-07-31 23:44 --------- d-------- C:\Program Files\Joost
2007-07-27 19:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 19:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 19:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 19:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 18:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 18:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 18:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-22 18:18 --------- d-------- C:\Program Files\GbPlugin
2007-07-17 19:06 --------- d-------- C:\Program Files\Windows Desktop Search
2007-07-17 17:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\MSN6
2007-07-08 20:18 --------- d-------- C:\Program Files\Sony
2007-07-08 19:53 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Setup
2007-07-08 19:43 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-07-08 19:41 --------- d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-07-08 19:40 --------- d-------- C:\Program Files\Sony Ericsson
2007-07-07 21:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Teleca
2007-07-07 21:32 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Ericsson
2007-07-07 20:48 --------- d-------- C:\Program Files\Sony Setup
2007-07-05 21:22 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-03 14:00 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\AdobeUM
2007-06-24 07:18 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-21 18:35 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Pamela
2007-06-08 11:32 8704 --a------ C:\WINDOWS\kbdsystil.dll
2007-06-08 11:32 24064 --a------ C:\WINDOWS\dskquota32.dll
2007-06-08 10:39 9728 --a------ C:\WINDOWS\ncscolib.dll
2006-08-29 19:40 93784 --a--c--- C:\DOCUME~1\Ronaldo\APPLIC~1\GDIPFONTCACHEV1.DAT
2001-11-23 01:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2006-03-09 16:14:44 56 --sh--r C:\WINDOWS\system32\49232207F4.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 17:15]
"PCTVOICE"="pctspk.exe" [2003-10-30 07:12 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50]
"nwiz"="nwiz.exe" [2004-10-29 16:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 19:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-07-05 17:18 222376]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2007-02-22 15:00 228392]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ronaldo^Start Menu^Programs^Startup^SAM.lnk]
backup=C:\WINDOWS\pss\SAM.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Audio Studio V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Keyboard Enhance V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Plus V7.1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svcsys Registry Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\bywwuv.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXP-98 ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AvgServ"=2 (0x2)
"DNS Client"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ewido security suite control"=2 (0x2)
"ServiceLayer"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"GbpSv"=2 (0x2)
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 GbpSv;Gbp Service;C:\Program Files\GbPlugin\GbpSv.exe
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\sermouse.sys
S3 umpusbxp;UPort 1 on Nokia Adapter;C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys
S4 DNS Client;Domain Client Services;C:\lo-1290668208.exe
Contents of the 'Scheduled Tasks' folder
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-21 15:00:00 C:\WINDOWS\Tasks\At13.job
2007-08-20 16:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 17:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 18:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 19:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 20:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 21:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 04:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 22:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 23:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-21 00:00:00 C:\WINDOWS\Tasks\At22.job
2007-08-20 01:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-20 01:59:59 C:\WINDOWS\Tasks\At24.job
2007-08-20 03:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 04:01:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:01:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 06:01:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 07:01:01 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 05:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 08:01:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 09:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 12:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 13:00:00 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 14:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-21 15:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 16:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 17:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 06:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-20 18:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 19:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 20:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 21:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 22:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 23:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-21 00:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 01:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-20 02:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-17 07:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 08:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 09:00:01 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\l03h2nqP.exe
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\l03h2nqP.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 13:36:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-21 13:37:54
C:\ComboFix-quarantined-files.txt ... 2007-08-21 13:36
C:\ComboFix2.txt ... 2007-08-19 23:28
--- E O F ---
SeeTheSound
2007-08-21, 20:18
Sorry about double posting above, as it took me a while to type the exact instructions, and the system asked me to log in (again), and I guess it generated both posts.
Please see the HJT log below
Logfile of HijackThis v1.99.1
Scan saved at 1:40:09 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ronaldo\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seethesound.com.br/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.aflashcounter.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111186} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119985754869
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C30FD2-8DA6-427E-BE54-360E76B72468}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{60BF2146-686F-48A6-A2A3-D6745041FD2E}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Tasks\At7.job
Yes, remove them all: At(any number).job
Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O15 - Trusted Zone: http://*.aflashcounter.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111186} -
C:\Program Files\Scpad <-- Do you know what this is????
After you remove all those AT.job entries, run Combofix again and post a new log along with a new HJT log.
Ken
SeeTheSound
2007-08-22, 00:52
Hi Ken,
1) Removed all C:\WINDOWS\Tasks\At.job - all numbers
2) Fixed on HJT
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O15 - Trusted Zone: http://*.aflashcounter.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111186} -
3) C:\Program Files\Scpad - I don't know what it is, but here is a print screen of what is inside that folder
http://download.yousendit.com/97E75BA67BA5B4F2
4) Re-ran ComboFix and HJT
Here is the ComboFix log
ComboFix 07-08-09.3 - "Ronaldo" 2007-08-21 18:34:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.696 [GMT -3:00]
((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))
2007-08-19 23:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 12:47 26,176 --a------ C:\WINDOWS\system32\1Kuh5H6Y.exe
2007-08-13 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 20:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-06 20:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\SUPERAntiSpyware.com
2007-08-06 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-29 15:52 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-29 15:52 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-07-29 15:52 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-07-29 15:52 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-07-29 15:52 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-07-29 15:52 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-07-29 15:52 217,073 --a------ C:\WINDOWS\meta4.exe
2007-07-29 15:51 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-07-29 15:51 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-07-29 15:51 <DIR> d-------- C:\Program Files\eRightSoft
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Riva
2007-07-29 15:47 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 23:01 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Skype
2007-07-31 23:44 --------- d-------- C:\Program Files\Joost
2007-07-27 19:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 19:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 19:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 19:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 18:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 18:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 18:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-22 18:18 --------- d-------- C:\Program Files\GbPlugin
2007-07-17 19:06 --------- d-------- C:\Program Files\Windows Desktop Search
2007-07-17 17:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\MSN6
2007-07-08 20:18 --------- d-------- C:\Program Files\Sony
2007-07-08 19:53 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Setup
2007-07-08 19:43 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-07-08 19:41 --------- d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-07-08 19:40 --------- d-------- C:\Program Files\Sony Ericsson
2007-07-07 21:50 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Teleca
2007-07-07 21:32 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Sony Ericsson
2007-07-07 20:48 --------- d-------- C:\Program Files\Sony Setup
2007-07-05 21:22 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-03 14:00 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\AdobeUM
2007-06-24 07:18 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-21 18:35 --------- d-------- C:\DOCUME~1\Ronaldo\APPLIC~1\Pamela
2007-06-08 11:32 8704 --a------ C:\WINDOWS\kbdsystil.dll
2007-06-08 11:32 24064 --a------ C:\WINDOWS\dskquota32.dll
2007-06-08 10:39 9728 --a------ C:\WINDOWS\ncscolib.dll
2006-08-29 19:40 93784 --a--c--- C:\DOCUME~1\Ronaldo\APPLIC~1\GDIPFONTCACHEV1.DAT
2001-11-23 01:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2006-03-09 16:14:44 56 --sh--r C:\WINDOWS\system32\49232207F4.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 17:15]
"PCTVOICE"="pctspk.exe" [2003-10-30 07:12 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50]
"nwiz"="nwiz.exe" [2004-10-29 16:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 19:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-07-05 17:18 222376]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2007-02-22 15:00 228392]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll [2007-05-31 15:50 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ronaldo^Start Menu^Programs^Startup^SAM.lnk]
backup=C:\WINDOWS\pss\SAM.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Audio Studio V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Keyboard Enhance V2.0]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Plus V7.1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svcsys Registry Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\bywwuv.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXP-98 ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AvgServ"=2 (0x2)
"DNS Client"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ewido security suite control"=2 (0x2)
"ServiceLayer"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"GbpSv"=2 (0x2)
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 GbpSv;Gbp Service;C:\Program Files\GbPlugin\GbpSv.exe
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\sermouse.sys
S3 umpusbxp;UPort 1 on Nokia Adapter;C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys
S4 DNS Client;Domain Client Services;C:\lo-1290668208.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 18:38:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-21 18:40:27
C:\ComboFix-quarantined-files.txt ... 2007-08-21 18:39
C:\ComboFix2.txt ... 2007-08-21 13:37
C:\ComboFix3.txt ... 2007-08-19 23:28
--- E O F ---
SeeTheSound
2007-08-22, 00:53
And here is HJT log
Logfile of HijackThis v1.99.1
Scan saved at 6:45:52 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ronaldo\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seethesound.com.br/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119985754869
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C30FD2-8DA6-427E-BE54-360E76B72468}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{60BF2146-686F-48A6-A2A3-D6745041FD2E}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Scpad <-- Why don't you open this up and see what it is?
Open HijackThis
Go to Misc Tools > Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and paste the list into this thread.
SeeTheSound
2007-08-22, 18:56
Hi Ken,
C:\Program Files\Scpad - I opened the folder, and there is no executable program as far as I can see, but here is a print screen of all the files inside the Scpad folder
http://download.yousendit.com/97E75BA67BA5B4F2
Below is the HJT Uninstall log
3GP Video Converter 3
Ad-Aware SE Personal
Adobe Acrobat 6.0 Professional
Adobe Encore DVD 1.5
Adobe Help Center 2.0
Adobe Illustrator 9.0
Adobe MPEG Encoder 1.2
Adobe Photoshop 7.0
Adobe Photoshop Elements 4.0
Adobe Premiere 6.5
Adobe SVG Viewer
Advanced RealMedia Export Plug-in for Premiere 6.0
ArKaos VJ 3.0 FC2
avast! Antivirus
AviSynth 2.5
CCleaner (remove only)
CleanUp!
C-Media Audio
Disc2Phone
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DivxToDVD 0.5.2
DVD Audio Ripper 4
DVD Decrypter (Remove Only)
DVD Ripper 4
DVD Ripper Platinum 4
DVD Shrink 3.2
DVD to 3GP Converter 4
DVDit! PE
FaxTools
FLV Player 1.3.3
Google Video Player
Google Video Uploader
HijackThis 1.99.1
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HSP56 Modem Drivers
JavaScript Menu Builder GOLD 1.0 Trial Version
Joost (tm) 0.10.9
Macromedia Dreamweaver 4
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Shockwave Player
Matrox Software Codec
MaxBlast 4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (Portuguese (Brazil)) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Portuguese (Brazil)) 2007
Microsoft Office Groove MUI (Portuguese (Brazil)) 2007
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Portuguese (Brazil)) 2007
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007
Microsoft Office Shared MUI (Portuguese (Brazil)) 2007
Microsoft Office Word MUI (Portuguese (Brazil)) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSN Messenger 7.5
MSN Music Assistant
Nokia Connectivity Adapter Cable DKU-5
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
NVIDIA Drivers
Pamela Basic 3.5
PictureGear 4.1Lite
Pimaco
PowerDVD
QuickTime
Riva FLV Encoder 2.0
Roxio Easy Media Creator 7
ScenalyzerLive (remove)
SimpleDivX
SiS 900 PCI Fast Ethernet Adapter Driver
Skype™ 3.2
Sonic Update Manager
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
Sony Ericsson PC Suite
Spybot - Search & Destroy 1.4
SUPER © Version 2007.bld.23 (July 4, 2007)
SUPERAntiSpyware Free Edition
TC Native Essentials 2.02
Ulead COOL 3D Studio
Update for Windows XP (KB898461)
Video Converter 3
Winamp (remove only)
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Service Pack 2
WinRAR archiver
XviD MPEG4 Video Codec (remove only)
I am at work and the software here is blocking your screenshot, so I will have to look at it this evening. As long as you don't see an .exe file, then you may be OK. I see nothing malicious in your Add/Remove; you do have a ton of programs related to video and TV and such, and that may be part of it. But when something won't Google, it kind of raises a flag.
It may be related to this, which appears to be somewhat OK.
http://www.spywaredata.com/spyware/malware/sshib.dll.php
I would say at this point that you're OK; if I see anything bad with that screenshot I will post back.
How is your system running now?
SeeTheSound
2007-08-22, 19:49
Ken,
Understood. In the meantime, I will list the file names and all the info that shows with the "Tiles" view option:
scpIBCfg.bin - AVG Update File - 45 KB
scpLIB.dll - 1.0.4.5 - scpIBLoad Module
scpMIB.dll - 1.0.9.0 - acpMIB Module
scpsssh2.dll - 9.0.2.0 - scpsssh2 Module
sshib.dll - 1.0.3.0 - sshib
System is running perfectly now, thank you so much.
I work with videos, and this computer is not my editing one; it is just for the internet and downloaded software trials.
I keep my editing station offline at all times, and only physically plug in the network cable when I need to transfer files, so I am sure I stay away from problems like these...
Please check
www.seethesound.com.br
Thanx again,
Ronaldo
http://www.greatis.com/appdata/a/s/scpsssh2.dll.htm
Are you familiar with this? This is what one of the files you just sent is.
SeeTheSound
2007-08-22, 20:14
I wasn't aware, but I visited
http://www.scopus.com.br/index_frame.htm
And it seems to be a legitimate Brazilian bank security software maker, and since I work with 2 Brazilian banks.....
So, I guess case closed.... I will let you know if anything goes wrong.
Thank you so much,
Ronaldo
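The identification above rests on the names and description strings shown in Explorer's Tiles view and on web lookups of those names. The check a practitioner would want is whether the binaries are actually signed by the bank's vendor and what their hashes are. The script below is an added example, not code from the thread or from the vendor; it assumes PowerShell is installed and that $Folder is pointed at the directory where the files were found (the default is only a placeholder).

```powershell
# Added example, not code from the thread: instead of trusting the description
# strings shown in Explorer's Tiles view, check each file's version resource,
# Authenticode signature and SHA-256. Assumptions: PowerShell is installed, and
# $Folder points at the directory holding the files (set it to wherever they
# were found; the default here is only a placeholder).
param(
    [string]$Folder = '.'   # placeholder; pass -Folder <dir> on the command line
)

# The file names come from the Tiles listing posted in the thread.
$Files = 'scpIBCfg.bin', 'scpLIB.dll', 'scpMIB.dll', 'scpsssh2.dll', 'sshib.dll'

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing rather than Get-FileHash so this also runs on old PowerShell versions
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($name in $Files) {
    $path = Join-Path $Folder $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name not found in $Folder"
        continue
    }
    $item = Get-Item $path
    $ver  = $item.VersionInfo                  # the strings Tiles view displays
    $sig  = Get-AuthenticodeSignature $path    # who actually signed the binary, if anyone

    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Name            = $name
        SizeKB          = [int]($item.Length / 1KB)
        FileVersion     = $ver.FileVersion
        CompanyName     = $ver.CompanyName
        FileDescription = $ver.FileDescription
        Signature       = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError
        Signer          = $signer
        SHA256          = Get-Sha256Hex $path
    }
}
```

Only a Signature of Valid together with a Signer naming the bank or its software vendor confirms that the files are what their description strings claim. NotSigned or HashMismatch means the strings prove nothing, and the SHA-256 is then the value to look up with a scanner or the vendor rather than the file name.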
Ronaldo,
Glad things are well and I was able to help you :bigthumb:
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install; don't leave home without them.
Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Ad-Aware SE Personal 1.06 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places thousands of web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
Nice Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free firewall from Zone Labs; I wouldn't access the internet without it.
Safe Surfin
Ken
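The IE-Spyad recommendation above works by writing entries into the per-user zone map that Internet Explorer consults for every site. The script below is an added example of that mechanism, not part of the thread and not IE-Spyad's own code; it assumes PowerShell is installed, touches only the current user's settings, and uses the constructed domain 'malware.example' for illustration.

```powershell
# Added example, not part of the thread or of IE-Spyad itself: the registry
# mechanism IE-Spyad relies on. Internet Explorer keeps per-user zone
# assignments as subkeys under ZoneMap\Domains; a DWORD value named '*' set to
# 4 places every protocol for that domain in the Restricted sites zone
# (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites).
# The domain 'malware.example' below is constructed for illustration.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedSitesZone = 4

function Add-RestrictedSiteDomain {
    param([string]$Domain)
    $key = "$ZoneMapDomains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # '*' covers http, https and any other scheme for this domain
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord `
        -Value $RestrictedSitesZone -Force | Out-Null
}

function Remove-RestrictedSiteDomain {
    param([string]$Domain)
    $key = "$ZoneMapDomains\$Domain"
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
}

function Get-RestrictedSiteDomains {
    # Lists top-level domain entries only; host-specific entries live one
    # level deeper (Domains\example.com\www) and are not walked here.
    if (-not (Test-Path $ZoneMapDomains)) { return @() }
    Get-ChildItem -Path $ZoneMapDomains | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.'*' -eq $RestrictedSitesZone -or
            $props.http -eq $RestrictedSitesZone -or
            $props.https -eq $RestrictedSitesZone) {
            $_.PSChildName
        }
    }
}

# Usage (modifies only the current user's IE settings, then undoes it):
Add-RestrictedSiteDomain -Domain 'malware.example'
Get-RestrictedSiteDomains
Remove-RestrictedSiteDomain -Domain 'malware.example'
```

Running Get-RestrictedSiteDomains on a machine where IE-Spyad has been applied shows the list it installed, which is also the quickest way to confirm the tool actually took effect for the account in use.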
SeeTheSound
2007-08-22, 23:16
Ken,
Thanks for all the tips on free programs; I will install them.
This machine is only an AMD Athlon XP 1700+, with 1 GB RAM.
Do you think with all this security software installed it will run OK?
I got infected because a friend needed a file, and told me to use a file share. I Googled, and as it was uploading, problems started - unfortunately all hell broke loose as I was in the middle of axz
It was a 220 MB file, so most services want you to pay, so I paid for YouSendIt.
SeeTheSound
2007-08-22, 23:25
sorry I hit Submit Reply without finishing....
Ken,
Thanks for all the tips on free programs; I will install them.
This machine is only an AMD Athlon XP 1700+, with 1 GB RAM.
Do you think with all this security software installed it will run OK?
I got infected because a friend needed a file, and told me to use a file share. I Googled, and as it was uploading, problems started - unfortunately all hell broke loose as I was in the middle of a lot of work, and I do not remember which site it was.
It was a 220 MB file, so I paid for YouSendIt.
I normally don't surf the net, so I guess I am not too exposed - but all it takes is one problem, and that sets us back days..... and hours of work.
So we learn a little more each day... thanks for your lessons.
Ronaldo
Hello Ronaldo
"I got infected because a friend needed a file, and told me to use a file share" - This is not a recommended thing to do.... Think about it: do you want to give access to your computer to someone halfway around the world? NOT ME
You can install the programs I listed with no problems; just remember that you only need one antivirus program and only one firewall. With the programs that I suggested, you really do not need any more.
You have a nice website, now I will know where to go if I ever get to Brazil. :bigthumb:
It was a pleasure to help you, you followed the directions quite well:bigthumb::bigthumb:
Later,
Ken:)