View Full Version : Trojan.Win32.Agent.bck
diakpoofaman
2007-10-05, 20:48
It starts my internet explorer redirecting me to a "bestseller antivirus" site, and it's crashing random apps like WinRar, an IRC client etc to a close or debug window.
I'm running Windows Xp with all updates to date. My Kaspersky 7 picks it up every time I boot but won't/can't delete it. I've ran VundoFix 6.5.9, it says it deleted the files, I rebbot and it finds new ones. Ran Avg 7.5, it detects it but can't delete it. I couldn't get spybotsd15.exe to launch, I click it, and hourglass appears and than nothing happens (no process stars nothing) I've also ran an older Fixvundo tool from Symantec, says it killed the process + deleted the files but again after reboot it's the same thing.
Did that online Kaspersky scan, but after 3 hours it was stuck at 9%.
When I wanted to boot in safe mode to run some more scans everything works well untill than window about the system restore or safe mode pops up. By clicking yes safe mode should continue, my desktop is loaded and than that window pops up again. And again..
Renamed hijackthis and made a system scan:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:47:21 PM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Fraps\FRAPS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\jroyhqfn.exe
C:\Program Files\RivaTuner\RivaTuner.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Bebe\Desktop\VundoFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Bebe\Desktop\234.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Andu\Desktop\BITCOM~1\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6A72BF59-BC06-4A06-8BF7-229A36AF4341} - C:\WINDOWS\system32\geede.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\sbdslkab.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dylkthwl.dll",sitypnow
O4 - HKCU\..\Run: [Fraps] C:\Program Files\Fraps\FRAPS.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\games\steamgames\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner\RivaTuner.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Documents and Settings\Andu\Desktop\BITCOM~1\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {93B52CD5-EDFF-4405-8975-754100710FD5} (GameLauncher Control) - http://www.linkmania.ro/activex/installx/gamelauncher.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: fccdcbx - C:\WINDOWS\SYSTEM32\fccdcbx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jroyhqfn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 10559 bytes
Please excuse me if I broke some forum rules by posting but I'm really out of any ideas.
diakpoofaman
2007-10-05, 21:19
Vundofix log:
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 4:21:21 PM 10/5/2007
Listing files found while scanning....
C:\WINDOWS\system32\axumrhpy.dll
C:\WINDOWS\system32\ffygarsv.dll
C:\WINDOWS\system32\yphrmuxa.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\axumrhpy.dll
C:\WINDOWS\system32\axumrhpy.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ffygarsv.dll
C:\WINDOWS\system32\ffygarsv.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\yphrmuxa.ini
C:\WINDOWS\system32\yphrmuxa.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\axumrhpy.dll
C:\WINDOWS\system32\axumrhpy.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ffygarsv.dll
C:\WINDOWS\system32\ffygarsv.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 4:35:49 PM 10/5/2007
Listing files found while scanning....
C:\WINDOWS\system32\uevjfxbd.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\uevjfxbd.dll
C:\WINDOWS\system32\uevjfxbd.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 4:44:23 PM 10/5/2007
Listing files found while scanning....
C:\WINDOWS\system32\cnqlkjbk.ini
C:\WINDOWS\system32\kbjklqnc.dll
C:\windows\system32\MSIMTF.dll
C:\WINDOWS\system32\uekxdcal.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cnqlkjbk.ini
C:\WINDOWS\system32\cnqlkjbk.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\kbjklqnc.dll
C:\WINDOWS\system32\kbjklqnc.dll Has been deleted!
Attempting to delete C:\windows\system32\MSIMTF.dll
C:\windows\system32\MSIMTF.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uekxdcal.dll
C:\WINDOWS\system32\uekxdcal.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 8:31:24 PM 10/5/2007
Listing files found while scanning....
C:\WINDOWS\system32\sbdslkab.dll
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 9:02:44 PM 10/5/2007
Listing files found while scanning....
C:\WINDOWS\system32\dylkthwl.dll
C:\WINDOWS\system32\lwhtklyd.ini
C:\WINDOWS\system32\sbdslkab.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dylkthwl.dll
C:\WINDOWS\system32\dylkthwl.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\lwhtklyd.ini
C:\WINDOWS\system32\lwhtklyd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\sbdslkab.dll
C:\WINDOWS\system32\sbdslkab.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dylkthwl.dll
C:\WINDOWS\system32\dylkthwl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sbdslkab.dll
C:\WINDOWS\system32\sbdslkab.dll Has been deleted!
Performing Repairs to the registry.
Done!
Hijackthis log after last vundofix atempt:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:19:08 PM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fraps\FRAPS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\jroyhqfn.exe
C:\Program Files\RivaTuner\RivaTuner.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bebe\Desktop\mata.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07351B08-617D-49CB-9CA8-D7A1F430D7EE} - C:\WINDOWS\system32\geede.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Andu\Desktop\BITCOM~1\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\qqyrbtsp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dmgqnnva.dll",sitypnow
O4 - HKCU\..\Run: [Fraps] C:\Program Files\Fraps\FRAPS.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\games\steamgames\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner\RivaTuner.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Documents and Settings\Andu\Desktop\BITCOM~1\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {93B52CD5-EDFF-4405-8975-754100710FD5} (GameLauncher Control) - http://www.linkmania.ro/activex/installx/gamelauncher.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: fccdcbx - C:\WINDOWS\SYSTEM32\fccdcbx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jroyhqfn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 10093 bytes
diakpoofaman
2007-10-06, 17:11
ComboFix 07-10-06.3 - Bebe 2007-10-06 16:55:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.40.1033.18.217 [GMT 3:00]
Running from: C:\Documents and Settings\Bebe\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.
2007-10-06 16:29 75,328 --a------ C:\WINDOWS\system32\ivuisoba.exe
2007-10-06 16:07 75,328 --a------ C:\WINDOWS\system32\flospwol.exe
2007-10-06 16:01 75,328 --a------ C:\WINDOWS\system32\fhbvkoqx.exe
2007-10-06 15:38 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-06 00:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-05 21:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 21:27 2,204 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-05 21:26 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 21:26 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 21:26 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 21:26 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 21:26 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 16:58 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-05 13:27 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-05 13:27 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-05 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-10-05 12:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-05 00:39 6,537 ---hs---- C:\WINDOWS\system32\edeeg.ini2
2007-10-04 23:19 6,537 ---hs---- C:\WINDOWS\system32\edeeg.bak2
2007-10-04 22:53 <DIR> d-------- C:\Program Files\uTorrent
2007-10-04 22:52 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\uTorrent
2007-10-04 20:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-04 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-04 20:16 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\Vso
2007-10-04 20:12 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\Uniblue
2007-10-04 10:31 <DIR> d-------- C:\Program Files\ATITool
2007-10-04 10:28 <DIR> d-------- C:\Program Files\DirectX 9 Realtime High Dynamic Range Image-Based Lighting
2007-10-04 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-03 14:39 307,808 --------- C:\WINDOWS\system32\geede.dll
2007-10-03 14:34 36,352 --a------ C:\WINDOWS\system32\fccdcbx.dll
2007-10-03 14:29 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-10-03 14:29 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-03 14:29 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-09-30 22:18 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2007-09-30 21:08 <DIR> d-------- C:\Program Files\mIRC
2007-09-30 21:08 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\mIRC
2007-09-29 01:00 <DIR> d-------- C:\Program Files\PowerISO
2007-09-29 00:53 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-27 02:31 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\Codemasters
2007-09-27 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-09-26 14:02 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-09-26 14:02 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-09-26 14:02 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-09-17 21:23 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 21:23 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 21:22 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 21:22 739,840 --a------ C:\WINDOWS\system32\DivX.dll
2007-09-15 15:11 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-15 15:09 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-15 15:08 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-15 15:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-12 02:14 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-10 00:54 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\Publish Providers
2007-09-10 00:50 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2007-09-10 00:50 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2007-09-10 00:48 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-09-10 00:47 <DIR> d-------- C:\Documents and Settings\Bebe\Application Data\Sony
2007-09-10 00:44 <DIR> d-------- C:\Program Files\Sony
2007-09-10 00:43 <DIR> d-------- C:\Program Files\Sony Setup
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 17:05 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-06 17:05 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-06 17:02 8250400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-06 17:02 4472 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-06 17:02 30284 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-06 17:02 26400 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-06 14:19 --------- d-------- C:\Program Files\ffdshow
2007-10-06 04:07 --------- d-------- C:\Program Files\DLH98
2007-10-06 03:53 --------- d-------- C:\Program Files\DScaler
2007-10-06 00:42 --------- d-------- C:\Program Files\Google
2007-10-05 17:09 --------- d-------- C:\Program Files\Spyware Nuker
2007-10-05 13:25 --------- d-------- C:\Program Files\Kaspersky Lab
2007-10-05 12:54 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-04 23:01 --------- d-------- C:\Program Files\URUSoft
2007-10-04 20:19 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-04 20:17 --------- d-------- C:\Program Files\Cheatbook Database 2005
2007-10-04 20:16 --------- d-------- C:\Program Files\Anti-Blaxx
2007-10-04 10:19 --------- d-------- C:\Documents and Settings\Andu\Application Data\Yahoo!
2007-10-03 23:08 --------- d-------- C:\Program Files\HLSW
2007-10-03 22:04 --------- d-------- C:\Program Files\Fraps
2007-10-03 17:08 --------- d-------- C:\Program Files\Yahoo!
2007-10-03 14:33 --------- d-------- C:\Program Files\Webteh
2007-10-03 14:31 --------- d-------- C:\Documents and Settings\Bebe\Application Data\DivX
2007-10-03 14:29 --------- d-------- C:\Program Files\DivX
2007-10-03 13:58 --------- d-------- C:\Program Files\BenchemAll
2007-10-03 13:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-10-03 13:41 --------- d-------- C:\Documents and Settings\Bebe\Application Data\BSplayer Pro
2007-10-03 01:01 --------- d-------- C:\Program Files\QuickTime
2007-09-30 22:18 --------- d-------- C:\Documents and Settings\Bebe\Application Data\InstallShield
2007-09-29 00:11 --------- d-------- C:\Program Files\DC++Bebe
2007-09-26 14:12 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 13:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-09-17 02:10 356352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 02:10 356352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-09-17 01:07 8491008 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-09-17 01:07 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-09-17 01:07 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-09-17 01:07 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-09-17 01:07 6853088 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 01:07 6746112 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 01:07 6344704 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-09-17 01:07 5783040 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 01:07 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-09-17 01:07 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 01:07 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-09-17 01:07 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-09-17 01:07 36864 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-09-17 01:07 36864 --a------ C:\WINDOWS\system32\nvcod.dll
2007-09-17 01:07 364544 --a------ C:\WINDOWS\system32\nvapi.dll
2007-09-17 01:07 3551232 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 01:07 3334144 --a------ C:\WINDOWS\system32\nvgames.dll
2007-09-17 01:07 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 01:07 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 01:07 2371584 --a------ C:\WINDOWS\system32\nvwss.dll
2007-09-17 01:07 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-09-17 01:07 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-09-17 01:07 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 01:07 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-09-17 01:07 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 01:07 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-09-17 01:07 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-09-17 01:07 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 01:07 1150976 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-09-17 01:07 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-09-11 23:44 --------- d-------- C:\Program Files\WinImage
2007-09-06 15:45 --------- d-------- C:\Documents and Settings\Andu\Application Data\Free Download Manager
2007-08-26 14:16 --------- d-------- C:\Documents and Settings\Mami\Application Data\gspec
2007-08-23 19:36 --------- d-------- C:\Program Files\PeerGuardian2
2007-08-21 03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-08-21 03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-08-20 22:25 --------- d-------- C:\Program Files\WinUHA
2007-08-18 21:50 --------- d-------- C:\Program Files\Yahoo Message Archive Decoder
2007-08-18 18:50 --------- d-------- C:\Program Files\WolFBox
2007-08-16 10:15 860160 --a------ C:\WINDOWS\system32\webview.dll
2007-08-16 01:33 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-08-16 01:33 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-08-16 01:33 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-16 01:33 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-08-16 01:33 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-08-16 01:33 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-08-16 01:33 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-08-16 01:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-08-16 01:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-08-16 01:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-08-16 01:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-08-16 01:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-08-16 01:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-08-16 01:30 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-09 22:36 --------- d-------- C:\Program Files\Winamp
2007-08-09 21:12 --------- d-------- C:\Program Files\Video Wonder Pro III
2007-08-09 21:01 602112 --a------ C:\WINDOWS\uninstal.exe
2007-08-09 11:51 --------- d-------- C:\Documents and Settings\Andu\Application Data\BSplayer PRO
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-07 03:15 33052 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2007-08-06 21:04 --------- d-------- C:\Documents and Settings\Andu\Application Data\Media Player Classic
2007-08-06 19:12 --------- d-------- C:\Program Files\IsoBuster
2007-08-06 18:31 --------- d-------- C:\Program Files\CureROM
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2006-05-03 10:06:54 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92A075CB-F6E8-493B-A868-3CDDC5771ED2}]
2007-10-03 14:39 307808 --------- C:\WINDOWS\system32\geede.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="C:\Program Files\Fraps\FRAPS.EXE" [2006-12-19 16:02]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-25 16:44]
"Steam"="d:\games\steamgames\steam.exe" [2007-10-05 12:11]
C:\Documents and Settings\Bebe\Start Menu\Programs\Startup\
RivaTuner.lnk - C:\Program Files\RivaTuner\RivaTuner.exe [2006-12-24 22:15:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E908A6A7-026C-4FBE-93A9-96020BEEAD53}"= C:\WINDOWS\system32\fccdcbx.dll [2007-10-03 14:34 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdcbx]
fccdcbx.dll 2007-10-03 14:34 36352 C:\WINDOWS\system32\fccdcbx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geede.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecSche]
"C:\Program Files\Genius TVR\RecSche.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"PowerManager"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"SandraDataSrv"=3 (0x3)
"O&O Defrag"=3 (0x3)
"niSvcLoc"=2 (0x2)
"NIDomainService"=2 (0x2)
"lkTimeSync"=2 (0x2)
"lkClassAds"=2 (0x2)
"LkCitadelServer"=2 (0x2)
"LvHidSvc"=2 (0x2)
"InCDsrv"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"StyleXPService"=2 (0x2)
"NVSvc"=2 (0x2)
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R1 nltdi;nltdi;\??\C:\WINDOWS\system32\drivers\nltdi.sys
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\PStrip.sys
R3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys
R3 Cap7134;Video Wonder Pro III WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
R3 Maplom;Maplom;C:\WINDOWS\system32\drivers\Maplom.sys
R3 PhTVTune;Video Wonder Pro III WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner\RivaTuner32.sys
R3 WFsys;WinFox Control I/O Driver;C:\WINDOWS\system32\DRIVERS\wfsys.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S2 713xTVCard;SAA7134 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\DScaler\DSDrv4.sys
S3 huadio1;huadio1;\??\c:\huadio.tmp
S3 LVCap138;Video Wonder Pro III Driver;C:\WINDOWS\system32\DRIVERS\tvcap.sys
S3 LVHybrid;LVHybrid service;C:\WINDOWS\system32\DRIVERS\LVHybrid.sys
S3 mapmem1;mapmem1;\??\c:\mapmem.tmp
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
S3 RivaTunerEx;RivaTunerEx;\??\C:\Program Files\RivaTuner\RivaTunerEx.sys
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE27bus.sys
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS);C:\WINDOWS\system32\DRIVERS\se27nd5.sys
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE27obex.sys
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM);C:\WINDOWS\system32\DRIVERS\se27unic.sys
S3 siusbmod;siusbmod;C:\WINDOWS\system32\DRIVERS\siusbmod.sys
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys
S3 urusba;NEC 228 Command Port Driver;C:\WINDOWS\system32\DRIVERS\urusba.sys
S3 urusbc;NEC 228 CONTROL Driver;C:\WINDOWS\system32\DRIVERS\urusbc.sys
S3 urusbe;NEC 228 ENUMERATION Driver;C:\WINDOWS\system32\DRIVERS\urusbe.sys
S3 urusbm;NEC 228 Modem Driver;C:\WINDOWS\system32\DRIVERS\urusbm.sys
S3 urusbo;NEC 228 OBEX Port Driver;C:\WINDOWS\system32\DRIVERS\urusbo.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e3dc258-5b6c-11da-a04d-0040f48452de}]
AutoRun\command- G:\Autorun\UbiAutorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f595521-8454-11db-aab4-0004e2f4be8c}]
AutoRun\command- F:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:41:44 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-04 17:12:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 17:05:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-06 17:09:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-06 17:08
.
--- E O F ---
diakpoofaman
2007-10-06, 17:12
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:12:21 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Fraps\FRAPS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RivaTuner\RivaTuner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bebe\Desktop\clean up shit\Copy of hthis.exe
O2 - BHO: (no name) - {92A075CB-F6E8-493B-A868-3CDDC5771ED2} - C:\WINDOWS\system32\geede.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Fraps] C:\Program Files\Fraps\FRAPS.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\games\steamgames\steam.exe" -silent
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner\RivaTuner.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Documents and Settings\Andu\Desktop\BITCOM~1\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: fccdcbx - C:\WINDOWS\SYSTEM32\fccdcbx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 6670 bytes