Help Remove core.cache and powered by ZEDO



paiva
2008-02-24, 02:12
Hi,
I just moved to Finland 2 weeks ago and when I turned the computer on, all of a sudden these pop-ups started.

I have read through all the things about how to delete this core.cache BUT IT IS NOT DELETING, and when I try in safe mode it doesn't appear to be there.
I have tried all the malware and adware programs but it is not deleting.

CAN ANYONE HELP? MY OS IS VISTA BASIC PREMIUM

Thanks

Rosty
2008-02-24, 09:10
Hi,

please post a HijackThis log first, because we need to see what else is going on on your PC.

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.

Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post it in your next reply.

Regards,

Rosty.

paiva
2008-02-24, 12:53
Thank you very much, here is the log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:05 PM, on 2/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5012] command /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3073] cmd /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5274] command /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3522] cmd /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O20 - AppInit_DLLs: ,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9072 bytes

paiva
2008-02-24, 12:57
ONE THING: before I posted this POST and this LOG, I had tried COMBOFIX and it was unable to delete the core.cache.dsk file, and then I ran Spybot and it said it deleted 3 viruses including this core.cache.dsk, but then on my next reboot I started getting these popup ads.
THAT's why I posted this to get help.
I just thought it might help to mention it here.
Thank You very much in advance...

Rosty
2008-02-25, 18:10
Hi, thanks for the new log.

Please disable Teatimer as it may interfere with the fix.
First:

Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second:

Open Spybot S&D
Click Mode, check Advanced Mode
Go to the left panel, click Tools, then, also in the left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Next,

please open HijackThis, click Do a scan only, and place a check next to the following entries:

O4 - HKLM\..\RunOnce: [SpybotDeletingA5012] command /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3073] cmd /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"

Close all other windows and browsers, except HijackThis, and click Fix Checked. Close HijackThis.

Now, please remove ComboFix from your system, because ComboFix is updated daily!

Redownload ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Regards,

Rosty.
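Added example, not code from this thread or from HijackThis/ComboFix: a small Python parser for the two log formats quoted above, the HijackThis O4 autorun lines and the ComboFix "Files Created" lines. It pulls out the boot-time "del" commands a cleaner left in RunOnce (the SpybotDeleting entries Rosty asks to have fixed) and looks each targeted file up in the ComboFix listing to recover its creation time and size, so a helper can see which file is resisting deletion and when it appeared. The sample lines are copied from the logs posted in this thread; the regexes are my own approximation of the formats, not the tools' own grammar.

```python
"""Correlate HijackThis RunOnce deletion entries with ComboFix file listings.

Added example (not from the thread or the tools). Regexes approximate the
formats as they appear in the thread, not the tools' own grammar.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the logs posted in this thread.
HJT_LINES = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5012] command /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3073] cmd /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
"""
CF_LINES = r"""
2008-02-25 20:46 . 2008-02-25 20:59 86,144 --a------ C:\WINDOWS\System32\drivers\nulll.sys.vir
2008-02-24 12:51 . 2008-02-24 12:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 20:48 . 2008-02-16 20:48 167,545 --a------ C:\WINDOWS\System32\drivers\core.cache.dsk
2008-02-16 20:20 . 2008-02-16 20:20 86,144 --a------ C:\WINDOWS\System32\drivers\nulll.sys
"""

# Registry-backed O4 line: hive, optional SID, key (Run/RunOnce), [name], command, optional user.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# A "del" command's target, quoted or bare.
DEL_RE = re.compile(r'\bdel\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.IGNORECASE)
# ComboFix "Files Created" line: created . modified size attrs path
CF_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class AutorunEntry:
    hive: str
    key: str                        # Run, RunOnce, ...
    name: str                       # value name shown in square brackets
    command: str
    user: Optional[str]             # from the trailing (User '...') suffix, if any
    delete_target: Optional[str]    # file a "del" command points at, if any


def parse_hjt_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one registry-backed O4 line; Startup-folder O4 lines return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    d = DEL_RE.search(cmd)
    target = (d.group("quoted") or d.group("bare")) if d else None
    return AutorunEntry(m.group("hive"), m.group("key"), m.group("name"),
                        cmd, m.group("user"), target)


def pending_deletions(hjt_log: str) -> Dict[str, List[str]]:
    """Map each file targeted by a RunOnce 'del' to the entry names targeting it.

    A RunOnce delete is a cleaner's fallback for a file it could not remove
    while Windows was running; if the entry is still present after a reboot,
    the delete did not succeed and the file deserves a closer look.
    """
    out: Dict[str, List[str]] = {}
    for line in hjt_log.splitlines():
        e = parse_hjt_o4(line)
        if e and e.key.lower() == "runonce" and e.delete_target:
            out.setdefault(e.delete_target.lower(), []).append(e.name)
    return out


def parse_combofix_files(cf_log: str) -> Dict[str, dict]:
    """Index a ComboFix 'Files Created' section by lower-cased path."""
    files: Dict[str, dict] = {}
    for line in cf_log.splitlines():
        m = CF_FILE_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
        files[m.group("path").lower()] = {
            "created": m.group("created"), "modified": m.group("modified"),
            "size": size, "attrs": m.group("attrs"),
        }
    return files


def correlate(hjt_log: str, cf_log: str) -> List[dict]:
    """Join pending RunOnce deletions to ComboFix's record of the same file."""
    files = parse_combofix_files(cf_log)
    report = []
    for path, names in pending_deletions(hjt_log).items():
        info = files.get(path, {})
        report.append({"path": path, "runonce_entries": names,
                       "created": info.get("created"), "size": info.get("size")})
    return report


if __name__ == "__main__":
    for row in correlate(HJT_LINES, CF_LINES):
        print(f"{row['path']}: created {row['created']}, {row['size']} bytes, "
              f"still targeted by {', '.join(row['runonce_entries'])}")
```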

paiva
2008-02-25, 20:13
Well, there is nothing like

O4 - HKLM\..\RunOnce: [SpybotDeletingA5012] command /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3073] cmd /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"

The only thing with RunOnce is
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

I have attached the screenshot of the scan; I did not do the LOG as you requested.

So I was stuck at this stage. Here is the screenshot (I am not sure about posting outside links or anything):
http://aycu15.webshots.com/image/45454/2002389046182023619_rs.jpg

Rosty
2008-02-25, 20:23
Can you just do the ComboFix scan and post that log and a new HijackThis log?
It's possible that those 2 lines are gone already after disabling Spybot S&D.

paiva
2008-02-25, 20:38
Sure, let me do it and I will post the log in a few min.

paiva
2008-02-25, 21:14
Here is my ComboFix log

ComboFix 08-02-25.3 - Aina 2008-02-25 20:42:49.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1209 [GMT 2:00]
Running from: C:\Users\Aina\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 20:46 . 2008-02-25 20:59 86,144 --a------ C:\WINDOWS\System32\drivers\nulll.sys.vir
2008-02-25 20:46 . 2008-02-25 20:59 86,144 --a------ C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
2008-02-24 12:51 . 2008-02-24 12:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 03:13 . 2008-02-24 03:13 101 --a------ C:\WINDOWS\wininit.ini
2008-02-24 02:50 . 2008-02-24 02:53 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-24 02:50 . 2008-02-24 02:53 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-24 02:50 . 2008-02-24 02:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-24 02:08 . 2008-02-24 02:08 2,020 --a------ C:\WINDOWS\System32\ikhcore.cfg
2008-02-23 14:16 . 2008-02-23 15:30 <DIR> d-------- C:\Program Files\WMR11
2008-02-23 11:46 . 2008-02-23 11:46 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-02-18 15:44 . 2008-02-18 15:53 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2008-02-18 15:43 . 2008-02-18 15:53 <DIR> d-------- C:\WINDOWS\uninstall
2008-02-18 15:20 . 2008-02-18 15:30 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-18 14:31 . 2008-02-18 15:26 <DIR> d-------- C:\Program Files\ChrisTV PVR
2008-02-18 14:31 . 2007-02-07 11:01 22 --a------ C:\WINDOWS\System32\dx25mpg.ax
2008-02-16 22:28 . 2008-02-16 22:39 91,700 --a------ C:\WINDOWS\System32\drivers\klin.dat
2008-02-16 22:28 . 2008-02-16 22:39 85,860 --a------ C:\WINDOWS\System32\drivers\klick.dat
2008-02-16 22:26 . 2008-02-25 19:59 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-02-16 22:26 . 2008-02-25 19:59 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-02-16 22:26 . 2008-02-16 22:26 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-16 22:25 . 2008-02-25 21:01 11,486,752 --ahs---- C:\WINDOWS\System32\drivers\fidbox.dat
2008-02-16 22:25 . 2008-02-25 20:59 155,960 --ahs---- C:\WINDOWS\System32\drivers\fidbox.idx
2008-02-16 22:24 . 2008-02-16 22:24 <DIR> d-------- C:\Users\All Users\Kaspersky Lab Setup Files
2008-02-16 22:24 . 2008-02-16 22:24 <DIR> d-------- C:\ProgramData\Kaspersky Lab Setup Files
2008-02-16 22:05 . 2008-02-16 22:05 <DIR> d-------- C:\kav
2008-02-16 20:48 . 2008-02-16 20:48 167,545 --a------ C:\WINDOWS\System32\drivers\core.cache.dsk
2008-02-16 20:30 . 2008-02-16 22:33 <DIR> d-------- C:\Program Files\Unlocker
2008-02-16 20:22 . 2008-02-16 20:22 <DIR> d-------- C:\Users\Aina\AppData\Roaming\AVG7
2008-02-16 20:20 . 2008-02-16 20:20 86,144 --a------ C:\WINDOWS\System32\drivers\nulll.sys
2008-02-16 20:19 . 2008-02-16 20:19 41,168,824 --a------ C:\WINDOWS\System32\avg75avwt_516a1225.exe
2008-02-16 20:01 . 2008-02-16 20:29 <DIR> d-------- C:\Program Files\Ad Muncher
2008-02-15 20:39 . 2008-02-15 20:39 <DIR> d-------- C:\WINDOWS\Sun
2008-02-13 13:22 . 2008-02-13 13:22 194,560 --a------ C:\WINDOWS\System32\WebClnt.dll
2008-02-13 13:22 . 2008-02-13 13:22 110,080 --a------ C:\WINDOWS\System32\drivers\mrxdav.sys
2008-02-13 13:17 . 2008-02-13 13:17 3,504,696 --a------ C:\WINDOWS\System32\ntkrnlpa.exe
2008-02-13 13:17 . 2008-02-13 13:17 3,470,392 --a------ C:\WINDOWS\System32\ntoskrnl.exe
2008-02-13 13:17 . 2008-02-13 13:17 154,624 --a------ C:\WINDOWS\System32\drivers\nwifi.sys
2008-02-13 13:17 . 2008-02-13 13:17 109,624 --a------ C:\WINDOWS\System32\drivers\ataport.sys
2008-02-13 13:17 . 2008-02-13 13:17 45,112 --a------ C:\WINDOWS\System32\drivers\pciidex.sys
2008-02-13 13:17 . 2008-02-13 13:17 21,560 --a------ C:\WINDOWS\System32\drivers\atapi.sys
2008-02-13 13:17 . 2008-02-13 13:17 15,928 --a------ C:\WINDOWS\System32\drivers\pciide.sys
2008-02-13 13:15 . 2008-02-13 13:15 24,064 --a------ C:\WINDOWS\System32\netcfg.exe
2008-02-13 13:14 . 2008-02-13 13:14 4,247,552 --a------ C:\WINDOWS\System32\GameUXLegacyGDFs.dll
2008-02-13 13:14 . 2008-02-13 13:14 1,686,528 --a------ C:\WINDOWS\System32\gameux.dll
2008-02-13 13:14 . 2008-02-13 13:14 803,328 --a------ C:\WINDOWS\System32\drivers\tcpip.sys
2008-02-13 13:14 . 2008-02-13 13:14 216,632 --a------ C:\WINDOWS\System32\drivers\netio.sys
2008-02-13 13:14 . 2008-02-13 13:14 167,424 --a------ C:\WINDOWS\System32\tcpipcfg.dll
2008-02-13 13:14 . 2008-02-13 13:14 22,016 --a------ C:\WINDOWS\System32\netiougc.exe
2008-02-13 13:10 . 2008-02-13 13:10 1,244,672 --a------ C:\WINDOWS\System32\mcmde.dll
2008-02-13 13:05 . 2008-02-13 13:31 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-02-13 13:05 . 2008-02-13 13:31 <DIR> d-------- C:\ProgramData\Lavasoft
2008-02-11 20:48 . 2008-02-16 20:07 <DIR> d-------- C:\Users\Aina\AppData\Roaming\CallingID
2008-02-11 20:47 . 2008-02-16 20:49 <DIR> d-------- C:\Users\All Users\CA
2008-02-11 20:47 . 2008-02-16 20:49 <DIR> d-------- C:\ProgramData\CA
2008-02-11 20:00 . 2008-02-16 20:27 <DIR> d-------- C:\Users\All Users\Avg7
2008-02-11 20:00 . 2008-02-16 20:27 <DIR> d-------- C:\ProgramData\Avg7
2008-02-11 19:29 . 2008-02-11 19:29 86,144 --a------ C:\WINDOWS\System32\drivers\lsisscsii.sys
2008-02-09 18:35 . 2008-02-09 18:35 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-02-09 18:35 . 2008-02-09 18:35 <DIR> d-------- C:\ProgramData\NVIDIA
2008-02-06 21:48 . 2008-02-06 21:48 <DIR> d-------- C:\Users\All Users\Transparent
2008-02-06 21:48 . 2008-02-06 21:48 <DIR> d-------- C:\ProgramData\Transparent
2008-02-06 21:48 . 2008-02-11 20:00 <DIR> d-------- C:\Program Files\Transparent
2008-02-06 20:45 . 2008-02-06 20:46 <DIR> d-------- C:\Users\Aina\AppData\Roaming\EuroTalk
2008-02-05 20:50 . 2008-02-05 20:50 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-05 20:49 . 2008-02-05 20:50 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-03 11:12 . 2008-02-03 11:12 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-29 19:08 . 2008-01-29 19:08 <DIR> d-------- C:\Users\Aina\AppData\Roaming\App Launcher Gadget

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 17:59 12,978 ----a-w C:\Users\Aina\AppData\Roaming\nvModes.dat
2008-02-24 15:25 --------- d-----w C:\Users\Aina\AppData\Roaming\OpenOffice.org2
2008-02-24 00:55 --------- d---a-w C:\ProgramData\TEMP
2008-02-24 00:30 --------- d-----w C:\Users\Aina\AppData\Roaming\Azureus
2008-02-17 01:58 --------- d-----w C:\ProgramData\Ulead Systems
2008-02-16 02:17 --------- d-----w C:\Program Files\Java
2008-02-14 17:25 --------- d-----w C:\Program Files\Google
2008-02-13 11:16 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-13 11:14 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 11:14 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 11:14 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 11:14 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 11:12 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 11:12 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 11:12 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 11:12 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-12 16:47 --------- d-----w C:\Users\Aina\AppData\Roaming\Roxio
2008-02-12 10:27 --------- d-----w C:\Program Files\Glary Utilities
2008-02-11 20:40 --------- d-----w C:\Users\Aina\AppData\Roaming\GlarySoft
2008-02-06 19:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 18:49 --------- d-----w C:\Program Files\Real
2008-02-01 11:30 --------- d-----w C:\Program Files\DivX
2008-01-23 14:18 --------- d-----w C:\Program Files\Flash&Backup
2008-01-23 14:12 --------- d-----w C:\Program Files\motorola tools
2008-01-16 12:39 --------- d-----w C:\Program Files\Windows Mail
2008-01-16 12:04 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-16 12:04 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-16 12:04 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-16 12:04 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-11 07:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 11:18 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-01-09 11:18 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-01-09 11:18 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-01-09 11:18 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-01-09 11:16 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-01-09 11:16 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-01-09 11:16 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-01-09 11:16 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-01-09 11:16 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-01-09 11:16 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-01-07 21:24 --------- d-----w C:\Program Files\uTorrent
2008-01-07 21:24 --------- d-----w C:\Program Files\AllToAVI
2008-01-07 21:23 --------- d-----w C:\Program Files\Cyberlink
2008-01-05 14:13 --------- d-----w C:\ProgramData\SmartSound Software Inc
2008-01-01 01:47 --------- d-----w C:\Users\Aina\AppData\Roaming\Pegasys Inc
2007-12-31 06:08 --------- d-----w C:\Users\Aina\AppData\Roaming\DivX
2007-12-31 05:26 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2007-12-15 00:48 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-15 00:47 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-15 00:47 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-11 19:44 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\Windows\System32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\Windows\System32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu10.dll
2007-12-11 19:44 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2007-12-11 12:59 174 --sha-w C:\Program Files\desktop.ini
2007-12-11 07:56 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-12-11 07:56 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-12-11 07:56 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-12-11 07:56 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-12-11 07:56 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-12-11 07:56 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-12-11 07:56 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-12-11 07:56 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-12-11 07:56 2,923,520 ----a-w C:\Windows\explorer.exe
2007-12-11 07:56 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-11 07:55 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-11 07:55 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-11 07:55 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-12-11 07:55 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-12-11 07:52 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2007-12-11 07:52 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2007-12-11 07:52 39,936 ----a-w C:\Windows\System32\slcinst.dll
2007-12-11 07:52 351,232 ----a-w C:\Windows\System32\SLUI.exe
2007-12-11 07:52 33,280 ----a-w C:\Windows\System32\slwmi.dll
2007-12-11 07:52 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2007-12-11 07:52 223,232 ----a-w C:\Windows\System32\SLC.dll
2007-12-11 07:52 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2007-12-11 07:52 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2007-12-02 17:32 81,920 ----a-w C:\Users\Aina\AppData\Roaming\ezpinst.exe
2007-12-02 17:32 47,360 ----a-w C:\Users\Aina\AppData\Roaming\pcouffin.sys
.

-----CONTINUED IN NEXT REPLY------

paiva
2008-02-25, 21:16
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 11:40 86960]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 09:50 1021224]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 09:29 102400]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 22:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 10:44 113136]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-14 08:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-14 08:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-14 08:40 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-15 01:32 132760]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 20:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 02:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-12-20 02:27 468264 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 06:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 21:12 341488 C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"EarthLink1"= UDP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"TCP Query User{A7AE1C4E-05C9-48EA-9B88-4A28E0750760}C:\program files\yahoo!\messenger\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger
"UDP Query User{FFCD510F-3205-4017-A19A-412EE04052E0}C:\program files\yahoo!\messenger\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger
"TCP Query User{A122A2F7-04FB-4B0E-99E6-B9BB85011DBC}C:\program files\azureus\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus|Desc=Azureus
"UDP Query User{664D0697-0F07-4515-8305-9952D2C461F7}C:\program files\azureus\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus|Desc=Azureus
"TCP Query User{517516E1-D547-4949-8092-5950A24EC6A0}C:\program files\yahoo!\messenger\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger
"UDP Query User{FDF55615-0F20-4BE9-B736-737602F58BBB}C:\program files\yahoo!\messenger\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-12-20 02:28]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-12-20 02:28]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-07-10 13:27]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 10:50]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUpnpService10.exe" [2007-08-24 22:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [2007-08-24 22:52]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-10-13 06:50]
S3 hcw85bda;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2006-12-02 00:41]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2007-06-18 22:19]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 02:33]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2007-05-07 22:11]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUPnPRenderer10.exe" [2007-08-24 22:53]
S3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [2007-08-24 22:52]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [2007-08-24 22:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f24dee1-c076-11dc-bd9d-001b24664553}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63dcdb19-9acb-11dc-9bb8-001b24664553}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 21:01:00
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\WLANExt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2008-02-25 21:06:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 19:06:36
ComboFix2.txt 2008-02-24 00:38:18
.
2008-02-22 10:00:17 --- E O F ---

------HijackThis log in NEXT reply------

paiva
2008-02-25, 21:19
While I tried to do the HijackThis scan and log, TWO pop-ups came (these 2 always come frequently; ONE is a blank IE window with no URL or any address, and the other one is this: http://url.adtrgt.com/cpv.jsp?p=112194&ip=91.155.192.179&url=http%3A%2F%2Fwww.yahoo.com%2F&selectedKeyword=ron&selectedListingId=6364610


HERE IS THE HIJACKTHIS LOG
=========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:46 PM, on 2/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O20 - AppInit_DLLs: ,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8441 bytes

Rosty
2008-02-26, 19:43
Hi,
thanks for the logs.

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Windows\system32\drivers\core.cache.dsk
C:\WINDOWS\System32\drivers\nulll.sys.vir
C:\WINDOWS\System32\drivers\nulll.sys
C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
C:\WINDOWS\System32\drivers\lsisscsii.sys
C:\WINDOWS\System32\ikhcore.cfg

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply: Combofix.txt and a new HijackThis log.

paiva
2008-02-26, 22:27
ComboFix 08-02-25.3 - Aina 2008-02-26 22:11:14.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1161 [GMT 2:00]
Running from: C:\Users\Aina\Desktop\ComboFix.exe
Command switches used :: C:\Users\Aina\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\system32\drivers\core.cache.dsk
C:\WINDOWS\System32\drivers\lsisscsii.sys
C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
C:\WINDOWS\System32\drivers\nulll.sys
C:\WINDOWS\System32\drivers\nulll.sys.vir
C:\WINDOWS\System32\ikhcore.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk
C:\WINDOWS\System32\drivers\lsisscsii.sys
C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
C:\WINDOWS\System32\drivers\nulll.sys
C:\WINDOWS\System32\drivers\nulll.sys.vir
C:\WINDOWS\System32\ikhcore.cfg

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-24 12:51 . 2008-02-24 12:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 03:13 . 2008-02-24 03:13 101 --a------ C:\WINDOWS\wininit.ini
2008-02-24 02:50 . 2008-02-24 02:53 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-24 02:50 . 2008-02-24 02:53 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-24 02:50 . 2008-02-24 02:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 14:16 . 2008-02-23 15:30 <DIR> d-------- C:\Program Files\WMR11
2008-02-23 11:46 . 2008-02-23 11:46 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-02-18 15:44 . 2008-02-18 15:53 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2008-02-18 15:43 . 2008-02-18 15:53 <DIR> d-------- C:\WINDOWS\uninstall
2008-02-18 15:20 . 2008-02-18 15:30 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-18 14:31 . 2008-02-18 15:26 <DIR> d-------- C:\Program Files\ChrisTV PVR
2008-02-18 14:31 . 2007-02-07 11:01 22 --a------ C:\WINDOWS\System32\dx25mpg.ax
2008-02-16 22:28 . 2008-02-16 22:39 91,700 --a------ C:\WINDOWS\System32\drivers\klin.dat
2008-02-16 22:28 . 2008-02-16 22:39 85,860 --a------ C:\WINDOWS\System32\drivers\klick.dat
2008-02-16 22:26 . 2008-02-26 12:46 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-02-16 22:26 . 2008-02-26 12:46 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-02-16 22:26 . 2008-02-16 22:26 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-16 22:25 . 2008-02-26 22:18 11,829,024 --ahs---- C:\WINDOWS\System32\drivers\fidbox.dat
2008-02-16 22:25 . 2008-02-26 22:16 160,544 --ahs---- C:\WINDOWS\System32\drivers\fidbox.idx
2008-02-16 22:24 . 2008-02-16 22:24 <DIR> d-------- C:\Users\All Users\Kaspersky Lab Setup Files
2008-02-16 22:24 . 2008-02-16 22:24 <DIR> d-------- C:\ProgramData\Kaspersky Lab Setup Files
2008-02-16 22:05 . 2008-02-16 22:05 <DIR> d-------- C:\kav
2008-02-16 20:30 . 2008-02-16 22:33 <DIR> d-------- C:\Program Files\Unlocker
2008-02-16 20:22 . 2008-02-16 20:22 <DIR> d-------- C:\Users\Aina\AppData\Roaming\AVG7
2008-02-16 20:19 . 2008-02-16 20:19 41,168,824 --a------ C:\WINDOWS\System32\avg75avwt_516a1225.exe
2008-02-16 20:01 . 2008-02-16 20:29 <DIR> d-------- C:\Program Files\Ad Muncher
2008-02-15 20:39 . 2008-02-15 20:39 <DIR> d-------- C:\WINDOWS\Sun
2008-02-13 13:22 . 2008-02-13 13:22 194,560 --a------ C:\WINDOWS\System32\WebClnt.dll
2008-02-13 13:22 . 2008-02-13 13:22 110,080 --a------ C:\WINDOWS\System32\drivers\mrxdav.sys
2008-02-13 13:17 . 2008-02-13 13:17 3,504,696 --a------ C:\WINDOWS\System32\ntkrnlpa.exe
2008-02-13 13:17 . 2008-02-13 13:17 3,470,392 --a------ C:\WINDOWS\System32\ntoskrnl.exe
2008-02-13 13:17 . 2008-02-13 13:17 154,624 --a------ C:\WINDOWS\System32\drivers\nwifi.sys
2008-02-13 13:17 . 2008-02-13 13:17 109,624 --a------ C:\WINDOWS\System32\drivers\ataport.sys
2008-02-13 13:17 . 2008-02-13 13:17 45,112 --a------ C:\WINDOWS\System32\drivers\pciidex.sys
2008-02-13 13:17 . 2008-02-13 13:17 21,560 --a------ C:\WINDOWS\System32\drivers\atapi.sys
2008-02-13 13:17 . 2008-02-13 13:17 15,928 --a------ C:\WINDOWS\System32\drivers\pciide.sys
2008-02-13 13:15 . 2008-02-13 13:15 24,064 --a------ C:\WINDOWS\System32\netcfg.exe
2008-02-13 13:14 . 2008-02-13 13:14 4,247,552 --a------ C:\WINDOWS\System32\GameUXLegacyGDFs.dll
2008-02-13 13:14 . 2008-02-13 13:14 1,686,528 --a------ C:\WINDOWS\System32\gameux.dll
2008-02-13 13:14 . 2008-02-13 13:14 803,328 --a------ C:\WINDOWS\System32\drivers\tcpip.sys
2008-02-13 13:14 . 2008-02-13 13:14 216,632 --a------ C:\WINDOWS\System32\drivers\netio.sys
2008-02-13 13:14 . 2008-02-13 13:14 167,424 --a------ C:\WINDOWS\System32\tcpipcfg.dll
2008-02-13 13:14 . 2008-02-13 13:14 22,016 --a------ C:\WINDOWS\System32\netiougc.exe
2008-02-13 13:10 . 2008-02-13 13:10 1,244,672 --a------ C:\WINDOWS\System32\mcmde.dll
2008-02-13 13:05 . 2008-02-13 13:31 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-02-13 13:05 . 2008-02-13 13:31 <DIR> d-------- C:\ProgramData\Lavasoft
2008-02-11 20:48 . 2008-02-16 20:07 <DIR> d-------- C:\Users\Aina\AppData\Roaming\CallingID
2008-02-11 20:47 . 2008-02-16 20:49 <DIR> d-------- C:\Users\All Users\CA
2008-02-11 20:47 . 2008-02-16 20:49 <DIR> d-------- C:\ProgramData\CA
2008-02-11 20:00 . 2008-02-16 20:27 <DIR> d-------- C:\Users\All Users\Avg7
2008-02-11 20:00 . 2008-02-16 20:27 <DIR> d-------- C:\ProgramData\Avg7
2008-02-09 18:35 . 2008-02-09 18:35 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-02-09 18:35 . 2008-02-09 18:35 <DIR> d-------- C:\ProgramData\NVIDIA
2008-02-06 21:48 . 2008-02-06 21:48 <DIR> d-------- C:\Users\All Users\Transparent
2008-02-06 21:48 . 2008-02-06 21:48 <DIR> d-------- C:\ProgramData\Transparent
2008-02-06 21:48 . 2008-02-11 20:00 <DIR> d-------- C:\Program Files\Transparent
2008-02-06 20:45 . 2008-02-06 20:46 <DIR> d-------- C:\Users\Aina\AppData\Roaming\EuroTalk
2008-02-05 20:50 . 2008-02-05 20:50 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-05 20:49 . 2008-02-05 20:50 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-03 11:12 . 2008-02-03 11:12 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-29 19:08 . 2008-01-29 19:08 <DIR> d-------- C:\Users\Aina\AppData\Roaming\App Launcher Gadget

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 19:08 12,978 ----a-w C:\Users\Aina\AppData\Roaming\nvModes.dat
2008-02-24 15:25 --------- d-----w C:\Users\Aina\AppData\Roaming\OpenOffice.org2
2008-02-24 00:55 --------- d---a-w C:\ProgramData\TEMP
2008-02-24 00:30 --------- d-----w C:\Users\Aina\AppData\Roaming\Azureus
2008-02-17 01:58 --------- d-----w C:\ProgramData\Ulead Systems
2008-02-16 02:17 --------- d-----w C:\Program Files\Java
2008-02-14 17:25 --------- d-----w C:\Program Files\Google
2008-02-13 11:21 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 11:21 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 11:21 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 11:21 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 11:21 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 11:21 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 11:21 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-13 11:16 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-13 11:14 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 11:14 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 11:14 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 11:14 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 11:12 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-12 16:47 --------- d-----w C:\Users\Aina\AppData\Roaming\Roxio
2008-02-12 10:27 --------- d-----w C:\Program Files\Glary Utilities
2008-02-11 20:40 --------- d-----w C:\Users\Aina\AppData\Roaming\GlarySoft
2008-02-06 19:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 18:49 --------- d-----w C:\Program Files\Real
2008-02-01 11:30 --------- d-----w C:\Program Files\DivX
2008-01-23 14:18 --------- d-----w C:\Program Files\Flash&Backup
2008-01-23 14:12 --------- d-----w C:\Program Files\motorola tools
2008-01-16 12:39 --------- d-----w C:\Program Files\Windows Mail
2008-01-16 12:04 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-16 12:04 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-16 12:04 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-11 07:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-07 21:24 --------- d-----w C:\Program Files\uTorrent
2008-01-07 21:24 --------- d-----w C:\Program Files\AllToAVI
2008-01-07 21:23 --------- d-----w C:\Program Files\Cyberlink
2008-01-05 14:13 --------- d-----w C:\ProgramData\SmartSound Software Inc
2008-01-01 01:47 --------- d-----w C:\Users\Aina\AppData\Roaming\Pegasys Inc
2007-12-31 06:08 --------- d-----w C:\Users\Aina\AppData\Roaming\DivX
2007-12-31 05:26 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2007-12-11 12:59 174 --sha-w C:\Program Files\desktop.ini
2007-12-11 07:56 2,923,520 ----a-w C:\Windows\explorer.exe
2007-12-02 17:32 81,920 ----a-w C:\Users\Aina\AppData\Roaming\ezpinst.exe
2007-12-02 17:32 47,360 ----a-w C:\Users\Aina\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 11:40 86960]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 09:50 1021224]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 09:29 102400]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 22:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 10:44 113136]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-14 08:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-14 08:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-14 08:40 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-15 01:32 132760]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 20:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 02:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-12-20 02:27 468264 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 06:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 21:12 341488 C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"EarthLink1"= UDP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"TCP Query User{A7AE1C4E-05C9-48EA-9B88-4A28E0750760}C:\program files\yahoo!\messenger\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger
"UDP Query User{FFCD510F-3205-4017-A19A-412EE04052E0}C:\program files\yahoo!\messenger\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger
"TCP Query User{A122A2F7-04FB-4B0E-99E6-B9BB85011DBC}C:\program files\azureus\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus|Desc=Azureus
"UDP Query User{664D0697-0F07-4515-8305-9952D2C461F7}C:\program files\azureus\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus|Desc=Azureus
"TCP Query User{517516E1-D547-4949-8092-5950A24EC6A0}C:\program files\yahoo!\messenger\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger
"UDP Query User{FDF55615-0F20-4BE9-B736-737602F58BBB}C:\program files\yahoo!\messenger\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger|Desc=Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-12-20 02:28]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-07-10 13:27]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 10:50]
S2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-12-20 02:28]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUpnpService10.exe" [2007-08-24 22:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [2007-08-24 22:52]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-10-13 06:50]
S3 hcw85bda;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2006-12-02 00:41]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2007-06-18 22:19]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 02:33]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2007-05-07 22:11]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUPnPRenderer10.exe" [2007-08-24 22:53]
S3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [2007-08-24 22:52]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [2007-08-24 22:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f24dee1-c076-11dc-bd9d-001b24664553}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63dcdb19-9acb-11dc-9bb8-001b24664553}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 22:18:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\WLANExt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2008-02-26 22:24:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 20:24:45
ComboFix2.txt 2008-02-25 19:06:48
ComboFix3.txt 2008-02-24 00:38:18
.
2008-02-22 10:00:17 --- E O F ---
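
One check a helper would want after this step, as an added example written for this thread (it is not ComboFix's own tooling and not code from anyone in the thread): a small Python script that reads the CFScript's File:: list and the ComboFix log and confirms each target shows up under "Other Deletions", so nothing is taken on trust from the "FILE ::" echo at the top of the log. The sample inputs are the script from Rosty's post and the matching section of the log above; the placeholder path used in the second call is constructed and does not appear in the thread.

```python
"""Confirm that a ComboFix CFScript's File:: targets were actually deleted.

Added example for this thread; not part of ComboFix. The CFScript and the log
excerpt below are copied from the posts above. Paths are compared
case-insensitively because Windows paths are case-insensitive (the script
mixes C:\WINDOWS and C:\Windows, as the log does).
"""
import re

# CFScript as posted by the helper (copied from the thread).
CFSCRIPT = r"""File::
C:\Windows\system32\drivers\core.cache.dsk
C:\WINDOWS\System32\drivers\nulll.sys.vir
C:\WINDOWS\System32\drivers\nulll.sys
C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
C:\WINDOWS\System32\drivers\lsisscsii.sys
C:\WINDOWS\System32\ikhcore.cfg
"""

# Relevant excerpt of the ComboFix.txt posted afterwards (copied from the thread).
# The "FILE ::" block is only ComboFix echoing the script; it proves nothing.
COMBOFIX_LOG = r"""ComboFix 08-02-25.3 - Aina 2008-02-26 22:11:14.3 - NTFSx86
Command switches used :: C:\Users\Aina\Desktop\CFScript.txt

FILE ::
C:\Windows\system32\drivers\core.cache.dsk
C:\WINDOWS\System32\drivers\lsisscsii.sys
C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
C:\WINDOWS\System32\drivers\nulll.sys
C:\WINDOWS\System32\drivers\nulll.sys.vir
C:\WINDOWS\System32\ikhcore.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk
C:\WINDOWS\System32\drivers\lsisscsii.sys
C:\WINDOWS\System32\drivers\lsisscsii.sys.vir
C:\WINDOWS\System32\drivers\nulll.sys
C:\WINDOWS\System32\drivers\nulll.sys.vir
C:\WINDOWS\System32\ikhcore.cfg

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-24 12:51 . 2008-02-24 12:51 <DIR> d-------- C:\Program Files\Trend Micro
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::\s*$")          # e.g. "File::", "Folder::"
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")     # ComboFix "((( Title )))" banners
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")           # a line that is a Windows path


def parse_cfscript(script: str) -> dict[str, list[str]]:
    """Map each CFScript directive (lower-cased, without '::') to its entries."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def combofix_section(log: str, title: str) -> list[str]:
    """Return the non-empty lines of the ComboFix section whose banner reads `title`."""
    lines, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            inside = m.group(1).casefold() == title.casefold()
            continue
        if inside and line and line != ".":
            lines.append(line)
    return lines


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; trailing backslashes are not significant."""
    return path.casefold().rstrip("\\")


def check_deletions(script: str, log: str) -> dict[str, list[str]]:
    """Split the File:: targets into those confirmed under 'Other Deletions' and the rest."""
    targets = parse_cfscript(script).get("file", [])
    deleted = {normalize(l) for l in combofix_section(log, "Other Deletions")
               if WIN_PATH_RE.match(l)}
    confirmed = [p for p in targets if normalize(p) in deleted]
    unconfirmed = [p for p in targets if normalize(p) not in deleted]
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    report = check_deletions(CFSCRIPT, COMBOFIX_LOG)
    print("confirmed deleted:", *report["confirmed"], sep="\n  ")
    print("NOT confirmed:", report["unconfirmed"] or "none")
```

Run against the thread's own data every one of the six targets is confirmed and the unconfirmed list is empty; appending a path that ComboFix did not report (the constructed placeholder in the test) makes it show up as unconfirmed, which is the cue to look for a locked or reloaded file before declaring the machine clean.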

paiva
2008-02-26, 22:30
Here is the HijackThis log. JUST one thing to mention: am I supposed to disable or exit Kaspersky before I do this ComboFix, or not? I am doing this with Kaspersky running, just to let you know; I don't know if I am supposed to leave Kaspersky on or off.
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:47 PM, on 2/26/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O20 - AppInit_DLLs: ,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD Basic v9\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8442 bytes

Rosty
2008-02-27, 17:43
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/english/kavwebscan.html)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky.
Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:
Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop and post it in your next reply.

paiva
2008-02-27, 23:13
Thank you very much for helping me out, I really do appreciate it.
Here is half of the report; the other half is in a new post.
----------------------------------------------------------

Wednesday, February 27, 2008 11:07:10 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 583972


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 197239
Number of viruses found 5
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 04:03:31

Infected Object Name Virus Name Last Action
C:\ProgramData\CyberLink\TinyDB\EPGSignal Object is locked skipped

C:\ProgramData\CyberLink\TinyDB\Schedule Object is locked skipped

C:\ProgramData\Kaspersky Lab\AVP7\Report\021c_File_Monitoring_eventlog.rpt Object is locked skipped

C:\ProgramData\Kaspersky Lab\AVP7\Report\021e_Web_Monitoring_eventlog.rpt Object is locked skipped

C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped

C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped

C:\ProgramData\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped

C:\ProgramData\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped

C:\ProgramData\Kaspersky Lab\~PRCustomProps#7d.dat Object is locked skipped

C:\ProgramData\Kaspersky Lab\~PRObjects#7d.dat Object is locked skipped

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1d345b2c7821ec288af019ed0b55a18b_91c44803-860d-4a67-9672-159586af97ed Object is locked skipped

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1d53ad31a679f804e2a581f631d60fb9_91c44803-860d-4a67-9672-159586af97ed Object is locked skipped

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.103.Crwl Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.103.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.ci Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wsb Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010022.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010024.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010037.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\000100DC.wid Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy1405.gthr Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3D3E.tmp Object is locked skipped

C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3D4E.tmp Object is locked skipped

C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log Object is locked skipped

C:\QooBox\Quarantine\catchme2008-02-26_221822.96.zip/lsisscsii.sys Infected: Rootkit.Win32.Agent.zl skipped

C:\QooBox\Quarantine\catchme2008-02-26_221822.96.zip/nulll.sys Infected: Rootkit.Win32.Agent.zl skipped

C:\QooBox\Quarantine\catchme2008-02-26_221822.96.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\UsrClass.dat{5ab07627-90cf-11dc-8388-001b24664553}.TM.blf Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\UsrClass.dat{5ab07627-90cf-11dc-8388-001b24664553}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Aina\AppData\Local\Microsoft\Windows\UsrClass.dat{5ab07627-90cf-11dc-8388-001b24664553}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\Aina\AppData\Local\Temp\ehmsas.txt Object is locked skipped

C:\Users\Aina\AppData\Local\Temp\~DF21A4.tmp Object is locked skipped

C:\Users\Aina\AppData\Local\Temp\~DF21AB.tmp Object is locked skipped

C:\Users\Aina\AppData\Local\Temp\~ROMFN_000001A4 Object is locked skipped

C:\Users\Aina\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\Aina\Documents\Azureus Downloads\Camstudio.2.5.(GPL).zip/Camstudio.2.5.(GPL)/install.exe Infected: not-virus:Hoax.Win32.Agent.p skipped

C:\Users\Aina\Documents\Azureus Downloads\Camstudio.2.5.(GPL).zip 7-Zip: infected - 1 skipped

C:\Users\Aina\Documents\Azureus Downloads\FLV.Recorder.v2.0.582.Incl.Keymaker-CORE\FLV.Recorder.v2.0.582.Incl.Keymaker-CORE.rar/FLV.Recorder.v2.0.582.Incl.Keymaker-CORE/FVL-Keygen.exe Infected: Backdoor.Win32.SdBot.cap skipped

C:\Users\Aina\Documents\Azureus Downloads\FLV.Recorder.v2.0.582.Incl.Keymaker-CORE\FLV.Recorder.v2.0.582.Incl.Keymaker-CORE.rar RAR: infected - 1 skipped

C:\Users\Aina\Documents\Azureus Downloads\quickscreenrecorder+serial.zip/quickscreenrecorder+serial/qsr.exe Infected: Trojan-Dropper.Win32.Agent.bif skipped

C:\Users\Aina\Documents\Azureus Downloads\quickscreenrecorder+serial.zip ZIP: infected - 1 skipped

C:\Users\Aina\Documents\Azureus Downloads\WM Recorder v10.1 Keygen & Patch.rar/WM Recorder v10.1 Keygen & Patch/WMRsetup.exe Infected: Backdoor.Win32.Delf.awa skipped

C:\Users\Aina\Documents\Azureus Downloads\WM Recorder v10.1 Keygen & Patch.rar RAR: infected - 1 skipped

C:\Users\Aina\ntuser.dat Object is locked skipped

C:\Users\Aina\ntuser.dat.LOG1 Object is locked skipped

C:\Users\Aina\ntuser.dat.LOG2 Object is locked skipped

C:\Users\Aina\NTUSER.DAT{aa851aff-acbe-11dc-bc4d-001b24664553}.TM.blf Object is locked skipped

C:\Users\Aina\NTUSER.DAT{aa851aff-acbe-11dc-bc4d-001b24664553}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Aina\NTUSER.DAT{aa851aff-acbe-11dc-bc4d-001b24664553}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Debug\sam.log Object is locked skipped

C:\WINDOWS\Debug\WIA\wiatrace.log Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat Object is locked skipped

C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped

C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped

C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

----------------------------------------------------------------------
Rest is Below Continued......

paiva
2008-02-27, 23:14
C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\WINDOWS\System32\catroot2\edb.log Object is locked skipped

C:\WINDOWS\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\WINDOWS\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\WINDOWS\System32\config\components Object is locked skipped

C:\WINDOWS\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\WINDOWS\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\WINDOWS\System32\config\default Object is locked skipped

C:\WINDOWS\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\WINDOWS\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\WINDOWS\System32\config\RegBack\COMPONENTS Object is locked skipped

C:\WINDOWS\System32\config\RegBack\DEFAULT Object is locked skipped

C:\WINDOWS\System32\config\RegBack\SAM Object is locked skipped

C:\WINDOWS\System32\config\RegBack\SECURITY Object is locked skipped

C:\WINDOWS\System32\config\RegBack\SOFTWARE Object is locked skipped

C:\WINDOWS\System32\config\RegBack\SYSTEM Object is locked skipped

C:\WINDOWS\System32\config\sam Object is locked skipped

C:\WINDOWS\System32\config\SAM.LOG1 Object is locked skipped

C:\WINDOWS\System32\config\SAM.LOG2 Object is locked skipped

C:\WINDOWS\System32\config\security Object is locked skipped

C:\WINDOWS\System32\config\SECURITY.LOG1 Object is locked skipped

C:\WINDOWS\System32\config\SECURITY.LOG2 Object is locked skipped

C:\WINDOWS\System32\config\software Object is locked skipped

C:\WINDOWS\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\WINDOWS\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\WINDOWS\System32\config\system Object is locked skipped

C:\WINDOWS\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\WINDOWS\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\WINDOWS\System32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\System32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\WINDOWS\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\System32\Msdtc\KtmRmTm.blf Object is locked skipped

C:\WINDOWS\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped

C:\WINDOWS\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped

C:\WINDOWS\System32\spool\SpoolerETW.etl Object is locked skipped

C:\WINDOWS\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\WINDOWS\System32\wbem\repository\INDEX.BTR Object is locked skipped

C:\WINDOWS\System32\wbem\repository\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\System32\wbem\repository\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\System32\wbem\repository\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped

C:\WINDOWS\System32\wfp\wfpdiag.etl Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\ODiag.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\OSession.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\WINDOWS\System32\winevt\Logs\System.evtx Object is locked skipped

C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\Desktop.ini Object is locked skipped

D:\System Volume Information\Folder.htt Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\Protect.ed Object is locked skipped

Scan process completed.

Rosty
2008-03-02, 20:55
Hi again,

we have to do some clean up here!!


Please delete this folder using Windows Explorer (if present):

C:\Users\Aina\Documents\Azureus Downloads <-- folder

Please do another scan with Kaspersky online scanner and post that log for me.
Let me know how things are running.
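A way to triage a Kaspersky Online Scanner report like the one posted above, separating the "Object is locked" noise from the real detections and grouping the live ones by folder (the step behind the advice to delete the Azureus Downloads folder). This is an added example, not code from the thread or from Kaspersky; the line format is taken from the report above, the sample lines are constructed from it, and the treatment of C:\QooBox\Quarantine as already-quarantined ComboFix output is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One report line reads "<path> <status> <action>". Paths may contain spaces, so
# the status is anchored from the right; it is one of: a locked (unscanned)
# object, a named detection, or an archive summary ("ZIP: infected - 2") that
# restates the member detections listed just above it.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"(?P<locked>Object is locked)"
    r"|Infected:\s+(?P<threat>\S+)"
    r"|(?P<archive>[\w\-]+):\s+infected\s+-\s+(?P<count>\d+)"
    r")\s+(?P<action>\S+)\s*$"
)

# Assumption: anything under C:\QooBox\Quarantine was already moved out of its
# original location by ComboFix, so a detection there is contained, not live.
QUARANTINE_PREFIXES = ("C:\\QooBox\\Quarantine\\",)


@dataclass
class Finding:
    path: str        # object as reported; archive members follow the first '/'
    container: str   # file on disk that holds the object (the archive itself)
    threat: str
    quarantined: bool


def container_of(path: str) -> str:
    """Map a report path to the on-disk file: members of an archive sit after '/'."""
    return path.split("/", 1)[0]


def classify(line: str) -> Tuple[str, Optional[Finding]]:
    """Classify one line as 'locked', 'detection', 'archive' or 'unparsed'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed", None
    if m.group("locked"):
        return "locked", None
    if m.group("archive"):
        return "archive", None
    path = m.group("path")
    container = container_of(path)
    quarantined = any(container.lower().startswith(p.lower()) for p in QUARANTINE_PREFIXES)
    return "detection", Finding(path, container, m.group("threat"), quarantined)


def triage(report_text: str) -> Dict[str, object]:
    """Summarise a report: locked/unparsed counts, all detections, the live ones,
    and the folders holding live detections (the candidates for clean-up)."""
    locked = 0
    unparsed: List[str] = []
    findings: List[Finding] = []
    for raw in report_text.splitlines():
        if not raw.strip():
            continue
        kind, finding = classify(raw)
        if kind == "locked":
            locked += 1
        elif kind == "unparsed":
            unparsed.append(raw.strip())
        elif kind == "detection":
            findings.append(finding)
    live = [f for f in findings if not f.quarantined]
    by_dir = Counter(f.container.rsplit("\\", 1)[0] for f in live)
    return {"locked": locked, "unparsed": unparsed, "findings": findings,
            "live": live, "by_directory": by_dir}


# Constructed sample in the report's format, drawn from the lines posted above.
SAMPLE_REPORT = r"""
C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-26_221822.96.zip/lsisscsii.sys Infected: Rootkit.Win32.Agent.zl skipped
C:\QooBox\Quarantine\catchme2008-02-26_221822.96.zip/nulll.sys Infected: Rootkit.Win32.Agent.zl skipped
C:\QooBox\Quarantine\catchme2008-02-26_221822.96.zip ZIP: infected - 2 skipped
C:\Users\Aina\Documents\Azureus Downloads\Camstudio.2.5.(GPL).zip/Camstudio.2.5.(GPL)/install.exe Infected: not-virus:Hoax.Win32.Agent.p skipped
C:\Users\Aina\Documents\Azureus Downloads\Camstudio.2.5.(GPL).zip 7-Zip: infected - 1 skipped
C:\Users\Aina\Documents\Azureus Downloads\WM Recorder v10.1 Keygen & Patch.rar/WM Recorder v10.1 Keygen & Patch/WMRsetup.exe Infected: Backdoor.Win32.Delf.awa skipped
C:\Users\Aina\Documents\Azureus Downloads\WM Recorder v10.1 Keygen & Patch.rar RAR: infected - 1 skipped
C:\Users\Aina\ntuser.dat Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"locked (not scanned): {summary['locked']}, unparsed: {len(summary['unparsed'])}")
    for f in summary["findings"]:
        state = "quarantined" if f.quarantined else "LIVE"
        print(f"{state:11} {f.threat:32} {f.container}")
    for folder, n in summary["by_directory"].items():
        print(f"{n} live detection(s) under {folder}")
```

Locked objects are files the scanner could not open, not infections, so they need no action; the archive summary lines are skipped because they only repeat the member detections.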

paiva
2008-03-04, 15:25
Hey,
Everything is working really well, no popups or anything. I did the scan after deleting the Azureus download folder, and it was showing some infections, but it never let me finish the whole scan: twice my computer ended up with a blue screen :( and both times the scan had been running for about 2 hours or so before it crashed. I am sure that I still have some infection, but I am not getting any pop-ups. By the way, those 2 things, cam record and comp screen recorder, I tried to download AFTER I got infected (when I saw you were showing how to move the notepad text to ComboFix), so I got curious and wanted to know how you can show your computer cursor in that jpg or flash file.
Anyway, things are running fine, but I still have some doubts about whether my machine is cleaned or infected.