PDA

View Full Version : Browser won't load certain websites



berryhalley
2008-05-04, 18:40
Hi, this issue is somewhat related to this particular post that I've read earlier in this forum: http://forums.spybot.info/showthread.php?t=13358

I'm having a problem connecting to certain websites using either IE or Opera (haven't tried with Firefox yet). Examples of these websites are friendster and yahoo, I can open google but I cannot search through it. I don't get any error messages, it just tries to connect but it's getting nowhere.

The weird thing now is that I tried to use the explorer window and it did went through! I was able to quickly access the sites.

I'm also wondering why the system restore function won't work now, it wouldn't allow me to select a restore point.

I have already scanned and removed the spywares using Spyware Doctor, tried running HijackThis and this is what I got:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:10 PM, on 5/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\OLYMPUS Master.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ph.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\System32\geBssspO.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMc70aa9ae] Rundll32.exe "C:\WINDOWS\System32\jogtbelu.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O20 - Winlogon Notify: geBssspO - geBssspO.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


Please help, thanks! :)

Blade81
2008-05-04, 21:09
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

berryhalley
2008-05-05, 17:21
Thanks so much for your reply Blade81, here are the logs:

COMBOFIX LOG:

ComboFix 08-05-01.3 - Admin 2008-05-05 22:09:26.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.56 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dqeqlumr.ini
C:\WINDOWS\system32\fccbbYRJ.dll
C:\WINDOWS\system32\fcccayYo.dll
C:\WINDOWS\system32\geBrsTmK.dll
C:\WINDOWS\system32\jogtbelu.dll
C:\WINDOWS\system32\JRYbbccf.ini
C:\WINDOWS\system32\JRYbbccf.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rmulqeqd.dll
C:\WINDOWS\system32\rqRLcAPh.dll
C:\WINDOWS\system32\wbadlplb.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-05 22:09 . 2008-05-05 22:09 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-05 15:36 . 2008-05-05 15:36 <DIR> d--hs---- C:\FOUND.000
2008-05-04 22:43 . 2008-05-04 22:43 <DIR> d-------- C:\hijackthis
2008-05-04 15:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-04 15:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-04 15:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-04 15:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-04 15:39 . 2008-05-04 15:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-04 15:39 . 2008-05-04 15:39 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PC Tools
2008-05-04 14:52 . 2008-05-04 14:52 <DIR> d-------- C:\Program Files\Opera
2008-05-04 14:15 . 2008-05-04 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 14:15 . 2008-05-04 14:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-05-04 13:21 . 2008-05-04 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 12:43 . 2008-05-04 12:43 <DIR> d-------- C:\Program Files\ESET
2008-05-04 12:24 . 2008-05-04 12:24 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\F-Secure
2008-05-04 12:16 . 2008-05-04 12:16 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-05-04 12:16 . 2008-05-04 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-05-04 12:15 . 2008-05-04 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-05-04 11:59 . 2008-05-04 11:59 <DIR> d--hs---- C:\FOUND.014
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\webmark
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\videoplus
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\audioplus
2008-05-04 07:12 . 2008-05-04 07:12 <DIR> d--hs---- C:\FOUND.013
2008-05-04 06:08 . 2008-05-05 17:17 109,747 --a------ C:\WINDOWS\BMc70aa9ae.xml
2008-05-03 23:07 . 2008-05-03 23:07 <DIR> d-------- C:\Program Files\Ulead Systems
2008-05-03 22:20 . 2008-05-03 22:20 <DIR> d--hs---- C:\FOUND.012
2008-05-03 21:52 . 2008-05-03 21:52 <DIR> d-------- C:\Program Files\OLYMPUS
2008-05-03 21:50 . 2008-05-03 21:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-03 19:33 . 2002-09-10 23:10 495,616 --a------ C:\WINDOWS\system32\xvid.dll
2008-05-03 19:33 . 2002-09-10 23:10 331,776 --a------ C:\WINDOWS\system32\xvid.ax
2008-05-03 19:31 . 2008-05-03 19:31 <DIR> d-------- C:\Program Files\SuperAVConverter
2008-05-03 18:03 . 2008-05-03 18:03 <DIR> d-------- C:\DVDVideoSoft
2008-05-03 18:02 . 2008-05-03 18:02 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-03 18:01 . 2008-05-03 18:01 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-02 21:37 . 2008-05-02 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-02 21:37 . 2008-05-02 21:37 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ulead Systems
2008-05-01 23:20 . 2008-05-01 23:20 <DIR> d-------- C:\Program Files\Imikimi
2008-04-30 16:19 . 2008-04-30 16:19 <DIR> d--hs---- C:\FOUND.011
2008-04-30 12:38 . 2008-04-30 12:38 <DIR> d--hs---- C:\FOUND.010
2008-04-30 09:16 . 2008-04-30 09:16 <DIR> d-------- C:\Program Files\GizmoPlugin
2008-04-30 09:16 . 2008-04-30 09:16 86,016 --a------ C:\WINDOWS\system32\GizmoPluginCPL.cpl
2008-04-30 00:15 . 2008-04-30 00:15 39 --a------ C:\WINDOWS\VMorpher.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\VDVD.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\Cover.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\avvcnvrt.INI
2008-04-30 00:05 . 2008-04-30 00:26 29 --a------ C:\WINDOWS\AVFTP.INI
2008-04-29 23:30 . 2008-04-29 23:33 1,212 --a------ C:\WINDOWS\winamp.ini
2008-04-29 22:33 . 2008-04-29 22:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DivX
2008-04-29 22:31 . 2008-04-29 22:31 <DIR> d-------- C:\Program Files\DivX
2008-04-27 12:42 . 2008-04-27 12:42 <DIR> d-------- C:\TLC
2008-04-26 22:30 . 2008-04-26 22:30 <DIR> d-------- C:\Program Files\mIRC
2008-04-25 21:51 . 2008-04-25 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-25 18:30 . 2008-04-25 18:30 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia Multimedia Player
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Phone Browser
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DataLayer
2008-04-25 15:06 . 2008-04-25 15:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia
2008-04-25 14:57 . 2008-04-25 14:57 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 14:57 . 2008-04-25 14:57 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PC Suite
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 14:45 . 2008-04-25 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 13:29 . 2008-04-22 13:29 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BearShare
2008-04-22 13:29 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-04-22 13:28 . 2008-04-22 13:29 <DIR> d-------- C:\Program Files\BearShare Applications
2008-04-22 11:28 . 2008-04-22 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-21 23:06 . 2008-04-21 23:06 <DIR> d-------- C:\Program Files\Aimersoft
2008-04-21 22:41 . 2008-04-21 22:41 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-04-21 22:24 . 2008-04-21 22:24 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-21 22:16 . 2008-04-21 22:16 <DIR> d-------- C:\Program Files\Google
2008-04-21 21:09 . 2008-04-17 22:14 104,168 --------- C:\WINDOWS\hpoins04.dat.temp
2008-04-21 21:09 . 2004-06-22 05:11 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
2008-04-21 13:53 . 2004-09-17 14:05 84,512 -ra------ C:\WINDOWS\system32\drivers\ss_mdm.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,080 -ra------ C:\WINDOWS\system32\drivers\ss_cmnt.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,080 -ra------ C:\WINDOWS\system32\drivers\ss_cm.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,064 -ra------ C:\WINDOWS\system32\drivers\ss_mdfl.sys
2008-04-21 13:38 . 2004-09-17 14:04 52,384 -ra------ C:\WINDOWS\system32\drivers\ss_bus.sys
2008-04-21 13:38 . 2004-09-17 14:04 5,744 -ra------ C:\WINDOWS\system32\drivers\ss_whnt.sys
2008-04-21 13:38 . 2004-09-17 14:04 5,744 -ra------ C:\WINDOWS\system32\drivers\ss_wh.sys
2008-04-21 12:06 . 2008-04-21 12:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ahead
2008-04-21 11:05 . 2008-05-05 12:03 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-21 11:01 . 2008-04-21 11:01 16,760 --a------ C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 10:29 . 2008-04-21 10:29 <DIR> d-------- C:\Program Files\uTorrent
2008-04-21 10:11 . 2008-04-21 10:11 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\uTorrent
2008-04-20 19:01 . 2008-04-20 19:01 <DIR> d-------- C:\Program Files\Trickshot
2008-04-20 03:55 . 2008-04-20 03:55 <DIR> d-------- C:\Program Files\iTunes
2008-04-20 03:55 . 2008-04-20 03:55 <DIR> d-------- C:\Program Files\iPod
2008-04-20 02:51 . 2002-08-29 01:32 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-20 02:50 . 2008-04-20 02:50 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-20 02:50 . 2008-04-20 02:50 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Apple Computer
2008-04-20 02:48 . 2008-04-20 02:48 <DIR> d-------- C:\Program Files\QuickTime
2008-04-20 02:44 . 2008-04-20 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-20 02:41 . 2008-04-20 02:41 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-19 06:22 . 2008-04-19 06:22 <DIR> d--h----- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2008-04-18 23:36 . 2008-04-18 23:36 <DIR> d-------- C:\Program Files\Samsung
2008-04-18 23:35 . 2008-04-18 23:35 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-18 14:22 . 2005-09-01 09:49 16,384 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-04-18 09:05 . 2005-06-29 09:54 68,608 --a------ C:\WINDOWS\system32\mscms.dll
2008-04-18 08:56 . 2005-01-11 09:20 118,272 --a------ C:\WINDOWS\system32\dllcache\dhtmled.ocx
2008-04-18 08:56 . 2005-04-22 13:20 51,712 --a------ C:\WINDOWS\system32\dllcache\agentdpv.dll
2008-04-18 08:54 . 2006-08-25 17:14 595,968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-04-18 05:04 . 2006-09-13 13:09 1,110,528 --a------ C:\WINDOWS\system32\msxml3.dll
2008-04-18 05:03 . 2004-10-28 09:29 681,984 --a------ C:\WINDOWS\system32\dllcache\lsasrv.dll
2008-04-18 05:03 . 2004-10-28 09:29 116,736 --a------ C:\WINDOWS\system32\dllcache\shsvcs.dll
2008-04-18 05:03 . 2004-10-28 09:29 92,160 --a------ C:\WINDOWS\system32\dllcache\cscdll.dll
2008-04-18 05:03 . 2004-10-28 09:29 92,160 --a------ C:\WINDOWS\system32\cscdll.dll
2008-04-18 05:01 . 2005-04-26 09:58 173,312 --a------ C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-04-18 05:01 . 2006-01-04 11:37 64,000 --a------ C:\WINDOWS\system32\webclnt.dll
2008-04-18 05:01 . 2006-01-04 11:37 64,000 --a------ C:\WINDOWS\system32\dllcache\webclnt.dll
2008-04-18 05:00 . 2005-07-09 00:09 238,592 --a------ C:\WINDOWS\system32\tapisrv.dll
2008-04-18 05:00 . 2005-06-11 07:55 53,248 --a------ C:\WINDOWS\system32\spoolsv.exe
2008-04-18 04:58 . 2005-10-21 06:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-04-18 04:52 . 2006-03-17 08:49 25,600 --------- C:\WINDOWS\system32\verclsid.exe
2008-04-18 04:50 . 2006-03-02 03:44 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
2008-04-18 04:50 . 2006-03-02 03:44 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2008-04-18 04:43 . 2008-04-18 04:43 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-18 04:40 . 2008-04-18 04:40 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 04:40 . 2006-02-17 14:04 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-17 22:38 . 2005-04-20 19:32 2,916,352 --------- C:\WINDOWS\UNNMP.exe
2008-04-17 22:38 . 2005-10-07 22:22 49,883 --------- C:\WINDOWS\UNNMP.cfg
2008-04-17 22:38 . 2008-04-17 22:38 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-04-17 22:37 . 2008-04-17 22:37 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-04-17 22:35 . 2008-04-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-17 22:35 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-17 22:23 . 2008-04-17 22:23 <DIR> d-------- C:\Program Files\Common Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 04:21 930,304 ----a-w C:\Documents and Settings\Admin\Application Data\kernel33.dll
2008-04-17 03:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 22:13 394680 --a------ C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
C:\WINDOWS\System32\geBssspO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-21 10:29 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe [2008-05-05 13:06:13 69632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"= C:\WINDOWS\System32\geBssspO.dll [ ]
"{F7F6584C-864B-411D-A410-BB2DE0D33CA1}"= C:\WINDOWS\System32\geBrsTmK.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrsTmK]
geBrsTmK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBssspO]
geBssspO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
-ra------ 2004-06-09 15:37 40960 C:\WINDOWS\VM_STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc70aa9ae]
C:\WINDOWS\System32\jogtbelu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4399a32]
C:\WINDOWS\System32\uvfecpqs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2007-12-21 08:21 1443072 C:\Program Files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 13:38 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-02-01 12:55 1103240 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-09-12 01:58 229952 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2007-05-28 16:59 95800 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-01 16:22 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-04-21 10:29 219952 C:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2005-11-01 04:15 163840 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R2 dvdmmg;dvdmmg;C:\WINDOWS\System32\drivers\dvdmmg.sys [2007-09-06 19:15]
R2 Gizmo Plugin;Gizmo VoIP Service;"C:\Program Files\GizmoPlugin\GizmoPlugin.exe" [2008-04-30 09:16]
R3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\System32\Drivers\usbVM31b.sys [2004-08-17 11:44]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2004-09-17 14:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2004-09-17 14:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2004-09-17 14:05]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 22:13:03
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ESET\ESET SMART SECURITY\EKRN.EXE
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-05 22:14:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 14:14:04

Pre-Run: 10,434,068,480 bytes free
Post-Run: 10,945,249,280 bytes free

264 --- E O F --- 2008-04-18 22:31:14


HIKACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 10:15:01 PM, on 5/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ph.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\System32\geBssspO.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O20 - Winlogon Notify: geBrsTmK - geBrsTmK.dll (file missing)
O20 - Winlogon Notify: geBssspO - geBssspO.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

:)

Blade81
2008-05-05, 18:13
Hi

Do you recognize following files? If not upload them to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\VMorpher.INI
C:\WINDOWS\VDVD.INI
C:\WINDOWS\Cover.INI
C:\WINDOWS\avvcnvrt.INI



Start hjt, do a system scan, check:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\BMc70aa9ae.xml

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"=-
"{F7F6584C-864B-411D-A410-BB2DE0D33CA1}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrsTmK]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBssspO]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc70aa9ae]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4399a32]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too (don't forget to post above meantioned ComboFix resultant log!)


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

berryhalley
2008-05-07, 05:56
Hello! I've already followed your instructions but I haven't completed the Kaspersky scan yet, will do and post the results maybe later. Meanwhile, here is the log for combofix and the scan result of the files you've specified previously:

vMorpher.INI = OK
VDVD.INI = The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
Cover.INI = The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
avvcnvrt.INI = The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

COMBOFIX LOG:

ComboFix 08-05-01.3 - Admin 2008-05-06 8:17:02.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.52 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMc70aa9ae.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc70aa9ae.xml

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-05 22:09 . 2008-05-05 22:09 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-05 15:36 . 2008-05-05 15:36 <DIR> d--hs---- C:\FOUND.000
2008-05-04 22:43 . 2008-05-04 22:43 <DIR> d-------- C:\hijackthis
2008-05-04 15:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-04 15:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-04 15:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-04 15:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-04 15:39 . 2008-05-04 15:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-04 15:39 . 2008-05-04 15:39 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PC Tools
2008-05-04 14:52 . 2008-05-04 14:52 <DIR> d-------- C:\Program Files\Opera
2008-05-04 14:15 . 2008-05-04 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 14:15 . 2008-05-04 14:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-05-04 13:21 . 2008-05-04 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 12:43 . 2008-05-04 12:43 <DIR> d-------- C:\Program Files\ESET
2008-05-04 12:24 . 2008-05-04 12:24 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\F-Secure
2008-05-04 12:16 . 2008-05-04 12:16 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-05-04 12:16 . 2008-05-04 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-05-04 12:15 . 2008-05-04 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-05-04 11:59 . 2008-05-04 11:59 <DIR> d--hs---- C:\FOUND.014
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\webmark
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\videoplus
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\audioplus
2008-05-04 07:12 . 2008-05-04 07:12 <DIR> d--hs---- C:\FOUND.013
2008-05-03 23:07 . 2008-05-03 23:07 <DIR> d-------- C:\Program Files\Ulead Systems
2008-05-03 22:20 . 2008-05-03 22:20 <DIR> d--hs---- C:\FOUND.012
2008-05-03 21:52 . 2008-05-03 21:52 <DIR> d-------- C:\Program Files\OLYMPUS
2008-05-03 21:50 . 2008-05-03 21:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-03 19:33 . 2002-09-10 23:10 495,616 --a------ C:\WINDOWS\system32\xvid.dll
2008-05-03 19:33 . 2002-09-10 23:10 331,776 --a------ C:\WINDOWS\system32\xvid.ax
2008-05-03 19:31 . 2008-05-03 19:31 <DIR> d-------- C:\Program Files\SuperAVConverter
2008-05-03 18:03 . 2008-05-03 18:03 <DIR> d-------- C:\DVDVideoSoft
2008-05-03 18:02 . 2008-05-03 18:02 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-03 18:01 . 2008-05-03 18:01 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-02 21:37 . 2008-05-02 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-02 21:37 . 2008-05-02 21:37 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ulead Systems
2008-05-01 23:20 . 2008-05-01 23:20 <DIR> d-------- C:\Program Files\Imikimi
2008-04-30 16:19 . 2008-04-30 16:19 <DIR> d--hs---- C:\FOUND.011
2008-04-30 12:38 . 2008-04-30 12:38 <DIR> d--hs---- C:\FOUND.010
2008-04-30 09:16 . 2008-04-30 09:16 <DIR> d-------- C:\Program Files\GizmoPlugin
2008-04-30 09:16 . 2008-04-30 09:16 86,016 --a------ C:\WINDOWS\system32\GizmoPluginCPL.cpl
2008-04-30 00:15 . 2008-04-30 00:15 39 --a------ C:\WINDOWS\VMorpher.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\VDVD.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\Cover.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\avvcnvrt.INI
2008-04-30 00:05 . 2008-04-30 00:26 29 --a------ C:\WINDOWS\AVFTP.INI
2008-04-29 23:30 . 2008-04-29 23:33 1,212 --a------ C:\WINDOWS\winamp.ini
2008-04-29 22:33 . 2008-04-29 22:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DivX
2008-04-29 22:31 . 2008-04-29 22:31 <DIR> d-------- C:\Program Files\DivX
2008-04-27 12:42 . 2008-04-27 12:42 <DIR> d-------- C:\TLC
2008-04-26 22:30 . 2008-04-26 22:30 <DIR> d-------- C:\Program Files\mIRC
2008-04-25 21:51 . 2008-04-25 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-25 18:30 . 2008-04-25 18:30 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia Multimedia Player
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Phone Browser
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DataLayer
2008-04-25 15:06 . 2008-04-25 15:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia
2008-04-25 14:57 . 2008-04-25 14:57 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 14:57 . 2008-04-25 14:57 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PC Suite
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 14:45 . 2008-04-25 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 13:29 . 2008-04-22 13:29 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BearShare
2008-04-22 13:29 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-04-22 13:28 . 2008-04-22 13:29 <DIR> d-------- C:\Program Files\BearShare Applications
2008-04-22 11:28 . 2008-04-22 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-21 23:06 . 2008-04-21 23:06 <DIR> d-------- C:\Program Files\Aimersoft
2008-04-21 22:41 . 2008-04-21 22:41 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-04-21 22:24 . 2008-04-21 22:24 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-21 22:16 . 2008-04-21 22:16 <DIR> d-------- C:\Program Files\Google
2008-04-21 21:09 . 2008-04-17 22:14 104,168 --------- C:\WINDOWS\hpoins04.dat.temp
2008-04-21 21:09 . 2004-06-22 05:11 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
2008-04-21 13:53 . 2004-09-17 14:05 84,512 -ra------ C:\WINDOWS\system32\drivers\ss_mdm.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,080 -ra------ C:\WINDOWS\system32\drivers\ss_cmnt.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,080 -ra------ C:\WINDOWS\system32\drivers\ss_cm.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,064 -ra------ C:\WINDOWS\system32\drivers\ss_mdfl.sys
2008-04-21 13:38 . 2004-09-17 14:04 52,384 -ra------ C:\WINDOWS\system32\drivers\ss_bus.sys
2008-04-21 13:38 . 2004-09-17 14:04 5,744 -ra------ C:\WINDOWS\system32\drivers\ss_whnt.sys
2008-04-21 13:38 . 2004-09-17 14:04 5,744 -ra------ C:\WINDOWS\system32\drivers\ss_wh.sys
2008-04-21 12:06 . 2008-04-21 12:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ahead
2008-04-21 11:05 . 2008-05-05 12:03 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-21 11:01 . 2008-04-21 11:01 16,760 --a------ C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 10:29 . 2008-04-21 10:29 <DIR> d-------- C:\Program Files\uTorrent
2008-04-21 10:11 . 2008-04-21 10:11 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\uTorrent
2008-04-20 19:01 . 2008-04-20 19:01 <DIR> d-------- C:\Program Files\Trickshot
2008-04-20 03:55 . 2008-04-20 03:55 <DIR> d-------- C:\Program Files\iTunes
2008-04-20 03:55 . 2008-04-20 03:55 <DIR> d-------- C:\Program Files\iPod
2008-04-20 02:51 . 2002-08-29 01:32 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-20 02:50 . 2008-04-20 02:50 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-20 02:50 . 2008-04-20 02:50 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Apple Computer
2008-04-20 02:48 . 2008-04-20 02:48 <DIR> d-------- C:\Program Files\QuickTime
2008-04-20 02:44 . 2008-04-20 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-20 02:41 . 2008-04-20 02:41 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-19 06:22 . 2008-04-19 06:22 <DIR> d--h----- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2008-04-18 23:36 . 2008-04-18 23:36 <DIR> d-------- C:\Program Files\Samsung
2008-04-18 23:35 . 2008-04-18 23:35 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-18 14:22 . 2005-09-01 09:49 16,384 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-04-18 09:05 . 2005-06-29 09:54 68,608 --a------ C:\WINDOWS\system32\mscms.dll
2008-04-18 08:56 . 2005-01-11 09:20 118,272 --a------ C:\WINDOWS\system32\dllcache\dhtmled.ocx
2008-04-18 08:56 . 2005-04-22 13:20 51,712 --a------ C:\WINDOWS\system32\dllcache\agentdpv.dll
2008-04-18 08:54 . 2006-08-25 17:14 595,968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-04-18 05:04 . 2006-09-13 13:09 1,110,528 --a------ C:\WINDOWS\system32\msxml3.dll
2008-04-18 05:03 . 2004-10-28 09:29 681,984 --a------ C:\WINDOWS\system32\dllcache\lsasrv.dll
2008-04-18 05:03 . 2004-10-28 09:29 116,736 --a------ C:\WINDOWS\system32\dllcache\shsvcs.dll
2008-04-18 05:03 . 2004-10-28 09:29 92,160 --a------ C:\WINDOWS\system32\dllcache\cscdll.dll
2008-04-18 05:03 . 2004-10-28 09:29 92,160 --a------ C:\WINDOWS\system32\cscdll.dll
2008-04-18 05:01 . 2005-04-26 09:58 173,312 --a------ C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-04-18 05:01 . 2006-01-04 11:37 64,000 --a------ C:\WINDOWS\system32\webclnt.dll
2008-04-18 05:01 . 2006-01-04 11:37 64,000 --a------ C:\WINDOWS\system32\dllcache\webclnt.dll
2008-04-18 05:00 . 2005-07-09 00:09 238,592 --a------ C:\WINDOWS\system32\tapisrv.dll
2008-04-18 05:00 . 2005-06-11 07:55 53,248 --a------ C:\WINDOWS\system32\spoolsv.exe
2008-04-18 04:58 . 2005-10-21 06:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-04-18 04:52 . 2006-03-17 08:49 25,600 --------- C:\WINDOWS\system32\verclsid.exe
2008-04-18 04:50 . 2006-03-02 03:44 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
2008-04-18 04:50 . 2006-03-02 03:44 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2008-04-18 04:43 . 2008-04-18 04:43 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-18 04:40 . 2008-04-18 04:40 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 04:40 . 2006-02-17 14:04 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-17 22:38 . 2005-04-20 19:32 2,916,352 --------- C:\WINDOWS\UNNMP.exe
2008-04-17 22:38 . 2005-10-07 22:22 49,883 --------- C:\WINDOWS\UNNMP.cfg
2008-04-17 22:38 . 2008-04-17 22:38 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-04-17 22:37 . 2008-04-17 22:37 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-04-17 22:35 . 2008-04-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-17 22:35 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-17 22:23 . 2008-04-17 22:23 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-17 22:23 . 2008-04-17 22:23 <DIR> d-------- C:\Program Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 04:21 930,304 ----a-w C:\Documents and Settings\Admin\Application Data\kernel33.dll
2008-04-17 03:57 558,142 ----a-w C:\WINDOWS\java\Packages\JXF3LNZ9.ZIP
2008-04-17 03:57 155,995 ----a-w C:\WINDOWS\java\Packages\1NX7TB3F.ZIP
2008-04-17 03:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-05_22.13.49.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 14:12:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-05 20:04:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-04 04:49:36 54,182 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-05 14:14:28 54,182 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 04:49:36 383,296 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-05 14:14:28 383,296 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 22:13 394680 --a------ C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-21 10:29 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe [2008-05-05 13:06:13 69632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
-ra------ 2004-06-09 15:37 40960 C:\WINDOWS\VM_STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2007-12-21 08:21 1443072 C:\Program Files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 13:38 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-02-01 12:55 1103240 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-09-12 01:58 229952 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2007-05-28 16:59 95800 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-01 16:22 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-04-21 10:29 219952 C:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2005-11-01 04:15 163840 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R2 dvdmmg;dvdmmg;C:\WINDOWS\System32\drivers\dvdmmg.sys [2007-09-06 19:15]
R2 Gizmo Plugin;Gizmo VoIP Service;"C:\Program Files\GizmoPlugin\GizmoPlugin.exe" [2008-04-30 09:16]
R3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2004-09-17 14:04]
R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2004-09-17 14:05]
R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2004-09-17 14:05]
R3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\System32\Drivers\usbVM31b.sys [2004-08-17 11:44]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 08:18:38
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-06 8:19:04
ComboFix-quarantined-files.txt 2008-05-06 00:19:02
ComboFix2.txt 2008-05-05 14:14:12

Pre-Run: 10,796,417,024 bytes free
Post-Run: 10,905,157,632 bytes free

246 --- E O F --- 2008-04-18 22:31:14



My browsers are already working perfectly by the way, thanks a lot! :angel:

Blade81
2008-05-07, 08:05
Hi

Ok. I'll get back to this when you've got Kaspersky report and a fresh hjt log ready :)

berryhalley
2008-05-08, 17:44
Hi! The scan is finally done! Here are the logs:

KASPERSKY

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-08 10:32
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/05/2008
Kaspersky Anti-Virus database records: 746579
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 56212
Number of viruses found: 10
Number of infected objects: 82
Number of suspicious objects: 0
Duration of the scan process: 01:17:08

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008050820080509\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050506.EXE Infected: Trojan-Downloader.Win32.Agent.oht skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050507.EXE Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050508.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050509.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050510.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050511.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050512.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050513.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050514.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050515.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050516.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050517.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050518.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050519.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050520.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050521.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050522.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\A0050523.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\change.log Object is locked skipped
C:\FOUND.004\FILE0005.CHK Infected: Trojan.Win32.Monder.gen skipped
C:\FOUND.009\FILE0013.CHK Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fccbbYRJ.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fcccayYo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geBrsTmK.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jogtbelu.dll.vir Infected: Trojan.Win32.Monder.cy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rmulqeqd.dll.vir Infected: Trojan.Win32.Monder.db skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRLcAPh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wbadlplb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byXqQJdC.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\exvelphj.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGVOIxw.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khfGawXp.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kwtagtqh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nurvwctf.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\olkqkqnr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnnlLCr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnljJYR.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlkJAs.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnOHaW.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qoMCSMDU.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUnMGwx.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUkICvt.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyayXqq.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\winself.exe.vir Infected: Trojan-Downloader.Win32.Agent.oht skipped
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\QooBox\Quarantine\catchme2008-05-08_190606.18.zip/byXRkiIB.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-08_190606.18.zip ZIP: infected - 1 skipped
D:\backup\installers\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\backup\installers\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\backup\installers\mirc62.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{7ECBEEC8-EB4C-438F-A011-006C7E27B5FE}\RP63\A0038575.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
D:\System Volume Information\_restore{7ECBEEC8-EB4C-438F-A011-006C7E27B5FE}\RP63\A0038654.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.281 skipped
D:\System Volume Information\_restore{7ECBEEC8-EB4C-438F-A011-006C7E27B5FE}\RP63\A0038654.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\System Volume Information\_restore{7ECBEEC8-EB4C-438F-A011-006C7E27B5FE}\RP63\A0038654.exe WiseSFX: infected - 2 skipped
D:\System Volume Information\_restore{7ECBEEC8-EB4C-438F-A011-006C7E27B5FE}\RP73\change.log.24 Object is locked skipped
D:\System Volume Information\_restore{10C93957-199F-4E92-961D-D1373A72527A}\RP106\change.log Object is locked skipped
D:\Installers\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\Installers\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\Installers\mirc62.exe NSIS: infected - 2 skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover).rar/Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)/aaw2007.exe/data0000.cab/is201956.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover).rar/Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)/aaw2007.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover).rar/Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)/aaw2007.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover).rar RAR: infected - 3 skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)\aaw2007.exe/data0000.cab/is201956.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)\aaw2007.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)\aaw2007.exe Rsrc-Package: infected - 2 skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ\FreeYouTubeDownload.EXE/data0000.cab/is152000.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ\FreeYouTubeDownload.EXE/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ\FreeYouTubeDownload.EXE Rsrc-Package: infected - 2 skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ.rar/Free Youtube Downloader & MP3 Converter -DLLOZ/FreeYouTubeDownload.EXE/data0000.cab/is152000.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ.rar/Free Youtube Downloader & MP3 Converter -DLLOZ/FreeYouTubeDownload.EXE/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ.rar/Free Youtube Downloader & MP3 Converter -DLLOZ/FreeYouTubeDownload.EXE Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\Free Youtube Downloader & MP3 Converter -DLLOZ.rar RAR: infected - 3 skipped
F:\Torrent Downloads\Installers\DVD Shrink 3.2.0.15.rar/DVD Shrink 3.2.0.15/dvdshrink32setup.exe/data0000.cab/is202295.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\DVD Shrink 3.2.0.15.rar/DVD Shrink 3.2.0.15/dvdshrink32setup.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\DVD Shrink 3.2.0.15.rar/DVD Shrink 3.2.0.15/dvdshrink32setup.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\DVD Shrink 3.2.0.15.rar RAR: infected - 3 skipped
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\isobuster_all_lang.exe/is202326.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\isobuster_all_lang.exe CAB: infected - 1 skipped
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\Keygen.exe/is202326.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\Keygen.exe CAB: infected - 1 skipped
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\Setup.exe/is153458.exe Infected: Trojan.Win32.Monder.gen skipped
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\Setup.exe CAB: infected - 1 skipped

Scan process completed.


HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 10:39, on 2008-05-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://detoate.home.ro
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3AE7959A-D488-41FC-B9B1-A7BD4E254A37} - C:\WINDOWS\System32\byXRkiIB.dll
O2 - BHO: (no name) - {F6725EDC-93FF-479B-A98B-C5B9E3C44864} - C:\WINDOWS\system32\qoMCSMDU.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF895.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C744E23-5877-4770-B357-8015CFF392B3}: NameServer = 202.84.96.1,202.84.96.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{9C744E23-5877-4770-B357-8015CFF392B3}: NameServer = 202.84.96.1,202.84.96.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{9C744E23-5877-4770-B357-8015CFF392B3}: NameServer = 202.84.96.1,202.84.96.2
O20 - Winlogon Notify: qoMCSMDU - qoMCSMDU.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

:FF:

Blade81
2008-05-08, 18:59
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover).rar
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\Keygen.exe
C:\WINDOWS\System32\byXRkiIB.dll
C:\WINDOWS\system32\qoMCSMDU.dll

Folder::
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover)
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AE7959A-D488-41FC-B9B1-A7BD4E254A37}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6725EDC-93FF-479B-A98B-C5B9E3C44864}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMCSMDU]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


PS. What antivirus product you're currently using? I see there's ESET Smart Security services visible but not the program running since it's (egui) disabled thru msconfig. Please re-enable it.

berryhalley
2008-05-09, 18:38
Yes, I'm using ESS for my antivirus. What free product do you recommend to protect my PC from these viruses and spywares? Coz just recently, I'm getting some pop up alerts again saying that my PC has some spywares / malicious contents on it. Maybe this is because of the torrent downloads.. :)

COMBOFIX

ComboFix 08-05-01.3 - Admin 2008-05-08 11:16:09.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.51 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\byXRkiIB.dll
C:\WINDOWS\system32\qoMCSMDU.dll
F:\Torrent Downloads\Installers\antivirusi 2008\Ad-Aware 2007 Professional (FULL) Edition 7.0.2.7 (Your #1 Spyware Remover).rar
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\Keygen.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\System32\byXRkiIB.dll
C:\WINDOWS\system32\jxdfxfro.ini
C:\WINDOWS\system32\lgfbhvym.ini
C:\WINDOWS\system32\nnnmkLEX.dll
C:\WINDOWS\system32\nshdavuu.ini
C:\WINDOWS\system32\PrYycMoq.ini
C:\WINDOWS\system32\PrYycMoq.ini2
C:\WINDOWS\system32\qoMcyYrP.dll
F:\Torrent Downloads\Installers\IsoBuster Pro v2.3.0.1 FINAL\Keygen.exe
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\additionmay05.txt
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\Declaration of Use!!!.txt
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\HeartBug.nfo
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\How to Install!!.txt
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\Serial\Serial.txt
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\Setup.exe
F:\Torrent Downloads\Installers\Xilisoft Video Converter v3.1.52.Build.0201b+Serial_may6t\Specs.txt
.
---- Previous Run -------
.
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system\update.exe
C:\WINDOWS\system32\BIikRXyb.ini
C:\WINDOWS\system32\BIikRXyb.ini2
C:\WINDOWS\system32\byXqQJdC.dll
C:\WINDOWS\system32\exvelphj.dll
C:\WINDOWS\system32\hgGVOIxw.dll
C:\WINDOWS\system32\hqtgatwk.ini
C:\WINDOWS\system32\khfGawXp.dll
C:\WINDOWS\system32\kwtagtqh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nurvwctf.dll
C:\WINDOWS\system32\olkqkqnr.dll
C:\WINDOWS\system32\opnnlLCr.dll
C:\WINDOWS\system32\pmnljJYR.dll
C:\WINDOWS\system32\pmnlkJAs.dll
C:\WINDOWS\system32\pmnnOHaW.dll
C:\WINDOWS\system32\qoMCSMDU.dll
C:\WINDOWS\system32\rnqkqklo.ini
C:\WINDOWS\system32\vtUnMGwx.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\wvUkICvt.dll
C:\WINDOWS\system32\xxyayXqq.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-08 22:41 . 2008-05-08 22:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-08 22:41 . 2008-05-08 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-08 22:39 . 2008-05-08 22:39 2,112 --a------ C:\WINDOWS\system32\dopigrqg.exe
2008-05-08 22:32 . 2008-05-08 22:32 <DIR> d-------- C:\Program Files\CCleaner
2008-05-08 22:31 . 2008-05-08 22:31 <DIR> d-------- C:\Program Files\PCNetSoftware
2008-05-08 22:31 . 2008-05-08 22:31 93 --a------ C:\WINDOWS\winin.ini
2008-05-08 19:08 . 2008-05-08 19:08 <DIR> d--hs---- C:\FOUND.009
2008-05-08 12:39 . 2008-05-08 12:39 2,112 --a------ C:\WINDOWS\system32\vovnkekd.exe
2008-05-08 12:05 . 2008-05-08 12:05 <DIR> d--hs---- C:\FOUND.008
2008-05-08 10:52 . 2008-05-08 10:52 2,112 --a------ C:\WINDOWS\system32\miaesxlt.exe
2008-05-08 10:27 . 2008-05-08 10:27 95 --a------ C:\WINDOWS\wininit.ini
2008-05-08 08:56 . 2008-05-08 08:22 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-08 08:56 . 2008-05-08 08:56 2,539 --a------ C:\WINDOWS\unins000.dat
2008-05-08 06:37 . 2008-05-08 06:37 <DIR> d--hs---- C:\FOUND.007
2008-05-08 05:16 . 2008-05-08 05:16 <DIR> d--hs---- C:\FOUND.015
2008-05-08 01:19 . 2008-05-08 01:19 2,112 --a------ C:\WINDOWS\system32\iedjbrhg.exe
2008-05-07 23:06 . 2008-05-07 23:06 <DIR> d--hs---- C:\FOUND.006
2008-05-07 22:40 . 2008-05-07 22:40 <DIR> d-------- C:\Program Files\Xilisoft
2008-05-07 21:20 . 2008-05-07 21:20 <DIR> d-------- C:\Program Files\123 AVI to GIF Converter
2008-05-07 16:01 . 2008-05-07 16:01 <DIR> d-------- C:\WINDOWS\WinAVI Video Converter 9.0
2008-05-07 16:00 . 2008-05-07 16:01 <DIR> d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-05-07 14:49 . 2008-05-07 14:49 <DIR> d-------- C:\AVOneExport
2008-05-07 14:45 . 2008-05-07 14:45 <DIR> d-------- C:\Program Files\AVOne
2008-05-07 14:45 . 2005-11-07 09:42 3,624,960 --a------ C:\WINDOWS\system32\mkgpmp.exe
2008-05-07 14:45 . 2005-07-03 09:30 1,295,582 --a------ C:\WINDOWS\system32\cygwin1.dll
2008-05-07 14:45 . 2003-06-05 17:30 316,640 --a------ C:\WINDOWS\system32\WMSysPr9.prx
2008-05-07 14:45 . 2003-05-22 00:50 156,910 --a------ C:\WINDOWS\system32\WMSysPr8.prx
2008-05-07 14:45 . 2005-07-09 11:27 61,440 --a------ C:\WINDOWS\system32\cygz.dll
2008-05-07 14:43 . 2008-05-07 14:49 83 --a------ C:\WINDOWS\system32\buyurl0501.dat
2008-05-07 12:57 . 2008-05-07 12:57 <DIR> d--hs---- C:\FOUND.005
2008-05-07 12:32 . 2008-05-07 12:32 <DIR> d--hs---- C:\FOUND.004
2008-05-07 12:29 . 2008-05-08 22:39 109,807 --a------ C:\WINDOWS\BMc70aa9ae.xml
2008-05-07 12:29 . 2008-05-07 12:29 2,112 --a------ C:\WINDOWS\system32\ogxodngq.exe
2008-05-07 10:23 . 2008-05-07 10:23 <DIR> d--hs---- C:\FOUND.003
2008-05-06 18:23 . 2008-05-06 18:23 <DIR> d--hs---- C:\FOUND.002
2008-05-06 11:33 . 2008-05-06 11:33 <DIR> d-------- C:\Program Files\Super_DVD_Creator_9.5
2008-05-06 10:01 . 2008-05-06 10:01 <DIR> d--hs---- C:\FOUND.001
2008-05-06 08:25 . 2008-05-06 08:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 08:25 . 2008-05-06 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 22:09 . 2008-05-05 22:09 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-05 15:36 . 2008-05-05 15:36 <DIR> d--hs---- C:\FOUND.000
2008-05-04 22:43 . 2008-05-04 22:43 <DIR> d-------- C:\hijackthis
2008-05-04 14:52 . 2008-05-04 14:52 <DIR> d-------- C:\Program Files\Opera
2008-05-04 14:15 . 2008-05-04 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 14:15 . 2008-05-04 14:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-05-04 13:21 . 2008-05-04 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 12:43 . 2008-05-04 12:43 <DIR> d-------- C:\Program Files\ESET
2008-05-04 12:24 . 2008-05-04 12:24 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\F-Secure
2008-05-04 12:16 . 2008-05-04 12:16 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-05-04 12:16 . 2008-05-04 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-05-04 12:15 . 2008-05-04 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-05-04 11:59 . 2008-05-04 11:59 <DIR> d--hs---- C:\FOUND.014
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\webmark
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\videoplus
2008-05-04 07:38 . 2008-05-04 07:38 <DIR> d-------- C:\WINDOWS\audioplus
2008-05-04 07:12 . 2008-05-04 07:12 <DIR> d--hs---- C:\FOUND.013
2008-05-03 23:07 . 2008-05-03 23:07 <DIR> d-------- C:\Program Files\Ulead Systems
2008-05-03 22:20 . 2008-05-03 22:20 <DIR> d--hs---- C:\FOUND.012
2008-05-03 21:52 . 2008-05-03 21:52 <DIR> d-------- C:\Program Files\OLYMPUS
2008-05-03 21:50 . 2008-05-03 21:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-03 19:33 . 2002-09-10 23:10 495,616 --a------ C:\WINDOWS\system32\xvid.dll
2008-05-03 19:33 . 2002-09-10 23:10 331,776 --a------ C:\WINDOWS\system32\xvid.ax
2008-05-03 19:31 . 2008-05-03 19:31 <DIR> d-------- C:\Program Files\SuperAVConverter
2008-05-03 18:03 . 2008-05-03 18:03 <DIR> d-------- C:\DVDVideoSoft
2008-05-03 18:02 . 2008-05-03 18:02 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-03 18:01 . 2008-05-03 18:01 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-02 21:37 . 2008-05-02 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-02 21:37 . 2008-05-02 21:37 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ulead Systems
2008-05-01 23:20 . 2008-05-01 23:20 <DIR> d-------- C:\Program Files\Imikimi
2008-04-30 16:19 . 2008-04-30 16:19 <DIR> d--hs---- C:\FOUND.011
2008-04-30 12:38 . 2008-04-30 12:38 <DIR> d--hs---- C:\FOUND.010
2008-04-30 09:16 . 2008-04-30 09:16 86,016 --a------ C:\WINDOWS\system32\GizmoPluginCPL.cpl
2008-04-30 00:15 . 2008-04-30 00:15 39 --a------ C:\WINDOWS\VMorpher.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\VDVD.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\Cover.INI
2008-04-30 00:15 . 2008-04-30 00:15 0 --a------ C:\WINDOWS\avvcnvrt.INI
2008-04-30 00:05 . 2008-04-30 00:26 29 --a------ C:\WINDOWS\AVFTP.INI
2008-04-29 23:30 . 2008-04-29 23:33 1,212 --a------ C:\WINDOWS\winamp.ini
2008-04-29 22:33 . 2008-04-29 22:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DivX
2008-04-29 22:31 . 2008-04-29 22:31 <DIR> d-------- C:\Program Files\DivX
2008-04-27 12:42 . 2008-04-27 12:42 <DIR> d-------- C:\TLC
2008-04-26 22:30 . 2008-04-26 22:30 <DIR> d-------- C:\Program Files\mIRC
2008-04-25 21:51 . 2008-04-25 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-25 18:30 . 2008-04-25 18:30 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia Multimedia Player
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Phone Browser
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DataLayer
2008-04-25 15:06 . 2008-04-25 15:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia
2008-04-25 14:57 . 2008-04-25 14:57 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 14:57 . 2008-04-25 14:57 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PC Suite
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 14:55 . 2008-04-25 14:55 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 14:45 . 2008-04-25 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 13:29 . 2008-04-22 13:29 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BearShare
2008-04-22 13:29 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-04-22 13:28 . 2008-04-22 13:29 <DIR> d-------- C:\Program Files\BearShare Applications
2008-04-22 11:28 . 2008-04-22 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-21 23:06 . 2008-04-21 23:06 <DIR> d-------- C:\Program Files\Aimersoft
2008-04-21 22:41 . 2008-04-21 22:41 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-04-21 22:24 . 2008-04-21 22:24 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-21 22:16 . 2008-04-21 22:16 <DIR> d-------- C:\Program Files\Google
2008-04-21 21:09 . 2008-04-17 22:14 104,168 --------- C:\WINDOWS\hpoins04.dat.temp
2008-04-21 21:09 . 2004-06-22 05:11 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
2008-04-21 13:53 . 2004-09-17 14:05 84,512 -ra------ C:\WINDOWS\system32\drivers\ss_mdm.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,080 -ra------ C:\WINDOWS\system32\drivers\ss_cmnt.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,080 -ra------ C:\WINDOWS\system32\drivers\ss_cm.sys
2008-04-21 13:53 . 2004-09-17 14:05 6,064 -ra------ C:\WINDOWS\system32\drivers\ss_mdfl.sys
2008-04-21 13:38 . 2004-09-17 14:04 52,384 -ra------ C:\WINDOWS\system32\drivers\ss_bus.sys
2008-04-21 13:38 . 2004-09-17 14:04 5,744 -ra------ C:\WINDOWS\system32\drivers\ss_whnt.sys
2008-04-21 13:38 . 2004-09-17 14:04 5,744 -ra------ C:\WINDOWS\system32\drivers\ss_wh.sys
2008-04-21 12:06 . 2008-04-21 12:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ahead
2008-04-21 11:05 . 2008-05-08 12:05 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-21 11:01 . 2008-04-21 11:01 16,760 --a------ C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 10:29 . 2008-04-21 10:29 <DIR> d-------- C:\Program Files\uTorrent
2008-04-21 10:11 . 2008-04-21 10:11 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\uTorrent
2008-04-20 19:01 . 2008-04-20 19:01 <DIR> d-------- C:\Program Files\Trickshot
2008-04-20 03:55 . 2008-04-20 03:55 <DIR> d-------- C:\Program Files\iTunes
2008-04-20 03:55 . 2008-04-20 03:55 <DIR> d-------- C:\Program Files\iPod
2008-04-20 02:51 . 2002-08-29 01:32 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-20 02:50 . 2008-04-20 02:50 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-20 02:50 . 2008-04-20 02:50 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Apple Computer
2008-04-20 02:48 . 2008-04-20 02:48 <DIR> d-------- C:\Program Files\QuickTime
2008-04-20 02:44 . 2008-04-20 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-20 02:41 . 2008-04-20 02:41 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-19 06:22 . 2008-04-19 06:22 <DIR> d--h----- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 04:21 930,304 ----a-w C:\Documents and Settings\Admin\Application Data\kernel33.dll
2008-04-17 03:57 558,142 ----a-w C:\WINDOWS\java\Packages\JXF3LNZ9.ZIP
2008-04-17 03:57 155,995 ----a-w C:\WINDOWS\java\Packages\1NX7TB3F.ZIP
2008-04-17 03:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-21 10:29 219952]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c4399a32"="C:\WINDOWS\System32\orfxfdxj.dll" [ ]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2002-08-29 16:41 145408]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe [2008-05-08 12:03:45 69632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
-ra------ 2004-06-09 15:37 40960 C:\WINDOWS\VM_STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc70aa9ae]
C:\WINDOWS\System32\nurvwctf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4399a32]
C:\WINDOWS\System32\kwtagtqh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 13:38 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-09-12 01:58 229952 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2007-05-28 16:59 95800 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-01 16:22 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-04-21 10:29 219952 C:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2005-11-01 04:15 163840 C:\WINDOWS\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows*Updates]
c:\windows\system\Update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R2 dvdmmg;dvdmmg;C:\WINDOWS\System32\drivers\dvdmmg.sys [2007-09-06 19:15]
R3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\System32\Drivers\usbVM31b.sys [2004-08-17 11:44]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2004-09-17 14:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2004-09-17 14:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2004-09-17 14:05]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 11:20:37
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ESET\ESET SMART SECURITY\EKRN.EXE
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-08 11:22:24 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2008-05-08 03:22:22
ComboFix3.txt 2008-05-05 14:14:12
ComboFix2.txt 2008-05-06 00:19:06

Pre-Run: 7,788,560,384 bytes free
Post-Run: 8,305,180,672 bytes free

346 --- E O F --- 2008-04-18 22:31:14



HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:27:02 AM, on 5/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro/MAIN.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detoate.home.ro/MAIN.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://detoate.home.ro
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [c4399a32] rundll32.exe "C:\WINDOWS\System32\orfxfdxj.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Documents and Settings\Admin\Desktop\ulead\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C744E23-5877-4770-B357-8015CFF392B3}: NameServer = 202.84.96.1,202.84.96.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{9C744E23-5877-4770-B357-8015CFF392B3}: NameServer = 202.84.96.1,202.84.96.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{9C744E23-5877-4770-B357-8015CFF392B3}: NameServer = 202.84.96.1,202.84.96.2
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Blade81
2008-05-09, 21:07
Hi

I'll give you a list of free options to choose from when we've finished. Torrents got from dubious places are more than likely infection source. You should avoid those if you want to keep your system usable. Also, don't use your connection for anything else than required tool downloads during this cleaning process! If you keep downloading dubious things I see no reason to continue with cleaning since we won't make any progress then.


Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer



Upload following files to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\system32\mkgpmp.exe
C:\WINDOWS\system32\buyurl0501.dat

Do you know what program is this folder related: C:\Program Files\PCNetSoftware?


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\dopigrqg.exe
C:\WINDOWS\system32\vovnkekd.exe
C:\WINDOWS\system32\miaesxlt.exe
C:\WINDOWS\system32\iedjbrhg.exe
C:\WINDOWS\winin.ini
C:\WINDOWS\BMc70aa9ae.xml
C:\WINDOWS\system32\ogxodngq.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c4399a32"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc70aa9ae]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4399a32]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows*Updates]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


I see you've got Malwarebytes' Anti-malware installed or at least there's its folders (C:\Documents and Settings\All Users\Application Data\Malwarebytes & C:\Documents and Settings\Admin\Application Data\Malwarebytes ) on your hard drive.

Start Malwarebytes' Anti-malware. Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file, a fresh hjt log and above meantioned ComboFix resultant log in your next reply.

Blade81
2008-05-15, 21:29
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.