View Full Version : Application error and blurred display
ndipebot
2008-06-05, 22:57
Sometimes when I am on the internet or when I leave my PC idle for a while, some icons disappear and display becomes blurred, and labels(like browser headings, icons and folder names) become black. I have done a complete scan with my Kaspersky Internet Security 7.0(updated) several times but no virus or malware has been found. I usually resolve this problem by rebooting my pc.
PS: Please I need help.
Hi
This isn't necessarily malware problem. Let's do some logging with DSS.
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
ndipebot
2008-06-07, 00:17
here are the contents of the files
<-- main.txt -->
Deckard's System Scanner v20071014.68
Run by Ndip on 2008-06-05 07:02:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
17: 2008-06-05 14:02:27 UTC - RP303 - Deckard's System Scanner Restore Point
16: 2008-06-05 11:55:07 UTC - RP302 - System Checkpoint
15: 2008-06-05 02:16:57 UTC - RP301 - System Checkpoint
14: 2008-06-02 12:22:45 UTC - RP300 - System Checkpoint
13: 2008-06-03 01:54:33 UTC - RP299 - System Checkpoint
-- First Restore Point --
1: 2008-05-11 08:13:55 UTC - RP287 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 383 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-05 07:04:33
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\bin\Apache2\bin\Apache.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\bin\Apache2\bin\Apache.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\LClock\LClock.exe
F:\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ffpext\ffpsrv.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\bin\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\HPQ\Shared\HpqToaster.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\Ndip\My Documents\Downloads\Programs\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ffpsrv] c:\windows\ffpext\ffpsrv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Vista Eyes] C:\Program Files\Zamaan's Software\Vista Eyes 2.0\VistaEyes.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BizJotter] C:\WINDOWS\system32\MsiExec.exe
O4 - HKUS\S-1-5-18\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\bin\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Add to &Teleport - C:\DOCUME~1\Ndippp\LOCALS~1\Temp\Rar$EX00.875\(ADULT) XXX DVD SITE RIPPER v1.40 -CRACKED\teleport.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{410C8327-BF6E-4CF8-BD32-863B7A8B0C22}: NameServer = 192.168.1.1,192.168.1.0
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: garcea - {eb9f614b-ea44-40d0-8829-542e4f254739} - (no file)
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\bin\Apache2\bin\Apache.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 9915 bytes
-- File Associations -----------------------------------------------------------
.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
.js - JSFile - shell\open\command - unable to read value
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 FDCDNT - c:\windows\system32\drivers\fdcdnt.sys
S3 AR5211 (Atheros Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; Ekahau Inc.; Ekahau (Atheros based) Wireless Network Adapter>
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)
S3 Ser2pl (Prolific2 Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 UfasoftSnifDriver4 (Ufasoft Snif Driver v4) - c:\program files\ufasoft\icqsnif\usft_sn4.sys (file missing)
S3 usbsermptxp (Motorola USB Modem Driver for MPT XP) - c:\windows\system32\drivers\usbsermptxp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys (file missing)
S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys (file missing)
S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys (file missing)
S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys (file missing)
S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apache2 - "c:\bin\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
S2 Abel - c:\program files\cain\abel.exe (file missing)
S2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)
S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)
S3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2008-05-05 and 2008-06-05 -----------------------------
2008-06-05 05:40:49 262144 --a------ C:\ntuser.dat
2008-06-05 05:12:16 0 d--hs---- C:\FOUND.045
2008-06-04 19:20:32 0 d--hs---- C:\FOUND.044
2008-06-01 08:12:42 0 d--hs---- C:\FOUND.043
2008-05-19 13:00:20 0 d--hs---- C:\FOUND.042
2008-05-18 13:10:47 0 d-------- C:\Documents and Settings\Ndip\Application Data\SlySoft
2008-05-06 20:28:42 0 d-------- C:\Program Files\Zamaan's Software
-- Find3M Report ---------------------------------------------------------------
2008-04-22 05:24:48 23969 --a------ C:\Documents and Settings\Ndip\Application Data\phpdesigner2008.xml
2008-04-13 11:27:48 0 d-------- C:\Documents and Settings\Ndip\Application Data\Real
2008-04-10 22:21:56 0 d-------- C:\Program Files\mobile PhoneTools
2008-04-10 02:22:08 0 d-------- C:\Program Files\iPod
2008-04-10 02:21:52 0 d-------- C:\Program Files\iTunes
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [09/20/2004 01:27 AM]
"NWEReboot"="" []
"SunJavaUpdateSched"="F:\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/07/2005 10:57 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [04/13/2006 11:09 AM]
"ffpsrv"="c:\windows\ffpext\ffpsrv.exe" [02/03/2007 01:17 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [12/13/2005 04:45 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [06/28/2007 12:51 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [07/13/2005 09:05 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]
"Vista Eyes"="C:\Program Files\Zamaan's Software\Vista Eyes 2.0\VistaEyes.exe" [01/01/2005 03:33 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [05/03/2007 05:32 PM]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [05/29/2007 12:10 PM]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [07/07/2006 09:45 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [05/16/2007 09:27 AM]
"BizJotter"="C:\WINDOWS\system32\MsiExec.exe" [05/04/2005 02:45 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ares"="C:\Program Files\Ares\Ares.exe" -h
C:\Documents and Settings\Ndip\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [3/18/2007 3:05:02 PM]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [5/21/2006 12:43:08 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\bin\Apache2\bin\ApacheMonitor.exe [1/17/2008 10:59:58 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00487fd8-5b12-11dc-ba0c-00026f42dae0}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NTDETECT.exe i:
²¥·Å\command- NTDETECT.exe i:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de9fb0b-f54b-11dc-bb59-00026f42dae0}]
Auto\command- G:\printer.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f2921d3-1946-11dc-b97f-0016361f63ff}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1943e025-8ea0-11dc-ba83-e79b0b5d03ea}]
AutoRun\command- G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1943e026-8ea0-11dc-ba83-e79b0b5d03ea}]
Auto\command- H:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c042b27-cdad-11dc-bb88-00026f42dae0}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
explore\Command- ino6.com
open\Command- ino6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2f4a9-1217-11dc-b96b-0016361f63ff}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ef7143a-a6a5-11dc-baae-00026f42dae0}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37eaf819-7b72-11dc-ba74-00026f42dae0}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40698b76-1c87-11dc-b98a-e39925050897}]
AutoRun\command- G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c255802-fb8c-11dc-bb61-00026f42dae0}]
AutoRun\command- G:\semo2x.exe
explore\Command- G:\semo2x.exe
open\Command- G:\semo2x.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78adcc9f-c3ed-11dc-baeb-00026f42dae0}]
Auto\command- AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f722dbe-0135-11dd-bb68-00026f42dae0}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
Open\command- scvhost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac9491b8-b98c-11dc-badd-00026f42dae0}]
AutoRun\command- G:\x6.bat
explore\Command- G:\x6.bat
open\Command- G:\x6.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afb4aefc-049f-11dc-b912-0016361f63ff}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0bd022a-0b1d-11dc-b950-0016361f63ff}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c451c698-58d1-11dc-ba09-00026f42dae0}]
Auto\command- G:\OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c80ca0e8-0ca0-11dc-b95a-0016361f63ff}]
AutoRun\command- G:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c80ca0ea-0ca0-11dc-b95a-0016361f63ff}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8fee092-d4da-11dc-bb0e-00026f42dae0}]
Auto\command- G:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
explore\Command- G:\ntde1ect.com
open\Command- G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df8d734e-2e1e-11dd-bbaf-00026f42dae0}]
Auto\command- wscript "esta ig.vbs"
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "esta ig.vbs"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d163c0-473d-11dc-b9ec-0016361f63ff}]
Auto\command- OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f93b7c4c-35ed-11dc-b9cc-0016361f63ff}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
-- End of Deckard's System Scanner: finished at 2008-06-05 07:06:58 ------------
<--end-->
<--extra.txt-->
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Mobile AMD Sempron(tm) Processor 3000+
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 382.48 MiB / 77.71 MiB
Pagefile Memory (total/avail): 1344.43 MiB / 953.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.43 MiB
C: is Fixed (FAT32) - 19.52 GiB total, 4.41 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 19.53 GiB total, 4.51 GiB free.
F: is Fixed (NTFS) - 16.6 GiB total, 3.88 GiB free.
\\.\PHYSICALDRIVE0 - ST960812A - 55.89 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 36.35 GiB - E: - F:
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AntivirusOverride is set.
FW: Kaspersky Internet Security v7.0.0.125 (Kaspersky Lab)
AV: Kaspersky Internet Security v7.0.0.125 (Kaspersky Lab) Outdated
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\rmiregistry.exe"="C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\rmiregistry.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\tnameserv.exe"="C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\tnameserv.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\orbd.exe"="C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\orbd.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"F:\\phpdev\\mysql\\bin\\mysqld-nt.exe"="F:\\phpdev\\mysql\\bin\\mysqld-nt.exe:*:Enabled:mysqld-nt"
"F:\\phpdev\\Apache\\Apache.exe"="F:\\phpdev\\Apache\\Apache.exe:*:Enabled:Apache"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\apachefriends\\XAMPP\\mysql\\bin\\mysqld.exe"="C:\\apachefriends\\XAMPP\\mysql\\bin\\mysqld.exe:*:Enabled:mysqld"
"C:\\apachefriends\\XAMPP\\apache\\bin\\Apache.exe"="C:\\apachefriends\\XAMPP\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\RapidLeecher Ultimate 2007\\RapidLeecher.exe"="C:\\Program Files\\RapidLeecher Ultimate 2007\\RapidLeecher.exe:*:Enabled:RapidLeecher Ultimate 2007"
"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe:*:Enabled:AnyDVD"
"C:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"="C:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe:*:Enabled:phpDesigner2008"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\phpdev\\Apache\\Apache.exe"="C:\\phpdev\\Apache\\Apache.exe:*:Enabled:Apache"
"C:\\phpdev\\mysql\\bin\\mysqld-nt.exe"="C:\\phpdev\\mysql\\bin\\mysqld-nt.exe:*:Enabled:mysqld-nt"
"C:\\Program Files\\LispBox\\CLISP\\clisp-2.33\\full\\lisp.exe"="C:\\Program Files\\LispBox\\CLISP\\clisp-2.33\\full\\lisp.exe:*:Enabled:lisp"
"F:\\eclipse\\eclipse.exe"="F:\\eclipse\\eclipse.exe:*:Enabled:eclipse"
"C:\\bin\\Apache2\\bin\\Apache.exe"="C:\\bin\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\LispWorks Personal\\lispworks-personal-5-0-1-x86-win32.exe"="C:\\Program Files\\LispWorks Personal\\lispworks-personal-5-0-1-x86-win32.exe:*:Enabled:lispworks-personal-5-0-1-x86-win32"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ndip\Application Data
CC_ROOT=C:\PROGRA~1\Stardock\OBJECT~1\bin\
CLASSPATH=.;F:\Java\jre1.6.0_01\lib\ext\QTJava.zip;C:\php
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=EBOT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ndip
LANG=en_GB
LOGONSERVER=\\EBOT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Common Files\Teleca Shared;C:\php;;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Ahead\Lib\;C:\Program Files\Common Files\Ahead\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=F:\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ndip\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ndip\LOCALS~1\Temp
USERDOMAIN=EBOT
USERNAME=Ndip
USERPROFILE=C:\Documents and Settings\Ndip
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI
-- User Profiles ---------------------------------------------------------------
[I](admin)
(admin)
Ndip (admin)
Guest (guest)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apache HTTP Server 2.0.63 --> MsiExec.exe /I{3A862C7D-0504-48BC-AEF8-7F7479C7C158}
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Broadcom 802.11 Wireless LAN Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
File and Folder Protector v2.8 --> C:\PROGRAM FILES\FILE AND FOLDER PROTECTOR\FFP.EXE /U
Hide IP Platinum 3.42 --> "C:\Program Files\Hide IP Platinum\unins000.exe"
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\Setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 C1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\Setup.exe" -l0x9 hpquninst
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
Java(TM) SE Development Kit 6 Update 1 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160010}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Join ME --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72FD5F2E-1F7A-4E9B-8838-29E842E178CD}\Setup.exe" -l0x9 -removeonly
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
LispWorks Personal Edition 5.0.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCBB08DB-971C-4474-9823-D873FAF319C6}\setup.exe" -l0x9 -removeonly
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe" -l0x9 UNINSTALL
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
My Global Search Bar --> rundll32 C:\PROGRA~1\MYGLOB~1\bar\1.bin\mgsBar.dll,O
Nero 7 --> MsiExec.exe /X{A20A58C4-6784-4B4B-86CC-94E2E3671033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Notepad2 1.0.12 --> "C:\Program Files\Notepad2\unins000.exe"
Pack Vista Inspirat 2 1.0 --> C:\WINDOWS\BricoPacks\Vista Inspirat 2\Remove.exe
phpDesigner 2008 version 6.0.1.2 --> "C:\Program Files\phpDesigner 2008\unins000.exe"
PL-2303 USB-to-Serial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{822F64F5-5DA6-4E68-A24A-719A55B6CF0E}\Setup.exe" -l0x9 Installed
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
SuperCopier2 --> "C:\Program Files\SuperCopier2\SC2Uninst.exe"
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FF6F491D-BC82-4DCC-A72F-1824957C6466} /l1033
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Vista Eyes 2.0 --> "C:\Program Files\Zamaan's Software\Vista Eyes 2.0\unins000.exe"
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPINST.EXE /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordWeb --> C:\Program Files\WordWeb\uninst.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
-- Application Event Log -------------------------------------------------------
Event Record #/Type5465 / Error
Event Submitted/Written: 06/04/2008 09:59:31 AM / 06/04/2008 09:59:37 AM
Event ID/Source: 473 / ESENT
Event Description:
Catalog Database (1764) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb was partially detached. Error -1032 encountered updating database headers.
Event Record #/Type5464 / Error
Event Submitted/Written: 06/04/2008 09:58:55 AM
Event ID/Source: 439 / ESENT
Event Description:
Catalog Database (1764) Unable to write a shadowed header for file C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb. Error -1032.
Event Record #/Type5463 / Error
Event Submitted/Written: 06/04/2008 09:58:42 AM
Event ID/Source: 490 / ESENT
Event Description:
svchost (1764) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).
Event Record #/Type5462 / Error
Event Submitted/Written: 06/03/2008 08:07:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.40413, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type5457 / Error
Event Submitted/Written: 06/03/2008 04:58:52 PM
Event ID/Source: 1512 / Userenv
Event Description:
Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.
DETAIL - Insufficient system resources exist to complete the requested service.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type37386 / Error
Event Submitted/Written: 06/05/2008 05:13:00 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MySQL service failed to start due to the following error:
%%3
Event Record #/Type37385 / Error
Event Submitted/Written: 06/05/2008 05:13:00 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Abel service failed to start due to the following error:
%%2
Event Record #/Type37357 / Error
Event Submitted/Written: 06/05/2008 04:59:41 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MySQL service failed to start due to the following error:
%%3
Event Record #/Type37356 / Error
Event Submitted/Written: 06/05/2008 04:59:41 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Abel service failed to start due to the following error:
%%2
Event Record #/Type37350 / Error
Event Submitted/Written: 06/05/2008 04:55:06 AM / 06/05/2008 04:55:07 AM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC000009A' while processing the file '00000042.bak' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
-- End of Deckard's System Scanner: finished at 2008-06-05 07:06:58 ------------
<--end-->
Thanks for the reply.
Hi
There's malware in your system. Let's see if it's behind the problems.
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.
__
After Malwarebytes' Anti-Malware run it's time for ComboFix.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
__
Finally HijackThis log.
Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.
ndipebot
2008-06-07, 03:45
here are the logs
<--Malwarebytes' Anti-Malware-->
Malwarebytes' Anti-Malware 1.15
Database version: 830
1:38:21 PM 6/6/2008
mbam-log-6-6-2008 (13-38-20).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 143432
Time elapsed: 43 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
<--end-->
<--ComboFix-->
ComboFix 08-06-06.4 - Ndip 2008-06-06 13:57:04.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.18 [GMT -7:00]
Running from: C:\Documents and Settings\Ndip\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Ndip\My Documents\new 2007\XP Pictures\Desktop_.ini
C:\phpdev\mysql\data\ubsdata\Desktop_.ini
C:\phpdev\www\ubstudents.com\Desktop_.ini
C:\phpdev\www\ubstudents.com\forum_ads\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\BlueSilver_C\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\BlueSilver_C\images\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\subSilver\admin\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\subSilver\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\subSilver\images\Desktop_.ini
C:\phpdev\www\ubstudents.com\forums\templates\subSilver\images\lang_english\Desktop_.ini
C:\phpdev\www\ubstudents.com\graphics\_notes\Desktop_.ini
C:\phpdev\www\ubstudents.com\graphics\Desktop_.ini
C:\phpdev\www\ubstudents.com\hotvibes\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\Effects_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\How_jQuery_Works_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\inplace.php_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\inplace_editor_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\jQuery Flash Plugin_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\jQuery Form Plugin_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\themes\dark\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\themes\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\themes\flora\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\themes\flora\i\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\themes\light\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\Tutorials jQuery_For_Designers_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\jquery\Tutorials Live_Examples_of_jQuery_files\Desktop_.ini
C:\phpdev\www\ubstudents.com\logos\Desktop_.ini
C:\phpdev\www\ubstudents.com\memberpictures\Desktop_.ini
C:\phpdev\www\ubstudents.com\members\Desktop_.ini
C:\phpdev\www\ubstudents.com\newsimages\Desktop_.ini
C:\phpdev\www\ubstudents.com\profiles\Desktop_.ini
C:\phpdev\www\ubstudents.com\studentprofiles\Desktop_.ini
C:\phpdev\www\ubstudents.com\students\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\config\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\controllers\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\errors\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\hooks\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\libraries\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\models\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\adverts\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\associations\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\campus\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\hotvibes\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\more\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\application\views\profile\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\cache\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\codeigniter\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\mssql\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\mysql\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\mysqli\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\oci8\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\odbc\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\postgre\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\database\drivers\sqlite\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\fonts\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\helpers\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\language\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\language\english\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\libraries\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\logs\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\plugins\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\scaffolding\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\scaffolding\images\Desktop_.ini
C:\phpdev\www\ubstudents.com\ub_students_apps\scaffolding\views\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\database\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\general\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\helpers\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\images\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\installation\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\libraries\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\nav\Desktop_.ini
C:\phpdev\www\ubstudents.com\user_guide\overview\Desktop_.ini
C:\temp\iee
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\o01PrEz
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.
2008-06-06 12:47 . 2008-06-06 12:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 12:47 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 12:47 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 08:38 . 2008-06-06 08:38 <DIR> d---s---- C:\Documents and Settings\Ndip\UserData
2008-06-05 10:40 . 2008-06-05 10:42 32 --a------ C:\WINDOWS\system32\thxcfg.ini
2008-06-05 07:09 . 2008-06-05 07:09 <DIR> d-------- C:\Documents and Settings\Ndip\Application Data\Malwarebytes
2008-06-05 07:09 . 2008-06-05 07:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 06:32 . 2008-06-05 06:32 <DIR> d-------- C:\Deckard
2008-06-05 05:40 . 2008-06-05 05:40 262,144 --a------ C:\ntuser.dat
2008-06-05 05:12 . 2008-06-05 05:12 <DIR> d--hs---- C:\FOUND.045
2008-06-04 19:20 . 2008-06-04 19:20 <DIR> d--hs---- C:\FOUND.044
2008-06-01 08:12 . 2008-06-01 08:12 <DIR> d--hs---- C:\FOUND.043
2008-05-19 13:00 . 2008-05-19 13:00 <DIR> d--hs---- C:\FOUND.042
2008-05-18 13:10 . 2008-05-18 13:10 <DIR> d-------- C:\Documents and Settings\Ndip\Application Data\SlySoft
2008-05-06 20:28 . 2008-05-06 20:28 <DIR> d-------- C:\Program Files\Zamaan's Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 21:24 91,424 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-06 21:24 30,920 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-06 21:24 2,244,608 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-06 21:24 11,684 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-02 04:47 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-02 04:46 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-02 04:46 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-11 05:21 --------- d-----w C:\Program Files\mobile PhoneTools
2008-04-10 09:22 --------- d-----w C:\Program Files\iPod
2008-04-10 09:21 --------- d-----w C:\Program Files\iTunes
2008-03-14 04:57 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
2004-08-04 12:00 690176 3a5ee0514f56b1b775d7641cfba5ad37 C:\WINDOWS\system32\wininet.dll
2004-08-04 12:00 974336 24cf7fa276be247b38d0f7970284616b C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-03 17:32 961024]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-05-29 12:10 893184]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 09:45 1052672]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"BizJotter"="C:\WINDOWS\system32\MsiExec.exe" [2005-05-04 14:45 78848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27 65536]
"NWEReboot"="" []
"SunJavaUpdateSched"="F:\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"ffpsrv"="c:\windows\ffpext\ffpsrv.exe" [2007-02-03 01:17 83968]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 21:05 344064]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"Vista Eyes"="C:\Program Files\Zamaan's Software\Vista Eyes 2.0\VistaEyes.exe" [2005-01-01 03:33 606208]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-03 17:32 961024]
C:\Documents and Settings\Ndip\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 00:43:08 180224]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\bin\Apache2\bin\ApacheMonitor.exe [2008-01-17 22:59:58 41042]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"=
"C:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\phpdev\\Apache\\Apache.exe"=
"C:\\phpdev\\mysql\\bin\\mysqld-nt.exe"=
"C:\\Program Files\\LispBox\\CLISP\\clisp-2.33\\full\\lisp.exe"=
"F:\\eclipse\\eclipse.exe"=
"C:\\bin\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\LispWorks Personal\\lispworks-personal-5-0-1-x86-win32.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22335:TCP"= 22335:TCP:BitComet 22335 TCP
"22335:UDP"= 22335:UDP:BitComet 22335 UDP
"24568:TCP"= 24568:TCP:BitComet 24568 TCP
"24568:UDP"= 24568:UDP:BitComet 24568 UDP
"59006:TCP"= 59006:TCP:BitComet 59006 TCP
"59006:UDP"= 59006:UDP:BitComet 59006 UDP
"56009:TCP"= 56009:TCP:BitComet 56009 TCP
"56009:UDP"= 56009:UDP:BitComet 56009 UDP
R1 FDCDNT;FDCDNT;C:\WINDOWS\system32\drivers\FDCDNT.SYS [2007-01-27 19:27]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-23 07:06]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S2 Abel;Abel;C:\Program Files\Cain\Abel.exe []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\ZTEusbser.sys []
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;C:\Program Files\Ufasoft\IcqSnif\usft_sn4.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00487fd8-5b12-11dc-ba0c-00026f42dae0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NTDETECT.exe i:
\Shell\²¥·Å\command - NTDETECT.exe i:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de9fb0b-f54b-11dc-bb59-00026f42dae0}]
\Shell\Auto\command - G:\printer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f2921d3-1946-11dc-b97f-0016361f63ff}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1943e025-8ea0-11dc-ba83-e79b0b5d03ea}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1943e026-8ea0-11dc-ba83-e79b0b5d03ea}]
\Shell\Auto\command - H:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c042b27-cdad-11dc-bb88-00026f42dae0}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - ino6.com
\Shell\open\Command - ino6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2f4a9-1217-11dc-b96b-0016361f63ff}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ef7143a-a6a5-11dc-baae-00026f42dae0}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37eaf819-7b72-11dc-ba74-00026f42dae0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40698b76-1c87-11dc-b98a-e39925050897}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c255802-fb8c-11dc-bb61-00026f42dae0}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f722dbe-0135-11dd-bb68-00026f42dae0}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\Open\command - scvhost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac9491b8-b98c-11dc-badd-00026f42dae0}]
\Shell\AutoRun\command - G:\x6.bat
\Shell\explore\Command - G:\x6.bat
\Shell\open\Command - G:\x6.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afb4aefc-049f-11dc-b912-0016361f63ff}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0bd022a-0b1d-11dc-b950-0016361f63ff}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c451c698-58d1-11dc-ba09-00026f42dae0}]
\Shell\Auto\command - G:\OSO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c80ca0e8-0ca0-11dc-b95a-0016361f63ff}]
\Shell\AutoRun\command - G:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c80ca0ea-0ca0-11dc-b95a-0016361f63ff}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8fee092-d4da-11dc-bb0e-00026f42dae0}]
\Shell\Auto\command - G:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df8d734e-2e1e-11dd-bbaf-00026f42dae0}]
\Shell\Auto\command - wscript "esta ig.vbs"
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "esta ig.vbs"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d163c0-473d-11dc-b9ec-0016361f63ff}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f93b7c4c-35ed-11dc-b9cc-0016361f63ff}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 14:26:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Ndip\LOCALS~1\Temp\mc22.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
-> C:\Program Files\LClock\LC.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\BIN\APACHE2\BIN\APACHE.EXE
C:\BIN\APACHE2\BIN\APACHE.EXE
C:\PROGRAM FILES\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-06 14:35:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 21:35:22
Pre-Run: 4,182,704,128 bytes free
Post-Run: 3,497,951,232 bytes free
321 --- E O F --- 2007-10-09 17:26:26
<--end-->
<--HijackThis-->
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:27 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\bin\Apache2\bin\Apache.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\bin\Apache2\bin\Apache.exe
C:\Program Files\LClock\LClock.exe
F:\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\windows\ffpext\ffpsrv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\bin\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ndip\My Documents\Downloads\Programs\dss.exe
C:\DOCUME~1\Ndip\Desktop\Ndip.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ffpsrv] c:\windows\ffpext\ffpsrv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Vista Eyes] C:\Program Files\Zamaan's Software\Vista Eyes 2.0\VistaEyes.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BizJotter] C:\WINDOWS\system32\MsiExec.exe
O4 - HKUS\S-1-5-18\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\bin\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Add to &Teleport - C:\DOCUME~1\Ndippp\LOCALS~1\Temp\Rar$EX00.875\(ADULT) XXX DVD SITE RIPPER v1.40 -CRACKED\teleport.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2953FB0D-09C5-402F-B1BE-03C5CC9425B3}: NameServer = 195.24.208.2 195.24.192.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{410C8327-BF6E-4CF8-BD32-863B7A8B0C22}: NameServer = 192.168.1.1,192.168.1.0
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
O23 - Service: Apache2 - Apache Software Foundation - C:\bin\Apache2\bin\Apache.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 8068 bytes
<--end-->
Hi
Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O8 - Extra context menu item: Add to &Teleport - C:\DOCUME~1\Ndippp\LOCALS~1\Temp\Rar$EX00.875\(ADULT) XXX DVD SITE RIPPER v1.40 -CRACKED\teleport.htm
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
Abel
mchInjDrv
File::
C:\WINDOWS\system32\thxcfg.ini
C:\DOCUME~1\Ndip\LOCALS~1\Temp\mc22.tmp
Folder::
C:\Program Files\Cain
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BizJotter"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00487fd8-5b12-11dc-ba0c-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de9fb0b-f54b-11dc-bb59-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f2921d3-1946-11dc-b97f-0016361f63ff}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1943e026-8ea0-11dc-ba83-e79b0b5d03ea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c042b27-cdad-11dc-bb88-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2f4a9-1217-11dc-b96b-0016361f63ff}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ef7143a-a6a5-11dc-baae-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37eaf819-7b72-11dc-ba74-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c255802-fb8c-11dc-bb61-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f722dbe-0135-11dd-bb68-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac9491b8-b98c-11dc-badd-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afb4aefc-049f-11dc-b912-0016361f63ff}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0bd022a-0b1d-11dc-b950-0016361f63ff}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c451c698-58d1-11dc-ba09-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c80ca0ea-0ca0-11dc-b95a-0016361f63ff}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8fee092-d4da-11dc-bb0e-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df8d734e-2e1e-11dd-bbaf-00026f42dae0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d163c0-473d-11dc-b9ec-0016361f63ff}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f93b7c4c-35ed-11dc-b9cc-0016361f63ff}]
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above meantioned ComboFix resultant log) too.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
If having a problme doing the above
Make sure that your Internet security settings are set to default values.
To set default security settings for Internet Explorer:
* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.