Virtumonde - Advice needed.



saminoregon
2008-06-06, 00:23
My computer is infected with Virtumonde. I am running Win XP. I am posting my HijackThis logfile as well as my CCleaner install log. Any help would be greatly appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:34 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
F:\Programs\a-squared Free\a2service.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
F:\AOL 9.0a\waol.exe
E:\Program Files\Common Files\AOL\1204715252\ee\aolsoftware.exe
E:\WINDOWS\system32\wuauclt.exe
F:\AOL 9.0a\shellmon.exe
E:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LogonStudio] "F:\Programs\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [BM87540d81] Rundll32.exe "E:\WINDOWS\system32\vsrwdjxf.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1204715252\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [31415989] rundll32.exe "E:\WINDOWS\system32\navlklax.dll",b
O4 - HKLM\..\Run: [000000af] rundll32.exe "E:\WINDOWS\system32\nmojeexw.dll",b
O4 - HKCU\..\Run: [AOL Fast Start] "F:\AOL 9.0a\AOL.EXE" -b
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7C635EC-1279-4A51-BAFD-8BFB078615F9}: NameServer = 205.188.146.145
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programs\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UPnPService - Magix AG - E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 3196 bytes




CCleaner install log:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
ArcSoft PhotoImpression 6
ArcSoft Print Creations
Audacity 1.3.4 (Unicode)
AVG 7.5
AVG Anti-Rootkit Free
CCleaner (remove only)
EPSON Print CD
EPSON Printer Software
EPSON RX595 User's Guide
EPSON Scan
EPSON Stylus Photo RX595 Series Scanner Driver Update
FastStone Image Viewer 3.4
GIMP 2.4.2
HijackThis 2.0.2
Intellihance Pro 4.2
iTunes
Java Runtime Environment 1.1
Kaspersky Anti-Virus 7.0
LogonStudio
Maxthon Browser (remove only)
Microsoft .NET Framework 2.0
Microsoft Visual C Runtime
Microsoft XML Parser
MMD DupFinder
Mozilla Firefox (2.0.0.7)
Nero 7 Premium
NVIDIA Drivers
OpenOffice.org 2.0
Opera 9.02
PhotoFiltre
QuickTime
Sound Blaster Audigy
Spybot - Search & Destroy
ThreatFire 3.0
Update for Windows XP (KB898461)
Web Creator OpenOffice.org 1.1
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
XoftSpySE

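The three rundll32 entries in the log above ([BM87540d81], [31415989] and [000000af], each loading an eight-letter DLL from system32 with a one-letter export) are the pattern a log helper looks for first, alongside the O2 BHO registrations whose DLL is already gone. As an added example, not code from this thread or from HijackThis, ComboFix or any other tool mentioned in it, the Python script below triages HijackThis O4 and O2 lines for exactly that: it scores each rundll32 Run entry on three heuristics (eight-letter alphabetic DLL stem in system32, single-letter export, hex-digit value name) and reports orphaned BHO CLSIDs. The heuristics are my own assumptions drawn from the entries in this log, and the sample lines are constructed from the posted log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v2 line format. The value names, paths and
# DLL names are copied from the log posted above; the selection is mine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [BM87540d81] Rundll32.exe "E:\WINDOWS\system32\vsrwdjxf.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [31415989] rundll32.exe "E:\WINDOWS\system32\navlklax.dll",b
O4 - HKLM\..\Run: [000000af] rundll32.exe "E:\WINDOWS\system32\nmojeexw.dll",b
O2 - BHO: (no name) - {43080F67-893F-4BDA-B5B2-AA7156867691} - E:\WINDOWS\system32\rqRJbCVm.dll (file missing)
O2 - BHO: (no name) - {012A1597-43A8-42A5-BAD9-FDD34FCE4466} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# O4 Run entries: hive, value name in brackets, then the command line.
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A rundll32 command: optional quotes around the DLL path, then ",export".
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)
# O2 BHO entries that carry a CLSID in braces.
BHO_LINE = re.compile(r"^O2 - BHO: .*? - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def random_looking_stem(dll_path: str) -> bool:
    # Heuristic (my assumption, based on the names in the posted log): an
    # eight-letter, purely alphabetic DLL sitting directly in system32.
    return re.search(r"\\system32\\[A-Za-z]{8}\.dll$", dll_path, re.I) is not None


def junk_value_name(name: str) -> bool:
    # Run value names made only of hex digits, optionally prefixed "BM", as in the log.
    return re.fullmatch(r"(?:BM)?[0-9A-Fa-f]{6,}", name) is not None


def assess_run_entry(line: str) -> Optional[List[str]]:
    """Return the suspicion reasons for an O4 rundll32 line, [] if it looks
    clean, or None if the line is not an O4 rundll32 entry at all."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    r = RUNDLL.match(m["cmd"])
    if not r:
        return None
    reasons = []
    if random_looking_stem(r["dll"]):
        reasons.append("rundll32 loads an eight-letter DLL from system32")
    if r["export"] is not None and len(r["export"]) == 1:
        reasons.append("single-letter export '%s'" % r["export"])
    if junk_value_name(m["name"]):
        reasons.append("hex-digit Run value name '%s'" % m["name"])
    return reasons


def assess_bho(line: str) -> Optional[List[str]]:
    """Orphaned BHO registrations: the CLSID is still in the registry but
    HijackThis could not find the DLL it points to."""
    m = BHO_LINE.match(line)
    if not m:
        return None
    target = m["target"]
    if target == "(no file)" or target.endswith("(file missing)"):
        return ["BHO registered but its DLL is missing: orphaned CLSID %s" % m["clsid"]]
    return []


def triage(log_text: str, min_reasons: int = 2) -> List[Finding]:
    """Walk a HijackThis log and collect the lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = assess_run_entry(line)
        if reasons is not None:
            # Require two independent hints before flagging a Run entry, so a
            # legitimate rundll32 launcher such as NvCpl.dll stays off the list.
            if len(reasons) >= min_reasons:
                findings.append(Finding(line, reasons))
            continue
        reasons = assess_bho(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("   ->", why)
```

Run against the sample it flags the three Virtumonde-style Run entries and the two dead BHO registrations while leaving the NVIDIA rundll32 entry and the Kaspersky autostart alone. The two-hint threshold is the important design choice: any single heuristic (a short export name, a hex-looking value name) has legitimate matches, so the script only escalates when several coincide on one line, which is how a human helper reads these logs as well.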
Shaba
2008-06-07, 12:33
Hi saminoregon

Rename HijackThis.exe to saminoregon.exe and post back a fresh HijackThis log, please :)

saminoregon
2008-06-07, 22:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:28 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\Maxthon\Maxthon.exe
E:\Program Files\Trend Micro\HijackThis\saminoregon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {012A1597-43A8-42A5-BAD9-FDD34FCE4466} - (no file)
O2 - BHO: (no name) - {015FB85D-A4E9-4039-B61D-320D31E87643} - (no file)
O2 - BHO: (no name) - {0D8C3CA8-296F-49C8-A5A2-E5699BED2668} - (no file)
O2 - BHO: (no name) - {0f559429-db8e-4d8a-8861-f6a174ea10e6} - (no file)
O2 - BHO: (no name) - {17C3555E-C654-4AC1-B3B9-2715F1CC8BE2} - (no file)
O2 - BHO: (no name) - {204EE03C-D56D-4142-9C57-272B43E534A4} - (no file)
O2 - BHO: (no name) - {22161762-2489-44ED-8A16-11B73C78C5B7} - (no file)
O2 - BHO: (no name) - {2BDBC640-CA92-419F-9FCD-A0D679BDF2CB} - (no file)
O2 - BHO: (no name) - {2CDDD719-0926-492C-8900-D8B75DA0E3CE} - (no file)
O2 - BHO: (no name) - {2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA} - (no file)
O2 - BHO: (no name) - {2F7F521D-D735-40FE-A599-6DB02DEA40C0} - (no file)
O2 - BHO: (no name) - {3A629E5A-24D2-4425-B087-BE0C59B1FAB9} - (no file)
O2 - BHO: (no name) - {3CB4C934-C304-40D2-9803-76A0A7A532D7} - (no file)
O2 - BHO: (no name) - {43080F67-893F-4BDA-B5B2-AA7156867691} - E:\WINDOWS\system32\rqRJbCVm.dll (file missing)
O2 - BHO: (no name) - {53FE12C2-4429-488F-847B-7B285F8F6778} - (no file)
O2 - BHO: (no name) - {5A4E0B53-8A43-4F5B-9C82-841C7B08C01D} - (no file)
O2 - BHO: (no name) - {5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390} - (no file)
O2 - BHO: (no name) - {5D7DC3C8-A7ED-4E27-981B-8B1827B6316A} - (no file)
O2 - BHO: (no name) - {5F53DF3C-90B8-419A-9214-6CD916C3C6B9} - (no file)
O2 - BHO: (no name) - {64F79860-67A9-4A5C-9E31-79D261F63B36} - (no file)
O2 - BHO: (no name) - {8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D} - (no file)
O2 - BHO: (no name) - {856CB233-DB2B-41EE-ACC5-D2F74AD17848} - (no file)
O2 - BHO: (no name) - {8685471B-3CC2-4BD7-B662-5C85AF423648} - (no file)
O2 - BHO: (no name) - {911DAB8D-2D48-4E29-8C2F-7C2AC223E668} - (no file)
O2 - BHO: (no name) - {93ed837d-e99f-4e41-bb01-4f9a08f19b00} - (no file)
O2 - BHO: (no name) - {959CAD1F-538A-41CB-8CCC-84B06B6D3DB3} - (no file)
O2 - BHO: (no name) - {A92A313B-8946-4AF0-A05A-F167AC84F225} - (no file)
O2 - BHO: (no name) - {C6EB87F1-7F25-4B8E-9689-773450C4D748} - (no file)
O2 - BHO: (no name) - {D0F9F99E-ACC6-406B-A68D-99BCF015F43A} - (no file)
O2 - BHO: (no name) - {D3F1F57F-7BED-4062-BCC0-7665996F9F0D} - (no file)
O2 - BHO: (no name) - {DB50D3B2-069A-4B90-88E0-9128C9603503} - (no file)
O2 - BHO: (no name) - {e9ba4229-71c2-4449-a519-815bedd88ec1} - (no file)
O2 - BHO: (no name) - {EF301E0A-870C-41AD-B98C-D55BE6C47815} - (no file)
O2 - BHO: (no name) - {EFAE7371-F8A8-407D-92C8-9C7C4AB8592D} - (no file)
O2 - BHO: (no name) - {F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1} - (no file)
O2 - BHO: (no name) - {F2660FC4-7310-42E8-9EA8-207C75F61E26} - (no file)
O2 - BHO: (no name) - {F3DF7914-7325-4472-80A9-EAC14DEF6D5D} - (no file)
O2 - BHO: (no name) - {F8FA44C5-759D-4B48-BDE7-006DBEBCC52C} - (no file)
O2 - BHO: (no name) - {FC91B3E4-D4E5-494E-B270-B2E9B6B97070} - (no file)
O2 - BHO: (no name) - {FD5D9A98-5A96-4AD2-AC66-5F31F5519E40} - (no file)
O2 - BHO: (no name) - {FEE52451-B33F-4D49-B74F-8862D6B2ECEA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BM87540d81] Rundll32.exe "E:\WINDOWS\system32\vhahwulu.dll",s
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7C635EC-1279-4A51-BAFD-8BFB078615F9}: NameServer = 66.178.167.3 66.178.152.10
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programs\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: UPnPService - Magix AG - E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6367 bytes

Shaba
2008-06-08, 11:59
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

saminoregon
2008-06-08, 21:23
By the way, thank you very much for the help. I really appreciate it.

ComboFix 08-06-07.3 - Sam 2008-06-10 11:12:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.715 [GMT -7:00]
Running from: E:\Documents and Settings\Sam\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\RECYCLER\mxfilerelatedcache.mxc2

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-08 04:47 . 2008-06-08 04:47 <DIR> d-------- E:\WINDOWS\Downloaded Installations
2008-06-08 04:16 . 2008-06-08 04:35 <DIR> d-------- E:\Program Files\Free Window Registry Repair
2008-06-08 04:15 . 2008-06-08 04:15 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-06-07 15:49 . 2008-06-07 15:49 754 --a------ E:\WINDOWS\WORDPAD.INI
2008-06-07 07:01 . 2008-06-07 07:01 <DIR> d-------- E:\Program Files\Common Files\aolback
2008-06-07 07:01 . 2008-06-07 07:13 <DIR> d-------- E:\Documents and Settings\Katie\Application Data\AOL
2008-06-07 07:00 . 2008-06-07 07:00 <DIR> d-------- E:\Program Files\Viewpoint
2008-06-07 07:00 . 2008-06-07 07:00 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-07 06:59 . 2008-06-07 07:01 <DIR> d-------- E:\Program Files\Common Files\aolshare
2008-06-07 06:59 . 2008-06-07 12:11 <DIR> d-------- E:\Program Files\Common Files\aol
2008-06-07 06:59 . 2008-06-07 07:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\AOL
2008-06-06 23:15 . 2008-06-06 21:48 354 --ahs---- E:\WINDOWS\system32\jrrjwqoy.ini
2008-06-06 23:04 . 2008-06-06 23:04 0 --a------ E:\WINDOWS\system32\PTPTT.dat
2008-06-05 22:05 . 2001-08-17 13:28 112,574 --a------ E:\WINDOWS\system32\drivers\ptserlp.sys
2008-06-05 22:05 . 2001-12-31 22:36 1,536 --a------ E:\WINDOWS\system32\TrueSoft.dat
2008-06-05 22:04 . 2001-07-21 14:29 456 --a------ E:\WINDOWS\system32\pthsp.dat
2008-06-05 20:53 . 2008-06-05 20:53 <DIR> d-------- E:\Program Files\Common Files\Mediafour
2008-06-05 20:53 . 2008-06-05 20:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Mediafour
2008-06-03 10:16 . 2008-06-03 10:17 <DIR> d-------- E:\Documents and Settings\Katie\Application Data\.clamwin
2008-06-02 23:56 . 2008-06-03 01:01 <DIR> d-------- E:\Documents and Settings\Administrator
2008-06-02 22:36 . 2008-06-02 22:36 <DIR> d-------- E:\Program Files\Mediafour
2008-06-01 20:35 . 2008-02-26 12:40 524,382 --a------ E:\cpuz_144.zip
2008-06-01 18:12 . 2008-06-01 18:12 28 --a------ E:\WINDOWS\kmcdfa2200.dat
2008-06-01 18:11 . 2008-06-01 18:11 <DIR> d-------- E:\Program Files\MMD
2008-05-30 08:03 . 2008-06-03 09:54 <DIR> d-------- E:\Documents and Settings\Katie\Application Data\AVG7
2008-05-30 05:16 . 2008-05-30 05:16 <DIR> d-------- E:\Program Files\Trend Micro
2008-05-30 05:09 . 2008-05-30 05:09 <DIR> d-------- E:\Program Files\proess
2008-05-30 05:08 . 2008-05-30 05:08 <DIR> d-------- E:\Program
2008-05-30 05:07 . 2008-03-10 17:42 545,278 --a------ E:\Autoruns.zip
2008-05-30 05:05 . 2008-06-07 00:20 <DIR> d-------- E:\Documents and Settings\Sam\Application Data\AVG7
2008-05-30 05:04 . 2008-05-30 05:04 <DIR> d-------- E:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-30 05:04 . 2008-05-30 05:04 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 05:04 . 2008-05-30 05:24 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\avg7
2008-05-30 04:38 . 2008-06-08 04:15 2,560 --a------ E:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-30 00:16 . 2008-03-10 18:17 1,649,814 --a------ E:\ProcessExplorer.zip
2008-05-30 00:13 . 2008-05-30 00:13 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-30 00:12 . 2001-12-31 23:53 <DIR> d-------- E:\Program Files\Eusing Free Registry Cleaner
2008-05-30 00:12 . 2007-01-18 05:00 3,968 --a------ E:\WINDOWS\system32\drivers\AvgArCln.sys
2008-05-24 11:56 . 2008-05-24 11:56 <DIR> d-------- E:\Transfered from External
2008-05-24 09:27 . 2008-05-24 09:27 <DIR> d-------- E:\WINDOWS\system32\NtmsData
2008-05-22 10:37 . 2004-08-04 05:00 221,184 --a------ E:\WINDOWS\system32\wmpns.dll
2008-05-21 21:41 . 2008-06-07 12:45 <DIR> d--h----- E:\WINDOWS\$hf_mig$
2008-05-21 21:41 . 2005-02-24 20:35 22,752 --a------ E:\WINDOWS\system32\spupdsvc.exe
2008-05-19 10:43 . 2008-05-19 10:43 0 --a------ E:\WINDOWS\BM87540d81.xml
2008-05-14 01:24 . 2008-06-07 00:22 785 --a------ E:\WINDOWS\wininit.ini
2008-05-10 17:17 . 2008-05-10 17:17 <DIR> d-------- E:\Documents and Settings\Sam\Application Data\Publish Providers
2008-05-10 17:17 . 2008-05-10 17:17 <DIR> d-------- E:\Documents and Settings\Sam\Application Data\NetMedia Providers
2008-05-10 17:14 . 2002-12-17 16:23 33,340 --a------ E:\WINDOWS\system32\dbmsqlgc.dll
2008-05-10 17:14 . 2002-10-20 14:05 24,576 --a------ E:\WINDOWS\system32\dbmsgnet.dll
2008-05-10 17:12 . 2008-05-10 17:12 <DIR> d-------- E:\Program Files\Microsoft SQL Server
2008-05-10 17:12 . 2008-05-30 05:06 <DIR> d-------- E:\Documents and Settings\Sam\Application Data\Sony
2008-05-10 17:11 . 2008-05-30 05:06 <DIR> d-------- E:\Program Files\Sony
2008-05-10 16:53 . 2008-05-30 04:47 <DIR> d-------- E:\Program Files\onOne Software
2008-05-10 16:48 . 2008-05-30 00:17 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-05-10 16:48 . 2008-05-30 00:17 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 18:14 23,742,240 --sha-w E:\WINDOWS\system32\drivers\fidbox.dat
2008-06-10 18:13 1,035,808 --sha-w E:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-07 22:53 --------- d-----w E:\Documents and Settings\Katie\Application Data\OpenOffice.org2
2008-06-07 19:00 5,893,632 ----a-w E:\WINDOWS\system32\logonuiX.exe
2008-06-07 08:16 322,724 --sha-w E:\WINDOWS\system32\drivers\fidbox.idx
2008-06-07 08:16 100,928 --sha-w E:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-05 21:08 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 12:00 --------- d-----w E:\Program Files\Common Files\Stardock
2008-05-15 04:18 --------- d-----w E:\Documents and Settings\Sam\Application Data\OpenOffice.org2
2008-05-12 18:56 --------- d-----w E:\Documents and Settings\Sam\Application Data\uTorrent
2008-05-11 12:11 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-05-07 22:16 --------- d-----w E:\Program Files\Sony Setup
2008-05-07 22:02 --------- d-----w E:\Program Files\XoftSpySE
2008-05-07 22:01 --------- d-----w E:\Program Files\Searchanddestroy
2008-05-06 22:33 --------- d-----w E:\Documents and Settings\Katie\Application Data\uTorrent
2008-05-02 04:02 5,893,632 ----a-w E:\WINDOWS\system32\RCX2.tmp
2008-04-27 04:48 2,560 ----a-w E:\WINDOWS\_MSRSTRT.EXE
2008-04-27 04:38 886,784 ----a-w E:\WINDOWS\ebook_library.dll
2008-04-25 22:40 --------- d-----w E:\Documents and Settings\Katie\Application Data\Lavasoft
2008-04-24 21:11 --------- d-----w E:\Documents and Settings\Sam\Application Data\gtk-2.0
2008-04-24 06:55 --------- d-----w E:\Program Files\Lavasoft
2008-04-24 06:55 --------- d-----w E:\Documents and Settings\Sam\Application Data\Lavasoft
2008-04-24 05:09 --------- d-----w E:\Program Files\Setup NetZero
2008-04-22 12:11 --------- d-----w E:\Documents and Settings\Katie\Application Data\Apple Computer
2008-04-18 18:53 --------- d-----w E:\Program Files\Maxthon
2008-04-18 18:44 --------- d-----w E:\Program Files\JavaSoft
2008-04-14 00:28 --------- d-----w E:\Documents and Settings\Sam\Application Data\Audacity
2008-04-13 03:21 77,894 ----a-w E:\WINDOWS\uinst001.exe
2008-04-11 00:01 --------- d-----w E:\Documents and Settings\Sam\Application Data\FileZilla
2008-03-12 16:33 1,996,336 ----a-w E:\WINDOWS\system32\Checker.exe
2008-03-12 16:19 581,120 ----a-w E:\WINDOWS\Adobe Pdf Money Guide.exe
2007-12-21 21:22 1,298,920 ----a-w E:\Program Files\blast.zip
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_ 0.40.20.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 07:18:03 2,048 --s-a-w E:\WINDOWS\bootstat.dat
+ 2002-01-01 07:01:50 2,048 --s-a-w E:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{012A1597-43A8-42A5-BAD9-FDD34FCE4466}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{015FB85D-A4E9-4039-B61D-320D31E87643}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8C3CA8-296F-49C8-A5A2-E5699BED2668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f559429-db8e-4d8a-8861-f6a174ea10e6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17C3555E-C654-4AC1-B3B9-2715F1CC8BE2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{204EE03C-D56D-4142-9C57-272B43E534A4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22161762-2489-44ED-8A16-11B73C78C5B7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BDBC640-CA92-419F-9FCD-A0D679BDF2CB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CDDD719-0926-492C-8900-D8B75DA0E3CE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7F521D-D735-40FE-A599-6DB02DEA40C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A629E5A-24D2-4425-B087-BE0C59B1FAB9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB4C934-C304-40D2-9803-76A0A7A532D7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43080F67-893F-4BDA-B5B2-AA7156867691}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A4E0B53-8A43-4F5B-9C82-841C7B08C01D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D7DC3C8-A7ED-4E27-981B-8B1827B6316A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F53DF3C-90B8-419A-9214-6CD916C3C6B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64F79860-67A9-4A5C-9E31-79D261F63B36}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{856CB233-DB2B-41EE-ACC5-D2F74AD17848}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8685471B-3CC2-4BD7-B662-5C85AF423648}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{911DAB8D-2D48-4E29-8C2F-7C2AC223E668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93ed837d-e99f-4e41-bb01-4f9a08f19b00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959CAD1F-538A-41CB-8CCC-84B06B6D3DB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A92A313B-8946-4AF0-A05A-F167AC84F225}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6EB87F1-7F25-4B8E-9689-773450C4D748}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0F9F99E-ACC6-406B-A68D-99BCF015F43A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F1F57F-7BED-4062-BCC0-7665996F9F0D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB50D3B2-069A-4B90-88E0-9128C9603503}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9ba4229-71c2-4449-a519-815bedd88ec1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF301E0A-870C-41AD-B98C-D55BE6C47815}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFAE7371-F8A8-407D-92C8-9C7C4AB8592D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2660FC4-7310-42E8-9EA8-207C75F61E26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3DF7914-7325-4472-80A9-EAC14DEF6D5D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8FA44C5-759D-4B48-BDE7-006DBEBCC52C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC91B3E4-D4E5-494E-B270-B2E9B6B97070}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD5D9A98-5A96-4AD2-AC66-5F31F5519E40}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEE52451-B33F-4D49-B74F-8862D6B2ECEA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 E:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-30 05:04 579072]
"PCTVOICE"="pctspk.exe" [2001-08-17 23:36 86016 E:\WINDOWS\system32\pctspk.exe]
"PV92TRAY"="PV92Tray.exe" [2003-04-24 19:35 135168 E:\WINDOWS\system32\PV92Tray.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SpyHunter Security Suite"="E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKLM\~\startupfolder\E:^Documents and Settings^Sam^Start Menu^Programs^Startup^Adobe Gamma.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\User Themes]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
"BM87540d81"=Rundll32.exe "E:\WINDOWS\system32\osxtdexh.dll",s
"000000af"=rundll32.exe "E:\WINDOWS\system32\icemroyt.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\iTunes\\iTunes.exe"=
"E:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"E:\\WINDOWS\\Adobe Pdf Money Guide.exe"=
"E:\\WINDOWS\\system32\\mmc.exe"=
"E:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;E:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-06-08 04:15]
R2 ACEDRV09;ACEDRV09;E:\WINDOWS\system32\drivers\ACEDRV09.sys [2008-02-28 01:25]
R2 Pctspk;PCTEL Speaker Phone;E:\WINDOWS\system32\pctspk.exe [2001-08-17 23:36]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;E:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 14:28]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);E:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;E:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S3 UPnPService;UPnPService;E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

.
Contents of the 'Scheduled Tasks' folder
"2002-01-01 05:42:23 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-01-01 05:42:23 E:\WINDOWS\Tasks\XoftSpySE 2.job"
- E:\Program Files\XoftSpySE\XoftSpy.exe
"2002-01-01 05:42:23 E:\WINDOWS\Tasks\XoftSpySE.job"
- E:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 11:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-06-10 11:15:02
ComboFix-quarantined-files.txt 2008-06-10 18:14:59
ComboFix2.txt 2008-06-07 07:40:55

Pre-Run: 242,073,485,312 bytes free
Post-Run: 242,064,969,728 bytes free

216 --- E O F --- 2008-05-22 04:41:09



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:25 AM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
F:\Programs\a-squared Free\a2service.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\saminoregon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {012A1597-43A8-42A5-BAD9-FDD34FCE4466} - (no file)
O2 - BHO: (no name) - {015FB85D-A4E9-4039-B61D-320D31E87643} - (no file)
O2 - BHO: (no name) - {0D8C3CA8-296F-49C8-A5A2-E5699BED2668} - (no file)
O2 - BHO: (no name) - {0f559429-db8e-4d8a-8861-f6a174ea10e6} - (no file)
O2 - BHO: (no name) - {17C3555E-C654-4AC1-B3B9-2715F1CC8BE2} - (no file)
O2 - BHO: (no name) - {204EE03C-D56D-4142-9C57-272B43E534A4} - (no file)
O2 - BHO: (no name) - {22161762-2489-44ED-8A16-11B73C78C5B7} - (no file)
O2 - BHO: (no name) - {2BDBC640-CA92-419F-9FCD-A0D679BDF2CB} - (no file)
O2 - BHO: (no name) - {2CDDD719-0926-492C-8900-D8B75DA0E3CE} - (no file)
O2 - BHO: (no name) - {2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA} - (no file)
O2 - BHO: (no name) - {2F7F521D-D735-40FE-A599-6DB02DEA40C0} - (no file)
O2 - BHO: (no name) - {3A629E5A-24D2-4425-B087-BE0C59B1FAB9} - (no file)
O2 - BHO: (no name) - {3CB4C934-C304-40D2-9803-76A0A7A532D7} - (no file)
O2 - BHO: (no name) - {43080F67-893F-4BDA-B5B2-AA7156867691} - (no file)
O2 - BHO: (no name) - {5A4E0B53-8A43-4F5B-9C82-841C7B08C01D} - (no file)
O2 - BHO: (no name) - {5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390} - (no file)
O2 - BHO: (no name) - {5D7DC3C8-A7ED-4E27-981B-8B1827B6316A} - (no file)
O2 - BHO: (no name) - {5F53DF3C-90B8-419A-9214-6CD916C3C6B9} - (no file)
O2 - BHO: (no name) - {64F79860-67A9-4A5C-9E31-79D261F63B36} - (no file)
O2 - BHO: (no name) - {8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D} - (no file)
O2 - BHO: (no name) - {856CB233-DB2B-41EE-ACC5-D2F74AD17848} - (no file)
O2 - BHO: (no name) - {8685471B-3CC2-4BD7-B662-5C85AF423648} - (no file)
O2 - BHO: (no name) - {911DAB8D-2D48-4E29-8C2F-7C2AC223E668} - (no file)
O2 - BHO: (no name) - {93ed837d-e99f-4e41-bb01-4f9a08f19b00} - (no file)
O2 - BHO: (no name) - {959CAD1F-538A-41CB-8CCC-84B06B6D3DB3} - (no file)
O2 - BHO: (no name) - {A92A313B-8946-4AF0-A05A-F167AC84F225} - (no file)
O2 - BHO: (no name) - {C6EB87F1-7F25-4B8E-9689-773450C4D748} - (no file)
O2 - BHO: (no name) - {D0F9F99E-ACC6-406B-A68D-99BCF015F43A} - (no file)
O2 - BHO: (no name) - {D3F1F57F-7BED-4062-BCC0-7665996F9F0D} - (no file)
O2 - BHO: (no name) - {DB50D3B2-069A-4B90-88E0-9128C9603503} - (no file)
O2 - BHO: (no name) - {e9ba4229-71c2-4449-a519-815bedd88ec1} - (no file)
O2 - BHO: (no name) - {EF301E0A-870C-41AD-B98C-D55BE6C47815} - (no file)
O2 - BHO: (no name) - {EFAE7371-F8A8-407D-92C8-9C7C4AB8592D} - (no file)
O2 - BHO: (no name) - {F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1} - (no file)
O2 - BHO: (no name) - {F2660FC4-7310-42E8-9EA8-207C75F61E26} - (no file)
O2 - BHO: (no name) - {F3DF7914-7325-4472-80A9-EAC14DEF6D5D} - (no file)
O2 - BHO: (no name) - {F8FA44C5-759D-4B48-BDE7-006DBEBCC52C} - (no file)
O2 - BHO: (no name) - {FC91B3E4-D4E5-494E-B270-B2E9B6B97070} - (no file)
O2 - BHO: (no name) - {FD5D9A98-5A96-4AD2-AC66-5F31F5519E40} - (no file)
O2 - BHO: (no name) - {FEE52451-B33F-4D49-B74F-8862D6B2ECEA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7C635EC-1279-4A51-BAFD-8BFB078615F9}: NameServer = 66.178.167.3 66.178.152.10
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programs\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: UPnPService - Magix AG - E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6468 bytes

Shaba
2008-06-09, 17:09
Hi

Open notepad and copy/paste the text in the codebox below into it:


File::
E:\WINDOWS\system32\jrrjwqoy.ini
E:\WINDOWS\system32\RCX2.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{012A1597-43A8-42A5-BAD9-FDD34FCE4466}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{015FB85D-A4E9-4039-B61D-320D31E87643}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8C3CA8-296F-49C8-A5A2-E5699BED2668}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f559429-db8e-4d8a-8861-f6a174ea10e6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17C3555E-C654-4AC1-B3B9-2715F1CC8BE2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{204EE03C-D56D-4142-9C57-272B43E534A4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22161762-2489-44ED-8A16-11B73C78C5B7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BDBC640-CA92-419F-9FCD-A0D679BDF2CB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CDDD719-0926-492C-8900-D8B75DA0E3CE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7F521D-D735-40FE-A599-6DB02DEA40C0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A629E5A-24D2-4425-B087-BE0C59B1FAB9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB4C934-C304-40D2-9803-76A0A7A532D7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43080F67-893F-4BDA-B5B2-AA7156867691}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A4E0B53-8A43-4F5B-9C82-841C7B08C01D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D7DC3C8-A7ED-4E27-981B-8B1827B6316A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F53DF3C-90B8-419A-9214-6CD916C3C6B9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64F79860-67A9-4A5C-9E31-79D261F63B36}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{856CB233-DB2B-41EE-ACC5-D2F74AD17848}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8685471B-3CC2-4BD7-B662-5C85AF423648}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{911DAB8D-2D48-4E29-8C2F-7C2AC223E668}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93ed837d-e99f-4e41-bb01-4f9a08f19b00}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959CAD1F-538A-41CB-8CCC-84B06B6D3DB3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A92A313B-8946-4AF0-A05A-F167AC84F225}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6EB87F1-7F25-4B8E-9689-773450C4D748}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0F9F99E-ACC6-406B-A68D-99BCF015F43A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F1F57F-7BED-4062-BCC0-7665996F9F0D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB50D3B2-069A-4B90-88E0-9128C9603503}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9ba4229-71c2-4449-a519-815bedd88ec1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF301E0A-870C-41AD-B98C-D55BE6C47815}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFAE7371-F8A8-407D-92C8-9C7C4AB8592D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2660FC4-7310-42E8-9EA8-207C75F61E26}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3DF7914-7325-4472-80A9-EAC14DEF6D5D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8FA44C5-759D-4B48-BDE7-006DBEBCC52C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC91B3E4-D4E5-494E-B270-B2E9B6B97070}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD5D9A98-5A96-4AD2-AC66-5F31F5519E40}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEE52451-B33F-4D49-B74F-8862D6B2ECEA}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM87540d81"=-
"000000af"=-



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
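
The CFScript above was written by hand from the HijackThis log: each O2 BHO entry reported as "(no file)" became a `[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}]` deletion, and the two rundll32 Run values went under the `run-` block. The Python below is an added example (not code from ComboFix, HijackThis or this thread) that derives the same script from HijackThis log lines, so the BHO list can be checked against the log instead of retyped; it only produces text for review, and the sample log, the `abcdefgh.dll` / `ijklmnop.dll` names and the `{11111111-...}` CLSID are constructed placeholders.

```python
"""Derive a ComboFix CFScript from HijackThis log lines (added example)."""
import re
from typing import List

# Constructed sample, modelled on the logs in this thread. The two "(no file)"
# CLSIDs and the Run value names appear in the thread; the third CLSID and the
# two eight-letter DLL names are made-up placeholders.
SAMPLE_HJT_LOG = r'''
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA} - (no file)
O2 - BHO: (no name) - {FEE52451-B33F-4D49-B74F-8862D6B2ECEA} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - E:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM87540d81] Rundll32.exe "E:\WINDOWS\system32\abcdefgh.dll",s
O4 - HKLM\..\Run: [000000af] rundll32.exe "E:\WINDOWS\system32\ijklmnop.dll",b
'''

# HijackThis v2 line shapes used here: O2 (BHO) and O4 (HKLM Run value).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
RUN_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w{1,2})$', re.IGNORECASE
)

# Key paths exactly as they appear in the CFScript posted in this thread
# ("~" is the abbreviation ComboFix itself prints for the BHO key).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-"


def orphan_bhos(log: str) -> List[str]:
    """CLSIDs of O2 BHO entries whose DLL is gone, i.e. target is "(no file)"."""
    found = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group("target").strip() == "(no file)":
            found.append(m.group("clsid"))
    return found


def suspicious_run_entries(log: str) -> List[str]:
    """Run value names that load a random-looking DLL through rundll32.

    Heuristic modelled on the two entries removed in this thread: rundll32
    loading a system32 DLL with an eight-lowercase-letter name via a one- or
    two-character export. Hits are candidates for review, not verdicts.
    """
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd").strip())
        if not r:
            continue
        folder, _, base = r.group("dll").rpartition("\\")
        if folder.lower().endswith("system32") and re.fullmatch(r"[a-z]{8}\.dll", base):
            hits.append(m.group("name"))
    return hits


def build_cfscript(files: List[str], bho_clsids: List[str], run_values: List[str]) -> str:
    """Render File:: / Registry:: sections in the layout used in the thread."""
    out = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    out.append("Registry::")
    for clsid in bho_clsids:
        out.append(f"[-{BHO_KEY}\\{clsid}]")   # leading "-" deletes the key
        out.append("")
    if run_values:
        out.append(f"[{RUN_KEY}]")
        out.extend(f'"{name}"=-' for name in run_values)   # "=-" deletes the value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    script = build_cfscript(
        files=[r"E:\WINDOWS\system32\jrrjwqoy.ini"],   # file named in the thread
        bho_clsids=orphan_bhos(SAMPLE_HJT_LOG),
        run_values=suspicious_run_entries(SAMPLE_HJT_LOG),
    )
    print(script)
```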

saminoregon
2008-06-10, 04:39
ComboFix 08-06-07.3 - Sam 2008-06-11 16:38:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.637 [GMT -7:00]
Running from: E:\Documents and Settings\Sam\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Sam\Desktop\CFScript.txt
* Created a new restore point

FILE ::
E:\WINDOWS\system32\jrrjwqoy.ini
E:\WINDOWS\system32\RCX2.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\jrrjwqoy.ini
E:\WINDOWS\system32\RCX2.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 15:37 . 2003-10-03 16:28 45,056 --a------ E:\WINDOWS\system32\vusetup.dll
2008-06-10 15:37 . 2005-06-06 02:51 11,264 --a------ E:\WINDOWS\system32\drivers\vulfntr.sys
2008-06-10 15:37 . 2005-01-05 03:02 6,912 --a------ E:\WINDOWS\system32\drivers\vulfnth.sys
2008-06-08 04:47 . 2008-06-08 04:47 <DIR> d-------- E:\WINDOWS\Downloaded Installations
2008-06-08 04:16 . 2008-06-08 04:35 <DIR> d-------- E:\Program Files\Free Window Registry Repair
2008-06-08 04:15 . 2008-06-08 04:15 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-06-07 15:49 . 2008-06-07 15:49 754 --a------ E:\WINDOWS\WORDPAD.INI
2008-06-07 07:01 . 2008-06-07 07:01 <DIR> d-------- E:\Program Files\Common Files\aolback
2008-06-07 07:01 . 2008-06-07 07:13 <DIR> d-------- E:\Documents and Settings\Katie\Application Data\AOL
2008-06-07 07:00 . 2008-06-07 07:00 <DIR> d-------- E:\Program Files\Viewpoint
2008-06-07 07:00 . 2008-06-07 07:00 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-07 06:59 . 2008-06-07 07:01 <DIR> d-------- E:\Program Files\Common Files\aolshare
2008-06-07 06:59 . 2008-06-07 12:11 <DIR> d-------- E:\Program Files\Common Files\aol
2008-06-07 06:59 . 2008-06-07 07:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\AOL
2008-06-06 23:04 . 2008-06-06 23:04 0 --a------ E:\WINDOWS\system32\PTPTT.dat
2008-06-05 22:05 . 2001-08-17 13:28 112,574 --a------ E:\WINDOWS\system32\drivers\ptserlp.sys
2008-06-05 22:05 . 2001-12-31 22:36 1,536 --a------ E:\WINDOWS\system32\TrueSoft.dat
2008-06-05 22:04 . 2001-07-21 14:29 456 --a------ E:\WINDOWS\system32\pthsp.dat
2008-06-05 20:53 . 2008-06-05 20:53 <DIR> d-------- E:\Program Files\Common Files\Mediafour
2008-06-05 20:53 . 2008-06-05 20:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Mediafour
2008-06-03 10:16 . 2008-06-03 10:17 <DIR> d-------- E:\Documents and Settings\Katie\Application Data\.clamwin
2008-06-02 23:56 . 2008-06-03 01:01 <DIR> d-------- E:\Documents and Settings\Administrator
2008-06-02 22:36 . 2008-06-02 22:36 <DIR> d-------- E:\Program Files\Mediafour
2008-06-01 20:35 . 2008-02-26 12:40 524,382 --a------ E:\cpuz_144.zip
2008-06-01 18:12 . 2008-06-01 18:12 28 --a------ E:\WINDOWS\kmcdfa2200.dat
2008-06-01 18:11 . 2008-06-01 18:11 <DIR> d-------- E:\Program Files\MMD
2008-05-30 08:03 . 2008-06-03 09:54 <DIR> d-------- E:\Documents and Settings\Katie\Application Data\AVG7
2008-05-30 05:16 . 2008-05-30 05:16 <DIR> d-------- E:\Program Files\Trend Micro
2008-05-30 05:09 . 2008-05-30 05:09 <DIR> d-------- E:\Program Files\proess
2008-05-30 05:08 . 2008-05-30 05:08 <DIR> d-------- E:\Program
2008-05-30 05:07 . 2008-03-10 17:42 545,278 --a------ E:\Autoruns.zip
2008-05-30 05:05 . 2008-06-07 00:20 <DIR> d-------- E:\Documents and Settings\Sam\Application Data\AVG7
2008-05-30 05:04 . 2008-05-30 05:04 <DIR> d-------- E:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-30 05:04 . 2008-05-30 05:04 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 05:04 . 2008-05-30 05:24 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\avg7
2008-05-30 04:38 . 2008-06-08 04:15 2,560 --a------ E:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-30 00:16 . 2008-03-10 18:17 1,649,814 --a------ E:\ProcessExplorer.zip
2008-05-30 00:13 . 2008-05-30 00:13 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-30 00:12 . 2001-12-31 23:53 <DIR> d-------- E:\Program Files\Eusing Free Registry Cleaner
2008-05-30 00:12 . 2007-01-18 05:00 3,968 --a------ E:\WINDOWS\system32\drivers\AvgArCln.sys
2008-05-24 11:56 . 2008-05-24 11:56 <DIR> d-------- E:\Transfered from External
2008-05-24 09:27 . 2008-05-24 09:27 <DIR> d-------- E:\WINDOWS\system32\NtmsData
2008-05-22 10:37 . 2004-08-04 05:00 221,184 --a------ E:\WINDOWS\system32\wmpns.dll
2008-05-21 21:41 . 2008-06-07 12:45 <DIR> d--h----- E:\WINDOWS\$hf_mig$
2008-05-21 21:41 . 2005-02-24 20:35 22,752 --a------ E:\WINDOWS\system32\spupdsvc.exe
2008-05-19 10:43 . 2008-05-19 10:43 0 --a------ E:\WINDOWS\BM87540d81.xml
2008-05-14 01:24 . 2008-06-07 00:22 785 --a------ E:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 23:40 24,177,696 --sha-w E:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 23:40 1,094,432 --sha-w E:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-11 23:37 --------- d-----w E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-11 23:24 --------- d-----w E:\Documents and Settings\Katie\Application Data\OpenOffice.org2
2008-06-10 22:37 323,732 --sha-w E:\WINDOWS\system32\drivers\fidbox.idx
2008-06-10 22:37 101,648 --sha-w E:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-07 19:00 5,893,632 ----a-w E:\WINDOWS\system32\logonuiX.exe
2008-06-05 21:08 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 12:06 --------- d-----w E:\Program Files\Sony
2008-05-30 12:06 --------- d-----w E:\Documents and Settings\Sam\Application Data\Sony
2008-05-30 12:00 --------- d-----w E:\Program Files\Common Files\Stardock
2008-05-30 11:47 --------- d-----w E:\Program Files\onOne Software
2008-05-30 07:17 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-05-30 07:17 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 04:18 --------- d-----w E:\Documents and Settings\Sam\Application Data\OpenOffice.org2
2008-05-12 18:56 --------- d-----w E:\Documents and Settings\Sam\Application Data\uTorrent
2008-05-11 12:11 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-05-11 00:17 --------- d-----w E:\Documents and Settings\Sam\Application Data\Publish Providers
2008-05-11 00:17 --------- d-----w E:\Documents and Settings\Sam\Application Data\NetMedia Providers
2008-05-11 00:12 --------- d-----w E:\Program Files\Microsoft SQL Server
2008-05-07 22:16 --------- d-----w E:\Program Files\Sony Setup
2008-05-07 22:02 --------- d-----w E:\Program Files\XoftSpySE
2008-05-07 22:01 --------- d-----w E:\Program Files\Searchanddestroy
2008-05-06 22:33 --------- d-----w E:\Documents and Settings\Katie\Application Data\uTorrent
2008-04-27 04:48 2,560 ----a-w E:\WINDOWS\_MSRSTRT.EXE
2008-04-27 04:38 886,784 ----a-w E:\WINDOWS\ebook_library.dll
2008-04-25 22:40 --------- d-----w E:\Documents and Settings\Katie\Application Data\Lavasoft
2008-04-24 21:11 --------- d-----w E:\Documents and Settings\Sam\Application Data\gtk-2.0
2008-04-24 06:55 --------- d-----w E:\Program Files\Lavasoft
2008-04-24 06:55 --------- d-----w E:\Documents and Settings\Sam\Application Data\Lavasoft
2008-04-24 05:09 --------- d-----w E:\Program Files\Setup NetZero
2008-04-22 12:11 --------- d-----w E:\Documents and Settings\Katie\Application Data\Apple Computer
2008-04-18 18:53 --------- d-----w E:\Program Files\Maxthon
2008-04-18 18:44 --------- d-----w E:\Program Files\JavaSoft
2008-04-14 00:28 --------- d-----w E:\Documents and Settings\Sam\Application Data\Audacity
2008-04-13 03:21 77,894 ----a-w E:\WINDOWS\uinst001.exe
2008-04-11 00:01 --------- d-----w E:\Documents and Settings\Sam\Application Data\FileZilla
2008-03-12 16:33 1,996,336 ----a-w E:\WINDOWS\system32\Checker.exe
2008-03-12 16:19 581,120 ----a-w E:\WINDOWS\Adobe Pdf Money Guide.exe
2007-12-21 21:22 1,298,920 ----a-w E:\Program Files\blast.zip
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_ 0.40.20.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 07:18:03 2,048 --s-a-w E:\WINDOWS\bootstat.dat
+ 2008-06-11 23:06:06 2,048 --s-a-w E:\WINDOWS\bootstat.dat
- 1998-10-29 22:45:06 306,688 ----a-w E:\WINDOWS\IsUninst.exe
+ 1998-10-29 23:45:06 306,688 ----a-w E:\WINDOWS\IsUninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{012A1597-43A8-42A5-BAD9-FDD34FCE4466}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{015FB85D-A4E9-4039-B61D-320D31E87643}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8C3CA8-296F-49C8-A5A2-E5699BED2668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f559429-db8e-4d8a-8861-f6a174ea10e6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17C3555E-C654-4AC1-B3B9-2715F1CC8BE2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{204EE03C-D56D-4142-9C57-272B43E534A4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22161762-2489-44ED-8A16-11B73C78C5B7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BDBC640-CA92-419F-9FCD-A0D679BDF2CB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CDDD719-0926-492C-8900-D8B75DA0E3CE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7F521D-D735-40FE-A599-6DB02DEA40C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A629E5A-24D2-4425-B087-BE0C59B1FAB9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB4C934-C304-40D2-9803-76A0A7A532D7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43080F67-893F-4BDA-B5B2-AA7156867691}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A4E0B53-8A43-4F5B-9C82-841C7B08C01D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D7DC3C8-A7ED-4E27-981B-8B1827B6316A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F53DF3C-90B8-419A-9214-6CD916C3C6B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64F79860-67A9-4A5C-9E31-79D261F63B36}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{856CB233-DB2B-41EE-ACC5-D2F74AD17848}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8685471B-3CC2-4BD7-B662-5C85AF423648}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{911DAB8D-2D48-4E29-8C2F-7C2AC223E668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93ed837d-e99f-4e41-bb01-4f9a08f19b00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959CAD1F-538A-41CB-8CCC-84B06B6D3DB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A92A313B-8946-4AF0-A05A-F167AC84F225}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6EB87F1-7F25-4B8E-9689-773450C4D748}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0F9F99E-ACC6-406B-A68D-99BCF015F43A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F1F57F-7BED-4062-BCC0-7665996F9F0D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB50D3B2-069A-4B90-88E0-9128C9603503}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9ba4229-71c2-4449-a519-815bedd88ec1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF301E0A-870C-41AD-B98C-D55BE6C47815}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFAE7371-F8A8-407D-92C8-9C7C4AB8592D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2660FC4-7310-42E8-9EA8-207C75F61E26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3DF7914-7325-4472-80A9-EAC14DEF6D5D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8FA44C5-759D-4B48-BDE7-006DBEBCC52C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC91B3E4-D4E5-494E-B270-B2E9B6B97070}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD5D9A98-5A96-4AD2-AC66-5F31F5519E40}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEE52451-B33F-4D49-B74F-8862D6B2ECEA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 E:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-30 05:04 579072]
"PCTVOICE"="pctspk.exe" [2001-08-17 23:36 86016 E:\WINDOWS\system32\pctspk.exe]
"PV92TRAY"="PV92Tray.exe" [2003-04-24 19:35 135168 E:\WINDOWS\system32\PV92Tray.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SpyHunter Security Suite"="E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKLM\~\startupfolder\E:^Documents and Settings^Sam^Start Menu^Programs^Startup^Adobe Gamma.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\User Themes]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\iTunes\\iTunes.exe"=
"E:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"E:\\WINDOWS\\Adobe Pdf Money Guide.exe"=
"E:\\WINDOWS\\system32\\mmc.exe"=
"E:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;E:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-06-08 04:15]
R2 ACEDRV09;ACEDRV09;E:\WINDOWS\system32\drivers\ACEDRV09.sys [2008-02-28 01:25]
R2 Pctspk;PCTEL Speaker Phone;E:\WINDOWS\system32\pctspk.exe [2001-08-17 23:36]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;E:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 14:28]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);E:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;E:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S3 UPnPService;UPnPService;E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

.
Contents of the 'Scheduled Tasks' folder
"2002-01-01 05:42:23 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-01-01 05:42:23 E:\WINDOWS\Tasks\XoftSpySE 2.job"
- E:\Program Files\XoftSpySE\XoftSpy.exe
"2002-01-01 05:42:23 E:\WINDOWS\Tasks\XoftSpySE.job"
- E:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 16:40:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\tsd32.dll
PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-06-11 16:41:19
ComboFix-quarantined-files.txt 2008-06-11 23:41:16
ComboFix2.txt 2008-06-10 18:15:06
ComboFix3.txt 2008-06-07 07:40:55

Pre-Run: 242,015,178,752 bytes free
Post-Run: 242,005,970,944 bytes free

225 --- E O F --- 2008-05-22 04:41:09



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:20 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
F:\Programs\a-squared Free\a2service.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Trend Micro\HijackThis\saminoregon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {012A1597-43A8-42A5-BAD9-FDD34FCE4466} - (no file)
O2 - BHO: (no name) - {015FB85D-A4E9-4039-B61D-320D31E87643} - (no file)
O2 - BHO: (no name) - {0D8C3CA8-296F-49C8-A5A2-E5699BED2668} - (no file)
O2 - BHO: (no name) - {0f559429-db8e-4d8a-8861-f6a174ea10e6} - (no file)
O2 - BHO: (no name) - {17C3555E-C654-4AC1-B3B9-2715F1CC8BE2} - (no file)
O2 - BHO: (no name) - {204EE03C-D56D-4142-9C57-272B43E534A4} - (no file)
O2 - BHO: (no name) - {22161762-2489-44ED-8A16-11B73C78C5B7} - (no file)
O2 - BHO: (no name) - {2BDBC640-CA92-419F-9FCD-A0D679BDF2CB} - (no file)
O2 - BHO: (no name) - {2CDDD719-0926-492C-8900-D8B75DA0E3CE} - (no file)
O2 - BHO: (no name) - {2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA} - (no file)
O2 - BHO: (no name) - {2F7F521D-D735-40FE-A599-6DB02DEA40C0} - (no file)
O2 - BHO: (no name) - {3A629E5A-24D2-4425-B087-BE0C59B1FAB9} - (no file)
O2 - BHO: (no name) - {3CB4C934-C304-40D2-9803-76A0A7A532D7} - (no file)
O2 - BHO: (no name) - {43080F67-893F-4BDA-B5B2-AA7156867691} - (no file)
O2 - BHO: (no name) - {5A4E0B53-8A43-4F5B-9C82-841C7B08C01D} - (no file)
O2 - BHO: (no name) - {5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390} - (no file)
O2 - BHO: (no name) - {5D7DC3C8-A7ED-4E27-981B-8B1827B6316A} - (no file)
O2 - BHO: (no name) - {5F53DF3C-90B8-419A-9214-6CD916C3C6B9} - (no file)
O2 - BHO: (no name) - {64F79860-67A9-4A5C-9E31-79D261F63B36} - (no file)
O2 - BHO: (no name) - {8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D} - (no file)
O2 - BHO: (no name) - {856CB233-DB2B-41EE-ACC5-D2F74AD17848} - (no file)
O2 - BHO: (no name) - {8685471B-3CC2-4BD7-B662-5C85AF423648} - (no file)
O2 - BHO: (no name) - {911DAB8D-2D48-4E29-8C2F-7C2AC223E668} - (no file)
O2 - BHO: (no name) - {93ed837d-e99f-4e41-bb01-4f9a08f19b00} - (no file)
O2 - BHO: (no name) - {959CAD1F-538A-41CB-8CCC-84B06B6D3DB3} - (no file)
O2 - BHO: (no name) - {A92A313B-8946-4AF0-A05A-F167AC84F225} - (no file)
O2 - BHO: (no name) - {C6EB87F1-7F25-4B8E-9689-773450C4D748} - (no file)
O2 - BHO: (no name) - {D0F9F99E-ACC6-406B-A68D-99BCF015F43A} - (no file)
O2 - BHO: (no name) - {D3F1F57F-7BED-4062-BCC0-7665996F9F0D} - (no file)
O2 - BHO: (no name) - {DB50D3B2-069A-4B90-88E0-9128C9603503} - (no file)
O2 - BHO: (no name) - {e9ba4229-71c2-4449-a519-815bedd88ec1} - (no file)
O2 - BHO: (no name) - {EF301E0A-870C-41AD-B98C-D55BE6C47815} - (no file)
O2 - BHO: (no name) - {EFAE7371-F8A8-407D-92C8-9C7C4AB8592D} - (no file)
O2 - BHO: (no name) - {F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1} - (no file)
O2 - BHO: (no name) - {F2660FC4-7310-42E8-9EA8-207C75F61E26} - (no file)
O2 - BHO: (no name) - {F3DF7914-7325-4472-80A9-EAC14DEF6D5D} - (no file)
O2 - BHO: (no name) - {F8FA44C5-759D-4B48-BDE7-006DBEBCC52C} - (no file)
O2 - BHO: (no name) - {FC91B3E4-D4E5-494E-B270-B2E9B6B97070} - (no file)
O2 - BHO: (no name) - {FD5D9A98-5A96-4AD2-AC66-5F31F5519E40} - (no file)
O2 - BHO: (no name) - {FEE52451-B33F-4D49-B74F-8862D6B2ECEA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programs\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: UPnPService - Magix AG - E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6191 bytes

Shaba
2008-06-10, 16:04
Hi

Boot in safe mode.

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {012A1597-43A8-42A5-BAD9-FDD34FCE4466} - (no file)
O2 - BHO: (no name) - {015FB85D-A4E9-4039-B61D-320D31E87643} - (no file)
O2 - BHO: (no name) - {0D8C3CA8-296F-49C8-A5A2-E5699BED2668} - (no file)
O2 - BHO: (no name) - {0f559429-db8e-4d8a-8861-f6a174ea10e6} - (no file)
O2 - BHO: (no name) - {17C3555E-C654-4AC1-B3B9-2715F1CC8BE2} - (no file)
O2 - BHO: (no name) - {204EE03C-D56D-4142-9C57-272B43E534A4} - (no file)
O2 - BHO: (no name) - {22161762-2489-44ED-8A16-11B73C78C5B7} - (no file)
O2 - BHO: (no name) - {2BDBC640-CA92-419F-9FCD-A0D679BDF2CB} - (no file)
O2 - BHO: (no name) - {2CDDD719-0926-492C-8900-D8B75DA0E3CE} - (no file)
O2 - BHO: (no name) - {2DFDD20B-7D9D-4DB7-B7C4-19B0111F81FA} - (no file)
O2 - BHO: (no name) - {2F7F521D-D735-40FE-A599-6DB02DEA40C0} - (no file)
O2 - BHO: (no name) - {3A629E5A-24D2-4425-B087-BE0C59B1FAB9} - (no file)
O2 - BHO: (no name) - {3CB4C934-C304-40D2-9803-76A0A7A532D7} - (no file)
O2 - BHO: (no name) - {43080F67-893F-4BDA-B5B2-AA7156867691} - (no file)
O2 - BHO: (no name) - {5A4E0B53-8A43-4F5B-9C82-841C7B08C01D} - (no file)
O2 - BHO: (no name) - {5D5BCF34-1F3C-4A5E-BA0D-CC8D711D2390} - (no file)
O2 - BHO: (no name) - {5D7DC3C8-A7ED-4E27-981B-8B1827B6316A} - (no file)
O2 - BHO: (no name) - {5F53DF3C-90B8-419A-9214-6CD916C3C6B9} - (no file)
O2 - BHO: (no name) - {64F79860-67A9-4A5C-9E31-79D261F63B36} - (no file)
O2 - BHO: (no name) - {8033D9AF-2DF9-4AF4-B335-B9F38C13ED4D} - (no file)
O2 - BHO: (no name) - {856CB233-DB2B-41EE-ACC5-D2F74AD17848} - (no file)
O2 - BHO: (no name) - {8685471B-3CC2-4BD7-B662-5C85AF423648} - (no file)
O2 - BHO: (no name) - {911DAB8D-2D48-4E29-8C2F-7C2AC223E668} - (no file)
O2 - BHO: (no name) - {93ed837d-e99f-4e41-bb01-4f9a08f19b00} - (no file)
O2 - BHO: (no name) - {959CAD1F-538A-41CB-8CCC-84B06B6D3DB3} - (no file)
O2 - BHO: (no name) - {A92A313B-8946-4AF0-A05A-F167AC84F225} - (no file)
O2 - BHO: (no name) - {C6EB87F1-7F25-4B8E-9689-773450C4D748} - (no file)
O2 - BHO: (no name) - {D0F9F99E-ACC6-406B-A68D-99BCF015F43A} - (no file)
O2 - BHO: (no name) - {D3F1F57F-7BED-4062-BCC0-7665996F9F0D} - (no file)
O2 - BHO: (no name) - {DB50D3B2-069A-4B90-88E0-9128C9603503} - (no file)
O2 - BHO: (no name) - {e9ba4229-71c2-4449-a519-815bedd88ec1} - (no file)
O2 - BHO: (no name) - {EF301E0A-870C-41AD-B98C-D55BE6C47815} - (no file)
O2 - BHO: (no name) - {EFAE7371-F8A8-407D-92C8-9C7C4AB8592D} - (no file)
O2 - BHO: (no name) - {F0750CCE-5F2D-4B83-A5A2-16ECA5D80AB1} - (no file)
O2 - BHO: (no name) - {F2660FC4-7310-42E8-9EA8-207C75F61E26} - (no file)
O2 - BHO: (no name) - {F3DF7914-7325-4472-80A9-EAC14DEF6D5D} - (no file)
O2 - BHO: (no name) - {F8FA44C5-759D-4B48-BDE7-006DBEBCC52C} - (no file)
O2 - BHO: (no name) - {FC91B3E4-D4E5-494E-B270-B2E9B6B97070} - (no file)
O2 - BHO: (no name) - {FD5D9A98-5A96-4AD2-AC66-5F31F5519E40} - (no file)
O2 - BHO: (no name) - {FEE52451-B33F-4D49-B74F-8862D6B2ECEA} - (no file)

Close all windows including browser and press fix checked.

Delete this:

E:\WINDOWS\BM87540d81.xml

Empty Recycle Bin.

Reboot.

Post back a fresh HijackThis log.
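The fix list above is built from three patterns that recur in this thread's logs: O2 BHO entries whose CLSID is still registered but resolve to "(no file)", O4 Run values that load a random-named DLL from system32 through rundll32 (the Vundo loader entries in the first log), and O23 services marked "(file missing)". The script below is an added example for this thread, not HijackThis code and not something the participants ran: it parses a HijackThis 2.0.2 log, produces that fix list, and re-checks a fresh log to confirm the entries are gone. The sample log lines are constructed from the shapes of entries in the posted logs, and the "eight random lowercase letters" DLL-name rule is a heuristic assumed here because it matches the three Vundo DLLs in this thread; it is not a general Vundo signature.

```python
"""Triage a HijackThis 2.0.2 log for Vundo/Virtumonde residue.

Added example for this thread (not HijackThis code). Sample lines below are
constructed in the shape of the logs posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the first (infected) log in the thread.
INFECTED_LOG = r"""
O2 - BHO: (no name) - {2F7F521D-D735-40FE-A599-6DB02DEA40C0} - (no file)
O2 - BHO: (no name) - {3A629E5A-24D2-4425-B087-BE0C59B1FAB9} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [BM87540d81] Rundll32.exe "E:\WINDOWS\system32\vsrwdjxf.dll",s
O4 - HKLM\..\Run: [31415989] rundll32.exe "E:\WINDOWS\system32\navlklax.dll",b
O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\Programs\a-squared Free\a2service.exe (file missing)
"""

# Constructed sample in the shape of the "fresh log" posted after the fix.
CLEAN_LOG = r"""
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programs\a-squared Free\a2service.exe
"""

SECTION_RE = re.compile(r'^([RFO]\d+) - ')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$')
# The DLL handed to rundll32, with or without quotes, up to the ",entrypoint" suffix.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.I)
# Heuristic assumed for this example: the Vundo DLLs in the thread are 8 lowercase letters.
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')


def parse_log(text):
    """Group HijackThis lines by their section tag (R1, O2, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            sections[m.group(1)].append(line)
    return sections


def orphan_bhos(sections):
    """CLSIDs of O2 entries still registered under Browser Helper Objects
    whose DLL is gone. They cannot load anything, but they are the registry
    residue the helper's fix list removes."""
    out = []
    for line in sections.get('O2', []):
        m = O2_RE.match(line)
        if m and m.group('path') == '(no file)':
            out.append(m.group('clsid'))
    return out


def suspect_run_entries(sections):
    """(Run value name, DLL basename) for O4 entries that load a random-named
    DLL from system32 via rundll32. Legitimate rundll32 autostarts such as
    NvCpl.dll have recognisable names and fail the random-name check."""
    out = []
    for line in sections.get('O4', []):
        m = O4_RE.match(line)
        if not m:
            continue
        dm = RUNDLL_RE.search(m.group('cmd'))
        if not dm:
            continue
        dll = dm.group('dll')
        base = dll.rsplit('\\', 1)[-1]
        if 'system32' in dll.lower() and RANDOM_DLL_RE.match(base):
            out.append((m.group('key'), base))
    return out


def missing_services(sections):
    """Names of O23 services whose binary HijackThis could not find."""
    out = []
    for line in sections.get('O23', []):
        m = O23_RE.match(line)
        if m and m.group('path').endswith('(file missing)'):
            out.append(m.group('name'))
    return out


def fix_list(text):
    """The three lists a helper would ask the user to 'fix checked'."""
    s = parse_log(text)
    return {
        'orphan_bhos': orphan_bhos(s),
        'suspect_run': suspect_run_entries(s),
        'missing_services': missing_services(s),
    }


def still_present(fix, fresh_text):
    """After 'fix checked' and a reboot, which flagged items survive in the
    fresh log? Anything left means the loader re-created its Run value."""
    fresh = fix_list(fresh_text)
    return {
        'orphan_bhos': sorted(set(fix['orphan_bhos']) & set(fresh['orphan_bhos'])),
        'suspect_run': sorted(set(fix['suspect_run']) & set(fresh['suspect_run'])),
    }


if __name__ == '__main__':
    before = fix_list(INFECTED_LOG)
    print('fix list:', before)
    print('left after fix:', still_present(before, CLEAN_LOG))
```

The O2 orphans are inert on their own; the entries that matter are the two rundll32 Run values, because a Vundo DLL that is still loadable re-registers its BHO and Run value on the next boot. That is why the procedure asks for a fresh log after the reboot rather than trusting the "fix checked" result, and `still_present` is that check in code.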

saminoregon
2008-06-11, 05:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:11 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Trend Micro\HijackThis\saminoregon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\Programs\a-squared Free\a2service.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: UPnPService - Magix AG - E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 3234 bytes

Shaba
2008-06-11, 16:34
Hi

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply along with a fresh HijackThis log.

saminoregon
2008-06-12, 06:44
Malwarebytes' Anti-Malware 1.17
Database version: 849

8:40:31 PM 6/11/2008
mbam-log-6-11-2008 (20-40-31).txt

Scan type: Full Scan (E:\|)
Objects scanned: 74658
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{f9fa603d-697c-4900-a950-e54f08324a24} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nmwegbsf.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:27 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
F:\Programs\a-squared Free\a2service.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Programs\Malwarebytes' Anti-Malware\mbam.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Trend Micro\HijackThis\saminoregon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Run Google Web Accelerator.lnk = E:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7C635EC-1279-4A51-BAFD-8BFB078615F9}: NameServer = 66.178.167.3 66.178.152.10
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programs\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: UPnPService - Magix AG - E:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 3750 bytes

Shaba
2008-06-12, 16:31
Hi

That looks good :)

Any issues left?

Shaba
2008-06-17, 16:43
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.