
Help, Virus? RUNDLL32.exe?



ninja.jack15
2008-06-07, 08:57
Hi,
In the last few days, I have been getting the "RUNDLL32.exe - APPLICATION ERROR: The application failed to initialize properly (0xc0000005). Click on OK to terminate the application" error when trying to open the Windows Security Alerts menu, My Computer properties, Add/Remove Programs, etc.

Also, I have been getting the "Userinit - Application Error" at startup, and none of my icons or the taskbar / start menu show up.
This means I have to open Task Manager and run the "Explorer.exe" process myself.

I have tried to use the RegCure program, but it gives me the Blue Screen of Death half way through, saying "Windows encountered a problem and has shut down to prevent any damage" or something along those lines.


Here's the Hijack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:21 PM, on 7/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sysmtor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 216.55.133.9 handybackup.com www.handybackup.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {c83bf8bf-c9ec-4fc1-9c29-e03c804c22ac} - C:\WINDOWS\system32\fccbYspP.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer TV-FM\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\ggikntda.dll",s
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Handy Backup] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Eroca] C:\Program Files\Eroca\Eroca.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\JAZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--094a7b6d-7416-40a4-b9e7-9ffe610a30f7/online/heavy_weapon/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D60F2.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: sysmtor - BioNet Systems, LLC - C:\WINDOWS\system32\sysmtor.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 1: (no name) - http://www.myspace.com/

--
End of file - 11872 bytes





Help would be appreciated heaps.
Thanks In Advance,
Jack. :wink:
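As an added example (not code from this thread, from HijackThis or from ComboFix), the script below applies to HijackThis lines the checks a helper makes by eye on a log like the one above: orphaned entries marked "(file missing)" or "(no file)", Winsock LSP files HijackThis could not attribute, a populated AppInit_DLLs value, Rundll32 autoruns that load a DLL by explicit path from system32, and random-looking eight-letter filenames in system32. The sample lines are copied from the log above plus the benign SiSPower entry for contrast; the eight-letter rule is a heuristic of my own and will produce false positives on legitimate files.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted above, plus the
# benign SiSPower Rundll32 entry for contrast. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {c83bf8bf-c9ec-4fc1-9c29-e03c804c22ac} - C:\WINDOWS\system32\fccbYspP.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\ggikntda.dll",s
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D60F2.dat
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

# First drive-letter path on the line ending in an executable-ish extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll|dat|sys)\b', re.IGNORECASE)
# Rundll32 followed by an explicit drive path rather than a bare DLL name.
RUNDLL32_PATH_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[a-z]:\\', re.IGNORECASE)
# Heuristic (my own, not a HijackThis rule): an eight-letter purely alphabetic
# stem is the shape of the generated names in this thread (ggikntda, fccbYspP).
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def first_path(line: str) -> Optional[str]:
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def is_in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(path: str) -> bool:
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return RANDOM_STEM_RE.match(stem) is not None


def triage_line(raw: str) -> List[Finding]:
    line = raw.strip()
    if not line:
        return []
    section = line.split(" ", 1)[0]
    path = first_path(line)
    out: List[Finding] = []

    def flag(reason: str) -> None:
        out.append(Finding(section, reason, line))

    if "(file missing)" in line or "(no file)" in line:
        flag("orphaned entry: the referenced file no longer exists")
    if section == "O10":
        flag("Winsock LSP entry that HijackThis could not attribute to a known file")
    if section == "O20" and "AppInit_DLLs:" in line and path:
        flag("AppInit_DLLs is set: this file is loaded into every process that loads user32.dll")
        if path.lower().endswith(".dat"):
            flag("AppInit_DLLs value does not have a .dll extension")
    if path and is_in_system32(path) and looks_random(path):
        flag("random-looking eight-letter filename in system32 (heuristic)")
    if section == "O4" and path and is_in_system32(path) and RUNDLL32_PATH_RE.search(line):
        flag("Rundll32 autorun loading a DLL by explicit path from system32")
    return out


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample, the Adobe BHO, Windows Defender, SiSPower and Trend Micro lines pass clean, while the four entries a helper would ask about are each flagged with the reason.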

Shaba
2008-06-08, 12:12
Hi ninja.jack15

First we need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

ninja.jack15
2008-06-08, 16:13
Thanks for the reply, it seems to be working better now.
During the ComboFix run, this "swreg.cfexe - Application error" kept popping up, but I'm not sure that's a problem.
I can now get into My Computer properties etc.

Also did not get the "Userinit" error message at reboot.




HIJACKTHIS LOG:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12, on 2008-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sysmtor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\Acer TV-FM\PCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {c83bf8bf-c9ec-4fc1-9c29-e03c804c22ac} - C:\WINDOWS\system32\fccbYspP.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer TV-FM\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Handy Backup] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\JAZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--094a7b6d-7416-40a4-b9e7-9ffe610a30f7/online/heavy_weapon/popcaploader_v6.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: sysmtor - BioNet Systems, LLC - C:\WINDOWS\system32\sysmtor.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 1: (no name) - http://www.myspace.com/

--
End of file - 11765 bytes







COMBOFIX LOG:

ComboFix 08-06-07.3 - JAZ 2008-06-08 22:20:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.52 [GMT 10:00]
Running from: C:\Documents and Settings\JAZ\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Eroca
C:\Program Files\Eroca\Eroca.exe
C:\Program Files\Spcron
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Temporary
C:\WINDOWS\BM313e2b3d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\arylceks.ini
C:\WINDOWS\system32\bhutrtte.ini
C:\WINDOWS\system32\byXNfFwu.dll
C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\eaugubqa.ini
C:\WINDOWS\system32\fccCTnmj.dll
C:\WINDOWS\system32\fojrfvcd.ini
C:\WINDOWS\system32\gvcjcuet.ini
C:\WINDOWS\system32\iarqriuy.ini
C:\WINDOWS\system32\jxxwksri.dll
C:\WINDOWS\system32\lpyoluca.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nxdlcdnc.ini
C:\WINDOWS\system32\ohxbjvnp.ini
C:\WINDOWS\system32\oojfntoo.ini
C:\WINDOWS\system32\pljelsfc.dll
C:\WINDOWS\system32\PpsYbccf.ini
C:\WINDOWS\system32\PpsYbccf.ini2
C:\WINDOWS\system32\rayvkcgn.ini
C:\WINDOWS\system32\sfwbbrcb.dll
C:\WINDOWS\system32\sispjcpg.ini
C:\WINDOWS\system32\tjjelsbm.ini
C:\WINDOWS\system32\uevtglqo.dll
C:\WINDOWS\system32\urqQkkLE.dll
C:\WINDOWS\system32\usbcfvpq.ini
C:\WINDOWS\system32\vtUmmLEt.dll
C:\WINDOWS\system32\yjinsjfs.dll
C:\WINDOWS\system32\gsbgqpwwfw.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gsbgqpwwfw


((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-08 12:36 . 2008-06-08 22:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-08 12:36 . 2008-06-08 12:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-07 12:59 . 2008-06-07 12:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-07 12:59 . 2008-06-07 13:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 12:55 . 2008-06-07 12:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 12:43 . 2008-06-07 12:43 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-07 12:43 . 2008-06-07 12:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-06 22:19 . 2008-06-06 22:19 5,727 --a------ C:\WINDOWS\system32\yiaoephw.exe
2008-06-06 22:13 . 2008-06-06 22:13 5,769 --a------ C:\WINDOWS\system32\exgujktw.dll
2008-06-06 22:07 . 2008-06-06 22:07 5,727 --a------ C:\WINDOWS\system32\cmtcifyc.dll
2008-06-06 22:01 . 2008-06-06 22:01 5,763 --a------ C:\WINDOWS\system32\ijcrcrxm.dll
2008-06-06 21:09 . 2008-06-06 21:09 82 --a------ C:\WINDOWS\mafosav.INI
2008-06-06 21:07 . 2008-06-06 21:07 <DIR> d----c--- C:\Buziol Games
2008-06-05 22:17 . 2008-06-05 22:17 5,727 --a------ C:\WINDOWS\system32\qacpynfs.exe
2008-06-05 22:14 . 2008-06-05 22:14 5,769 --a------ C:\WINDOWS\system32\qsbdecxv.dll
2008-06-05 22:02 . 2008-06-05 22:02 5,727 --a------ C:\WINDOWS\system32\cidumagn.dll
2008-06-05 22:00 . 2008-06-05 22:00 5,763 --a------ C:\WINDOWS\system32\wqtrweoc.dll
2008-06-04 18:52 . 2008-06-04 18:52 5,727 --a------ C:\WINDOWS\system32\poviyuvv.dll
2008-06-04 18:40 . 2008-06-04 18:40 5,729 --a------ C:\WINDOWS\system32\xejckqti.exe
2008-06-04 18:34 . 2008-06-04 18:34 5,763 --a------ C:\WINDOWS\system32\qtfhneqq.dll
2008-06-04 17:49 . 2008-06-04 17:49 5,727 --a------ C:\WINDOWS\system32\xppoxkjo.dll
2008-06-04 17:40 . 2008-06-04 17:40 5,727 --a------ C:\WINDOWS\system32\juhxhytf.exe
2008-06-04 17:34 . 2008-06-04 17:34 5,763 --a------ C:\WINDOWS\system32\hocplbux.dll
2008-06-04 16:20 . 2008-06-04 16:20 <DIR> d-------- C:\Program Files\RegCure
2008-06-03 20:47 . 2008-06-06 22:08 400 --a------ C:\WINDOWS\wininit.ini
2008-06-03 17:45 . 2008-06-03 17:45 51,200 --a------ C:\WINDOWS\system32\__c00D60F2.dat
2008-06-03 17:39 . 2008-06-03 17:39 5,729 --a------ C:\WINDOWS\system32\mfidodrq.exe
2008-06-03 09:59 . 2008-06-03 09:59 5,727 --a------ C:\WINDOWS\system32\xrjfasyk.dll
2008-06-03 09:51 . 2008-06-03 09:51 5,729 --a------ C:\WINDOWS\system32\fdklvxoi.exe
2008-06-01 15:13 . 2007-10-10 16:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-06-01 15:13 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-01 15:13 . 2007-11-02 14:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-06-01 15:13 . 2007-11-02 14:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-06-01 13:57 . 2008-06-01 13:57 5,727 --a------ C:\WINDOWS\system32\vkmookjx.exe
2008-06-01 13:48 . 2008-06-01 13:48 5,727 --a------ C:\WINDOWS\system32\abnsgwgb.dll
2008-05-30 20:15 . 2008-05-30 20:15 5,727 --a------ C:\WINDOWS\system32\fiqyoifa.dll
2008-05-30 20:12 . 2008-05-30 20:12 5,727 --a------ C:\WINDOWS\system32\degnatuj.exe
2008-05-30 20:03 . 2008-05-30 20:03 5,763 --a------ C:\WINDOWS\system32\swsldtow.dll
2008-05-29 20:08 . 2008-05-29 20:10 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-05-28 21:02 . 2008-05-28 18:02 74,240 --------- C:\WINDOWS\b156.exe_old
2008-05-28 18:53 . 2008-06-01 18:22 <DIR> d-------- C:\WINDOWS\Bigfish Games - Cooking Academy
2008-05-28 16:28 . 2008-05-28 16:28 5,727 --a------ C:\WINDOWS\system32\lqteynpn.dll
2008-05-27 16:24 . 2008-05-27 16:24 5,727 --a------ C:\WINDOWS\system32\agwsynwd.exe
2008-05-27 16:12 . 2008-05-27 16:12 5,727 --a------ C:\WINDOWS\system32\garvkbjs.dll
2008-05-26 16:21 . 2008-05-26 16:21 5,727 --a------ C:\WINDOWS\system32\saafffbc.dll
2008-05-26 16:10 . 2008-05-26 16:10 5,727 --a------ C:\WINDOWS\system32\axoxmcwd.exe
2008-05-26 16:08 . 2008-05-26 16:08 5,763 --a------ C:\WINDOWS\system32\nmgsqecr.dll
2008-05-25 15:59 . 2008-05-25 15:59 5,727 --a------ C:\WINDOWS\system32\ovthtvsk.exe
2008-05-25 15:53 . 2008-05-25 15:53 5,727 --a------ C:\WINDOWS\system32\ssoiisrq.dll
2008-05-25 15:50 . 2008-05-25 15:50 5,763 --a------ C:\WINDOWS\system32\gnrglnaj.dll
2008-05-25 15:01 . 2008-04-09 10:37 93,268 --a------ C:\WINDOWS\VGAsetup.ini
2008-05-25 15:00 . 2008-05-25 15:00 <DIR> d-------- C:\WINDOWS\SIS
2008-05-25 15:00 . 2006-03-22 21:53 337,320 --a------ C:\WINDOWS\difxapi.dll
2008-05-25 15:00 . 2008-03-20 18:57 262,144 --a------ C:\WINDOWS\system32\sistray.exe
2008-05-25 15:00 . 2006-04-12 19:35 208,896 --a------ C:\WINDOWS\Progress.exe
2008-05-25 15:00 . 2008-03-20 18:55 135,168 --a------ C:\WINDOWS\system32\SiSApCom.dll
2008-05-25 15:00 . 2008-03-20 18:57 110,592 --a------ C:\WINDOWS\system32\TVMode.dll
2008-05-25 15:00 . 2008-03-20 18:58 65,536 --a------ C:\WINDOWS\system32\SiSHook.dll
2008-05-25 14:58 . 2008-05-25 15:01 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.84
2008-05-25 14:57 . 2008-05-25 16:08 79,872 --a------ C:\WINDOWS\system32\VGAunistlog.ini
2008-05-25 14:56 . 2008-03-20 18:56 258,048 --a------ C:\WINDOWS\system32\SiSParse.dll
2008-05-25 14:56 . 2008-03-20 18:55 49,152 --a------ C:\WINDOWS\system32\SiSBase.dll
2008-05-25 14:56 . 2008-03-20 18:57 9,728 --a------ C:\WINDOWS\system32\SiSPIns2.dll
2008-05-24 17:48 . 2006-10-20 09:16 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-05-24 17:48 . 2008-05-24 17:48 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-05-24 16:07 . 2008-05-24 16:07 5,727 --a------ C:\WINDOWS\system32\kbouidyf.exe
2008-05-24 15:59 . 2008-05-24 15:59 5,727 --a------ C:\WINDOWS\system32\glgkssmy.dll
2008-05-24 15:48 . 2008-05-24 15:48 5,763 --a------ C:\WINDOWS\system32\blhubkli.dll
2008-05-23 15:54 . 2008-05-23 15:54 5,727 --a------ C:\WINDOWS\system32\xqgivaci.dll
2008-05-22 20:04 . 2008-05-22 20:04 370,688 --a------ C:\WINDOWS\system32\fccbYspP.dll_old
2008-05-21 20:32 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-05-21 16:16 . 2008-05-24 17:07 45 --a--c--- C:\TEST.XML
2008-05-20 20:54 . 2008-05-20 20:54 152,792 --a--c--- C:\nnjamld.exe
2008-05-20 20:48 . 2008-05-20 20:48 61 --a--c--- C:\1.bat
2008-05-20 20:48 . 2008-05-20 20:54 2 --a--c--- C:\839718926
2008-05-20 20:47 . 2008-06-08 22:34 65,458 --a------ C:\WINDOWS\system32\gsbgqpwwfw.sys
2008-05-20 16:36 . 2008-05-20 16:37 <DIR> d-------- C:\Program Files\Safari
2008-05-19 20:28 . 2008-05-19 20:28 <DIR> d-------- C:\Program Files\Viewpoint
2008-05-19 20:28 . 2008-06-01 18:20 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-05-19 20:28 . 2008-05-19 20:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-19 20:28 . 2008-05-19 20:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-19 20:28 . 2008-05-19 20:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AOL
2008-05-19 20:27 . 2008-05-19 20:29 365 --ah-c--- C:\IPH.PH
2008-05-18 20:49 . 2008-05-18 20:49 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-05-18 19:59 . 2008-04-11 16:07 212 -rahsc--- C:\BOOT.BKK
2008-05-18 19:49 . 2008-05-18 19:49 <DIR> d-------- C:\Program Files\TGTSoft
2008-05-18 18:23 . 2008-05-18 18:23 <DIR> d-------- C:\Program Files\Stardock
2008-05-18 18:23 . 2008-05-18 18:23 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-05-18 18:18 . 2008-05-29 20:35 <DIR> d-------- C:\Program Files\IconPhile
2008-05-18 18:04 . 2008-05-18 18:04 22 --a------ C:\WINDOWS\system32\ms_xml_2.pic
2008-05-18 17:45 . 2008-05-18 17:46 <DIR> d-------- C:\WINDOWS\Super Mario .etc
2008-05-18 17:03 . 2008-05-18 17:03 <DIR> d-------- C:\Program Files\Devious Codeworks
2008-05-18 16:50 . 2008-05-18 17:03 <DIR> d-------- C:\Program Files\Easy Graphic Converter
2008-05-17 22:32 . 2007-03-12 17:49 7,277,568 --a------ C:\WINDOWS\system32\iPodmedia.dll
2008-05-17 19:07 . 2008-05-17 19:07 <DIR> d-------- C:\Program Files\Smallvideosoft
2008-05-17 19:07 . 2004-05-26 20:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-05-17 19:07 . 2006-12-31 10:16 313,344 --a------ C:\WINDOWS\system32\avisynth.dll
2008-05-17 18:41 . 2008-05-17 18:41 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-10 09:22 . 2008-05-10 09:25 <DIR> d-------- C:\Program Files\Windows Live
2008-05-09 21:04 . 2008-05-09 22:27 <DIR> d-------- C:\Program Files\Tansee iPod Transfer Photo
2008-05-09 18:57 . 2001-08-17 14:05 48,000 --a------ C:\WINDOWS\system32\drivers\OVCam2.sys
2008-05-09 18:57 . 2001-08-17 14:05 48,000 --a------ C:\WINDOWS\system32\dllcache\ovcam2.sys
2008-05-09 14:37 . 2008-06-08 22:30 926,809 --a------ C:\WINDOWS\system32\mscache.sys
2008-05-08 20:22 . 2008-04-15 03:32 469,888 --a------ C:\WINDOWS\system32\drivers\srv2k.sys
2008-05-08 20:22 . 2008-04-02 03:50 20,480 --a------ C:\WINDOWS\system32\drivers\srex.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 02:40 --------- d-----w C:\Documents and Settings\JAZ\Application Data\LimeWire
2008-06-07 05:45 --------- d-----w C:\Program Files\Trend Micro
2008-06-06 06:07 --------- d-----w C:\Documents and Settings\JAZ\Application Data\uTorrent
2008-06-04 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-03 09:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-01 05:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-06-01 05:04 --------- d-----w C:\Program Files\LiveUpdate
2008-05-28 08:03 --------- d-----w C:\Program Files\MSECACHE
2008-05-25 05:01 --------- d-----w C:\Program Files\sisagp
2008-05-25 05:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 10:52 --------- d-----w C:\Program Files\Trillian
2008-05-20 06:36 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-09 12:25 --------- d-----w C:\Program Files\PopCap Games
2008-05-08 10:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-07 03:48 59,392 ------w C:\WINDOWS\version.exe
2008-05-06 18:48 --------- d-----w C:\Program Files\uTorrent
2008-05-05 05:58 --------- d-----w C:\Program Files\uTorrent Speed Booster
2008-05-05 04:54 --------- d-----w C:\Documents and Settings\JAZ\Application Data\Mp3tag
2008-05-05 04:50 --------- d-----w C:\Program Files\Mp3tag
2008-05-03 10:00 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-05-03 08:47 --------- d-----w C:\Documents and Settings\JAZ\Application Data\fretsonfire
2008-05-02 06:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 06:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 06:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 06:19 --------- d-----w C:\Program Files\Zuma Deluxe
2008-04-24 06:36 --------- d-----w C:\Documents and Settings\JAZ\Application Data\dvdcss
2008-04-20 15:33 4,448,256 ----a-w C:\WINDOWS\system32\findsvr.exe
2008-04-19 01:27 --------- d-----w C:\Program Files\Motorola
2008-04-13 01:41 --------- d-----w C:\Documents and Settings\JAZ\Application Data\DeepBurner
2008-04-13 01:31 --------- d-----w C:\Documents and Settings\JAZ\Application Data\Novosoft
2008-04-12 09:48 --------- d-----w C:\Program Files\Xilisoft
2008-04-12 05:07 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 09:21 1,571,001 ----a-w C:\WINDOWS\system32\sisgl.dll
2008-03-20 09:05 3,467,264 ----a-w C:\WINDOWS\system32\sisgrv.dll
2008-03-20 09:00 323,072 ----a-w C:\WINDOWS\system32\dllcache\sisgrp.sys
2008-03-20 08:58 53,248 ----a-w C:\WINDOWS\system32\SiSPower.dll
2008-03-20 08:56 172,032 ----a-w C:\WINDOWS\system32\SiSInst.dll
2008-03-20 08:56 12,288 ----a-w C:\WINDOWS\InstFunc.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2007-10-18 10:13 87,608 ----a-w C:\Documents and Settings\JAZ\Application Data\inst.exe
2007-10-18 10:13 47,360 ----a-w C:\Documents and Settings\JAZ\Application Data\pcouffin.sys
2007-04-21 02:36 6,144 -csha-w C:\Program Files\Thumbs.db
2005-09-09 09:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-09 09:55 4,588,454 ----a-w C:\Program Files\setup.exe
2005-09-09 09:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2005-09-09 09:55 35 ----a-w C:\Program Files\SCSSDist.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\JAZ\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-09 07:32:57 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2008-05-25 15:00:15 262144]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 06:36:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-08 12:33:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-08 12:30:34 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-04 20:52:45 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 22:31:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\strdat.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sysmtor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\Acer TV-FM\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-08 22:59:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-08 12:57:06

Pre-Run: 16,231,243,776 bytes free
Post-Run: 17,611,886,592 bytes free

307

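A triage script for listings like the "Files Created" section of the log above. This is an added example, not part of the original post and not ComboFix's own logic: it parses ComboFix's 2008-era "created . modified size attrs path" lines and scores each file on four patterns that stand out in that listing (an 8+ letter all-lowercase name, identical created/modified stamps, a drop straight into system32, and a cluster of different names with near-identical sizes). The `SYSTEM32` path, the 64-byte size band and the cluster size of 3 are this example's own assumptions, and the sample lines are copied from the log above with two vendor files left in for contrast; the score ranks candidates for a human to inspect and is not a malware verdict.

```python
"""Triage heuristics for ComboFix 'Files Created' lines (2008-era format).

Added example, not part of the original post or of ComboFix. The rules
below are this example's own assumptions about what a dropper's footprint
looks like in such a listing; they rank candidates for review only.
"""
import ntpath
import re
from collections import namedtuple

# Format: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+)) (?P<attrs>\S+) (?P<path>.+)$"
)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8,}$")   # no digits, no case mix, no separators
SYSTEM32 = r"c:\windows\system32"             # assumption: default XP install path
SIZE_BAND = 64        # assumption: one dropper family varies by a few bytes
CLUSTER_MIN = 3       # assumption: this many near-identical sizes is a cluster

Entry = namedtuple("Entry", "created modified size path")
Finding = namedtuple("Finding", "path score reasons")

# Constructed sample: lines copied from the log above, plus two vendor files
# (motodrv.sys, sistray.exe) that should score low.
SAMPLE_LOG = r"""
2008-06-03 17:39 . 2008-06-03 17:39 5,729 --a------ C:\WINDOWS\system32\mfidodrq.exe
2008-06-03 09:59 . 2008-06-03 09:59 5,727 --a------ C:\WINDOWS\system32\xrjfasyk.dll
2008-06-03 09:51 . 2008-06-03 09:51 5,729 --a------ C:\WINDOWS\system32\fdklvxoi.exe
2008-06-01 15:13 . 2007-10-10 16:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-05-30 20:03 . 2008-05-30 20:03 5,763 --a------ C:\WINDOWS\system32\swsldtow.dll
2008-05-25 15:00 . 2008-03-20 18:57 262,144 --a------ C:\WINDOWS\system32\sistray.exe
2008-05-20 20:47 . 2008-06-08 22:34 65,458 --a------ C:\WINDOWS\system32\gsbgqpwwfw.sys
"""


def parse_lines(text):
    """Return Entry objects for file lines; directories and noise are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dir"):
            continue
        size = int(m.group("size").replace(",", ""))
        entries.append(Entry(m.group("created"), m.group("modified"), size, m.group("path")))
    return entries


def score_entry(e, all_sizes):
    """Apply the four heuristics to one entry; return (score, reasons)."""
    reasons = []
    stem, ext = ntpath.splitext(ntpath.basename(e.path))
    if RANDOM_STEM_RE.match(stem) and ext.lower() in (".exe", ".dll", ".sys"):
        reasons.append("random-looking 8+ letter name")
    # Installers usually copy files that keep an older modified stamp;
    # a file written once at drop time has created == modified.
    if e.created == e.modified:
        reasons.append("created == modified (written once, at drop time)")
    if ntpath.dirname(e.path).lower() == SYSTEM32:
        reasons.append("dropped directly into system32")
    neighbours = sum(1 for s in all_sizes if abs(s - e.size) <= SIZE_BAND)
    if neighbours >= CLUSTER_MIN:
        reasons.append("size cluster: %d files within %d bytes" % (neighbours, SIZE_BAND))
    return len(reasons), reasons


def triage(text, threshold=2):
    """Score every file line; return Findings at or above threshold, highest first."""
    entries = parse_lines(text)
    all_sizes = [e.size for e in entries]
    findings = []
    for e in entries:
        score, reasons = score_entry(e, all_sizes)
        if score >= threshold:
            findings.append(Finding(e.path, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%d  %s\n      %s" % (f.score, f.path, "; ".join(f.reasons)))
```

Run it against a whole ComboFix log pasted into `SAMPLE_LOG` (or read from a file) and the four daily-dropped 5.7 KB files in system32 come out at the top, the driver deleted under "Drivers/Services" scores on name and location only, and the SiS and Motorola vendor files fall below the default threshold. Lower `threshold` to see everything with its reasons when you want to judge the heuristics themselves rather than trust them.
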
Shaba
2008-06-08, 17:24
Hi

Lots of stuff there but safe mode needs to be corrected first:

Download & run this tool > SafeBootRepair (http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe)
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.

ninja.jack15
2008-06-09, 04:10
Yeah, that seems to be a broken link. Do you have another link for the program?
Or could you email it to me?

cheers.:)

ninja.jack15
2008-06-09, 05:44
I think I fixed it another way: I downloaded a Registry Key (Safe Boot one), and now I can get into safe mode at startup successfully.
Do you still need a log?
Because I can't find the program.

Shaba
2008-06-09, 17:29
Hi

In that case, please re-run combofix :)

ninja.jack15
2008-06-10, 10:07
ComboFix 08-06-09.7 - JAZ 2008-06-10 16:42:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT 10:00]
Running from: C:\Documents and Settings\JAZ\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\JAZ\Application Data\inst.exe
C:\Documents and Settings\JAZ\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\JAZ\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\system32\__c00D60F2.dat
C:\WINDOWS\system32\gsbgqpwwfw.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gsbgqpwwfw


((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 22:22 . 2008-06-09 22:22 <DIR> d----c--- C:\Logs
2008-06-08 12:36 . 2008-06-10 16:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-08 12:36 . 2008-06-08 12:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-07 12:59 . 2008-06-07 12:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-07 12:59 . 2008-06-07 13:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 12:55 . 2008-06-07 12:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 12:43 . 2008-06-07 12:43 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-07 12:43 . 2008-06-07 12:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-06 22:19 . 2008-06-06 22:19 5,727 --a------ C:\WINDOWS\system32\yiaoephw.exe
2008-06-06 22:13 . 2008-06-06 22:13 5,769 --a------ C:\WINDOWS\system32\exgujktw.dll
2008-06-06 22:07 . 2008-06-06 22:07 5,727 --a------ C:\WINDOWS\system32\cmtcifyc.dll
2008-06-06 22:01 . 2008-06-06 22:01 5,763 --a------ C:\WINDOWS\system32\ijcrcrxm.dll
2008-06-06 21:09 . 2008-06-09 16:22 82 --a------ C:\WINDOWS\mafosav.INI
2008-06-06 21:07 . 2008-06-06 21:07 <DIR> d----c--- C:\Buziol Games
2008-06-05 22:17 . 2008-06-05 22:17 5,727 --a------ C:\WINDOWS\system32\qacpynfs.exe
2008-06-05 22:14 . 2008-06-05 22:14 5,769 --a------ C:\WINDOWS\system32\qsbdecxv.dll
2008-06-05 22:02 . 2008-06-05 22:02 5,727 --a------ C:\WINDOWS\system32\cidumagn.dll
2008-06-05 22:00 . 2008-06-05 22:00 5,763 --a------ C:\WINDOWS\system32\wqtrweoc.dll
2008-06-04 18:52 . 2008-06-04 18:52 5,727 --a------ C:\WINDOWS\system32\poviyuvv.dll
2008-06-04 18:40 . 2008-06-04 18:40 5,729 --a------ C:\WINDOWS\system32\xejckqti.exe
2008-06-04 18:34 . 2008-06-04 18:34 5,763 --a------ C:\WINDOWS\system32\qtfhneqq.dll
2008-06-04 17:49 . 2008-06-04 17:49 5,727 --a------ C:\WINDOWS\system32\xppoxkjo.dll
2008-06-04 17:40 . 2008-06-04 17:40 5,727 --a------ C:\WINDOWS\system32\juhxhytf.exe
2008-06-04 17:34 . 2008-06-04 17:34 5,763 --a------ C:\WINDOWS\system32\hocplbux.dll
2008-06-04 16:20 . 2008-06-04 16:20 <DIR> d-------- C:\Program Files\RegCure
2008-06-03 20:47 . 2008-06-06 22:08 400 --a------ C:\WINDOWS\wininit.ini
2008-06-03 17:39 . 2008-06-03 17:39 5,729 --a------ C:\WINDOWS\system32\mfidodrq.exe
2008-06-03 09:59 . 2008-06-03 09:59 5,727 --a------ C:\WINDOWS\system32\xrjfasyk.dll
2008-06-03 09:51 . 2008-06-03 09:51 5,729 --a------ C:\WINDOWS\system32\fdklvxoi.exe
2008-06-01 15:13 . 2007-10-10 16:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-06-01 15:13 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-01 15:13 . 2007-11-02 14:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-06-01 15:13 . 2007-11-02 14:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-06-01 13:57 . 2008-06-01 13:57 5,727 --a------ C:\WINDOWS\system32\vkmookjx.exe
2008-06-01 13:48 . 2008-06-01 13:48 5,727 --a------ C:\WINDOWS\system32\abnsgwgb.dll
2008-05-30 20:15 . 2008-05-30 20:15 5,727 --a------ C:\WINDOWS\system32\fiqyoifa.dll
2008-05-30 20:12 . 2008-05-30 20:12 5,727 --a------ C:\WINDOWS\system32\degnatuj.exe
2008-05-30 20:03 . 2008-05-30 20:03 5,763 --a------ C:\WINDOWS\system32\swsldtow.dll
2008-05-29 20:08 . 2008-05-29 20:10 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-05-28 21:02 . 2008-05-28 18:02 74,240 --------- C:\WINDOWS\b156.exe_old
2008-05-28 18:53 . 2008-06-01 18:22 <DIR> d-------- C:\WINDOWS\Bigfish Games - Cooking Academy
2008-05-28 16:28 . 2008-05-28 16:28 5,727 --a------ C:\WINDOWS\system32\lqteynpn.dll
2008-05-27 16:24 . 2008-05-27 16:24 5,727 --a------ C:\WINDOWS\system32\agwsynwd.exe
2008-05-27 16:12 . 2008-05-27 16:12 5,727 --a------ C:\WINDOWS\system32\garvkbjs.dll
2008-05-26 16:21 . 2008-05-26 16:21 5,727 --a------ C:\WINDOWS\system32\saafffbc.dll
2008-05-26 16:10 . 2008-05-26 16:10 5,727 --a------ C:\WINDOWS\system32\axoxmcwd.exe
2008-05-26 16:08 . 2008-05-26 16:08 5,763 --a------ C:\WINDOWS\system32\nmgsqecr.dll
2008-05-25 15:59 . 2008-05-25 15:59 5,727 --a------ C:\WINDOWS\system32\ovthtvsk.exe
2008-05-25 15:53 . 2008-05-25 15:53 5,727 --a------ C:\WINDOWS\system32\ssoiisrq.dll
2008-05-25 15:50 . 2008-05-25 15:50 5,763 --a------ C:\WINDOWS\system32\gnrglnaj.dll
2008-05-25 15:01 . 2008-04-09 10:37 93,268 --a------ C:\WINDOWS\VGAsetup.ini
2008-05-25 15:00 . 2008-05-25 15:00 <DIR> d-------- C:\WINDOWS\SIS
2008-05-25 15:00 . 2006-03-22 21:53 337,320 --a------ C:\WINDOWS\difxapi.dll
2008-05-25 15:00 . 2008-03-20 18:57 262,144 --a------ C:\WINDOWS\system32\sistray.exe
2008-05-25 15:00 . 2006-04-12 19:35 208,896 --a------ C:\WINDOWS\Progress.exe
2008-05-25 15:00 . 2008-03-20 18:55 135,168 --a------ C:\WINDOWS\system32\SiSApCom.dll
2008-05-25 15:00 . 2008-03-20 18:57 110,592 --a------ C:\WINDOWS\system32\TVMode.dll
2008-05-25 15:00 . 2008-03-20 18:58 65,536 --a------ C:\WINDOWS\system32\SiSHook.dll
2008-05-25 14:58 . 2008-05-25 15:01 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.84
2008-05-25 14:57 . 2008-05-25 16:08 79,872 --a------ C:\WINDOWS\system32\VGAunistlog.ini
2008-05-25 14:56 . 2008-03-20 18:56 258,048 --a------ C:\WINDOWS\system32\SiSParse.dll
2008-05-25 14:56 . 2008-03-20 18:55 49,152 --a------ C:\WINDOWS\system32\SiSBase.dll
2008-05-25 14:56 . 2008-03-20 18:57 9,728 --a------ C:\WINDOWS\system32\SiSPIns2.dll
2008-05-24 17:48 . 2006-10-20 09:16 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-05-24 17:48 . 2008-05-24 17:48 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-05-24 16:07 . 2008-05-24 16:07 5,727 --a------ C:\WINDOWS\system32\kbouidyf.exe
2008-05-24 15:59 . 2008-05-24 15:59 5,727 --a------ C:\WINDOWS\system32\glgkssmy.dll
2008-05-24 15:48 . 2008-05-24 15:48 5,763 --a------ C:\WINDOWS\system32\blhubkli.dll
2008-05-23 15:54 . 2008-05-23 15:54 5,727 --a------ C:\WINDOWS\system32\xqgivaci.dll
2008-05-22 20:04 . 2008-05-22 20:04 370,688 --a------ C:\WINDOWS\system32\fccbYspP.dll_old
2008-05-21 20:32 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-05-21 16:16 . 2008-05-24 17:07 45 --a--c--- C:\TEST.XML
2008-05-20 20:54 . 2008-05-20 20:54 152,792 --a--c--- C:\nnjamld.exe
2008-05-20 20:48 . 2008-05-20 20:48 61 --a--c--- C:\1.bat
2008-05-20 20:48 . 2008-05-20 20:54 2 --a--c--- C:\839718926
2008-05-20 16:36 . 2008-05-20 16:37 <DIR> d-------- C:\Program Files\Safari
2008-05-19 20:28 . 2008-05-19 20:28 <DIR> d-------- C:\Program Files\Viewpoint
2008-05-19 20:28 . 2008-06-01 18:20 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-05-19 20:28 . 2008-05-19 20:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-19 20:28 . 2008-05-19 20:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-19 20:28 . 2008-05-19 20:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AOL
2008-05-19 20:27 . 2008-05-19 20:29 365 --ah-c--- C:\IPH.PH
2008-05-18 20:49 . 2008-05-18 20:49 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-05-18 19:59 . 2008-04-11 16:07 212 -rahsc--- C:\BOOT.BKK
2008-05-18 19:49 . 2008-05-18 19:49 <DIR> d-------- C:\Program Files\TGTSoft
2008-05-18 18:23 . 2008-05-18 18:23 <DIR> d-------- C:\Program Files\Stardock
2008-05-18 18:23 . 2008-05-18 18:23 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-05-18 18:18 . 2008-05-29 20:35 <DIR> d-------- C:\Program Files\IconPhile
2008-05-18 18:04 . 2008-05-18 18:04 22 --a------ C:\WINDOWS\system32\ms_xml_2.pic
2008-05-18 17:45 . 2008-05-18 17:46 <DIR> d-------- C:\WINDOWS\Super Mario .etc
2008-05-18 17:03 . 2008-05-18 17:03 <DIR> d-------- C:\Program Files\Devious Codeworks
2008-05-18 16:50 . 2008-05-18 17:03 <DIR> d-------- C:\Program Files\Easy Graphic Converter
2008-05-17 22:32 . 2007-03-12 17:49 7,277,568 --a------ C:\WINDOWS\system32\iPodmedia.dll
2008-05-17 19:07 . 2008-05-17 19:07 <DIR> d-------- C:\Program Files\Smallvideosoft
2008-05-17 19:07 . 2004-05-26 20:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-05-17 19:07 . 2006-12-31 10:16 313,344 --a------ C:\WINDOWS\system32\avisynth.dll
2008-05-17 18:41 . 2008-05-17 18:41 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-10 09:22 . 2008-05-10 09:25 <DIR> d-------- C:\Program Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:49 1,282,312 ----a-w C:\WINDOWS\system32\mscache.sys
2008-06-10 06:10 --------- d-----w C:\Documents and Settings\JAZ\Application Data\LimeWire
2008-06-09 08:30 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-06-07 05:45 --------- d-----w C:\Program Files\Trend Micro
2008-06-06 06:07 --------- d-----w C:\Documents and Settings\JAZ\Application Data\uTorrent
2008-06-04 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-03 09:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-01 05:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-06-01 05:04 --------- d-----w C:\Program Files\LiveUpdate
2008-05-28 08:03 --------- d-----w C:\Program Files\MSECACHE
2008-05-25 05:01 --------- d-----w C:\Program Files\sisagp
2008-05-25 05:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 10:52 --------- d-----w C:\Program Files\Trillian
2008-05-20 06:36 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-09 12:27 --------- d-----w C:\Program Files\Tansee iPod Transfer Photo
2008-05-09 12:25 --------- d-----w C:\Program Files\PopCap Games
2008-05-08 10:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-07 03:48 59,392 ------w C:\WINDOWS\version.exe
2008-05-06 18:48 --------- d-----w C:\Program Files\uTorrent
2008-05-05 05:58 --------- d-----w C:\Program Files\uTorrent Speed Booster
2008-05-05 04:54 --------- d-----w C:\Documents and Settings\JAZ\Application Data\Mp3tag
2008-05-05 04:50 --------- d-----w C:\Program Files\Mp3tag
2008-05-03 10:00 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-05-03 08:47 --------- d-----w C:\Documents and Settings\JAZ\Application Data\fretsonfire
2008-05-02 06:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 06:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 06:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 06:19 --------- d-----w C:\Program Files\Zuma Deluxe
2008-04-24 06:36 --------- d-----w C:\Documents and Settings\JAZ\Application Data\dvdcss
2008-04-20 15:33 4,448,256 ----a-w C:\WINDOWS\system32\findsvr.exe
2008-04-19 01:27 --------- d-----w C:\Program Files\Motorola
2008-04-14 17:32 469,888 ----a-w C:\WINDOWS\system32\drivers\srv2k.sys
2008-04-13 01:41 --------- d-----w C:\Documents and Settings\JAZ\Application Data\DeepBurner
2008-04-13 01:31 --------- d-----w C:\Documents and Settings\JAZ\Application Data\Novosoft
2008-04-12 09:48 --------- d-----w C:\Program Files\Xilisoft
2008-04-12 05:07 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 09:21 1,571,001 ----a-w C:\WINDOWS\system32\sisgl.dll
2008-03-20 09:05 3,467,264 ----a-w C:\WINDOWS\system32\sisgrv.dll
2008-03-20 09:00 323,072 ----a-w C:\WINDOWS\system32\dllcache\sisgrp.sys
2008-03-20 08:58 53,248 ----a-w C:\WINDOWS\system32\SiSPower.dll
2008-03-20 08:56 172,032 ----a-w C:\WINDOWS\system32\SiSInst.dll
2008-03-20 08:56 12,288 ----a-w C:\WINDOWS\InstFunc.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2007-10-18 10:13 47,360 ----a-w C:\Documents and Settings\JAZ\Application Data\pcouffin.sys
2007-04-21 02:36 6,144 -csha-w C:\Program Files\Thumbs.db
2005-09-09 09:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-09 09:55 4,588,454 ----a-w C:\Program Files\setup.exe
2005-09-09 09:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2005-09-09 09:55 35 ----a-w C:\Program Files\SCSSDist.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\JAZ\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-09 07:32:57 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2008-05-25 15:00:15 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Acer TV-FM\\PowerCinema.exe"=
"C:\\Program Files\\Acer TV-FM\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard downloader 1
"6112:TCP"= 6112:TCP:Blizzard downloader 2

R0 srex;srex;C:\WINDOWS\system32\drivers\srex.sys [2008-04-02 03:50]
R1 srv2k;srv2k;C:\WINDOWS\system32\drivers\srv2k.sys [2008-04-15 03:32]
R2 sysmtor;sysmtor;C:\WINDOWS\system32\sysmtor.exe [2003-09-18 09:54]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-05 07:38]
R3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-14 07:46]
S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;C:\WINDOWS\system32\drivers\hcw88aud.sys [2006-01-31 09:05]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S3 dsreader;MaxDrive Driver (dsreader.sys);C:\WINDOWS\system32\Drivers\dsreader.sys [2001-01-02 23:53]
S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;C:\WINDOWS\system32\drivers\hcw88bda.sys [2006-01-31 09:05]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;C:\WINDOWS\system32\drivers\hcw88tse.sys [2006-01-31 09:06]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\WINDOWS\system32\drivers\hcw88tun.sys [2006-01-31 10:17]
S3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys [2006-01-31 09:04]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\WINDOWS\system32\drivers\HCW88BAR.sys [2006-01-31 09:04]
S3 LVHybrid;LVHybrid service;C:\WINDOWS\system32\DRIVERS\LVHybrid.sys [2006-05-16 12:04]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 14:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]
S3 rxp;rxp;C:\WINDOWS\system32\drivers\rxp.sys []
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-29 04:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfcdf564-ea7c-11dc-b932-001921078c8e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 03:18:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-10 06:52:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-10 07:00:08 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-04 20:52:45 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 16:50:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Fastfat]

--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TDTCP]

--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\strdat.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\Acer TV-FM\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-10 17:05:02 - machine was rebooted [JAZ]
ComboFix-quarantined-files.txt 2008-06-10 07:04:39
ComboFix2.txt 2008-06-08 13:00:15

Pre-Run: 17,567,571,968 bytes free
Post-Run: 17,495,453,696 bytes free

303 --- E O F --- 2008-06-09 02:15:54

Shaba
2008-06-10, 16:09
Hi

Have you installed Elite Keylogger?

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\yiaoephw.exe
C:\WINDOWS\system32\exgujktw.dll
C:\WINDOWS\system32\cmtcifyc.dll
C:\WINDOWS\system32\ijcrcrxm.dll
C:\WINDOWS\system32\qacpynfs.exe
C:\WINDOWS\system32\qsbdecxv.dll
C:\WINDOWS\system32\cidumagn.dll
C:\WINDOWS\system32\wqtrweoc.dll
C:\WINDOWS\system32\poviyuvv.dll
C:\WINDOWS\system32\xejckqti.exe
C:\WINDOWS\system32\qtfhneqq.dll
C:\WINDOWS\system32\xppoxkjo.dll
C:\WINDOWS\system32\juhxhytf.exe
C:\WINDOWS\system32\hocplbux.dll
C:\WINDOWS\system32\mfidodrq.exe
C:\WINDOWS\system32\xrjfasyk.dll
C:\WINDOWS\system32\fdklvxoi.exe
C:\WINDOWS\system32\vkmookjx.exe
C:\WINDOWS\system32\abnsgwgb.dll
C:\WINDOWS\system32\fiqyoifa.dll
C:\WINDOWS\system32\degnatuj.exe
C:\WINDOWS\system32\swsldtow.dll
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\b156.exe_old
C:\WINDOWS\system32\lqteynpn.dll
C:\WINDOWS\system32\agwsynwd.exe
C:\WINDOWS\system32\garvkbjs.dll
C:\WINDOWS\system32\saafffbc.dll
C:\WINDOWS\system32\axoxmcwd.exe
C:\WINDOWS\system32\nmgsqecr.dll
C:\WINDOWS\system32\ovthtvsk.exe
C:\WINDOWS\system32\ssoiisrq.dll
C:\WINDOWS\system32\gnrglnaj.dll
C:\WINDOWS\system32\kbouidyf.exe
C:\WINDOWS\system32\glgkssmy.dll
C:\WINDOWS\system32\blhubkli.dll
C:\WINDOWS\system32\xqgivaci.dll
C:\WINDOWS\system32\fccbYspP.dll_old
C:\TEST.XML
C:\nnjamld.exe
C:\1.bat
C:\839718926
C:\WINDOWS\system32\mscache.sys
C:\WINDOWS\system32\drivers\srex.sys

Driver::
srex
rxp


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.

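As an added example (not part of this thread, and not ComboFix's or the helper's own code), the script below reads the parts of a ComboFix-style report that a helper looks at first: service and driver entries whose file carries no timestamp, AutoRun commands registered under MountPoints2, and DLLs listed under running processes. It then writes the File:: and Driver:: sections of a CFScript in the same layout as the one above. The report text is constructed from a few lines in the shape of the log posted earlier in the thread; the regular expressions, and the reading of an empty "[]" as a file ComboFix could not read, are the example's own assumptions. DLLs are listed for review only; whether a given one is malicious is a judgement the script does not make, which is why only the explicitly chosen items go into the generated CFScript.

```python
"""Triage helper for ComboFix-style reports (added example, not the thread's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    kind: str   # "driver-missing-file", "autorun-command" or "dll-in-process"
    name: str   # service name, drive letter, or host process
    path: str   # file path or command the finding refers to

# Constructed sample: a handful of lines in the shape of a ComboFix report.
SAMPLE_REPORT = r"""
S3 rxp;rxp;C:\WINDOWS\system32\drivers\rxp.sys []
S3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys [2006-01-31 09:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfcdf564-ea7c-11dc-b932-001921078c8e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\strdat.dll
"""

# Assumed line shapes (example's own patterns, not a ComboFix specification):
#   R2 name;description;path [YYYY-MM-DD HH:MM]   -- empty brackets: file not readable
#   \Shell\AutoRun\command - X:\program args      -- under a MountPoints2 key
#   PROCESS: <exe>  followed by  -> <dll> lines
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[(.*)\]\s*$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+([A-Za-z]):\\(.+)$")
PROCESS_RE = re.compile(r"^PROCESS:\s+(.+)$")
DLL_RE = re.compile(r"^->\s+(.+)$")

def parse_report(text: str) -> List[Finding]:
    """Walk the report once and collect the items a helper would want to review."""
    findings: List[Finding] = []
    current_process: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, path, stamp = m.groups()
            if not stamp:  # "[]": ComboFix recorded no file details for this service
                findings.append(Finding("driver-missing-file", name, path))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            drive, cmd = m.groups()
            findings.append(Finding("autorun-command", drive + ":", f"{drive}:\\{cmd}"))
            continue
        m = PROCESS_RE.match(line)
        if m:
            current_process = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current_process:
            # Listed for review only; the script makes no verdict on the DLL.
            findings.append(Finding("dll-in-process", current_process, m.group(1)))
    return findings

def build_cfscript(files: List[str], drivers: List[str]) -> str:
    """Emit File:: and Driver:: sections in the layout used by the CFScript above."""
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    if drivers:
        out += ["Driver::", *drivers, ""]
    return "\n".join(out)

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f.kind:22} {f.name:36} {f.path}")
    # Only the driver whose file could not be read is queued for removal;
    # the AutoRun entry and the DLL stay as review items for a human.
    missing = [f for f in found if f.kind == "driver-missing-file"]
    print(build_cfscript(files=[f.path for f in missing],
                         drivers=[f.name for f in missing]))
```

Run it as-is to see the three findings from the constructed sample and the resulting two-section CFScript; to use it on a real report, pass the saved ComboFix.txt contents to parse_report and hand-pick which findings to feed into build_cfscript.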
ninja.jack15
2008-06-11, 10:33
Yeah, I installed EK to check what my mum was doing on MY computer. She was always snooping around and, yeah, I decided to try that. The trial has expired now, so you can uninstall / get rid of it.

Shaba
2008-06-11, 16:36
Hi

Thanks for the info.

Please uninstall it, perform the action I instructed in my previous post, and post back the logs :)

Shaba
2008-06-16, 17:31
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.