View Full Version : Virtumonde!! AGAIN!!!!
niccorny
2008-09-03, 03:34
Team spybot please help I've been infected by Virtumonde trojan for the second time, this because of some rar file that my brother downloaded in the internet...i did the best i could...please help me and look in to my problem (again)...thanks and hope some1 will help me again! here's my HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:50 AM, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7BC6B793-BBAA-4EED-9E56-8CBFA6F5BB03} - C:\WINDOWS\system32\byXNgFwu.dll
O2 - BHO: (no name) - {C17419FC-3D5F-4E05-8E8B-A6531AE2632F} - C:\WINDOWS\system32\pmnlJDUk.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RAM Idle] D:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [dllcache32.exe] C:\Documents and Settings\All Users\Application Data\dllcache32.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: byXNgFwu - C:\WINDOWS\SYSTEM32\byXNgFwu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 8102 bytes
Have a nice day!
------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/forumdisplay.php?f=37)
Hi niccorny
1 - teatimer
Please disable Teatimer as it may interfere with the fix.
First: Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second: Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
2 - Scan With ComboFix
Please visit this webpage for download links, and instructions for running ComboFix -
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says -
The Recovery Console was successfully installed.
Please continue as follows -
Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
3 - uninstall list
Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
2. the uninstall list
3. a fresh HijackThis log
Thanks peku006
niccorny
2008-09-06, 15:34
Hello Peku006 appreciate your reply but I did some manual deletion and combination of tools and program to delete virtumonde! Thus, somehow I succeed, the detection in spybot of virtumonde disappeard and I think it was really gone. But just to make sure could you look on my fresh HJT and see if I am still infected with this trojan! thanks a bunch! ^_^
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:12 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4E74E985-6252-4630-854B-07DBE0D6472F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {C17419FC-3D5F-4E05-8E8B-A6531AE2632F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RAM Idle] D:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [dllcache32.exe] C:\Documents and Settings\All Users\Application Data\dllcache32.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wpnvjg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 7862 bytes
What do you think sir? Am I still infected?
Hi niccorny
What do you think sir? Am I still infected?
Yes,your computer is infected
Just follow my instructions in my previous post
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
Azureus
I'd like you to read the this thread. (http://forums.spybot.info/showthread.php?t=282)
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).NOW
Thanks peku006
niccorny
2008-09-08, 05:13
Hi Peku...sorry for the late reply got busy this weekends here's the combofix, uninstall and HJT logs:
1.) Combofix Log
ComboFix 08-09-05.05 - Dominic Caracter 2008-09-08 10:56:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.608 [GMT 8:00]
Running from: C:\Documents and Settings\Dominic Caracter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dominic Caracter\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMf77ed7f5.txt
C:\WINDOWS\BMf77ed7f5.xml
C:\WINDOWS\system32\byXNgFwu.dll
C:\WINDOWS\system32\kUDJlnmp.ini
C:\WINDOWS\system32\kUDJlnmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wpnvjg.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.
2008-09-06 05:47 . 2008-09-06 05:47 <DIR> d-------- C:\Documents and Settings\Dominic Caracter\Application Data\BearShare
2008-09-05 12:51 . 2006-05-01 12:15 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-09-05 10:14 . 2008-09-05 10:28 <DIR> d-------- C:\VundoFix Backups
2008-09-03 02:02 . 2008-09-04 23:26 719 --a------ C:\WINDOWS\wininit.ini
2008-08-30 15:42 . 2008-09-01 15:34 <DIR> d-------- C:\Documents and Settings\Dominic Caracter\Application Data\uTorrent
2008-08-09 22:00 . <DIR> C:\Documents and Settings\Dominic Caracter\Application Data\NeroDigitalT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 18:24 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\Azureus
2008-09-05 22:12 --------- d-----w C:\Program Files\BearShare
2008-09-04 12:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-31 09:45 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\DNA
2008-08-31 08:44 --------- d-----w C:\Program Files\DNA
2008-08-31 07:17 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\Skype
2008-08-31 03:48 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\skypePM
2008-08-21 07:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-18 02:18 --------- d-----w C:\Program Files\Just Sudoku PE
2008-08-09 14:00 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\NeroDigital™
2008-08-07 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 12:41 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\TransRender
2008-08-03 12:41 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\Temporary
2008-07-20 03:17 --------- d-----w C:\Program Files\Skype
2008-07-20 03:17 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-20 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 01:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-14 09:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-14 09:10 --------- d-----w C:\Program Files\Vimicro
2008-07-14 08:45 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-07-11 11:34 --------- d-----w C:\Program Files\LimeWire
2008-07-11 03:41 --------- d-----w C:\Program Files\Lavasoft
2008-07-11 03:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 15:27 --------- d-----w C:\Program Files\Chikka
2008-07-10 11:38 --------- d-----w C:\Program Files\Java
2008-07-10 11:38 --------- d-----w C:\Program Files\Common Files\Java
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock(3).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dnsapi(3).dll
.
------- Sigcheck -------
2007-08-07 03:41 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2007-08-07 03:41 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
2005-03-02 08:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 17:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 16:38 2027520 54a8b9806027049f8b19f1274a63c7b4 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-12 21:29 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 08:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 16:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 16:38 2027520 54a8b9806027049f8b19f1274a63c7b4 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 16:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-02-28 16:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe
2005-03-02 09:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 17:08 2147840 5fb20cabc9a81baaabbe63f30ffc5284 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-12 21:25 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 08:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 17:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 17:08 2147840 5fb20cabc9a81baaabbe63f30ffc5284 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 17:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-02-28 17:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\VITrans\ntoskrnl.exe
2007-06-13 18:23 1423360 e4368d08c22012b357bef3ba239ac667 C:\WINDOWS\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 18:23 1423360 e4368d08c22012b357bef3ba239ac667 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-12 21:19 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-11-19 163840]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-07 949376]
"RAM Idle"="D:\Program Files\Customizer XP\RAMIdle.exe" [2002-06-11 104448]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"VMSnap3"="C:\WINDOWS\VMSnap3.exe" [2006-08-30 49152]
"Domino"="C:\WINDOWS\Domino.exe" [2006-06-28 49152]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-01 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-09 113664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"D:\Rockman\rockman x4\ROCKMAN X4\RMX4.EXE"= RMX4.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wpnvjg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^trayit!.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\trayit!.exe
backup=C:\WINDOWS\pss\trayit!.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic Caracter^Start Menu^Programs^Startup^Shortcut to start.lnk]
path=C:\Documents and Settings\Dominic Caracter\Start Menu\Programs\Startup\Shortcut to start.lnk
backup=C:\WINDOWS\pss\Shortcut to start.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic Caracter^Start Menu^Programs^Startup^TrayIt!.lnk]
path=C:\Documents and Settings\Dominic Caracter\Start Menu\Programs\Startup\TrayIt!.lnk
backup=C:\WINDOWS\pss\TrayIt!.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
--a------ 2006-07-26 13:48 3305472 C:\Program Files\BearShare\BearShare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 15:54 21718312 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
--------- 2008-07-30 14:45 4891984 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-07-17 06:17 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\backups\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 vvftav303;vvftav303;C:\WINDOWS\system32\drivers\vvftav303.sys [2007-06-23 480128]
R3 ZSMC0303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys [2006-12-01 392122]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2006-05-16 13824]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;C:\DOCUME~1\DOMINI~1\LOCALS~1\Temp\TCCpuInfo.sys [ ]
S3 vmfilter303;vmfilter303;C:\WINDOWS\system32\drivers\vmfilter303.sys [2006-04-25 428160]
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys [ ]
S3 XDva030;XDva030;C:\WINDOWS\system32\XDva030.sys [ ]
S3 XDva031;XDva031;C:\WINDOWS\system32\XDva031.sys [ ]
S3 XDva033;XDva033;C:\WINDOWS\system32\XDva033.sys [ ]
S3 XDva035;XDva035;C:\WINDOWS\system32\XDva035.sys [ ]
S3 XDva052;XDva052;C:\WINDOWS\system32\XDva052.sys [ ]
S3 XDva098;XDva098;C:\WINDOWS\system32\XDva098.sys [ ]
S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de1ee350-9f80-11dc-b23e-00196627469c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e32272b0-5e81-11dc-b108-00196627469c}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{4E74E985-6252-4630-854B-07DBE0D6472F} - (no file)
BHO-{C17419FC-3D5F-4E05-8E8B-A6531AE2632F} - (no file)
HKLM-Run-BigDog303 - C:\WINDOWS\VM303_STI.EXE
HKLM-Explorer_Run-dllcache32.exe - C:\Documents and Settings\All Users\Application Data\dllcache32.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dominic Caracter\Application Data\Mozilla\Firefox\Profiles\5b652vnr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 10:59:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
.
**************************************************************************
.
Completion time: 2008-09-08 11:01:25 - machine was rebooted [Dominic Caracter]
ComboFix-quarantined-files.txt 2008-09-08 03:01:23
Pre-Run: 14,025,940,992 bytes free
Post-Run: 13,976,322,048 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
245 --- E O F --- 2008-08-15 00:11:09
2.) Uninstall list Log
A4 TECH PC Camera H
A4 TECH PC Camera H
Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0
Alarm 2.0.4
Azureus Vuze
BearShare
Chikka Messenger V4
CIA Test Prep
CoffeeRO V. 1.0
Devil May Cry 3 Special Edition
DietMP3 4.03.00
DriverAgent by TouchStone Software
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
ESC58_59 User's Guide
FLV Player 1.3.3
GG E-Sports Platform
Gleim's CIA Test Prep 4.2
Granado Espada
Guitar Pro 5.2
Hamachi 1.0.2.3
HangARoo v2.052
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
IsoBuster 2.4
Java(TM) 6 Update 7
Just Sudoku - Professional Edition 1.1
K-Lite Mega Codec Pack 3.5.3
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
myGlobe IM (3.0.48)
Nero 8
neroxml
NOD32 antivirus system
NOD32 FiX v2.1
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PC Connectivity Solution
Pcsx2 0.9.2 Watermoose
PIF DESIGNER
RagnarokOnline-Valkyrie
Rain
Realtek High Definition Audio Driver
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.8
Special Force
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
Super TextTwist
SWiSHmax
Total Video Converter 3.02
Treasures of Ancient Cavern
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB943729)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
VCRedistSetup
Vista Transformation Pack 8.0
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
3.) Fresh HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:29 AM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RAM Idle] D:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wpnvjg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 7168 bytes
Note: Sir i didnt uninstall Azureus I read the link about p2p i saw that Azureus is under the CLEAN category and for I've been using this torrent tool for quite some time. Uninstall Utorrent instead.
Good day :)
Hi niccorny
Before we continue.......
There are still signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
BearShare
Azureus
I'd like you to read the this thread. (http://forums.spybot.info/showthread.php?t=282)
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).NOW
We will withdraw our help should you not agree to their removal.
Do you know what this program is? NOD32 FiX v2.1
Note:
We do not support the use of illegal Pirated/Warez/Cracked software.
Thanks peku006
niccorny
2008-09-08, 13:55
Hays! alright alright! Removed Azureus and Bareshare!
Do you know what this program is? NOD32 FiX v2.1
I'm afraid not...why? does it have something to do with my antivirus?
Hi niccorny
NOD32 FiX v2.1 is NOD32 antivirus crack.....you should remove it immediately
there are decent free anti-virus programs you can use, such as Avast! or AVG Free.
1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.
Please post a new uninstall list
Thanks peku006
niccorny
2008-09-08, 18:58
T_T you mean I should remove NOD32 completely?? OK...read the policy that this forum impose to those who want to be helped...(that you dont support cracked programs). I've downloaded avira installed it. And after updating it suddenly it detects a trojan at c:\windows\system32\wowfx.dll. I kept on clicking delete, etc and it still comes back plus the beeping sounds really annoys and scares me! That why I stopped its process uninstalled it and try downloading AVG this time (I am downloading AVG as I write my reply)...I'll post my uninstall list if AVG doesnt interruptive as avira! sorry sir to kept you waiting T_T but I am willing to cooperate!
niccorny
2008-09-09, 03:21
Still the same happens on AVG...it still detect and prompt me! That a trojan found at C:\WINDOWS\system32\wowfx.dll but without the beeping sounds as AVIRA...I think I'll stick with avg! Can we now proceed?? Here a new uninstall list.
A4 TECH PC Camera H
A4 TECH PC Camera H
Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0
Alarm 2.0.4
altcompare
AVG Free 8.0
Chikka Messenger V4
CIA Test Prep
CoffeeRO V. 1.0
Devil May Cry 3 Special Edition
DietMP3 4.03.00
DriverAgent by TouchStone Software
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
ESC58_59 User's Guide
FLV Player 1.3.3
GG E-Sports Platform
Gleim's CIA Test Prep 4.2
Granado Espada
Guitar Pro 5.2
Hamachi 1.0.2.3
HangARoo v2.052
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
IsoBuster 2.4
Java(TM) 6 Update 7
Just Sudoku - Professional Edition 1.1
K-Lite Mega Codec Pack 3.5.3
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
myGlobe IM (3.0.48)
Nero 8
neroxml
NOD32 FiX v2.1
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PC Connectivity Solution
Pcsx2 0.9.2 Watermoose
PIF DESIGNER
RagnarokOnline-Valkyrie
Rain
Realtek High Definition Audio Driver
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.8
Special Force
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
Super TextTwist
SWiSHmax
Total Video Converter 3.02
Treasures of Ancient Cavern
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB943729)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
VCRedistSetup
Vista Transformation Pack 8.0
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
niccorny
2008-09-09, 03:24
I also uninstalled NOD32 fix V2.1 (after i noticed it is on the list) its gone now!
Hi niccorny
You’ve done a good job so far :2thumb:
1 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O20 - AppInit_DLLs: wpnvjg.dll
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
2 - Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
3 - OTScanIt
Download OTScanIt (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Open the OTScanIt folder and double-click on OTScanIt to start the program.
In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please post the resulting log here.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the Malwarebytes' Anti-Malware Log
2. the OtScanIt log
3. a fresh HijackThis log
description of any problems you are having with your PC
Thanks peku006
niccorny
2008-09-09, 10:25
Cut my replies in 3 parts...can't send in ONE! :cool:
Thanks Alot Peku006! :)
1.) HJT entries
Only found in HJT scan 020 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
This dll file was found infected by Avira and AVG. I cannot delete it manually even in safe mode...should I put check on this too??
2.) Mbam Log
Malwarebytes' Anti-Malware 1.27
Database version: 1131
Windows 5.1.2600 Service Pack 2
9/9/2008 4:02:02 PM
mbam-log-2008-09-09 (16-02-02).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 114413
Time elapsed: 42 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ofb1= (Trojan.Clicker) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\altcmd\uninstall.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurcredo.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurdns.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
niccorny
2008-09-09, 10:26
3.) OtScanit Log
OTScanIt logfile created on: 9/9/2008 4:06:51 PM
OTScanIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\Dominic Caracter\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.23 Mb Total Physical Memory | 569.28 Mb Available Physical Memory | 55.64% Memory free
2.40 Gb Paging File | 1.80 Gb Available in Paging File | 74.89% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 13.65 Gb Free Space | 36.64% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 15.74 Gb Free Space | 42.25% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: CARACTER-3D93FE
Current User Name: Dominic Caracter
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
[Processes - Non-Microsoft Only]
ramidle.exe -> D:\Program Files\Customizer XP\RAMIdle.exe -> [Ver = | Size = 104448 bytes | Modified Date = 6/11/2002 11:11:27 AM | Attr = ]
vmsnap3.exe -> %SystemRoot%\vmsnap3.exe -> ZSMCSNAP [Ver = 3, 6, 818, 7 | Size = 49152 bytes | Modified Date = 8/30/2006 10:58:38 AM | Attr = ]
domino.exe -> %SystemRoot%\Domino.exe -> Vimicro [Ver = 4, 2, 1124, 6 | Size = 49152 bytes | Modified Date = 6/28/2006 5:54:06 PM | Attr = ]
viorb.exe -> %ProgramFiles%\ViOrb\ViOrb.exe -> Lee-Soft.com [Ver = 1.00.0040 | Size = 163840 bytes | Modified Date = 11/19/2007 1:01:00 PM | Attr = ]
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 6, 2, 23 | Size = 1832272 bytes | Modified Date = 8/18/2008 6:41:00 PM | Attr = RHS]
apache.exe -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe -> Apache Software Foundation [Ver = 2.0.52 | Size = 20543 bytes | Modified Date = 4/4/2006 9:04:02 AM | Attr = ]
apache.exe -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe -> Apache Software Foundation [Ver = 2.0.52 | Size = 20543 bytes | Modified Date = 4/4/2006 9:04:02 AM | Attr = ]
ioctlsvc.exe -> %SystemRoot%\system32\IoctlSvc.exe -> Prolific Technology Inc. [Ver = 1, 6, 0, 0 | Size = 81920 bytes | Modified Date = 12/19/2006 9:30:26 AM | Attr = ]
chikkalauncher.exe -> %ProgramFiles%\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe -> [Ver = 1, 0, 0, 23 | Size = 36864 bytes | Modified Date = 4/11/2007 7:40:22 PM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.9.0.1 | Size = 307712 bytes | Modified Date = 7/3/2008 9:52:30 AM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(ForcewareWebInterface) Forceware Web Interface [Win32_Own | Auto | Running] -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe -> Apache Software Foundation [Ver = 2.0.52 | Size = 20543 bytes | Modified Date = 4/4/2006 9:04:02 AM | Attr = ]
(PLFlash DeviceIoControl Service) PLFlash DeviceIoControl Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\IoctlSvc.exe -> Prolific Technology Inc. [Ver = 1, 6, 0, 0 | Size = 81920 bytes | Modified Date = 12/19/2006 9:30:26 AM | Attr = ]
(ServiceLayer) ServiceLayer [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\PC Connectivity Solution\ServiceLayer.exe -> Nokia. [Ver = 6, 84, 83, 3 | Size = 300544 bytes | Modified Date = 6/15/2007 4:55:00 PM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
AVG8_TRAY -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> AVG Technologies CZ, s.r.o. [Ver = 8.0.0.145 | Size = 1235736 bytes | Modified Date = 9/9/2008 9:03:50 AM | Attr = ]
Domino -> %SystemRoot%\Domino.exe [C:\WINDOWS\Domino.exe] -> Vimicro [Ver = 4, 2, 1124, 6 | Size = 49152 bytes | Modified Date = 6/28/2006 5:54:06 PM | Attr = ]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 7700480 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 86016 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
nwiz -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [Ver = | Size = 1622016 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
RAM Idle -> D:\Program Files\Customizer XP\RAMIdle.exe [D:\Program Files\Customizer XP\RAMIdle.exe] -> [Ver = | Size = 104448 bytes | Modified Date = 6/11/2002 11:11:27 AM | Attr = ]
RTHDCPL -> %SystemRoot%\RTHDCPL.EXE [RTHDCPL.EXE] -> Realtek Semiconductor Corp. [Ver = 2.0.8.3 | Size = 16049664 bytes | Modified Date = 8/1/2006 7:10:18 PM | Attr = R ]
SkyTel -> %SystemRoot%\SkyTel.exe [SkyTel.EXE] -> Realtek Semiconductor Corp. [Ver = 1.0.0.0 | Size = 2879488 bytes | Modified Date = 5/16/2006 6:04:26 PM | Attr = R ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | Attr = ]
VMSnap3 -> %SystemRoot%\vmsnap3.exe [C:\WINDOWS\VMSnap3.exe] -> ZSMCSNAP [Ver = 3, 6, 818, 7 | Size = 49152 bytes | Modified Date = 8/30/2006 10:58:38 AM | Attr = ]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> Safer Networking Limited [Ver = 1, 6, 2, 23 | Size = 1832272 bytes | Modified Date = 8/18/2008 6:41:00 PM | Attr = RHS]
ViOrb -> %ProgramFiles%\ViOrb\ViOrb.exe [C:\Program Files\ViOrb\ViOrb.exe] -> Lee-Soft.com [Ver = 1.00.0040 | Size = 163840 bytes | Modified Date = 11/19/2007 1:01:00 PM | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/5/1999 6:06:48 AM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> -> File not found
< Dominic Caracter Startup Folder > -> C:\Documents and Settings\Dominic Caracter\Start Menu\Programs\Startup ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
C:\WINDOWS\system32\wowfx.dll -> %SystemRoot%\system32\wowfx.dll -> File not found
*MultiFile Done* -> ->
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Size = 1423360 bytes | Modified Date = 6/13/2007 6:23:08 PM | Attr = ]
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 8/12/2004 9:31:54 PM | Attr = ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
vistaui.exe -> %SystemRoot%\system32\vistaui.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6181376 bytes | Modified Date = 4/15/2007 1:30:58 AM | Attr = ]
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3241 (xpsp_sp2_qfe.071025-1245) | Size = 14581760 bytes | Modified Date = 10/26/2007 11:34:02 AM | Attr = ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\SYSdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 328704 bytes | Modified Date = 8/12/2004 9:30:28 PM | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoInstrumentation -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\\D:\Rockman\rockman x4\ROCKMAN X4\RMX4.EXE -> RMX4.EXE ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 8/12/2004 9:17:38 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
< Drives with AutoRun files > -> ->
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [Ver = | Size = 0 bytes | Modified Date = 8/7/2007 3:32:52 AM | Attr = ]
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.friendster.com/ ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://home.microsoft.com/access/autosearch.asp?p=%s[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 5, 30, 1 | Size = 808472 bytes | Modified Date = 5/31/2007 5:18:26 AM | Attr = ]
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4764 domain(s) found. ->
44 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7113 domain(s) found. ->
51 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 98 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [&Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2007, 5, 30, 1 | Size = 808472 bytes | Modified Date = 5/31/2007 5:18:26 AM | Attr = ]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> AVG Technologies CZ, s.r.o. [Ver = 8.0.0.152 | Size = 455960 bytes | Modified Date = 9/9/2008 9:03:50 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 7/30/2008 2:45:34 PM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 11/1/2006 4:33:52 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{D2F8F919-690B-4EA2-9FA7-A203D1E04F75} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Styler\TB\StylerTB.dll [StylerToolBar] -> StyleFantasist [Ver = 1, 1, 8, 0 | Size = 102400 bytes | Modified Date = 5/2/2006 4:31:26 AM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 5, 30, 1 | Size = 808472 bytes | Modified Date = 5/31/2007 5:18:26 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 5, 30, 1 | Size = 808472 bytes | Modified Date = 5/31/2007 5:18:26 AM | Attr = ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! Services] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 11/1/2006 4:33:52 AM | Attr = ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 7/30/2008 2:45:34 PM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr = ]
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 11/1/2006 4:33:52 AM | Attr = ]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&Search -> -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{19F6EDB7-AFB8-43AB-B030-194B595FE9B2} -> 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250 (NVIDIA nForce Networking Controller) ->
{2C272DC9-8FB5-46F3-AD84-F11E77F8378F} -> () ->
{4F9B8F8A-F23B-42F7-AB40-73500643B98E} -> () ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AVG\AVG8\avgpp.dll[XPLPPFilter Class] -> AVG Technologies CZ, s.r.o. [Ver = | Size = 79128 bytes | Modified Date = 9/9/2008 9:03:54 AM | Attr = ]
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 29, 0 | Size = 1942864 bytes | Modified Date = 5/30/2008 3:54:14 PM | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}[HKEY_LOCAL_MACHINE] -> C:\Program Files\Yahoo!\Common\Yinsthelper.dll[Installation Support] ->
{48884C41-EFAC-433D-958A-9FADAC41408E}[HKEY_LOCAL_MACHINE] -> https://www.e-games.com.ph/com/EGamesPlugin.cab[EGamesPlugin Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/EGamesPlugin.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/EGamesPlugin.dll\\.Owner -> {48884C41-EFAC-433D-958A-9FADAC41408E} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/EGamesPlugin.dll\\{48884C41-EFAC-433D-958A-9FADAC41408E} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\.Owner -> {D27CDB6E-AE6D-11CF-96B8-444553540000} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\{D27CDB6E-AE6D-11CF-96B8-444553540000} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/egames.ico\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/egames.ico\\.Owner -> {48884C41-EFAC-433D-958A-9FADAC41408E} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/egames.ico\\{48884C41-EFAC-433D-958A-9FADAC41408E} -> ->
[Files/Folders - Created Within 30 days]
$AVG8.VAULT$ -> %SystemDrive%\$AVG8.VAULT$ -> [Folder | Created Date = 9/9/2008 9:06:39 AM | Attr = H ]
Boot.bak -> %SystemDrive%\Boot.bak -> [Ver = | Size = 223 bytes | Created Date = 9/8/2008 10:56:30 AM | Attr = ]
cmdcons -> %SystemDrive%\cmdcons -> [Folder | Created Date = 9/8/2008 10:56:24 AM | Attr = ]
cmldr -> %SystemDrive%\cmldr -> [Ver = | Size = 260272 bytes | Created Date = 9/8/2008 10:56:28 AM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 9/7/2008 2:32:56 AM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Created Date = 9/8/2008 8:01:54 PM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 9/5/2008 10:14:29 AM | Attr = ]
Avg -> %SystemRoot%\System32\drivers\Avg -> [Folder | Created Date = 9/9/2008 9:03:55 AM | Attr = ]
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [Ver = | Size = 6061540 bytes | Created Date = 9/9/2008 9:03:55 AM | Attr = ]
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [Ver = | Size = 27030295 bytes | Created Date = 9/9/2008 9:03:55 AM | Attr = ]
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [Ver = | Size = 102370 bytes | Created Date = 9/9/2008 9:03:55 AM | Attr = ]
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [Ver = | Size = 211986 bytes | Created Date = 9/9/2008 9:03:55 AM | Attr = ]
actskn45.ocx -> %SystemRoot%\System32\actskn45.ocx -> SoftShape Development [Ver = 4, 50, 0, 0 | Size = 483328 bytes | Created Date = 9/5/2008 12:51:45 PM | Attr = ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1, 2, 0, 22 | Size = 89504 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
grep.exe -> %SystemRoot%\grep.exe -> [Ver = | Size = 80412 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
sed.exe -> %SystemRoot%\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
swreg.exe -> %SystemRoot%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
swsc.exe -> %SystemRoot%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 9/8/2008 10:55:46 AM | Attr = ]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/8/2008 10:55:46 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 9/8/2008 11:01:28 AM | Attr = ]
6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
VFind.exe -> %SystemRoot%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 982 bytes | Created Date = 9/3/2008 2:02:13 AM | Attr = ]
zip.exe -> %SystemRoot%\zip.exe -> [Ver = | Size = 68096 bytes | Created Date = 9/8/2008 10:55:47 AM | Attr = ]
[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 293 bytes | Modified Date = 9/8/2008 10:56:30 AM | Attr = RHS]
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [Ver = | Size = 6061540 bytes | Modified Date = 9/9/2008 9:03:55 AM | Attr = ]
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [Ver = | Size = 27030295 bytes | Modified Date = 9/9/2008 2:40:47 PM | Attr = ]
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [Ver = | Size = 102370 bytes | Modified Date = 9/9/2008 9:06:06 AM | Attr = ]
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [Ver = | Size = 211986 bytes | Modified Date = 9/9/2008 9:03:55 AM | Attr = ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [Ver = | Size = 27 bytes | Modified Date = 9/8/2008 10:59:08 AM | Attr = ]
hosts.20080814-212447.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080814-212447.backup -> [Ver = | Size = 257018 bytes | Modified Date = 8/11/2008 9:55:58 AM | Attr = R ]
hosts.20080818-174909.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080818-174909.backup -> [Ver = | Size = 258525 bytes | Modified Date = 8/14/2008 9:24:47 PM | Attr = R ]
hosts.20080821-153154.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080821-153154.backup -> [Ver = | Size = 258525 bytes | Modified Date = 8/18/2008 5:49:09 PM | Attr = R ]
hosts.20080822-110747.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080822-110747.backup -> [Ver = | Size = 260077 bytes | Modified Date = 8/21/2008 3:31:54 PM | Attr = R ]
hosts.20080827-121445.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080827-121445.backup -> [Ver = | Size = 260027 bytes | Modified Date = 8/22/2008 11:07:47 AM | Attr = R ]
5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
nvapps.xml -> %SystemRoot%\System32\nvapps.xml -> [Ver = | Size = 88556 bytes | Modified Date = 9/9/2008 9:48:14 AM | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 2278 bytes | Modified Date = 8/22/2008 9:06:39 AM | Attr = ]
6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 9/9/2008 9:48:10 AM | Attr = S]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 8/15/2008 8:11:02 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 9/7/2008 9:54:53 PM | Attr = ]
SCRABOUT.INI -> %SystemRoot%\SCRABOUT.INI -> [Ver = | Size = 515 bytes | Modified Date = 8/25/2008 8:29:49 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 246 bytes | Modified Date = 9/8/2008 10:59:12 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 1107 bytes | Modified Date = 8/31/2008 1:21:47 PM | Attr = ]
wincstmizxp.dat -> %SystemRoot%\wincstmizxp.dat -> [Ver = | Size = 14 bytes | Modified Date = 9/7/2008 2:25:43 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 982 bytes | Modified Date = 9/8/2008 11:00:30 PM | Attr = ]
Pareto UNS.job -> %SystemRoot%\tasks\Pareto UNS.job -> [Ver = | Size = 428 bytes | Modified Date = 8/26/2008 6:00:01 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 9/9/2008 9:48:17 AM | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help -> [Folder | Modified Date = 9/18/2007 6:15:38 AM | Attr = ]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [Ver = | Size = 1307 bytes | Modified Date = 9/18/2007 6:15:38 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [Folder | Modified Date = 8/7/2007 9:46:24 AM | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 4232 bytes | Modified Date = 8/15/2008 8:06:23 AM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4617 bytes | Modified Date = 8/15/2008 8:06:23 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA -> [Folder | Modified Date = 8/7/2007 4:15:29 AM | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [Ver = | Size = 8206 bytes | Modified Date = 8/7/2007 4:17:34 AM | Attr = ]
C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\ -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp -> [Folder | Modified Date = 9/9/2008 4:03:09 PM | Attr = ]
i4jdel0.exe -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\i4jdel0.exe -> [Ver = | Size = 4608 bytes | Modified Date = 9/8/2008 7:51:18 PM | Attr = ]
sfsrv.exe -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\sfsrv.exe -> [Ver = | Size = 0 bytes | Modified Date = 9/8/2008 10:41:48 PM | Attr = ]
33 C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\*.tmp ->
C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\ -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp -> [Folder | Modified Date = 9/9/2008 4:03:09 PM | Attr = ]
Perflib_Perfdata_704.dat -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\Perflib_Perfdata_704.dat -> [Ver = | Size = 16384 bytes | Modified Date = 9/9/2008 9:48:14 AM | Attr = ]
Perflib_Perfdata_9b8.dat -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\Perflib_Perfdata_9b8.dat -> [Ver = | Size = 16384 bytes | Modified Date = 9/9/2008 12:04:38 PM | Attr = ]
33 C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\*.tmp ->
C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\issB75.tmp\ -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\issB75.tmp\ -> [Folder | Modified Date = 9/8/2008 10:40:40 PM | Attr = ]
setup.ini -> C:\Documents and Settings\Dominic Caracter\Local Settings\Temp\issB75.tmp\setup.ini -> [Ver = | Size = 530 bytes | Modified Date = 9/8/2008 10:40:40 PM | Attr = ]
C:\WINDOWS\Temp\Cookies\ -> C:\WINDOWS\temp\Cookies -> [Folder | Modified Date = 9/9/2008 12:39:59 AM | Attr = HS]
index.dat -> C:\WINDOWS\temp\Cookies\index.dat -> [Ver = | Size = 32768 bytes | Modified Date = 9/9/2008 12:40:52 AM | Attr = HS]
C:\WINDOWS\Temp\History\History.IE5\ -> C:\WINDOWS\Temp\History\History.IE5\ -> [Folder | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
index.dat -> C:\WINDOWS\Temp\History\History.IE5\index.dat -> [Ver = | Size = 32768 bytes | Modified Date = 9/9/2008 12:40:52 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> [Folder | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
index.dat -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat -> [Ver = | Size = 49152 bytes | Modified Date = 9/9/2008 12:40:52 AM | Attr = HS]
C:\WINDOWS\Temp\History\History.IE5\ -> C:\WINDOWS\Temp\History\History.IE5\ -> [Folder | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\History\History.IE5\desktop.ini -> [Ver = | Size = 145 bytes | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> [Folder | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\1FFL9NS5\ -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\1FFL9NS5 -> [Folder | Modified Date = 9/9/2008 12:38:10 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\1FFL9NS5\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ACYHT4LH\ -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\ACYHT4LH -> [Folder | Modified Date = 9/9/2008 12:39:46 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\ACYHT4LH\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\BYMRAT5D\ -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\BYMRAT5D -> [Folder | Modified Date = 9/9/2008 12:39:47 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\BYMRAT5D\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ZSGLCYDJ\ -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\ZSGLCYDJ -> [Folder | Modified Date = 9/9/2008 12:40:14 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\ZSGLCYDJ\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 9/9/2008 12:36:54 AM | Attr = HS]
< End of report >
niccorny
2008-09-09, 10:27
4.) Fresh HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:30 PM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle] D:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19F6EDB7-AFB8-43AB-B030-194B595FE9B2}: NameServer = 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 203.84.191.216 121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{19F6EDB7-AFB8-43AB-B030-194B595FE9B2}: NameServer = 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 203.84.191.216 121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{19F6EDB7-AFB8-43AB-B030-194B595FE9B2}: NameServer = 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.84.191.216 121.1.3.208,121.1.3.199,121.1.3.250
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 8400 bytes
5.) Status check
I didn't notice anything unusual (for now), but I'll report on you if any infections would occur...right now the only thing left is that DLL file...wowfx.dll I browsed through its path in C:\WINDOWS\system32 but the file was gone...yet it still registered on HJT that I gave you.
Thank you very much for helping me! :yes:
Hi niccorny
don´t worry about wowfx.dll , we will remove it now......
1 - Run CFScript
Open Notepad and copy/paste the text in the box into the window:
File::
C:\WINDOWS\system32\wowfx.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
3 - Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the ComboFix log
2. the Kaspersky online scanner report
3. a fresh HijackThis log
Thanks peku006
niccorny
2008-09-09, 18:16
I. Combofix log
ComboFix 08-09-05.10 - Dominic Caracter 2008-09-09 17:38:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.678 [GMT 8:00]
Running from: C:\Documents and Settings\Dominic Caracter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dominic Caracter\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.
2008-09-09 15:15 . 2008-09-09 15:15 <DIR> d-------- C:\Documents and Settings\Dominic Caracter\Application Data\Malwarebytes
2008-09-09 15:15 . 2008-09-09 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 15:15 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 15:15 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 09:06 . 2008-09-09 12:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-09 09:04 . 2008-09-09 09:04 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-09 09:04 . 2008-09-09 09:04 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-09 09:03 . 2008-09-09 14:40 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-09 09:03 . 2008-09-09 09:03 <DIR> d-------- C:\Program Files\AVG
2008-09-09 09:03 . 2008-09-09 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-09 09:03 . 2008-09-09 09:03 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-09 00:40 . 2008-09-09 00:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-09-05 12:51 . 2006-05-01 12:15 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-09-05 10:14 . 2008-09-09 12:33 <DIR> d-------- C:\VundoFix Backups
2008-09-03 02:02 . 2008-09-08 23:00 982 --a------ C:\WINDOWS\wininit.ini
2008-08-30 15:42 . 2008-09-01 15:34 <DIR> d-------- C:\Documents and Settings\Dominic Caracter\Application Data\uTorrent
2008-08-09 22:00 . <DIR> C:\Documents and Settings\Dominic Caracter\Application Data\NeroDigitalT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 11:51 --------- d-----w C:\Program Files\Azureus
2008-09-07 18:24 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\Azureus
2008-09-04 12:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-31 09:45 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\DNA
2008-08-31 08:44 --------- d-----w C:\Program Files\DNA
2008-08-31 07:17 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\Skype
2008-08-31 03:48 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\skypePM
2008-08-21 07:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-18 02:18 --------- d-----w C:\Program Files\Just Sudoku PE
2008-08-09 14:00 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\NeroDigital™
2008-08-07 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 12:41 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\TransRender
2008-08-03 12:41 --------- d-----w C:\Documents and Settings\Dominic Caracter\Application Data\Temporary
2008-07-20 03:17 --------- d-----w C:\Program Files\Skype
2008-07-20 03:17 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-20 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-18 01:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-14 09:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-14 09:10 --------- d-----w C:\Program Files\Vimicro
2008-07-14 08:45 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-07-11 11:34 --------- d-----w C:\Program Files\LimeWire
2008-07-11 03:41 --------- d-----w C:\Program Files\Lavasoft
2008-07-11 03:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 15:27 --------- d-----w C:\Program Files\Chikka
2008-07-10 11:38 --------- d-----w C:\Program Files\Java
2008-07-10 11:38 --------- d-----w C:\Program Files\Common Files\Java
.
------- Sigcheck -------
2007-08-07 03:41 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2007-08-07 03:41 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
2005-03-02 08:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 17:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 16:38 2027520 54a8b9806027049f8b19f1274a63c7b4 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-12 21:29 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 08:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 16:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 16:38 2027520 54a8b9806027049f8b19f1274a63c7b4 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 16:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-02-28 16:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe
2005-03-02 09:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 17:08 2147840 5fb20cabc9a81baaabbe63f30ffc5284 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-12 21:25 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 08:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 17:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 17:08 2147840 5fb20cabc9a81baaabbe63f30ffc5284 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 17:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-02-28 17:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\VITrans\ntoskrnl.exe
2007-06-13 18:23 1423360 e4368d08c22012b357bef3ba239ac667 C:\WINDOWS\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 18:23 1423360 e4368d08c22012b357bef3ba239ac667 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-12 21:19 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-08_11.01.05.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-09 01:03:57 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-11-19 163840]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"RAM Idle"="D:\Program Files\Customizer XP\RAMIdle.exe" [2002-06-11 104448]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"VMSnap3"="C:\WINDOWS\VMSnap3.exe" [2006-08-30 49152]
"Domino"="C:\WINDOWS\Domino.exe" [2006-06-28 49152]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-09 1235736]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-01 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-09 113664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"D:\Rockman\rockman x4\ROCKMAN X4\RMX4.EXE"= RMX4.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^trayit!.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\trayit!.exe
backup=C:\WINDOWS\pss\trayit!.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic Caracter^Start Menu^Programs^Startup^Shortcut to start.lnk]
path=C:\Documents and Settings\Dominic Caracter\Start Menu\Programs\Startup\Shortcut to start.lnk
backup=C:\WINDOWS\pss\Shortcut to start.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic Caracter^Start Menu^Programs^Startup^TrayIt!.lnk]
path=C:\Documents and Settings\Dominic Caracter\Start Menu\Programs\Startup\TrayIt!.lnk
backup=C:\WINDOWS\pss\TrayIt!.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 15:54 21718312 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
--------- 2008-07-30 14:45 4891984 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-07-17 06:17 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"D:\\backups\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"D:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-09 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-09 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-09 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-09 76040]
R3 vvftav303;vvftav303;C:\WINDOWS\system32\drivers\vvftav303.sys [2007-06-23 480128]
R3 ZSMC0303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys [2006-12-01 392122]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2006-05-16 13824]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 vmfilter303;vmfilter303;C:\WINDOWS\system32\drivers\vmfilter303.sys [2006-04-25 428160]
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys [ ]
S3 XDva030;XDva030;C:\WINDOWS\system32\XDva030.sys [ ]
S3 XDva031;XDva031;C:\WINDOWS\system32\XDva031.sys [ ]
S3 XDva033;XDva033;C:\WINDOWS\system32\XDva033.sys [ ]
S3 XDva035;XDva035;C:\WINDOWS\system32\XDva035.sys [ ]
S3 XDva052;XDva052;C:\WINDOWS\system32\XDva052.sys [ ]
S3 XDva098;XDva098;C:\WINDOWS\system32\XDva098.sys [ ]
S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de1ee350-9f80-11dc-b23e-00196627469c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e32272b0-5e81-11dc-b108-00196627469c}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-BearShare - C:\Program Files\BearShare\BearShare.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 17:42:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-09 17:44:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 09:44:24
ComboFix2.txt 2008-09-08 03:01:26
Pre-Run: 14,613,123,072 bytes free
Post-Run: 14,611,742,720 bytes free
213 --- E O F --- 2008-08-15 00:11:09
niccorny
2008-09-09, 18:20
II. Kaspersky online scanner
Note: Disabled AVG before performing kaspersky.
Note: I've only scanned critical areas because for some reason it always got stocked only reaches 7-8% (tried it for several time 5 times I think). Anyways here's the log for critical areas.
Wednesday, September 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 09, 2008 12:08:21
Records in database: 1203438
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Dominic Caracter\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 42194
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:44:45
No malware has been detected. The scan area is clean.
The selected area was scanned.
III. Fresh HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:13 AM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle] D:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19F6EDB7-AFB8-43AB-B030-194B595FE9B2}: NameServer = 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{19F6EDB7-AFB8-43AB-B030-194B595FE9B2}: NameServer = 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{19F6EDB7-AFB8-43AB-B030-194B595FE9B2}: NameServer = 203.84.191.216,121.1.3.208,121.1.3.199,121.1.3.250
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 7844 bytes
Thanks peku006
Hello niccorny
Congratulations, your log looks clean! :)
Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK
http://i147.photobucket.com/albums/r301/DFW_photos/CF_Cleanup.png
When shown the disclaimer, Select "2"
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.
Double click OTMoveIt.exe to launch the programme.
Click on the CleanUp! button.
OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
When finished exit out of OTMoveIt
The tool will delete itself once it finishes, if not delete it by yourself.
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpyWare Blaster 4.1
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Note:"Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note: If you are running Windows XP SP2, you should upgrade to SP3.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Happy safe surfing! :thumbup:
niccorny
2008-09-09, 20:07
THanks peku006...:cool:
hmmmm I already have spyblaster do I need to execute it b4 browsing to take effect?? also I think my booting got slow (a little bit) what can be done?? how can I determine which processes are most important...here's a list of the process being done upon booting:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
Which are these are least important and how to modify them?
Thank you so much! From now on I will not patronize the usage of P2P file sharing and cracked programs...I've learned my lesson ^_^
Hi niccorny
I will not patronize the usage of P2P file sharing and cracked programs
Wise Choice...:yahoo:
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Many of these Downloads are targeted to carry infections.
You can fix these lines with HijackThis, if you want. This could to speed up to your computer starting.
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Regards
peku006
niccorny
2008-09-09, 20:48
It did boot a little faster...
Again a many thanks to you peku006!
Thanks for helping me out on this problem about malwares...
Good luck on everything! 'Till next time!! :laugh: