PDA

View Full Version : Regedit and TaskManager Disabled.



ushpen25
2008-09-07, 18:23
Hello,

I need some help here, my task manager and regedit was disabled. Here is the HJT Log.


Deckard's System Scanner v20071014.68
Run by Pen on 2007-08-10 09:15:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Pen.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:19 AM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\password_viewer.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pen\My Documents\Cleaning Tool\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pen.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.javacoolsoftware.com/sb-link/firefox.html
F2 - REG:system.ini: UserInit=userinit.exe,password_viewer.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [L08AXLRD_1569000] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7399 bytes

-- Files created between 2007-07-10 and 2007-08-10 -----------------------------

2008-07-18 22:20:35 0 d--hs---- C:\WINDOWS\Installer
2008-07-18 22:20:34 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-18 22:20:31 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-07-18 22:20:30 0 dr------- C:\Program Files
2008-07-18 22:20:30 0 d-------- C:\Program Files\Common Files
2008-07-18 22:20:14 155136 --a------ C:\WINDOWS\notepad.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 22:20:04 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-07-18 22:20:04 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-07-18 22:20:04 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-07-18 22:20:04 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-07-18 22:20:04 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-07-18 22:20:04 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-07-18 22:20:04 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-07-18 22:20:04 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-07-18 22:20:04 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-07-18 22:20:04 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-07-18 22:20:04 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-07-18 22:20:04 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-07-18 22:20:04 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-07-18 22:20:04 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-07-18 22:20:04 0 dr------- C:\Documents and Settings\All Users\Documents
2008-07-18 22:20:04 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-07-18 22:18:13 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-18 22:18:13 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-18 22:18:07 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-07-18 22:18:07 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-07-18 22:18:07 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-07-18 22:18:07 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-07-18 22:17:45 0 d-------- C:\Documents and Settings
2008-07-18 22:17:44 0 d--hs---- C:\System Volume Information
2008-07-18 22:12:31 0 d-------- C:\WINDOWS
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\WinSxS
2008-07-18 22:12:31 0 dr------- C:\WINDOWS\Web
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\twain_32
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\wins
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\wbem
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\usmt
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\spool
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\ShellExt
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\Setup
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\ras
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\oobe
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\npp
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\mui
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\inetsrv
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\IME
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\icsxml
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\ias
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\export
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\drivers
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-07-18 22:12:31 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\dhcp
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\config
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\3076
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\2052
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1054
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1042
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1041
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1037
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1033
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1031
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1028
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system32\1025
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\system
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\security
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Resources
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\repair
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Provisioning
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\PeerNet
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\pchealth
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\mui
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\msapps
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\msagent
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Media
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\java
2008-07-18 22:12:31 0 d--h----- C:\WINDOWS\inf
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\ime
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Help
2008-07-18 22:12:31 0 dr--s---- C:\WINDOWS\Fonts
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\ehome
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Driver Cache
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Debug
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Cursors
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Connection Wizard
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\Config
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\AppPatch
2008-07-18 22:12:31 0 d-------- C:\WINDOWS\addins
2008-07-18 14:54:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-18 14:54:22 0 d-------- C:\Program Files\GRETECH
2008-07-18 14:54:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-18 14:49:37 0 d-------- C:\WINDOWS\system32\Lang
2008-07-18 14:49:36 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-07-18 14:49:36 0 d-------- C:\Documents and Settings\*\Application Data\ATI
2008-07-18 14:46:18 0 d-------- C:\WINDOWS\system32\RTCOM
2008-07-18 14:44:37 4864 -ra------ C:\WINDOWS\system32\drivers\PortIo.sys <Not Verified; Windows (R) Codename Longhorn DDK provider; Windows (R) Codename Longhorn DDK driver>
2008-07-18 14:43:02 0 d-------- C:\Program Files\Common Files\ATI Technologies
2008-07-18 14:39:44 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-07-18 14:39:12 307200 -ra------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2008-07-18 14:39:10 368640 -ra------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2008-07-18 14:39:09 3107788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-07-18 14:39:09 887724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-07-18 14:39:09 3107788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-07-18 14:39:09 165782 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-07-18 14:35:46 0 d-------- C:\Program Files\ATI Technologies
2008-07-18 14:35:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-18 14:35:18 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-18 14:34:02 0 d-------- C:\Documents and Settings\*\Application Data\Identities
2008-07-18 14:33:44 0 dr------- C:\Documents and Settings\*\My Documents
2008-07-18 14:33:44 0 d--h----- C:\Documents and Settings\*\Local Settings
2008-07-18 14:33:44 0 dr------- C:\Documents and Settings\*\Favorites
2008-07-18 14:33:44 0 d-------- C:\Documents and Settings\*\Desktop
2008-07-18 14:33:44 0 d---s---- C:\Documents and Settings\*\Cookies
2008-07-18 14:33:44 0 d--h----- C:\Documents and Settings\*\Application Data
2008-07-18 14:33:44 0 d---s---- C:\Documents and Settings\*\Application Data\Microsoft
2008-07-18 14:33:43 0 d--h----- C:\Documents and Settings\*\Templates
2008-07-18 14:33:43 0 dr------- C:\Documents and Settings\*\Start Menu
2008-07-18 14:33:43 0 dr-h----- C:\Documents and Settings\*\SendTo
2008-07-18 14:33:43 0 dr-h----- C:\Documents and Settings\*\Recent
2008-07-18 14:33:43 0 d--h----- C:\Documents and Settings\*\PrintHood
2008-07-18 14:33:43 3932160 --ah----- C:\Documents and Settings\*\NTUSER.DAT
2008-07-18 14:33:43 0 d--h----- C:\Documents and Settings\*\NetHood
2008-07-18 14:32:53 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-07-18 14:32:51 0 d-------- C:\WINDOWS\Prefetch
2008-07-18 14:32:49 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-07-18 14:32:48 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-07-18 14:32:48 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-07-18 14:32:48 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-07-18 14:32:48 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-07-18 14:32:48 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-07-18 14:32:02 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-07-18 14:32:02 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-07-18 14:32:02 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-07-18 14:32:02 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-07-18 14:32:02 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-07-18 14:28:49 0 d-------- C:\WINDOWS\system32\xircom
2008-07-18 14:28:49 0 d-------- C:\Program Files\microsoft frontpage
2008-07-18 14:28:37 262144 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-07-18 14:27:27 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-07-18 14:27:17 0 dr------- C:\WINDOWS\Offline Web Pages
2008-07-18 14:27:17 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-07-18 14:27:07 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-18 14:26:45 0 d-------- C:\WINDOWS\system32\DirectX
2008-07-18 14:26:10 0 d---s---- C:\WINDOWS\Tasks
2008-07-18 14:26:09 0 d-------- C:\Program Files\Common Files\MSSoap
2008-07-18 14:26:06 0 d-------- C:\WINDOWS\srchasst
2008-07-18 14:26:05 0 d-------- C:\WINDOWS\system32\Macromed
2008-07-18 14:26:01 285696 --a------ C:\WINDOWS\system32\wuauclt1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:25:56 0 d-------- C:\Program Files\Movie Maker
2008-07-18 14:25:48 0 d-------- C:\WINDOWS\system32\Restore
2008-07-18 14:25:42 321536 --a------ C:\WINDOWS\system32\mstask.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:25:08 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-18 14:24:54 0 d-------- C:\WINDOWS\Registration
2008-07-18 14:24:48 0 d-------- C:\Program Files\Online Services
2008-07-18 14:24:43 0 d-------- C:\Program Files\Messenger
2008-07-18 14:24:39 0 d-------- C:\Program Files\MSN Gaming Zone
2008-07-18 14:24:27 152064 --a------ C:\WINDOWS\system32\sndvol32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:24:18 117760 --a------ C:\WINDOWS\system32\calc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:23:54 180736 --a------ C:\WINDOWS\system32\sndrec32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:23:54 0 d-------- C:\Program Files\Windows NT
2008-07-18 14:23:53 439808 --a------ C:\WINDOWS\system32\mspaint.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:23:52 657408 --a------ C:\WINDOWS\system32\mstscax.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-18 14:23:51 0 d-------- C:\WINDOWS\system32\MsDtc
2008-07-18 14:23:49 0 d-------- C:\WINDOWS\system32\Com
2008-02-10 13:39:26 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-10 13:39:18 237568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-07 20:59:03 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-02-07 17:53:46 110592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2008-02-04 12:48:04 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe <Not Verified; ; OnlineScannerUninstaller>
2008-01-22 09:38:04 2845696 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Miniport Driver>
2008-01-22 08:43:42 272384 --a------ C:\WINDOWS\system32\ati2dvag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Display Driver>
2008-01-22 08:36:44 9949184 --a------ C:\WINDOWS\system32\atioglx2.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-01-22 08:35:58 147456 --a------ C:\WINDOWS\system32\atipdlxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-22 08:35:48 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll <Not Verified; ATI Technologies, Inc.; ATI Driver Interface Component>
2008-01-22 08:35:42 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe <Not Verified; ATI Technologies, Inc.; ATI Default Resolution Update>
2008-01-22 08:35:34 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll <Not Verified; ATI Technologies, Inc.; ATI External Device Utility>
2008-01-22 08:35:20 122880 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-01-22 08:34:06 512000 --a------ C:\WINDOWS\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-01-22 08:33:16 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-01-22 08:25:36 3121920 --a------ C:\WINDOWS\system32\ati3duag.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon DirectX Universal Driver>
2008-01-22 08:15:00 1664256 --a------ C:\WINDOWS\system32\ativvaxx.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon Video Acceleration Universal Driver>
2008-01-22 08:04:26 46080 --a------ C:\WINDOWS\system32\amdpcom32.dll <Not Verified; Advanced Micro Devices, Inc.; Advanced Micro Devices, Inc. Radeon PCOM Universal Driver>
2008-01-22 08:01:10 385024 --a------ C:\WINDOWS\system32\atikvmag.dll <Not Verified; ATI Technologies Inc.; Virtual Command And Memory Manager>
2008-01-22 07:59:22 17408 --a------ C:\WINDOWS\system32\atitvo32.dll <Not Verified; ATI Technologies Inc.; ATI RageTheater/ImpacTV COM interface>
2008-01-22 07:58:36 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll <Not Verified; ATI Technologies Inc.; eRecord>
2008-01-22 07:58:02 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-01-22 07:57:16 163840 --a------ C:\WINDOWS\system32\atiok3x2.dll <Not Verified; ATI Technologies Inc.; Ring 0 x2 Component>
2008-01-22 07:53:52 503808 --a------ C:\WINDOWS\system32\ati2cqag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2007-08-08 17:03:25 0 -rahs---- C:\MSDOS.SYS
2007-08-08 17:03:25 0 -rahs---- C:\IO.SYS
2007-08-08 10:12:52 0 d-------- C:\Documents and Settings\Pen\Application Data\GRETECH
2007-08-07 20:51:08 0 d---s---- C:\Documents and Settings\Pen\UserData
2007-08-06 19:43:00 0 d-------- C:\Documents and Settings\Pen\Application Data\skypePM
2007-08-01 21:22:23 0 d-------- C:\Program Files\HyCam2
2007-07-30 04:34:12 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2007-07-30 04:34:12 0 d-------- C:\Documents and Settings\*\Application Data\skypePM
2007-07-30 04:32:29 0 d-------- C:\Documents and Settings\*\Application Data\Skype
2007-07-29 20:20:16 0 d-------- C:\Documents and Settings\Pen\Application Data\WinPatrol
2007-07-29 20:20:05 0 d-------- C:\Program Files\BillP Studios
2007-07-29 20:05:13 0 d-------- C:\Documents and Settings\Pen\Application Data\vlc
2007-07-29 18:54:58 0 d-------- C:\Documents and Settings\Pen\Application Data\SmartFTP
2007-07-29 18:54:38 0 d-------- C:\Program Files\SmartFTP Client
2007-07-29 18:54:13 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2007-07-29 12:19:07 30 -rahs---- C:\WINDOWS\pc-off.bat
2007-07-29 12:19:07 232105 -rahs---- C:\WINDOWS\password_viewer.exe
2007-07-29 06:36:00 0 drahs---- C:\autorun.inf
2007-07-28 23:57:02 0 d-------- C:\Program Files\NCH Software
2007-07-28 23:39:56 0 d-------- C:\Program Files\NCH Swift Sound
2007-07-28 23:36:09 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-07-28 08:27:27 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2007-07-28 08:27:27 314368 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2007-07-28 08:27:25 0 d-------- C:\Program Files\Magic Video Converter
2007-07-28 07:06:01 0 d-------- C:\Documents and Settings\Pen\Application Data\Skype
2007-07-28 07:05:50 0 d-------- C:\Program Files\Skype
2007-07-28 07:05:50 0 d-------- C:\Program Files\Common Files\Skype
2007-07-28 07:05:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-07-26 20:42:35 415232 --a------ C:\WINDOWS\system32\CF20178.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-26 20:38:48 415232 --a------ C:\WINDOWS\system32\CF19434.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-26 19:17:47 0 d-------- C:\Program Files\VirtualDub
2007-07-26 18:49:02 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll
2007-07-26 18:49:02 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll
2007-07-26 18:02:23 0 d-------- C:\Documents and Settings\Pen\Application Data\WinRAR
2007-07-26 17:55:53 0 d-------- C:\Program Files\Thomas Wright Consulting
2007-07-26 17:05:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-07-26 17:05:26 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-26 16:19:11 0 d-------- C:\Documents and Settings\Pen\Application Data\NCH Swift Sound
2007-07-26 11:11:55 415232 --a------ C:\WINDOWS\system32\CF6666.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-26 10:07:35 415232 --a------ C:\WINDOWS\system32\CF26822.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-26 09:57:50 415232 --a------ C:\WINDOWS\system32\CF24918.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-26 09:53:10 415232 --a------ C:\WINDOWS\system32\CF24007.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-25 13:51:11 415232 --a------ C:\WINDOWS\system32\CF17873.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-25 13:47:00 415232 --a------ C:\WINDOWS\system32\CF17053.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-25 13:41:37 415232 --a------ C:\WINDOWS\system32\CF15995.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-25 13:34:40 415232 --a------ C:\WINDOWS\system32\CF14516.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-24 13:45:26 415232 --a------ C:\WINDOWS\system32\CF29512.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-24 13:44:05 415232 --a------ C:\WINDOWS\system32\CF29251.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-24 00:49:54 0 d-------- C:\Documents and Settings\Pen\Application Data\IDM
2007-07-24 00:49:54 0 d-------- C:\Documents and Settings\Pen\Application Data\DMCache
2007-07-24 00:47:40 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-23 16:11:45 0 d-------- C:\Documents and Settings\*\Application Data\Nokia Multimedia Player
2007-07-23 16:03:13 0 d-------- C:\Documents and Settings\*\Phone Browser
2007-07-23 16:01:20 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-07-23 16:01:20 0 d-------- C:\Documents and Settings\*\Application Data\PC Suite
2007-07-23 15:08:04 0 d-------- C:\Program Files\Cucusoft
2007-07-23 02:39:53 0 d-------- C:\Documents and Settings\Pen\Application Data\Ahead
2007-07-23 01:35:30 0 d-------- C:\Documents and Settings\Pen\Application Data\LimeWire
2007-07-23 00:08:38 0 d-------- C:\Documents and Settings\Pen\Application Data\Macromedia
2007-07-22 23:17:55 0 d-------- C:\Documents and Settings\Pen\Application Data\Mozilla
2007-07-22 22:59:45 0 d-------- C:\Documents and Settings\Pen\Application Data\Malwarebytes
2007-07-22 22:58:19 0 d-------- C:\Documents and Settings\Pen\Application Data\AVGTOOLBAR
2007-07-22 22:56:56 0 d-------- C:\Documents and Settings\Pen\Application Data\Adobe
2007-07-22 22:56:55 0 d-------- C:\Documents and Settings\Pen\Application Data\ATI
2007-07-22 22:56:53 0 d-------- C:\Documents and Settings\Pen\Application Data\Comodo
2007-07-22 22:56:28 0 d-------- C:\Documents and Settings\Pen\Application Data\Identities
2007-07-22 22:56:12 0 d--h----- C:\Documents and Settings\Pen\Templates
2007-07-22 22:56:12 0 dr------- C:\Documents and Settings\Pen\Start Menu
2007-07-22 22:56:12 0 dr-h----- C:\Documents and Settings\Pen\SendTo
2007-07-22 22:56:12 0 d--hs---- C:\Documents and Settings\Pen\Recent
2007-07-22 22:56:12 0 d--h----- C:\Documents and Settings\Pen\PrintHood
2007-07-22 22:56:12 8388608 --ah----- C:\Documents and Settings\Pen\NTUSER.DAT
2007-07-22 22:56:12 0 d--h----- C:\Documents and Settings\Pen\NetHood
2007-07-22 22:56:12 0 d---s---- C:\Documents and Settings\Pen\My Documents
2007-07-22 22:56:12 0 d--h----- C:\Documents and Settings\Pen\Local Settings
2007-07-22 22:56:12 0 d---s---- C:\Documents and Settings\Pen\Favorites
2007-07-22 22:56:12 0 d-------- C:\Documents and Settings\Pen\Desktop
2007-07-22 22:56:12 0 d---s---- C:\Documents and Settings\Pen\Cookies
2007-07-22 22:56:12 0 d--h----- C:\Documents and Settings\Pen\Application Data
2007-07-22 03:04:47 0 d-------- C:\Documents and Settings\*\Application Data\Malwarebytes
2007-07-22 03:04:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2007-07-22 03:04:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2007-07-22 02:41:26 0 d-------- C:\Documents and Settings\*\Application Data\Comodo
2007-07-22 02:41:24 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-07-22 02:41:22 0 d-------- C:\Program Files\COMODO
2007-07-21 23:59:45 0 d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2007-07-21 22:53:34 0 d-------- C:\Program Files\EsetOnlineScanner
2007-07-21 03:06:17 0 d-------- C:\WINDOWS\Sun
2007-07-21 03:06:17 0 d-------- C:\Documents and Settings\*\Application Data\Sun
2007-07-21 01:49:12 0 d-------- C:\WINDOWS\ERUNT
2007-07-21 01:00:38 0 d-------- C:\Documents and Settings\*\Application Data\LimeWire
2007-07-21 00:59:54 0 d-------- C:\Program Files\Sun
2007-07-21 00:58:51 0 d-------- C:\Program Files\Java
2007-07-21 00:52:09 0 d-------- C:\Program Files\Common Files\Java
2007-07-19 22:56:36 0 d-------- C:\Documents and Settings\*\Application Data\WinRAR
2007-07-19 18:10:09 0 d-------- C:\Program Files\LimeWire
2007-07-19 17:53:26 0 d-------- C:\Program Files\EPSON
2007-07-19 17:53:03 65536 --a------ C:\WINDOWS\system32\EEBUtil.dll <Not Verified; SEIKO EPSON CORPORATION; Enhanced EPSON Bi-directional API>
2007-07-19 17:53:03 55808 --a------ C:\WINDOWS\system32\EEBSDKIF.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
2007-07-19 17:53:03 110592 --a------ C:\WINDOWS\system32\EEBDSCVR.dll <Not Verified; SEIKO EPSON CORPORATION; Enhanced EPSON Bi-directional API>
2007-07-19 17:53:03 131072 --a------ C:\WINDOWS\system32\EEBAPI.dll <Not Verified; SEIKO EPSON CORPORATION; Enhanced EPSON Bi-directional API>
2007-07-19 17:53:03 69632 --a------ C:\WINDOWS\system32\EBAPI.dll <Not Verified; SEIKO EPSON CORPORATION; Enhanced EPSON Bi-directional API>
2007-07-19 17:53:02 0 d-------- C:\Program Files\Common Files\EPSON
2007-07-19 12:54:07 0 d-------- C:\Program Files\SpywareGuard
2007-07-19 12:49:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-19 11:10:26 0 d-------- C:\Program Files\Trend Micro
2007-07-19 06:19:00 0 d-------- C:\Program Files\Panda Security
2007-07-19 04:25:10 0 d-------- C:\Documents and Settings\*\Application Data\TmpRecentIcons
2007-07-19 02:35:26 0 d--h----- C:\$AVG8.VAULT$
2007-07-18 21:09:44 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-18 20:42:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-07-18 20:09:09 0 --a------ C:\CONFIG.SYS
2007-07-18 20:09:09 0 --a------ C:\AUTOEXEC.BAT
2007-07-18 20:09:07 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-07-18 20:09:06 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-07-18 20:08:58 0 d-------- C:\Program Files\SpywareBlaster
2007-07-18 20:02:46 0 d-------- C:\Documents and Settings\*\Application Data\IDM
2007-07-18 20:02:46 0 d-------- C:\Documents and Settings\*\Application Data\DMCache
2007-07-18 20:02:42 0 d-------- C:\Program Files\Internet Download Manager
2007-07-18 19:57:51 0 d-------- C:\Documents and Settings\*\Application Data\Macromedia
2007-07-18 19:51:24 0 d-------- C:\WINDOWS\pss
2007-07-18 19:42:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-18 19:42:41 0 d-------- C:\Documents and Settings\*\Application Data\Mozilla
2007-07-18 19:40:23 0 d-------- C:\Program Files\Common Files\LightScribe
2007-07-18 19:39:39 0 d-------- C:\Documents and Settings\*\Application Data\Ahead
2007-07-18 19:37:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-07-18 19:37:15 0 d-------- C:\Program Files\Nero
2007-07-18 19:37:15 0 d-------- C:\Program Files\Common Files\Ahead
2007-07-18 19:36:30 0 d-------- C:\WINDOWS\RegisteredPackages
2007-07-18 16:24:06 0 d-------- C:\Documents and Settings\*\Application Data\GRETECH
2007-07-18 15:32:03 0 d-------- C:\Program Files\Microsoft Works
2007-07-18 15:31:53 0 d-------- C:\Program Files\MSBuild
2007-07-18 15:30:38 0 d-------- C:\Program Files\Microsoft.NET
2007-07-18 15:28:47 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-07-18 15:27:39 0 d-------- C:\WINDOWS\SHELLNEW
2007-07-18 15:26:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-07-18 15:26:25 0 dr-h----- C:\MSOCache
2007-07-18 15:18:47 0 d-------- C:\Program Files\Microsoft Student
2007-07-18 15:18:25 0 d-------- C:\Program Files\Learning Essentials
2007-07-18 15:10:45 0 d-------- C:\Program Files\VideoLAN
2007-07-18 15:09:56 0 d-------- C:\Program Files\Yahoo!
2007-07-18 15:08:56 0 d-------- C:\Program Files\Winamp
2007-07-18 15:08:27 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-07-18 15:08:23 0 d-------- C:\Program Files\CyberLink
2007-07-18 15:07:52 0 d-------- C:\Documents and Settings\*\Application Data\NCH Swift Sound
2007-07-18 15:06:29 0 d-------- C:\WINDOWS\ferrarie themes
2007-07-18 15:05:31 0 d-------- C:\Documents and Settings\*\Application Data\Adobe
2007-07-18 15:03:30 63385 --a------ C:\WINDOWS\BricoPackUninst.cmd
2007-07-18 15:01:58 6116 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-07-18 15:01:38 0 d-------- C:\WINDOWS\BricoPacks
2007-07-18 15:00:09 0 d-------- C:\WINDOWS\system32\drivers\Avg
2007-07-18 15:00:09 0 d-------- C:\Documents and Settings\*\Application Data\AVGTOOLBAR
2007-07-18 14:59:57 0 d-------- C:\Program Files\AVG
2007-07-18 14:59:57 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8


-- Find3M Report ---------------------------------------------------------------

2008-07-18 22:20:04 62 --ahs---- C:\Documents and Settings\Pen\Application Data\desktop.ini
2007-07-18 15:03:29 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\A system shutdown is in progress.]




-- End of Deckard's System Scanner: finished at 2007-08-10 09:18:21 ----------------------------------------------------------------------

Blade81
2008-09-11, 07:51
Hi

You posted outdated log from Deckard's system scanner. Please post a fresh hjt log taken with TrendMicro HijackThis.

ushpen25
2008-09-11, 14:19
Hello,

Here's the Log requested.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:08 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [autoMe] wscript.exe "C:\WINDOWS\auto.vbs"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219782393078
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,C:\WINDOWS\system32\cssdll32.dll,avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9640 bytes

Blade81
2008-09-11, 18:05
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

ushpen25
2008-09-12, 07:07
Hello,

Here's the HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:53 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [autoMe] wscript.exe "C:\WINDOWS\auto.vbs"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219782393078
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9024 bytes

ushpen25
2008-09-12, 07:12
I guess i have to divide the Combofix Log, it always exceeds to limit on this forum to post. Anyway here it is.

ComboFix 08-09-10.04 - Pen 2008-09-11 15:44:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.488 [GMT -12:00]
Running from: C:\Documents and Settings\Pen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pen\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\sgykuqbv.ini
C:\WINDOWS\system32\tnspaesu.ini
C:\WINDOWS\system32\xidmbjqu.ini

----- BITS: Possible infected sites -----

http://au.download.windowsupdate.j+|Cv+@J:NGD_DQ{zcxLJS@L*EqWU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXun4j0n4j0n4j0n4j0n<bSYcxLJS@GD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cvte.com
.
((((((((((((((((((((((((( Files Created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.

2008-09-11 00:59 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-09-11 00:59 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-09-07 22:42 . 2008-09-07 22:42 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-09-07 17:50 . 2008-06-23 04:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-07 17:50 . 2008-06-23 04:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-07 17:50 . 2008-06-23 04:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-07 17:49 . 2008-06-23 04:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-07 17:49 . 2007-04-16 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-07 17:49 . 2007-03-07 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-07 17:49 . 2008-06-23 04:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-07 17:49 . 2008-06-23 04:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-07 17:49 . 2008-06-22 21:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-07 14:45 . 2008-09-07 14:45 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\SmartFTP
2008-09-07 00:20 . 2008-09-07 00:20 0 --a------ C:\WINDOWS\iplayer.INI
2008-09-07 00:15 . 2008-09-07 00:16 <DIR> d-------- C:\Program Files\InterActual
2008-09-03 15:42 . 2008-09-03 15:42 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-09-03 15:41 . 2008-09-03 15:41 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-09-02 03:03 . 2008-09-02 03:03 <DIR> d-------- C:\Deckard
2008-09-02 02:56 . 2008-09-02 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 00:49 . 2008-09-02 02:57 <DIR> d-------- C:\Documents and Settings\Pen\.housecall6.6
2008-09-01 03:36 . 2008-09-01 03:36 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Ahead
2008-09-01 03:17 . 2008-09-01 03:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-01 00:09 . 2008-09-11 10:28 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-01 00:08 . 2008-03-13 15:54 174,080 --a------ C:\WINDOWS\system\KeyGen.exe
2008-08-31 14:07 . 1996-10-15 18:01 298,496 --a------ C:\WINDOWS\uninst.exe
2008-08-31 00:46 . 2008-08-31 00:46 <DIR> d-------- C:\_OTMoveIt
2008-08-30 21:31 . 2008-08-30 21:31 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Skype
2008-08-30 20:58 . 2008-08-30 20:58 3,149 -rahs---- C:\WINDOWS\auto.vbs
2008-08-30 11:44 . 2008-09-11 11:40 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-30 11:44 . 2008-09-02 02:57 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\AVGTOOLBAR
2008-08-30 11:44 . 2008-08-30 11:44 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-30 11:44 . 2008-08-30 11:44 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-30 11:44 . 2008-08-30 11:44 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-30 11:44 . 2008-08-30 11:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-30 11:37 . 2008-08-30 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-30 01:26 . 2008-09-10 12:27 2,205 --a------ C:\WINDOWS\diagerr.xml
2008-08-30 01:26 . 2008-09-10 12:27 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-08-29 22:37 . 2008-08-29 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-08-29 22:36 . 2001-03-08 18:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-08-29 22:35 . 2003-03-18 20:14 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2008-08-29 22:35 . 2003-02-21 04:42 348,160 --------- C:\WINDOWS\system32\msvcr71.dll
2008-08-29 21:39 . 2008-08-29 21:42 4,829 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-08-29 20:42 . 2008-06-24 21:22 <DIR> d-------- C:\Program Files\TrueTransparency
2008-08-29 20:37 . 2008-08-29 20:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-29 20:34 . 2008-08-29 20:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-29 20:34 . 2008-08-29 20:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-28 09:42 . 2008-09-02 13:55 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\LimeWire
2008-08-28 09:40 . 2008-09-10 12:29 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\IDM
2008-08-28 09:40 . 2008-09-11 15:50 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\DMCache
2008-08-25 18:43 . 2008-08-25 18:43 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Malwarebytes
2008-08-25 11:58 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-25 11:58 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-25 11:58 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-25 11:56 . 2008-08-29 18:12 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Apple Computer
2008-08-25 09:55 . 2008-08-25 09:55 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Comodo
2008-08-25 09:55 . 2008-08-25 09:55 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\ATI
2008-08-25 09:54 . 2008-09-11 15:48 <DIR> d-------- C:\Documents and Settings\Pen
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-25 09:35 . 2008-08-25 09:39 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\iTunes
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\iPod
2008-08-24 16:33 . 2008-08-24 16:33 <DIR> d-------- C:\Program Files\QuickTime
2008-08-24 16:33 . 2008-08-24 16:33 <DIR> d-------- C:\Program Files\Bonjour
2008-08-24 16:33 . 2008-08-24 16:33 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-24 16:33 . 2008-08-24 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-24 16:32 . 2008-08-24 16:32 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-24 16:32 . 2008-08-24 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-24 07:42 . 2008-08-24 07:42 <DIR> d-------- C:\Documents and Settings\Local Settings\Temp
2008-08-24 07:42 . 2008-08-24 07:42 <DIR> d-------- C:\Documents and Settings\Local Settings
2008-08-24 01:45 . 2008-04-13 12:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-24 01:44 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-24 01:43 . 2008-04-13 12:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2008-08-23 22:03 . 2008-08-23 22:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-08-23 18:14 . 2008-06-12 23:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-23 18:14 . 2008-06-12 23:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-23 06:50 . 2008-05-08 02:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-23 06:42 . 2008-04-11 07:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-22 11:57 . 2008-09-07 18:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 11:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 11:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-10 14:15 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 12:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-10 12:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-09 14:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-09 05:42 --------- d-----w C:\Program Files\Magic Video Converter
2008-09-08 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 13:04 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-08-30 10:35 --------- d-----w C:\Program Files\CyberLink
2008-08-30 09:42 52,529 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-08-27 07:41 --------- d-----w C:\Program Files\Internet Download Manager
2008-08-26 10:01 --------- d-----w C:\Program Files\AVG
2008-07-19 02:54 --------- d-----w C:\Program Files\GRETECH
2008-07-19 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-07-19 02:44 --------- d-----w C:\Program Files\ATI Technologies
2008-07-19 02:43 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-07-19 02:28 --------- d-----w C:\Program Files\microsoft frontpage
.

------- Sigcheck -------

2008-04-13 12:12 3195904 076dc8e559181061a5a5884cb1a67567 C:\WINDOWS\explorer.exe
2004-08-03 04:56 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-13 12:12 3195904 076dc8e559181061a5a5884cb1a67567 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2008-07-18 22:10 71368 fac8e43fa3aebee03c1f08f8173059d9 C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe
2008-07-18 22:10 71368 fac8e43fa3aebee03c1f08f8173059d9 C:\WINDOWS\system32\wuauclt.exe
2008-07-18 22:10 53448 d316e28958873859b88d72cf47ad1ea5 C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\Pen\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 344064]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 131072]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^Y'z Shadow.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\Y'z Shadow.lnk
backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\*\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 15:54 21718312 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 06:41 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-29 21:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]
--a------ 2008-05-07 23:24 155648 C:\WINDOWS\system32\wscript.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-30 12936]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-18 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-07-22 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-07-22 24208]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-30 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d42c8e0-772a-11dd-b550-0019211ca709}]
\Shell\AutoRun\command - wscript.exe auto.vbs
\Shell\Open\Command - wscript.exe auto.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f05e7c3-3990-11dc-b457-0019211ca709}]
\Shell\AutoRun\command - wscript.exe auto.vbs
\Shell\Open\Command - wscript.exe auto.vbs
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Pen\Application Data\Mozilla\Firefox\Profiles\p5gzf895.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

ushpen25
2008-09-12, 07:15
Here's the other one.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 15:50:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device]
"ImagePath"="\"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ati HotKey Poller]
"ImagePath"="%SystemRoot%\system32\Ati2evxx.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ATI Smart]
"ImagePath"="C:\WINDOWS\system32\ati2sgag.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ati2mtag]
"ImagePath"="system32\DRIVERS\ati2mtag.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atierecord]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avg8wd]
"ImagePath"="C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgLdx86]
"ImagePath"="\SystemRoot\System32\Drivers\avgldx86.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgMfx86]
"ImagePath"="\SystemRoot\System32\Drivers\avgmfx86.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgRkx86]
"ImagePath"="System32\Drivers\avgrkx86.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgTdiX]
"ImagePath"="\SystemRoot\System32\Drivers\avgtdix.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service]
"ImagePath"="\"C:\Program Files\Bonjour\mDNSResponder.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\ComboFix\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cmdAgent]
"ImagePath"="\"C:\Program Files\COMODO\Firewall\cmdagent.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cmdGuard]
"ImagePath"="System32\DRIVERS\cmdguard.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cmdHlp]
"ImagePath"="System32\DRIVERS\cmdhlp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EpsonBidirectionalService]
"ImagePath"="C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="C:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FETNDIS]
"ImagePath"="system32\DRIVERS\fetnd5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FLEXnet Licensing Service]
"ImagePath"="\"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]
"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inspect]
"ImagePath"="System32\DRIVERS\inspect.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntcAzAudAddService]
"ImagePath"="system32\drivers\RtkHDAud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]
"ImagePath"="\"C:\Program Files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LightScribeService]
"ImagePath"="\"C:\Program Files\Common Files\LightScribe\LSSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Microsoft Office Groove Audit Service]
"ImagePath"="\"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="C:\WINDOWS\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="C:\WINDOWS\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

ushpen25
2008-09-12, 07:20
Hello, I have a problem posting the combofix log, it always exceeds the limit, if i will the log it will be divided into 4 parts. I will just attached the log here.

Blade81
2008-09-12, 08:16
Hi


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.


LimeWire


I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Documents and Settings\Pen\Application Data\LimeWire
C:\Program Files\LimeWire


Empty Recycle Bin.

After that:

Launch Launch Malwarebytes' Anti-Malware and download update if available.
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Then run ComboFix again and post its log & a fresh hjt log too.

ushpen25
2008-09-12, 15:31
Hello,

Here's the logs you'd requested. Combofix log, is attached below.

Malwarebytes' Anti-Malware 1.28
Database version: 1141
Windows 5.1.2600 Service Pack 3

9/12/2008 12:04:44 AM
mbam-log-2008-09-12 (00-04-44).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 172361
Time elapsed: 1 hour(s), 45 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4A77197F-6DC4-43AC-B26B-A487D2297D9C}\RP74\A0077225.exe (Trojan.Horst) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4A77197F-6DC4-43AC-B26B-A487D2297D9C}\RP75\A0079379.exe (Trojan.Horst) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4A77197F-6DC4-43AC-B26B-A487D2297D9C}\RP76\A0080873.exe (Trojan.Horst) -> Quarantined and deleted successfully.
C:\WINDOWS\system\KeyGen.exe (Trojan.Horst) -> Quarantined and deleted successfully.

<b>Here's the HJT Log.</b>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:39 AM, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [autoMe] wscript.exe "C:\WINDOWS\auto.vbs"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219782393078
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8768 bytes

Blade81
2008-09-12, 17:07
Hi

Upload following files to http://www.virustotal.com and post back the results:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe


Start hjt, do a system scan, check (if found):
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [autoMe] wscript.exe "C:\WINDOWS\auto.vbs"

Close browsers and fix checked.


Please delete following files replacing empty space with username you edited off (?).
C:\Documents and Settings\ \Start Menu\Programs\Startup\LimeWire On Startup.lnk

Do same with these folders:
C:\Documents and Settings\*\Application Data\LimeWire


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\auto.vbs
C:\Documents and Settings\Pen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

DirLook::
C:\Documents and Settings\á

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[-HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d42c8e0-772a-11dd-b550-0019211ca709}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f05e7c3-3990-11dc-b457-0019211ca709}]



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan whole 'my computer'). Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.

ushpen25
2008-09-13, 09:46
Hello,

Here are the requested logs and The other logs are attached below.

Wuauclt.exe Log

Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.12 -
Avast 4.8.1195.0 2008.09.12 -
AVG 8.0.0.161 2008.09.12 -
BitDefender 7.2 2008.09.13 -
CAT-QuickHeal 9.50 2008.09.12 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.13 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6087 2008.09.12 -
Ewido 4.0 2008.09.12 -
F-Prot 4.4.4.56 2008.09.12 -
F-Secure 8.0.14332.0 2008.09.13 Suspicious:W32/SCKeyLog!Gemini
Fortinet 3.113.0.0 2008.09.12 -
GData 19 2008.09.12 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.453 2008.09.12 -
Kaspersky 7.0.0.125 2008.09.12 -
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.13 -
NOD32v2 3439 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.12 -
PCTools 4.4.2.0 2008.09.12 -
Prevx1 V2 2008.09.13 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 -
Sunbelt 3.1.1628.1 2008.09.12 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.080 2008.09.13 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.12 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.12 -
Webwasher-Gateway 6.6.2 2008.09.13 -
Additional information
File size: 71368 bytes
MD5...: fac8e43fa3aebee03c1f08f8173059d9
SHA1..: 79fd71a11dcc7d5cb15eee9e3be0d758fbcbe9af
SHA256: 182e2eb05cec6c58f67aa6a8ad62ae08de79425f64bb6c0f6e9b70d6e8e5203a
SHA512: 2faa4eceb9e6fc24072cbd847860eaa3ec8b749b4bd9289e558a37fce57e9713
f3708763019b47a5cb01c73e5612be6aac4d7c66be2e29075f65f5ef4e7f90b9
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4042dd
timedatestamp.....: 0x48816313 (Sat Jul 19 03:44:19 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8c84 0x8e00 6.00 9079e1cf62cf93298b09b9c3840b6239
.data 0xa000 0xd54 0x400 5.81 aea75c550ab527cbfba56bc33d16ea93
.rsrc 0xb000 0x4d4e 0x4e00 5.78 278b983bd3e734a624a6096c1b111dec
.reloc 0x10000 0xc8a 0xe00 3.10 56fa4b399c6d09575836259c52cf6c40

( 6 imports )
> KERNEL32.dll: CreateFileW, CreateDirectoryW, GetFileAttributesW, ExpandEnvironmentStringsW, lstrlenW, CreateProcessW, VerSetConditionMask, VerifyVersionInfoW, LoadLibraryW, OutputDebugStringW, WriteFile, FlushFileBuffers, GetModuleFileNameW, InterlockedIncrement, InterlockedDecrement, GetSystemTime, GetLastError, SetLastError, GetFileSize, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, SetFilePointer, SetEndOfFile, ReleaseMutex, WaitForSingleObject, CreateMutexW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, RtlUnwind, GetStartupInfoW, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetSystemDirectoryW, LoadLibraryExW, GetDriveTypeW, GetVolumePathNameW, GetFileType, GetSystemInfo, GetModuleHandleW, CompareStringW, GetProcessHeap, HeapFree, HeapAlloc, GetCommandLineW, FreeLibrary, OpenEventW, GetProcAddress, WideCharToMultiByte, InterlockedExchange, Sleep, InterlockedCompareExchange
> msvcrt.dll: __dllonexit, _unlock, _controlfp, _terminate@@YAXXZ, free, malloc, memmove, memcpy, memset, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _lock, _cexit, __wgetmainargs, _vsnwprintf, _onexit, _exit
> ole32.dll: CoTaskMemFree, CoUninitialize, CoCreateInstance, CoInitialize, CoInitializeEx
> ADVAPI32.dll: AllocateAndInitializeSid, FreeSid, GetTokenInformation, DuplicateTokenEx, CheckTokenMembership, IsValidSid, CopySid, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, GetUserNameW, GetLengthSid, InitializeAcl, AddAccessAllowedAce, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExW, RegCloseKey
> OLEAUT32.dll: -, -
> SHLWAPI.dll: StrRChrW, -, PathStripToRootW, PathIsRelativeW, StrChrW, PathIsRootW, PathIsUNCW

Explorer.exe Log


Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.12 -
Avast 4.8.1195.0 2008.09.12 -
AVG 8.0.0.161 2008.09.12 -
BitDefender 7.2 2008.09.13 -
CAT-QuickHeal 9.50 2008.09.12 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.13 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.12 -
F-Prot 4.4.4.56 2008.09.12 -
F-Secure 8.0.14332.0 2008.09.13 -
Fortinet 3.113.0.0 2008.09.12 -
GData 19 2008.09.12 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.453 2008.09.12 -
Kaspersky 7.0.0.125 2008.09.12 -
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.13 -
NOD32v2 3439 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.12 -
PCTools 4.4.2.0 2008.09.12 -
Prevx1 V2 2008.09.13 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 -
Sunbelt 3.1.1628.1 2008.09.12 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.080 2008.09.13 -
TrendMicro 8.700.0.1004 2008.09.12 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.12 -
Webwasher-Gateway 6.6.2 2008.09.13 -
Additional information
File size: 3195904 bytes
MD5...: 076dc8e559181061a5a5884cb1a67567
SHA1..: 67f643fe5fbe1120ef95df07747d000d59d3acfa
SHA256: b9a06b6ca2548bebec55040d11cd5701cf2592c3781236e9eb3c7026006d0082
SHA512: 2a5211018c2c0bc3a8498375405acc8f3d83cbce7d564fefc6e90be7dd3f3c5f
a9f8bf819136c93e18c44fe155eea75849c1c7e4931090a20dab49aabf3a9efa
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x101a55f
timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0x2c204b 0x2c2200 5.65 f3d579f74a0dda6b8780ed27866a7c4e
.reloc 0x30b000 0x374c 0x3800 6.78 ec335057489badbf6d8142b57175fd91

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )

Kaspersky Online Scan Log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 12, 2008 20:39:26
Records in database: 1220364
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 91445
Threat name: 4
Infected objects: 25
Suspicious objects: 1
Duration of the scan: 01:45:30


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\auto.vbs.vir Suspicious: Type_Script 1
C:\_OTMoveIt\MovedFiles\09022008_001209\WINDOWS\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09022008_001209\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001219\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001221\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001222\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001224\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001306\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001331\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09022008_001901\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09092008_181709\WINDOWS\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_181709\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09092008_181715\WINDOWS\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_181715\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09092008_181718\WINDOWS\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_181718\WINDOWS\pc-off.bat Infected: Trojan.BAT.Shutdown.bi 1
C:\_OTMoveIt\MovedFiles\09092008_181910\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_181936\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_181944\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_181946\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_182051\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_182054\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_182056\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_182100\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
C:\_OTMoveIt\MovedFiles\09092008_182215\password_viewer.exe Infected: IM-Worm.Win32.Sohanad.hp 1
D:\Musics\far behinf candle box.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1

The selected area was scanned.

Blade81
2008-09-13, 12:06
Hi

Looks like you didn't remove C:\Documents and Settings\**insert your username here**\Application Data\LimeWire folder as instructed. Please do so now.



You seem to have OTMoveIT2 installed. Please follow these instructions:

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) (do this only if you have removed OTMoveIt2.exe file from your hard drive).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



D:\Musics\far behinf candle box.mp3
C:\Documents and Settings\Pen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^LimeWire On Startup.lnk


Return to OTMoveIt2, right click in the
Paste Standard List of Files/Folders to Move
window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Then continue with following:

Creating & executing batch file
-------------------------------

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
dir /s C:\Documents and Settings\á >DirLook.txt
notepad DirLook.txt

Double-click on fixes.bat file to execute it. DirLook.txt will open in notepad. Post back the contents (in an attachment if the list is very long).


Post a fresh hjt log and let me know how's the system running.


PS. I want to see all above meantioned logs (except contents of DirLook.txt file if it's long) to be posted without using attachments. You may use several posts if needed.

ushpen25
2008-09-14, 02:59
Hello,

I have a little problem deleting the Limewire Folder. I can't seem find the folder in the specific area. I do believe that i already deleted the Limewire folder as instructed. I also did a Search procedure to make it sure that there is nothing limewire folder nor file left in every partition in my hard drive.

Blade81
2008-09-14, 14:08
Hi

Skip over that step then :)

ushpen25
2008-09-15, 04:47
Hello,

The Dirlook.txt is empty after i run the fixes.bat. Anyway heres the OTmoveit2 result.

D:\Musics\far behinf candle box.mp3 moved successfully.
File/Folder C:\Documents and Settings\Pen\Start Menu\Programs\Startup\LimeWire On Startup.lnk not found.
File/Folder C:\WINDOWS\pss\LimeWire On Startup.lnkStartup not found.
< HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^LimeWire On Startup.lnk >
Registry key HKEY_LOCAL_MACHINE\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^LimeWire On Startup.lnk\\ not found.
< HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^LimeWire On Startup.lnk >
Registry key HKEY_LOCAL_MACHINE\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^LimeWire On Startup.lnk\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09132008_114012

ushpen25
2008-09-15, 07:00
Oh i forgot the HJT log. Here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:43 PM, on 9/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219782393078
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8856 bytes

ushpen25
2008-09-15, 07:04
And here's the previous HJT log from the attachment and the Combofix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:51 PM, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219782393078
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8797 bytes

ushpen25
2008-09-15, 07:05
Combofix Log.

ComboFix 08-09-10.04 - Pen 2008-09-12 13:47:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.483 [GMT -12:00]
Running from: C:\Documents and Settings\Pen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pen\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\auto.vbs

.
((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
.

2008-09-11 15:57 . 2008-09-11 15:57 <DIR> d-------- C:\Documents and Settings\á
2008-09-11 00:59 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-09-11 00:59 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-09-07 22:42 . 2008-09-07 22:42 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-09-07 17:50 . 2008-06-23 04:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-07 17:50 . 2008-06-23 04:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-07 17:50 . 2008-06-23 04:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-07 17:49 . 2008-06-23 04:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-07 17:49 . 2007-04-16 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-07 17:49 . 2007-03-07 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-07 17:49 . 2008-06-23 04:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-07 17:49 . 2008-06-23 04:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-07 17:49 . 2008-06-22 21:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-07 14:45 . 2008-09-07 14:45 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\SmartFTP
2008-09-07 00:20 . 2008-09-07 00:20 0 --a------ C:\WINDOWS\iplayer.INI
2008-09-07 00:15 . 2008-09-07 00:16 <DIR> d-------- C:\Program Files\InterActual
2008-09-03 15:43 . 2008-09-03 15:43 <DIR> d-------- C:\Documents and Settings\*\Application Data\SmartFTP
2008-09-03 15:42 . 2008-09-03 15:42 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-09-03 15:41 . 2008-09-03 15:41 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-09-03 14:16 . 2008-09-03 14:16 <DIR> d-------- C:\Documents and Settings\*\Application Data\dvdcss
2008-09-02 03:03 . 2008-09-02 03:03 <DIR> d-------- C:\Deckard
2008-09-02 02:56 . 2008-09-02 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 00:49 . 2008-09-02 02:57 <DIR> d-------- C:\Documents and Settings\Pen\.housecall6.6
2008-09-01 03:36 . 2008-09-01 03:36 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Ahead
2008-09-01 03:17 . 2008-09-01 03:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-01 00:09 . 2008-09-11 23:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-31 14:07 . 1996-10-15 18:01 298,496 --a------ C:\WINDOWS\uninst.exe
2008-08-31 14:06 . 2008-08-31 14:06 <DIR> d-------- C:\Documents and Settings\*\WINDOWS
2008-08-31 14:06 . 2008-08-31 14:06 <DIR> d-------- C:\Documents and Settings\*\WINDOWS
2008-08-31 00:46 . 2008-08-31 00:46 <DIR> d-------- C:\_OTMoveIt
2008-08-30 21:31 . 2008-08-30 21:31 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Skype
2008-08-30 17:53 . 2008-08-30 17:53 <DIR> d-------- C:\Documents and Settings\*\Application Data\CyberLink
2008-08-30 15:40 . 2008-09-02 22:08 <DIR> d-------- C:\Documents and Settings\*\Application Data\AVGTOOLBAR
2008-08-30 11:44 . 2008-09-12 09:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-30 11:44 . 2008-09-02 02:57 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\AVGTOOLBAR
2008-08-30 11:44 . 2008-08-30 11:44 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-30 11:44 . 2008-08-30 11:44 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-30 11:44 . 2008-08-30 11:44 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-30 11:44 . 2008-08-30 11:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-30 11:37 . 2008-08-30 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-30 01:26 . 2008-09-10 12:27 2,205 --a------ C:\WINDOWS\diagerr.xml
2008-08-30 01:26 . 2008-09-10 12:27 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-08-29 22:37 . 2008-08-29 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-08-29 22:36 . 2001-03-08 18:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-08-29 22:35 . 2003-03-18 20:14 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2008-08-29 22:35 . 2003-02-21 04:42 348,160 --------- C:\WINDOWS\system32\msvcr71.dll
2008-08-29 21:39 . 2008-08-29 21:42 4,829 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-08-29 20:42 . 2008-06-24 21:22 <DIR> d-------- C:\Program Files\TrueTransparency
2008-08-29 20:37 . 2008-08-29 20:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-29 20:34 . 2008-08-29 20:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-29 20:34 . 2008-08-29 20:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-28 09:40 . 2008-09-10 12:29 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\IDM
2008-08-28 09:40 . 2008-09-12 13:50 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\DMCache
2008-08-25 18:43 . 2008-08-25 18:43 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Malwarebytes
2008-08-25 11:58 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-25 11:58 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-25 11:58 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-25 11:56 . 2008-08-29 18:12 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Apple Computer
2008-08-25 09:55 . 2008-08-25 09:55 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\Comodo
2008-08-25 09:55 . 2008-08-25 09:55 <DIR> d-------- C:\Documents and Settings\Pen\Application Data\ATI
2008-08-25 09:54 . 2008-09-12 03:23 <DIR> d-------- C:\Documents and Settings\Pen
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-25 09:38 . 2008-08-25 09:38 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-25 09:35 . 2008-08-25 09:39 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\iTunes
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\iPod
2008-08-24 16:33 . 2008-08-24 16:33 <DIR> d-------- C:\Program Files\QuickTime
2008-08-24 16:33 . 2008-08-24 16:33 <DIR> d-------- C:\Program Files\Bonjour
2008-08-24 16:33 . 2008-08-24 16:33 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-24 16:33 . 2008-08-24 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-24 16:32 . 2008-08-24 16:32 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-24 16:32 . 2008-08-24 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-24 07:42 . 2008-08-24 07:42 <DIR> d-------- C:\Documents and Settings\Local Settings\Temp
2008-08-24 07:42 . 2008-08-24 07:42 <DIR> d-------- C:\Documents and Settings\Local Settings
2008-08-24 01:45 . 2008-04-13 12:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-24 01:44 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-24 01:43 . 2008-04-13 12:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2008-08-23 22:03 . 2008-08-23 22:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-08-23 18:14 . 2008-06-12 23:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-23 18:14 . 2008-06-12 23:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-23 06:50 . 2008-05-08 02:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-23 06:42 . 2008-04-11 07:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-22 11:57 . 2008-09-07 18:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 01:17 4,456,448 ----a-w C:\Documents and Settings\*\ntuser.dat
2008-09-13 01:17 4,456,448 ----a-w C:\Documents and Settings\*\ntuser.dat
2008-09-13 00:25 --------- d-----w C:\Documents and Settings\*\Application Data\Skype
2008-09-12 20:25 --------- d-----w C:\Documents and Settings\*\Application Data\skypePM
2008-09-12 20:21 --------- d-----w C:\Documents and Settings\*\Application Data\DMCache
2008-09-11 19:35 --------- d-s---w C:\Documents and Settings\*\Application Data\Microsoft
2008-09-11 11:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 11:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-10 14:15 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 12:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-10 12:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-09 14:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-09 05:42 --------- d-----w C:\Program Files\Magic Video Converter
2008-09-09 00:48 --------- d-----w C:\Documents and Settings\*\Application Data\LimeWire
2008-09-08 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 03:43 --------- d-----w C:\Documents and Settings\*\Application Data\SmartFTP
2008-09-04 03:35 --------- d-----w C:\Documents and Settings\*\Application Data\Adobe
2008-09-04 02:16 --------- d-----w C:\Documents and Settings\*\Application Data\dvdcss
2008-09-03 10:08 --------- d-----w C:\Documents and Settings\*\Application Data\AVGTOOLBAR
2008-09-02 13:04 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-08-31 05:53 --------- d-----w C:\Documents and Settings\*\Application Data\CyberLink
2008-08-30 10:35 --------- d-----w C:\Program Files\CyberLink
2008-08-30 09:42 52,529 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-08-30 09:42 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-08-29 23:29 --------- d-----w C:\Documents and Settings\*\Application Data\IDM
2008-08-27 07:41 --------- d-----w C:\Program Files\Internet Download Manager
2008-08-26 10:01 --------- d-----w C:\Program Files\AVG
2008-07-19 10:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 10:10 71,368 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 10:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 10:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 10:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 10:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 10:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 10:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:54 --------- d-----w C:\Program Files\GRETECH
2008-07-19 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-07-19 02:49 --------- d-----w C:\Documents and Settings\*\Application Data\ATI
2008-07-19 02:44 --------- d-----w C:\Program Files\ATI Technologies
2008-07-19 02:43 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-07-19 02:34 --------- d-----w C:\Documents and Settings\*\Application Data\Identities
2008-07-19 02:28 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-09 14:34 206,256 ----a-w C:\WINDOWS\system32\idmmbc.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 06:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

ushpen25
2008-09-15, 07:05
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\á ----



------- Sigcheck -------

2008-04-13 12:12 3195904 076dc8e559181061a5a5884cb1a67567 C:\WINDOWS\explorer.exe
2004-08-03 04:56 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-13 12:12 3195904 076dc8e559181061a5a5884cb1a67567 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2008-07-18 22:10 71368 fac8e43fa3aebee03c1f08f8173059d9 C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe
2008-07-18 22:10 71368 fac8e43fa3aebee03c1f08f8173059d9 C:\WINDOWS\system32\wuauclt.exe
2008-07-18 22:10 53448 d316e28958873859b88d72cf47ad1ea5 C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"RocketDock"="C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe" [2006-05-14 344064]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-15 931248]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-22 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-09 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-07-22 1655552]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 61440]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-15 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\ÿ\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-28 360448]

C:\Documents and Settings\Pen\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 344064]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^Y'z Shadow.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\Y'z Shadow.lnk
backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Pen^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Pen\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\*\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 15:54 21718312 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 06:41 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-29 21:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-30 12936]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-18 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-07-22 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-07-22 24208]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-30 76040]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 13:50:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-12 13:52:37
ComboFix-quarantined-files.txt 2008-09-13 01:52:11
ComboFix2.txt 2008-09-12 12:22:55
ComboFix3.txt 2008-09-12 03:57:32

Pre-Run: 20,814,221,312 bytes free
Post-Run: 20,799,160,320 bytes free

274 --- E O F --- 2008-09-10 10:56:49

Blade81
2008-09-15, 11:32
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis


Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK


Next we remove all used tools.



Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

Blade81
2008-09-23, 18:27
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.