W32.IRCbot.Gen removal problem then cannot reboot my computer normally

GUMPY
2009-11-20, 17:21
hey guys, my Symantec Antivirus detected this trojan (W32.IRCbot.Gen) in my WindowsXP\System32. I followed the instructions laid down by Norton:
1) Turn off Systems Restore
2) Update my NAV
3) Do a full scan
I scanned with NAV/Spybot/Malwarebytes but was unable to remove the virus.
Hence, I shut down my computer and tried to go through step 3) via safe mode. Same problem but this time much worse because now when my computer starts up, there's these five options on my screen.

it says -Safe Mode
-Safe Mode with Networking
-Safe Mode with Command Prompt

-Last known Good Configuration (your most recent settings that worked)
-Start Windows Normally.

I've clicked on Last Known Good Configuration or Start Windows Normally and after several seconds, where it looked like it was gonna work, it just goes back to the same screen. Normal Windows can't open. However, I was only able to open via safe mode.

What in the world do I need to do to get my computer up and running normally again?

Please help me!

peku006
2009-11-25, 07:19
Hi GUMPY

Please see the forum FAQ which details how to produce a HJT log and copy paste it into a new topic.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

peku006

GUMPY
2009-11-25, 18:19

This is my Hijack log. Thank you for your time and effort.
Gumpy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:18 AM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: AmsServer
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [FLV Downloader] C:\Program Files\Moyea\YouTube FLV Downloader\FLVDownloader.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\svjfjqa.dll
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7933 bytes
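As an added example (not from the thread and not HijackThis code), a small Python triage script for the HJT log format posted above: it parses the entry lines, flags the load points a helper reads first (O1 hosts entries, unnamed O2 BHOs in system32, the O10 LSP entry, O20 Winlogon Notify DLLs) and notices when one DLL is wired into more than one load point, as svjfjqa.dll is in this log. The sample lines are a hand-picked subset of the posted log; the rule set and severities are this example's own convention.

```python
import re
from collections import defaultdict

# Constructed sample: a hand-picked subset of the HJT log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: AmsServer
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\svjfjqa.dll
"""

# Every HJT entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every entry line; the header and the
    'Running processes' list do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def triage(text):
    """Return findings as (section, severity, reason, path) tuples.
    Severities are this example's own convention, not HijackThis output."""
    findings = []
    dll_refs = defaultdict(set)  # lower-cased DLL path -> sections loading it
    for sec, body in parse_hjt(text):
        if sec == "O1":
            # A hosts-file override redirects name resolution for that host.
            findings.append((sec, "medium", "hosts file entry", body.split(": ", 1)[-1]))
        elif sec == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            path = m["path"]
            if path == "(no file)":
                # Registry points at a DLL that no longer exists: leftover to clean up.
                findings.append((sec, "low", "orphaned BHO, file missing", m["clsid"]))
                continue
            dll_refs[path.lower()].add(sec)
            if m["name"] == "(no name)" and in_system32(path):
                # Legitimate BHOs carry a product name; an unnamed one in system32
                # with a random-looking file name is the classic adware/bot pattern.
                findings.append((sec, "high", "unnamed BHO loading from system32", path))
        elif sec == "O10":
            # HJT could not attribute this LSP DLL; verify the file before acting on it.
            findings.append((sec, "medium", "Winsock LSP DLL HJT could not identify",
                             body.split(": ", 1)[-1]))
        elif sec == "O20":
            m = WINLOGON_RE.match(body)
            if m:
                # Winlogon Notify DLLs are loaded by winlogon.exe itself, in Safe Mode
                # too, before any user shell starts.
                findings.append((sec, "high", "Winlogon Notify DLL", m["path"]))
                dll_refs[m["path"].lower()].add(sec)
    # The same DLL registered under two different load points deserves a close look.
    for path, secs in dll_refs.items():
        if len(secs) > 1:
            findings.append(("*", "high", "one DLL hooked via " + "/".join(sorted(secs)), path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s %-6s %-40s %s" % f)
```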

peku006
2009-11-25, 18:51
Hi GUMPY

1 - Download and Run ComboFix
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you.
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)

Thanks peku006

GUMPY
2009-11-26, 02:19
Dear Peku006:

Thank you very much for your help.

A few other points you should know:
1) I cannot access the internet from the computer in Safe Mode with Networking. There is something wrong with the internet access program, perhaps as part of the overall problem.
2) Therefore, I am using my second (working) computer to write to you.
3) I recently installed DAEMON Tools Pro. Perhaps this may have something to do with it. It kept giving an error saying it would not run without Windows 2000 with SPTD 1.43 or higher and asks me to turn off the kernel debugger. It worked last week before my computer crashed. Could it have a virus in it or is it an innocent victim due to the trojan.vundo.h?
4) I do not have the original Windows installation disc for my computer because it was installed by the retailers when I bought my computer from them. Therefore, I will have to use a borrowed Windows XP installation disc from a friend or download a pirated one. The retailers would not give it to me.

Here is the ComboFix log (I could not download the restore console from Microsoft because the affected computer could not access the internet, as I mentioned before). Nevertheless, ComboFix completed its analysis and gave me the log. Thank you once again.

ComboFix 09-11-25.03 - Owner 11/26/2009 6:59.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.330 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sosuo.col
c:\windows\system32\clauth1.dll
c:\windows\system32\clauth2.dll
c:\windows\system32\iexp_log.txt
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\svjfjqa.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDEFKLNA
-------\Service_tdefklna


((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-25 16:08 . 2009-11-25 16:08 -------- d-----w- c:\program files\Trend Micro
2009-11-25 16:07 . 2009-11-25 16:08 -------- d-----w- c:\program files\ERUNT
2009-11-23 16:42 . 2009-11-23 16:42 -------- d-----w- c:\program files\NETVIGATOR
2009-11-23 16:42 . 2000-12-08 13:59 122880 ----a-w- c:\windows\UnGins.exe
2009-11-23 16:42 . 2009-11-23 16:42 -------- d-----w- C:\Temp
2009-11-23 15:59 . 2009-11-23 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-11-23 15:59 . 2009-11-23 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-22 10:01 . 2009-11-22 10:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-20 14:41 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 14:41 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 11:39 . 2009-11-20 11:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-19 23:32 . 2007-10-17 16:16 79688 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-11-19 23:32 . 2007-10-17 16:16 29000 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-11-19 23:32 . 2007-10-17 16:15 62280 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-11-19 23:32 . 2007-10-17 16:14 41288 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-11-19 23:32 . 2009-11-19 23:32 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-11-19 23:32 . 2005-09-23 00:29 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-11-19 13:51 . 2009-11-19 13:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-19 13:50 . 2009-11-19 13:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-11-19 13:32 . 2009-11-25 22:53 -------- d-----w- c:\program files\Spyware Doctor
2009-11-19 13:31 . 2009-11-19 14:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 13:00 . 2009-11-19 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\program files\Yahoo!
2009-11-14 16:56 . 2009-11-14 17:00 -------- d-----w- c:\program files\SPSSEval
2009-11-12 13:38 . 2008-05-02 02:41 3493888 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2009-11-11 12:03 . 2009-11-11 12:03 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-11 11:54 . 2009-11-11 11:54 -------- d-----w- c:\program files\Sierra Online
2009-11-09 09:53 . 2009-11-09 09:53 -------- d-----w- c:\program files\Ubisoft
2009-11-05 22:56 . 2009-11-05 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Sports Interactive
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 22:54 . 2008-10-16 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-11-20 12:36 . 2008-11-05 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-20 00:13 . 2008-10-16 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 13:00 . 2008-10-16 22:40 -------- d-----w- c:\program files\CCleaner
2009-11-19 09:56 . 2008-11-05 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-17 05:25 . 2008-10-14 23:00 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-14 17:11 . 2008-10-14 22:19 30784 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 12:15 . 2008-10-14 22:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 12:03 . 2009-10-14 14:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-26 13:37 . 2009-09-28 23:33 -------- d-----w- c:\program files\GameSpy Arcade
2009-10-26 06:17 . 2009-10-24 06:01 -------- d-----w- c:\program files\Temporary Game file
2009-10-25 17:17 . 2009-10-24 22:57 -------- d-----w- c:\program files\Zombie Shooter
2009-10-24 22:56 . 2009-10-24 22:56 -------- d-----w- c:\program files\ReflexiveArcade
2009-10-24 13:56 . 2009-10-24 13:52 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-10-24 13:56 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-10-24 13:55 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2009-10-17 05:06 . 2008-10-26 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-17 04:00 . 2009-10-17 04:00 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-17 03:27 . 2009-10-17 03:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-17 01:10 . 2009-10-17 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-17 01:10 . 2009-10-16 16:32 -------- d-----w- c:\program files\Electronic Arts
2009-10-16 16:32 . 2009-10-16 16:32 662 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-10-16 16:32 . 2008-10-14 22:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-16 14:32 . 2009-10-16 14:32 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-10-16 14:27 . 2009-10-16 14:27 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-14 13:19 . 2009-07-06 12:59 -------- d-----w- c:\program files\MagicISO
2009-10-14 13:19 . 2009-10-14 13:19 3067375 ----a-w- c:\program files\Setup_MagicISO.exe
2009-10-14 13:08 . 2009-10-14 13:08 -------- d-----w- c:\program files\MagicDisc
2009-10-14 13:08 . 2009-10-14 13:08 1352435 ----a-w- c:\program files\setup_magicdisc.exe
2009-10-05 07:42 . 2008-10-14 22:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-05 07:38 . 2009-10-05 07:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-05 07:34 . 2009-10-05 07:34 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-09-28 23:26 . 2009-09-28 23:23 -------- d-----w- c:\program files\Halo
2009-09-28 15:26 . 2009-09-28 15:26 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2008-07-19 22:08 . 2008-10-16 22:40 266544 ----a-w- c:\program files\uTorrent.exe
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2009-09-15 15:05 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2009-09-15 15:05 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-15 15:05 216064 --sh--r- c:\windows\system32\nbDX.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Shareaza"="c:\program files\Shareaza\Shareaza.exe" [2008-10-01 5723136]
"FLV Downloader"="c:\program files\Moyea\YouTube FLV Downloader\FLVDownloader.exe" [2009-05-27 3644928]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 413696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-14 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?駤e???d g??▊?tr?l???!!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\AVIXE pen drive2 stuff\\TuDienHND\\3rdparty\\jre\\bin\\jre.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:shareaza

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/28/2009 11:26 PM 685816]
S1 jqi0d17;jqi0d17;c:\windows\system32\drivers\jqi0d17.sys --> c:\windows\system32\drivers\jqi0d17.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/13/2004 6:18 AM 169192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [11/20/2009 7:32 AM 311112]
SUnknown AppToService_TuDienHND;AppToService_TuDienHND; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com/?p=us
IE: 妏蚚厙珜捃濘狟婥
IE: 妏蚚厙珜捃濘狟婥窒蟈諉
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
.
- - - - ORPHANS REMOVED - - - -

BHO-{F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll
SafeBoot-drmkaud
SafeBoot-AudioEndpointBuilder
SafeBoot-HdAudAddService
SafeBoot-MMCSS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 07:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8231F2F6]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8586f28
\Driver\ACPI -> ACPI.sys @ 0xf83f7cb8
\Driver\atapi -> atapi.sys @ 0xf8389852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf8295bb0
PacketIndicateHandler -> NDIS.sys @ 0xf82a2a21
SendHandler -> NDIS.sys @ 0xf828087b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppToService_TuDienHND]
"ImagePath"="c:\documents and settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe /sys \"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND/3rdparty/jre/bin/jrew.exe\" /Arguments:\"-mx64m -cp vietdict.jar vietdict.server.vietdictserver\" /Directory:\"c:/documents and settings/owner/my documents/avixe pen drive2 stuff/tudienhnd\" /Name:\"tudienhnd\" /Startup:A"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bf,61,9c,87,c7,11,f9,a3,3d,3a,b8,09,f4,ba,38,70,93,f8,3b,56,bb,78,30,
ae,94,f6,6f,9a,93,9a,c4,bf,d2,f6,37,ec,4e,59,19,69,b8,c8,c2,4c,02,0f,44,1b,\
"??"=hex:6a,d4,43,5c,8e,72,8a,6a,02,82,58,4c,bd,6d,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
.
Completion time: 2009-11-26 07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 23:56

Pre-Run: 45,339,598,848 bytes free
Post-Run: 45,275,926,528 bytes free

- - End Of File - - 3751DF7ADCFEAA44EAFD3DC99392B84B
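As an added example (not ComboFix's own logic), a Python check over the Sigcheck block of the log above: it parses each line and compares the in-use copy of a system file with the Windows File Protection copy in dllcache that carries the same version number. In the posted block the three 5.1.2600.5625 copies of tcpip.sys have three different MD5s, and the one in system32\drivers, the copy that actually loads, is the line ComboFix marks [-]. The sample block is copied from the log; the role classification (live / cache / reference) is this example's assumption, and hotfix (QFE) copies are deliberately not compared because they legitimately differ from the GDR build of the same version.

```python
import re
from collections import defaultdict

# Constructed sample: the Sigcheck block copied from the ComboFix log above.
SIGCHECK_SAMPLE = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
"""

# Line shape: "[flag] date . MD5 . size . . [version] . . path"
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d\d-\d\d)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$"
)


def parse_sigcheck(text):
    """Parse every Sigcheck line into a dict; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["md5"] = row["md5"].upper()
            row["size"] = int(row["size"])
            row["path"] = row["path"].lower()
            rows.append(row)
    return rows


def role(path):
    """Assumed classification: the copy directly under system32 (or
    system32\\drivers) is what Windows loads; dllcache holds the Windows File
    Protection copy; uninstall stores and hotfix migration dirs are references."""
    if "\\dllcache\\" in path:
        return "cache"
    directory = path.rsplit("\\", 1)[0]
    if directory.endswith("\\system32") or directory.endswith("\\system32\\drivers"):
        return "live"
    return "reference"


def check_integrity(text):
    """For each live system file, compare its MD5 with the dllcache copy of the
    same version. Returns a list of finding dicts; an empty list means consistent."""
    by_name = defaultdict(list)
    for row in parse_sigcheck(text):
        by_name[row["path"].rsplit("\\", 1)[-1]].append(row)
    findings = []
    for name, copies in by_name.items():
        cache = [c for c in copies if role(c["path"]) == "cache"]
        for live in (c for c in copies if role(c["path"]) == "live"):
            same_ver = [c for c in cache if c["ver"] == live["ver"]]
            if not same_ver:
                findings.append({"file": name, "issue": "no-cache-copy",
                                 "path": live["path"], "flag": live["flag"]})
            elif all(c["md5"] != live["md5"] for c in same_ver):
                findings.append({
                    "file": name, "issue": "md5-mismatch",
                    "path": live["path"], "flag": live["flag"],
                    # Same size but a different hash points to in-place patching of the
                    # file rather than a newer build replacing it.
                    "same_size": any(c["size"] == live["size"] for c in same_ver),
                })
    return findings


if __name__ == "__main__":
    for finding in check_integrity(SIGCHECK_SAMPLE):
        print(finding)
```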

peku006
2009-11-26, 12:17
Hi GUMPY

Have you tried Manually restoring the Internet connection (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) ?
(bottom in the page)

Your "2000 with SPTD 1.43 problem": read this (http://icelava.net/forums/thread/1509.aspx)

"download a pirated one" :nono: not recommended



Please download TDSSKiller.rar (http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.secureblog.info%2Farticles%2F597.html&sl=auto&tl=en) and save it to your desktop.
Extract the rar file to your desktop.
Double click on TDSSKiller.exe to run it.
When it has finished, press any key to continue.
If needed reboot the computer.


Go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -t >log.txt&start log.txt

A log file opens. Please post the content to your reply.

peku006

GUMPY
2009-11-26, 15:32
Dear Peku006:

1) About internet:
I tried your suggestions and followed the steps for manually connecting to the internet, with repairs etc., but it didn't work. Got this error message:

"Cannot load remote access connection manager service. Error 711: a configuration error on this computer is preventing the connection"

2) About SPDT.sys problem. I deleted the C:\Windows\System32\SPDT.sys file. I was not able to locate any other SPDT...sys files in registry although I'm not sure how to look for it in that registry jungle.

3) The TDSSKiller.log file is as follows:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8231C2F6]<<
kernel: MBR read successfully
user & kernel MBR OK

Thank you very much once again. :)
Sincerely,
Gumpy

GUMPY
2009-11-26, 16:07
Dear Peku006:

I have to really thank you because whatever you did during the diagnostic phase of your help, my computer was bootable back to normal Windows.

I think the culprit was DAEMON Tools' SPTD.sys file which prevented normal activation of Windows when I restarted my computer; strangely it only allowed me to enter safe mode. However, I was not able to connect to the internet via safe mode plus networking.

My computer isn't the same it used to be though. Now there are 2 internet connection icons at the bottom right of my taskbar when I connect to internet (the twin computer monitor icon which comes up when one is connected to internet with the 2 tiny blue screens).

System restore was already automatically enabled when I restarted successfully in Windows mode.

I do notice the biggest change was my computer was running pretty slowly. Also, the "Switch off Kernel Debugger" message related to SPTD.sys was still on because I had not disabled DAEMON Tools at startup. So I went and disabled it. Ran Malware scan again and found no more virus.

I am very very happy. Do you suggest any further action?

Sincerely
Gumpy

peku006
2009-11-26, 16:35
Hi Gumpy

For general slowness, see here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

Can you get to the internet now ?

We can search for SPDT.sys registry entries by doing the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:regfind
SPDT.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

peku006

GUMPY
2009-11-27, 02:04
Dear Peku006:
Thank you once again.
Yes, I can access the net thanks to you.

Something new occurs each time I reboot and restart Windows; it now displays a logon asking for a password before Windows opens. Before the crash, Windows opened automatically without any need for a logon password. Anyway, it is not a big problem because the default is no password, so luckily I just press Enter and the computer accepts it. How do I revert to the previous state?

Another thing which changed is that whenever I press Ctrl+Alt+Del to bring up Task Manager, it switches to a grey control panel of options where I have to select Task Manager, whereas before the crash it automatically entered Task Manager without needing to select that option. I know other computers normally do that. How do I revert to the old way?

I performed SystemLook and it found nothing, so it must be clean:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 07:58 on 27/11/2009 by Owner (Administrator - Elevation successful)

========== regfind ==========

Searching for "SPDT.sys"
No data found.

-=End Of File=-

Well I learned valuable lessons this time. In the future I will 1) never turn off system restore without obtaining an expert opinion from you and 2) search forums for any problems with programs such as daemon tools BEFORE I install it.
Gumpy

peku006
2009-11-27, 11:06
Hi Gumpy

Those problems of yours do not appear to be due to malware. We clean your computer first and then the other problems :yes:

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - ESET online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the ESET online scanner report
2. a fresh HijackThis log

Thanks peku006

GUMPY
2009-11-28, 12:55
Dear Peku006:

Here is the info you requested; it seems there are viruses which ESET was able to detect but not my other malware program or Norton AV:

1. the ESET online scanner report


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b8d99be4b0c0134188afb1288150b96a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-28 09:42:51
# local_time=2009-11-28 05:42:51 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 221526 221526 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=53011
# found=4
# cleaned=0
# scan_time=14517
C:\Program Files\0FF6FB7D\Thunder.exe Win32/TrojanDropper.Delf.NMX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\svjfjqa.dll.vir a variant of Win32/Kryptik.BDF trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\qestlkdp.dll a variant of Win32/Kryptik.BDF trojan 00000000000000000000000000000000 I
${Memory} a variant of Win32/Kryptik.BDF trojan 00000000000000000000000000000000 I


2. a fresh HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:40 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9C50A9AF-1506-44A1-958A-873DA3977D0C} - c:\windows\system32\ldjvdsm.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\ldjvdsm.dll
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8492 bytes


Thank you once again.
Gumpy
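Added example (not part of the thread, and not HijackThis code): a small Python triage of the HJT sections a helper reads first, run over a constructed sample made of lines copied from the logs posted above. The severity labels and heuristics are this example's own assumptions, not HijackThis output; the correlation step shows why ldjvdsm.dll stands out, since the same DLL is registered both as an unnamed BHO (O2) and as a Winlogon Notify handler (O20).

```python
"""Triage the HijackThis (HJT) sections a malware-removal helper reads first.

Example code written for this thread; not part of HijackThis. Severity labels
and heuristics are assumptions of this example, not the tool's own output.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9C50A9AF-1506-44A1-958A-873DA3977D0C} - c:\windows\system32\ldjvdsm.dll
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\ldjvdsm.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
"""

SECTION_RE = re.compile(r"[OR]\d+")                       # HJT entry prefix: O2, O20, R0 ...
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
RUN_VALUE_RE = re.compile(r"\[(.+?)\]\s*(.*)$")           # O4: [ValueName] command
ORPHAN_MARKERS = ("(no file)", "(file missing)")          # HJT's own "file is gone" markers


def parse_entry(line):
    """Split 'O2 - BHO: name - {GUID} - path' into ('O2', ['BHO: name', '{GUID}', 'path']).

    Returns None for lines that are not HJT entries (headers, process list, etc.).
    """
    parts = [p.strip() for p in line.strip().split(" - ")]
    if not SECTION_RE.fullmatch(parts[0]):
        return None
    return parts[0], parts[1:]


def is_orphan(target):
    """True when HJT reports the registered file as no longer present on disk."""
    return any(marker in target.lower() for marker in ORPHAN_MARKERS)


def triage(log_text):
    """Return (severity, line, reason) tuples for entries worth a second look."""
    findings = []
    loaders = defaultdict(set)  # lower-cased DLL path -> HJT sections that load it
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, fields = parsed
        line = raw.strip()
        target = fields[-1] if fields else ""
        if section == "O2":
            name = fields[0].split(":", 1)[-1].strip()  # text after "BHO:"
            if is_orphan(target):
                findings.append(("low", line, "orphan BHO registration, file already gone"))
            elif name == "(no name)" and SYSTEM32_RE.match(target):
                findings.append(("high", line, "unnamed BHO loading from system32"))
                loaders[target.lower()].add(section)
        elif section == "O4":
            m = RUN_VALUE_RE.search(fields[0])
            if m and m.group(2).strip() in ("", "-"):
                findings.append(("low", line, "Run value with no command"))
        elif section == "O10":
            findings.append(("review", line,
                             "Winsock LSP HJT cannot identify; removing the wrong LSP breaks networking"))
        elif section == "O20":
            findings.append(("high", line, "Winlogon Notify DLL runs inside winlogon.exe at every logon"))
            if not is_orphan(target):
                loaders[target.lower()].add(section)
        elif section == "O23" and is_orphan(target):
            findings.append(("low", line, "service whose binary is missing"))
    # Correlation: one DLL registered under several load points is persistence, not an accident.
    for path, sections in loaders.items():
        if len(sections) > 1:
            findings.append(("high", path,
                             f"same DLL registered via {'+'.join(sorted(sections))}: "
                             "persistence in more than one place"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in sorted(triage(SAMPLE_LOG), key=lambda f: f[0]):
        print(f"[{severity:6}] {reason}\n         {line}")
```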

peku006
2009-11-28, 14:00
Hi GUMPY

I'd like you to check some files for Viruses.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)

C:\Program Files\0FF6FB7D\Thunder.exe
C:\WINDOWS\system32\qestlkdp.dll

Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Repeat for all files on the list, and post me the details please.

Thanks peku006

GUMPY
2009-11-28, 16:47
Dear Peku006:

Scans done using Jotti's for C:\Program Files\0FF6FB7D\Thunder.exe

Scanners
2009-11-27 Found nothing 2009-11-28 Found nothing
2009-11-28 Trojan-Dropper.Delf!IK 2009-11-28 Trojan-Dropper.Delf
2009-11-28 Win32:Trojan-gen 2009-11-28 Found nothing
2009-11-28 Found nothing 2009-11-28 Win32/TrojanDropper.Delf.NMX
2009-11-27 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-28 Trojan.Bifrose-8757 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-28 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-27 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing

And for C:\WINDOWS\system32\qestlkdp.dll

Scanners
2009-11-27 Found nothing 2009-11-28 Found nothing
2009-11-28 Trojan-Spy.Win32.BZub!IK 2009-11-28 Trojan-Spy.Win32.BZub
2009-11-28 Found nothing 2009-11-28 Found nothing
2009-11-28 Win32/Heur 2009-11-28 Win32/Kryptik.BDF
2009-11-27 TR/Crypt.XPACK.Gen 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-28 Mal/BHO-C
2009-11-28 Trojan.Packed.196 2009-11-27 Found nothing
2009-11-27 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing



Seems like I've got trojans and other viruses.

Thank you once again.
Sincerely,
Gumpy

peku006
2009-11-28, 17:55
Hi GUMPY

Download and run OTM

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Files
C:\Program Files\0FF6FB7D\Thunder.exe
C:\WINDOWS\system32\qestlkdp.dll




Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

How's the computer running now? What kind of problems do you have?

Thanks peku006

GUMPY
2009-11-28, 19:29
Dear Peku006:

Thank you for your help.
Here is the log after moving the files.

========== FILES ==========
C:\Program Files\0FF6FB7D\Thunder.exe moved successfully.
File/Folder C:\WINDOWS\system32\qestlkdp.dll not found.

OTM by OldTimer - Version 3.1.2.0 log created on 11292009_012601

The main problems:
1. Slow running speed of computer.
2. How do I get rid of the Windows logon pane whenever I start or reboot my computer?

Thank you
Sincerely
Gumpy

peku006
2009-11-29, 10:06
Hi Gumpy

How to turn on automatic logon in Windows XP (http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=7&y=13)

System Still Slow?
You may wish to try StartupLite. (http://www.malwarebytes.org/startuplite.php) Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware (http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&view=findpost&p=487112)

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

GUMPY
2009-11-29, 14:11
Dear Peku006:

Thank you for your advice. I have installed and run StartupLite. Will reboot later to see if the speed picks up.
I'll try to follow the instructions for switching off the logon, or at least make it log on automatically on startup.

Here is the checkup.txt file

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
Spyware Doctor 5.1
Spybot - Search & Destroy
CCleaner
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1.3
Adobe Reader Chinese Traditional Fonts
``````````````````````````````
Process Check:
objlist.exe by Laurent
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````


Thank you
Sincerely
Gumpy

Here is the

peku006
2009-11-29, 15:05
Hi GUMPY

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.

Go to Java Site (http://java.sun.com/javase/downloads/index.jsp)
Click to Download Java SE Runtime Environment (JRE) 6 Update 17
In Platform box choose Windows.
Check the box to Accept License Agreement and click Continue.
Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586-p.exe" and save the downloaded file to your desktop.
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
Reboot your computer


Please reply with

a fresh HijackThis log

How's the computer running now?

Thanks peku006

GUMPY
2009-12-06, 05:06
Dear Peku006:
Sorry for my delayed reply. I have been busy at work.

I upgraded my Java to the 17th update.

Also tried your recommendations for editing the registry to enable autologon at the start of Windows, but it only worked once; then on the 3rd startup, it asked for a logon again. Why?

Anyway, I've done another Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:36 AM, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll (file missing)
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9C50A9AF-1506-44A1-958A-873DA3977D0C} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O20 - Winlogon Notify: dsawxfot - svjfjqa.dll (file missing)
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7954 bytes


The computer is running more smoothly now thanks to your help.

Sincerely
Gumpy

peku006
2009-12-07, 18:01
Hi GUMPY

Download and run OTS

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) by Oldtimer to your Desktop and double-click on it to extract the files.

NOTE: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Click the Scan All Users checkbox on the toolbar.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Close Notepad (saving the change if necessary).




Thanks peku006

GUMPY
2009-12-08, 01:56
Dear Peku006:

My text is said to be too long (64539 characters), so I have cut it into 2 parts; this will be the first part:

[code]
OTS logfile created on: 12/8/2009 7:04:55 AM - Run 1
OTS by OldTimer - Version 3.1.8.8 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.23 Mb Total Physical Memory | 332.18 Mb Available Physical Memory | 66.01% Memory free
1.20 Gb Paging File | 0.84 Gb Available in Paging File | 69.71% Paging File free
Paging file location(s): C:\pagefile.sys 754 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 54.43 Gb Free Space | 36.52% Space Free | Partition Type: NTFS
Drive D: | 4.15 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GMHV9JQLQ
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/12/08 07:03:39 | 00,532,992 | ---- | M] (OldTimer Tools)
jusched.exe -> C:\Program Files\Java\jre6\bin\jusched.exe -> [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
jqs.exe -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.)
wscntfy.exe -> C:\WINDOWS\system32\wscntfy.exe -> [2008/04/14 20:42:42 | 00,013,824 | ---- | M] (Microsoft Corporation)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 20:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation)
stacsv.exe -> c:\Program Files\IDT\ECSXPV_5762_010208\WDM\stacsv.exe -> [2007/12/14 12:27:34 | 00,212,992 | ---- | M] (IDT, Inc.)
sttray.exe -> C:\Program Files\IDT\WDM\sttray.exe -> [2007/12/14 12:26:40 | 00,413,696 | ---- | M] (IDT, Inc.)
vptray.exe -> C:\Program Files\Symantec AntiVirus\VPTray.exe -> [2004/03/13 06:18:32 | 00,124,128 | ---- | M] (Symantec Corporation)
rtvscan.exe -> C:\Program Files\Symantec AntiVirus\Rtvscan.exe -> [2004/03/13 06:17:46 | 01,221,864 | ---- | M] (Symantec Corporation)
defwatch.exe -> C:\Program Files\Symantec AntiVirus\DefWatch.exe -> [2004/03/13 06:17:10 | 00,029,928 | ---- | M] (Symantec Corporation)
ccsetmgr.exe -> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -> [2004/03/01 07:44:54 | 00,242,808 | ---- | M] (Symantec Corporation)
ccevtmgr.exe -> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -> [2004/03/01 07:44:48 | 00,255,096 | ---- | M] (Symantec Corporation)
ccapp.exe -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> [2004/03/01 07:44:46 | 00,066,680 | ---- | M] (Symantec Corporation)
jrew.exe -> C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe -> [2003/04/04 09:54:26 | 00,012,800 | ---- | M] ()
apptoservice.exe -> C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe -> [1999/09/14 03:47:08 | 00,045,056 | ---- | M] (Basta Computing )

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/12/08 07:03:39 | 00,532,992 | ---- | M] (OldTimer Tools)

[Win32 Services - Safe List]
(sdCoreService) PC Tools Security Service [Auto | Stopped] -> -> File not found
(sdAuxService) PC Tools Auxiliary Service [Auto | Stopped] -> -> File not found
(JavaQuickStarterService) Java Quick Starter [Auto | Running] -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.)
(STacSV) Audio Service [Auto | Running] -> c:\Program Files\IDT\ECSXPV_5762_010208\WDM\stacsv.exe -> [2007/12/14 12:27:34 | 00,212,992 | ---- | M] (IDT, Inc.)
(usnjsvc) Messenger Sharing Folders USN Journal Reader service [On_Demand | Stopped] -> C:\Program Files\MSN Messenger\usnsvc.exe -> [2007/01/20 03:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation)
(NBService) NBService [On_Demand | Stopped] -> C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -> [2006/11/11 10:18:02 | 00,774,144 | ---- | M] (Nero AG)
(IDriverT) InstallDriver Table Manager [On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(SavRoam) SavRoam [On_Demand | Stopped] -> C:\Program Files\Symantec AntiVirus\SavRoam.exe -> [2004/03/13 06:18:06 | 00,169,192 | ---- | M] (symantec)
(Symantec AntiVirus) Symantec AntiVirus [Auto | Running] -> C:\Program Files\Symantec AntiVirus\Rtvscan.exe -> [2004/03/13 06:17:46 | 01,221,864 | ---- | M] (Symantec Corporation)
(DefWatch) Symantec AntiVirus Definition Watcher [Auto | Running] -> C:\Program Files\Symantec AntiVirus\DefWatch.exe -> [2004/03/13 06:17:10 | 00,029,928 | ---- | M] (Symantec Corporation)
(SNDSrvc) Symantec Network Drivers Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -> [2004/03/12 05:58:32 | 00,193,760 | ---- | M] (Symantec Corporation)
(ccSetMgr) Symantec Settings Manager [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -> [2004/03/01 07:44:54 | 00,242,808 | ---- | M] (Symantec Corporation)
(ccPwdSvc) Symantec Password Validation [On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -> [2004/03/01 07:44:52 | 00,087,160 | ---- | M] (Symantec Corporation)
(ccEvtMgr) Symantec Event Manager [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -> [2004/03/01 07:44:48 | 00,255,096 | ---- | M] (Symantec Corporation)
(AppToService_TuDienHND) tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A [Auto | Running] -> C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe -> [1999/09/14 03:47:08 | 00,045,056 | ---- | M] (Basta Computing )

[Driver Services - Safe List]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091125.004\NAVEX15.SYS -> [2009/11/25 17:00:00 | 01,323,568 | ---- | M] (Symantec Corporation)
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091125.004\NAVENG.SYS -> [2009/11/25 17:00:00 | 00,084,912 | ---- | M] (Symantec Corporation)
(mcdbus) Driver for MagicISO SCSI Host Controller [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\mcdbus.sys -> [2009/02/24 18:42:14 | 00,116,736 | ---- | M] (MagicISO, Inc.)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\nwlnkipx.sys -> [2008/04/14 15:26:08 | 00,088,320 | ---- | M] (Microsoft Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\secdrv.sys -> [2008/04/14 13:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\hdaudbus.sys -> [2008/04/14 13:06:06 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(ialm) ialm [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\igxpmp32.sys -> [2007/12/19 11:32:12 | 05,854,688 | R--- | M] (Intel Corporation)
(STHDA) IDT High Definition Audio CODEC [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sthda.sys -> [2007/12/14 12:28:20 | 01,270,872 | ---- | M] (IDT, Inc.)
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\Rtnicxp.sys -> [2007/07/12 11:49:16 | 00,096,384 | R--- | M] (Realtek Semiconductor Corporation )
(sfcure01) StarForce Cure Driver (version 1.x) [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\sfcure01.sys -> [2005/09/08 04:02:40 | 00,003,072 | ---- | M] ()
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\rtl8139.sys -> [2004/08/04 13:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(SYMTDI) SYMTDI [Kernel | System | Running] -> C:\WINDOWS\System32\Drivers\SYMTDI.SYS -> [2004/03/12 05:58:10 | 00,263,616 | ---- | M] (Symantec Corporation)
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -> [2004/03/12 05:58:08 | 00,016,288 | ---- | M] (Symantec Corporation)
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> C:\Program Files\Symantec\SYMEVENT.SYS -> [2004/03/05 14:46:46 | 00,082,832 | ---- | M] (Symantec Corporation)
(SAVRT) SAVRT [Kernel | System | Running] -> C:\Program Files\Symantec AntiVirus\savrt.sys -> [2004/02/10 06:43:56 | 00,301,200 | R--- | M] (Symantec Corporation)
(SAVRTPEL) SAVRTPEL [Kernel | Auto | Running] -> C:\Program Files\Symantec AntiVirus\Savrtpel.sys -> [2004/02/10 06:43:56 | 00,037,008 | R--- | M] (Symantec Corporation)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\nwlnknb.sys -> [2001/08/23 20:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\nwlnkspx.sys -> [2001/08/23 20:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ptilink.sys -> [2001/08/23 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> D5 09 00 00 61 21 96 41 9F 87 D1 FE FB DE 1C AF [binary data] ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> D5 09 00 00 61 21 96 41 9F 87 D1 FE FB DE 1C AF [binary data] ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> D5 09 00 00 61 21 96 41 9F 87 D1 FE FB DE 1C AF [binary data] ->
HKEY_USERS\S-1-5-19\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> D5 09 00 00 61 21 96 41 9F 87 D1 FE FB DE 1C AF [binary data] ->
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\] > -> ->
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\: Main\\"Start Page" -> http://hk.yahoo.com/?p=us ->
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\: Main\\"XMLHTTP_UUID_Default" -> D5 09 00 00 61 21 96 41 9F 87 D1 FE FB DE 1C AF [binary data] ->
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2008/07/28 18:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\: "ProxyEnable" -> 0 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts ->
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{000009D5-2161-4196-9F87-D1FEFBDE1CAf} [HKLM] -> C:\WINDOWS\System32\qestlkdp.dll [Reg Error: Value error.] -> File not found
{00000AAA-A363-466E-BEF5-9BB68697AA7F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{01443AEC-0FD1-40fd-9C87-E93D1494C233} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [&Yahoo! Toolbar Helper] -> [2008/07/28 18:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2009/02/27 12:07:32 | 00,061,816 | ---- | M] (Adobe Systems Incorporated)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe PDF Link Helper] -> [2009/02/27 12:07:26 | 00,075,128 | ---- | M] (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{9C50A9AF-1506-44A1-958A-873DA3977D0C} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/10/11 04:17:29 | 00,041,760 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/10/11 04:17:12 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
{F92CCA65-3301-4C6B-88B5-95ED581FF3DA} [HKLM] -> C:\WINDOWS\System32\svjfjqa.dll [] -> File not found
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [SingleInstance Class] -> [2008/07/28 18:47:42 | 00,160,496 | ---- | M] (Yahoo! Inc)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2008/07/28 18:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\] > -> HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"] -> [2009/02/27 17:10:28 | 00,035,696 | ---- | M] (Adobe Systems Incorporated)
"ccApp" -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe ["C:\Program Files\Common Files\Symantec Shared\ccApp.exe"] -> [2004/03/01 07:44:46 | 00,066,680 | ---- | M] (Symantec Corporation)
"SDTray" -> C:\Program Files\Spyware Doctor\SDTrayApp.exe ["C:\Program Files\Spyware Doctor\SDTrayApp.exe"] -> File not found
"SunJavaUpdateSched" -> C:\Program Files\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
"SysTrayApp" -> C:\Program Files\IDT\WDM\sttray.exe [%ProgramFiles%\IDT\WDM\sttray.exe] -> [2007/12/14 12:26:40 | 00,413,696 | ---- | M] (IDT, Inc.)
"vptray" -> C:\Program Files\Symantec AntiVirus\VPTray.exe [C:\PROGRA~1\SYMANT~1\VPTray.exe] -> [2004/03/13 06:18:32 | 00,124,128 | ---- | M] (Symantec Corporation)
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE -> [1999/02/18 20:05:56 | 00,065,588 | ---- | M] (Microsoft Corporation)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup ->
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> C:\Program Files\ERUNT\AUTOBACK.EXE -> [2005/10/20 12:04:08 | 00,038,912 | ---- | M] ()
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003] > -> HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\] > -> HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\ ->
使用网页迅雷下载 -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
使用网页迅雷下载全部链接 -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\] > -> HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}" [HKLM] -> [Reg Error: Value error.] -> File not found
CmdMapping\\"{962EFB8E-2683-42d4-AC74-AAA4C759B9C6}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6337 domain(s) found. ->
58 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6336 domain(s) found. ->
57 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6336 domain(s) found. ->
57 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\] > -> HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6336 domain(s) found. ->
57 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\] > -> HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{11260943-421B-11D0-8EAC-0000C07D88CF} [HKLM] -> http://www.ipix.com/viewers/ipixx.cab [iPIX ActiveX Control] ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} [HKLM] -> http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab [MSN Photo Upload Tool] ->
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> Reg Error: Value error. [Reg Error: Key error.] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{9166CDAD-553D-4FC6-8ED0-498245B2B4EE}\\DhcpNameServer -> 0.0.0.0 (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 20:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
dsawxfot -> -> File not found
igfxcui -> C:\WINDOWS\System32\igfxdev.dll -> [2007/12/19 11:07:04 | 00,208,896 | R--- | M] (Intel Corporation)
NavLogon -> C:\WINDOWS\system32\NavLogon.dll -> [2004/03/13 06:17:24 | 00,083,176 | ---- | M] (Symantec Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> [2007/01/05 07:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX02.984\Splinter Cell Pandora Tomorrow\pandora.exe" -> C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX02.984\Splinter Cell Pandora Tomorrow\pandora.exe [C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX02.984\Splinter Cell Pandora Tomorrow\pandora.exe:*:Enabled:pandora] -> File not found
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX46.921\Splinter Cell Pandora Tomorrow\pandora.exe" -> C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX46.921\Splinter Cell Pandora Tomorrow\pandora.exe [C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX46.921\Splinter Cell Pandora Tomorrow\pandora.exe:*:Enabled:pandora] -> File not found
"C:\Documents and Settings\Owner\Local Settings\Temp\xlnp\XLNetSetup.exe" -> C:\Documents and Settings\Owner\Local Settings\Temp\xlnp\XLNetSetup.exe [C:\Documents and Settings\Owner\Local Settings\Temp\xlnp\XLNetSetup.exe:*:Enabled:Thunder Net Setup Program] -> File not found
"C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jre.exe" -> C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jre.exe [C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jre.exe:*:Enabled:jre] -> [2003/04/04 09:54:26 | 00,012,288 | ---- | M] ()
"C:\games\RedFaction\RedFaction.exe" -> C:\games\RedFaction\RedFaction.exe [C:\games\RedFaction\RedFaction.exe:*:Enabled:Red Faction Launcher] -> File not found
"C:\games\RedFaction\rf.exe" -> C:\games\RedFaction\rf.exe [C:\games\RedFaction\rf.exe:*:Enabled:Red Faction] -> File not found
"C:\Program Files\Electronic Arts\EADM\Core.exe" -> C:\Program Files\Electronic Arts\EADM\Core.exe [C:\Program Files\Electronic Arts\EADM\Core.exe:*:Disabled:EA Download Manager] -> File not found
"C:\Program Files\Funshion Online\Funshion\Funshion.exe" -> C:\Program Files\Funshion Online\Funshion\Funshion.exe [C:\Program Files\Funshion Online\Funshion\Funshion.exe:*:Enabled:Funshion] -> [2009/11/04 11:22:50 | 03,302,128 | ---- | M] (Funshion Online Technologies Ltd.)
"C:\Program Files\GameSpy Arcade\Aphex.exe" -> C:\Program Files\GameSpy Arcade\Aphex.exe [C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade] -> File not found
"C:\Program Files\Kolekcja Klasyki\Splinter Cell Pandora Tomorrow\Pandora.exe" -> C:\Program Files\Kolekcja Klasyki\Splinter Cell Pandora Tomorrow\Pandora.exe [C:\Program Files\Kolekcja Klasyki\Splinter Cell Pandora Tomorrow\Pandora.exe:*:Enabled:Pandora] -> File not found
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> [2007/01/05 07:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe" -> C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe [C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe:*:Enabled:Shareaza] -> File not found
"C:\Program Files\Thunder Network\SoftManager\Program\XLSoftmgr.exe" -> C:\Program Files\Thunder Network\SoftManager\Program\XLSoftmgr.exe [C:\Program Files\Thunder Network\SoftManager\Program\XLSoftmgr.exe:*:Enabled:迅雷软件助手] -> File not found
"C:\Program Files\Ubisoft\Splinter Cell Pandora Tomorrow\pandora.exe" -> C:\Program Files\Ubisoft\Splinter Cell Pandora Tomorrow\pandora.exe [C:\Program Files\Ubisoft\Splinter Cell Pandora Tomorrow\pandora.exe:*:Enabled:pandora] -> File not found
"C:\Program Files\uTorrent\uTorrent.exe" -> C:\Program Files\uTorrent\uTorrent.exe [C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent] -> [2009/10/16 17:53:32 | 00,289,072 | ---- | M] (BitTorrent, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> [System32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2008/10/15 05:52:12 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\E
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell
\E\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun
\E\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command
\E\Shell\AutoRun\command\\"" -> E:\setup.exe [E:\setup.exe] -> File not found
\G
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell
\G\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell\AutoRun
\G\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell\AutoRun\command
\G\Shell\AutoRun\command\\"" -> G:\LaunchU3.exe [G:\LaunchU3.exe -a] -> File not found
\{054d65db-a261-11dd-936d-0021978387c3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{054d65db-a261-11dd-936d-0021978387c3}\Shell\AutoRun\command
\{054d65db-a261-11dd-936d-0021978387c3}\Shell\AutoRun\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe] -> File not found
\{054d65db-a261-11dd-936d-0021978387c3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{054d65db-a261-11dd-936d-0021978387c3}\Shell\open\command
\{054d65db-a261-11dd-936d-0021978387c3}\Shell\open\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe] -> File not found
\{324a0dbb-9aec-11dd-9365-0021978387c3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{324a0dbb-9aec-11dd-9365-0021978387c3}\Shell
\{324a0dbb-9aec-11dd-9365-0021978387c3}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{324a0dbb-9aec-11dd-9365-0021978387c3}\Shell\AutoRun
\{324a0dbb-9aec-11dd-9365-0021978387c3}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
\{719c8b8b-a67f-11dd-9370-0021978387c3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{719c8b8b-a67f-11dd-9370-0021978387c3}\Shell\AutoRun\command
\{719c8b8b-a67f-11dd-9370-0021978387c3}\Shell\AutoRun\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe] -> File not found
\{719c8b8b-a67f-11dd-9370-0021978387c3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{719c8b8b-a67f-11dd-9370-0021978387c3}\Shell\open\command
\{719c8b8b-a67f-11dd-9370-0021978387c3}\Shell\open\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe] -> File not found
\{a650e583-ce1b-11dd-938b-0021978387c3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a650e583-ce1b-11dd-938b-0021978387c3}\Shell
\{a650e583-ce1b-11dd-938b-0021978387c3}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a650e583-ce1b-11dd-938b-0021978387c3}\Shell\AutoRun
\{a650e583-ce1b-11dd-938b-0021978387c3}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a650e583-ce1b-11dd-938b-0021978387c3}\Shell\AutoRun\command
\{a650e583-ce1b-11dd-938b-0021978387c3}\Shell\AutoRun\command\\"" -> G:\LaunchU3.exe [G:\LaunchU3.exe -a] -> File not found
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->

I will send you the remaining log following this email

Thank you
Gumpy

GUMPY
2009-12-08, 01:58
Dear Peku006:

Here is the second half of the log


[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/12/08 07:03:13 | 00,532,992 | ---- | C] (OldTimer Tools)
Cache -> C:\Cache -> [2009/12/06 23:52:32 | 00,000,000 | ---D | C]
javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2009/12/06 10:53:33 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.)
javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2009/12/06 10:53:33 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.)
java.exe -> C:\WINDOWS\System32\java.exe -> [2009/12/06 10:53:33 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.)
_OTM -> C:\_OTM -> [2009/11/29 01:24:55 | 00,000,000 | ---D | C]
OTM.exe -> C:\Documents and Settings\Owner\Desktop\OTM.exe -> [2009/11/29 01:22:46 | 00,422,912 | ---- | C] (OldTimer Tools)
cmdcons -> C:\cmdcons -> [2009/11/28 23:00:24 | 00,000,000 | RHSD | C]
SESAME STREET Fun Songs -> C:\Documents and Settings\Owner\Desktop\SESAME STREET Fun Songs -> [2009/11/28 18:59:05 | 00,000,000 | ---D | C]
ESET -> C:\Program Files\ESET -> [2009/11/28 13:22:30 | 00,000,000 | ---D | C]
TFC.exe -> C:\Documents and Settings\Owner\Desktop\TFC.exe -> [2009/11/28 12:53:40 | 00,341,504 | ---- | C] (OldTimer Tools)
pss -> C:\WINDOWS\pss -> [2009/11/26 21:49:03 | 00,000,000 | ---D | C]
temp -> C:\WINDOWS\temp -> [2009/11/26 07:57:18 | 00,000,000 | ---D | C]
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2009/11/26 06:56:09 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2009/11/26 06:56:09 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2009/11/26 06:56:09 | 00,136,704 | ---- | C] (SteelWerX)
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2009/11/26 06:56:09 | 00,031,232 | ---- | C] (NirSoft)
Qoobox -> C:\Qoobox -> [2009/11/26 06:55:03 | 00,000,000 | ---D | C]
Trend Micro -> C:\Program Files\Trend Micro -> [2009/11/26 00:08:51 | 00,000,000 | ---D | C]
ERDNT -> C:\WINDOWS\ERDNT -> [2009/11/26 00:08:41 | 00,000,000 | ---D | C]
ERUNT -> C:\Program Files\ERUNT -> [2009/11/26 00:07:59 | 00,000,000 | ---D | C]
NETVIGATOR -> C:\Program Files\NETVIGATOR -> [2009/11/24 00:42:30 | 00,000,000 | ---D | C]
Temp -> C:\Temp -> [2009/11/24 00:42:24 | 00,000,000 | ---D | C]
MSN6 -> C:\Documents and Settings\Owner\Application Data\MSN6 -> [2009/11/23 23:59:39 | 00,000,000 | ---D | C]
MSN6 -> C:\Documents and Settings\All Users\Application Data\MSN6 -> [2009/11/23 23:59:39 | 00,000,000 | ---D | C]
setup.pss -> C:\WINDOWS\setup.pss -> [2009/11/22 17:46:25 | 00,000,000 | ---D | C]
CSC -> C:\WINDOWS\CSC -> [2009/11/20 22:58:36 | 00,000,000 | -HSD | C]
Malwarebytes -> C:\Documents and Settings\Owner\Application Data\Malwarebytes -> [2009/11/20 22:41:26 | 00,000,000 | ---D | C]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/11/20 22:41:18 | 00,038,224 | ---- | C] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/11/20 22:41:15 | 00,019,160 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2009/11/20 22:41:15 | 00,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2009/11/20 22:41:15 | 00,000,000 | ---D | C]
msvcr80.dll -> C:\WINDOWS\System32\msvcr80.dll -> [2009/11/20 07:32:10 | 00,626,688 | ---- | C] (Microsoft Corporation)
Threat Expert -> C:\Documents and Settings\Owner\Local Settings\Application Data\Threat Expert -> [2009/11/19 21:50:11 | 00,000,000 | ---D | C]
TEMP -> C:\Documents and Settings\All Users\Application Data\TEMP -> [2009/11/19 21:31:57 | 00,000,000 | ---D | C]
Recent -> C:\Documents and Settings\Owner\Recent -> [2009/11/19 21:09:16 | 00,000,000 | RH-D | C]
Yahoo! Companion -> C:\Documents and Settings\All Users\Application Data\Yahoo! Companion -> [2009/11/19 21:00:18 | 00,000,000 | ---D | C]
Yahoo! -> C:\Documents and Settings\Owner\Application Data\Yahoo! -> [2009/11/19 21:00:18 | 00,000,000 | ---D | C]
Yahoo! -> C:\Program Files\Yahoo! -> [2009/11/19 21:00:12 | 00,000,000 | ---D | C]
ccsetup225.exe -> C:\Documents and Settings\Owner\Desktop\ccsetup225.exe -> [2009/11/19 20:59:33 | 03,310,608 | ---- | C] (Piriform Ltd)
SPSSEval -> C:\Program Files\SPSSEval -> [2009/11/15 00:56:00 | 00,000,000 | ---D | C]
SecuROM -> C:\Documents and Settings\Owner\Application Data\SecuROM -> [2009/11/11 20:03:52 | 00,000,000 | RH-D | C]
Sierra Online -> C:\Program Files\Sierra Online -> [2009/11/11 19:54:53 | 00,000,000 | ---D | C]
Ubisoft -> C:\Program Files\Ubisoft -> [2009/11/09 17:53:51 | 00,000,000 | ---D | C]
1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp ->

[Files/Folders - Modified Within 30 Days]
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/12/08 07:03:39 | 00,532,992 | ---- | M] (OldTimer Tools)
NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2009/12/08 07:00:04 | 00,000,116 | ---- | M] ()
ntuser.dat -> C:\Documents and Settings\Owner\ntuser.dat -> [2009/12/08 06:59:28 | 09,699,328 | ---- | M] ()
funshion.ini -> C:\Documents and Settings\Owner\funshion.ini -> [2009/12/07 21:09:48 | 00,003,044 | ---- | M] ()
sqmnoopt10.sqm -> C:\sqmnoopt10.sqm -> [2009/12/07 20:09:34 | 00,000,244 | -H-- | M] ()
sqmdata10.sqm -> C:\sqmdata10.sqm -> [2009/12/07 20:09:34 | 00,000,232 | -H-- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2009/12/07 19:09:32 | 00,002,206 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2009/12/07 19:09:01 | 00,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2009/12/07 19:08:57 | 00,002,048 | --S- | M] ()
ntuser.ini -> C:\Documents and Settings\Owner\ntuser.ini -> [2009/12/06 23:56:19 | 00,000,278 | -HS- | M] ()
sqmnoopt09.sqm -> C:\sqmnoopt09.sqm -> [2009/12/06 23:56:04 | 00,000,244 | -H-- | M] ()
sqmdata09.sqm -> C:\sqmdata09.sqm -> [2009/12/06 23:56:04 | 00,000,232 | -H-- | M] ()
sqmnoopt08.sqm -> C:\sqmnoopt08.sqm -> [2009/12/06 23:53:30 | 00,000,244 | -H-- | M] ()
sqmdata08.sqm -> C:\sqmdata08.sqm -> [2009/12/06 23:53:30 | 00,000,232 | -H-- | M] ()
sqmnoopt07.sqm -> C:\sqmnoopt07.sqm -> [2009/12/05 08:17:17 | 00,000,244 | -H-- | M] ()
sqmdata07.sqm -> C:\sqmdata07.sqm -> [2009/12/05 08:17:17 | 00,000,232 | -H-- | M] ()
sqmnoopt06.sqm -> C:\sqmnoopt06.sqm -> [2009/12/05 08:17:07 | 00,000,244 | -H-- | M] ()
sqmdata06.sqm -> C:\sqmdata06.sqm -> [2009/12/05 08:17:07 | 00,000,232 | -H-- | M] ()
sqmnoopt05.sqm -> C:\sqmnoopt05.sqm -> [2009/12/05 08:16:54 | 00,000,244 | -H-- | M] ()
sqmdata05.sqm -> C:\sqmdata05.sqm -> [2009/12/05 08:16:54 | 00,000,232 | -H-- | M] ()
sqmnoopt04.sqm -> C:\sqmnoopt04.sqm -> [2009/12/05 08:16:47 | 00,000,244 | -H-- | M] ()
sqmdata04.sqm -> C:\sqmdata04.sqm -> [2009/12/05 08:16:47 | 00,000,232 | -H-- | M] ()
09-Dec-Saturday_Duty_Roster(1).xls -> C:\Documents and Settings\Owner\Desktop\09-Dec-Saturday_Duty_Roster(1).xls -> [2009/12/05 08:12:47 | 00,022,528 | ---- | M] ()
V__THE_FINAL_BATTLE__1984__TV_Miniseries__DVDRip_.torrent -> C:\Documents and Settings\Owner\Desktop\V__THE_FINAL_BATTLE__1984__TV_Miniseries__DVDRip_.torrent -> [2009/12/04 20:30:40 | 00,012,582 | ---- | M] ()
V_The_Original_Miniseries__1983__DVDRip.torrent -> C:\Documents and Settings\Owner\Desktop\V_The_Original_Miniseries__1983__DVDRip.torrent -> [2009/12/04 20:29:47 | 00,017,069 | ---- | M] ()
V_The_Original_Mini_Series_1983_WS_DVDRip_XviD_UKi.torrent -> C:\Documents and Settings\Owner\Desktop\V_The_Original_Mini_Series_1983_WS_DVDRip_XviD_UKi.torrent -> [2009/12/04 20:28:05 | 00,014,866 | ---- | M] ()
o{SUMOTorrent.com}o_V_THE_FINAL_BATTLE_(1984)_TV_Miniseries_(DVDRip)_ST3031721.torrent -> C:\Documents and Settings\Owner\Desktop\o{SUMOTorrent.com}o_V_THE_FINAL_BATTLE_(1984)_TV_Miniseries_(DVDRip)_ST3031721.torrent -> [2009/12/04 20:25:39 | 00,012,635 | ---- | M] ()
V_(1983)_e_V_-_The_Final_Battle_(1984)_legendas_em_portugu__s.4601535.TPB.torrent -> C:\Documents and Settings\Owner\Desktop\V_(1983)_e_V_-_The_Final_Battle_(1984)_legendas_em_portugu__s.4601535.TPB.torrent -> [2009/12/04 20:22:39 | 00,018,891 | ---- | M] ()
sqmnoopt03.sqm -> C:\sqmnoopt03.sqm -> [2009/12/03 22:32:53 | 00,000,244 | -H-- | M] ()
sqmdata03.sqm -> C:\sqmdata03.sqm -> [2009/12/03 22:32:53 | 00,000,232 | -H-- | M] ()
sqmnoopt02.sqm -> C:\sqmnoopt02.sqm -> [2009/12/03 20:47:30 | 00,000,244 | -H-- | M] ()
sqmdata02.sqm -> C:\sqmdata02.sqm -> [2009/12/03 20:47:30 | 00,000,232 | -H-- | M] ()
sqmnoopt01.sqm -> C:\sqmnoopt01.sqm -> [2009/12/03 20:47:18 | 00,000,244 | -H-- | M] ()
sqmdata01.sqm -> C:\sqmdata01.sqm -> [2009/12/03 20:47:18 | 00,000,232 | -H-- | M] ()
sqmnoopt00.sqm -> C:\sqmnoopt00.sqm -> [2009/12/03 20:46:59 | 00,000,244 | -H-- | M] ()
sqmdata00.sqm -> C:\sqmdata00.sqm -> [2009/12/03 20:46:59 | 00,000,232 | -H-- | M] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation)
IconCache.db -> C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db -> [2009/12/03 00:33:43 | 06,388,430 | -H-- | M] ()
funshion.ini -> C:\WINDOWS\System32\funshion.ini -> [2009/12/02 23:07:02 | 00,002,356 | ---- | M] ()
Funshion.lnk -> C:\Documents and Settings\All Users\Desktop\Funshion.lnk -> [2009/12/02 23:07:01 | 00,001,826 | ---- | M] ()
Pop Game Corpora.lnk -> C:\Documents and Settings\All Users\Desktop\Pop Game Corpora.lnk -> [2009/12/02 23:07:01 | 00,001,591 | ---- | M] ()
funshionplugin2.INI -> C:\WINDOWS\funshionplugin2.INI -> [2009/12/02 20:50:31 | 00,000,028 | ---- | M] ()
ntuser.bak -> C:\Documents and Settings\Owner\ntuser.bak -> [2009/12/02 19:10:35 | 09,682,944 | ---- | M] ()
1259587280331-integrated.jnlp -> C:\Documents and Settings\Owner\Desktop\1259587280331-integrated.jnlp -> [2009/11/30 21:21:29 | 00,001,947 | ---- | M] ()
ERUNT AutoBackup.lnk -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/11/29 21:47:31 | 00,000,767 | ---- | M] ()
NTREGOPT.lnk -> C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk -> [2009/11/29 21:47:28 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> C:\Documents and Settings\Owner\Desktop\ERUNT.lnk -> [2009/11/29 21:47:28 | 00,000,592 | ---- | M] ()
atapi.sys -> C:\WINDOWS\System32\dllcache\atapi.sys -> [2009/11/29 20:49:45 | 00,096,512 | ---- | M] (Microsoft Corporation)
OTM.exe -> C:\Documents and Settings\Owner\Desktop\OTM.exe -> [2009/11/29 01:23:47 | 00,422,912 | ---- | M] (OldTimer Tools)
system.ini -> C:\WINDOWS\system.ini -> [2009/11/29 00:56:48 | 00,000,227 | ---- | M] ()
hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2009/11/29 00:56:01 | 00,000,027 | ---- | M] ()
boot.ini -> C:\boot.ini -> [2009/11/28 23:00:34 | 00,000,281 | RHS- | M] ()
ComboFix.exe -> C:\Documents and Settings\Owner\Desktop\ComboFix.exe -> [2009/11/28 22:50:48 | 03,578,697 | R--- | M] ()
TFC.exe -> C:\Documents and Settings\Owner\Desktop\TFC.exe -> [2009/11/28 12:53:46 | 00,341,504 | ---- | M] (OldTimer Tools)
sqmnoopt19.sqm -> C:\sqmnoopt19.sqm -> [2009/11/26 22:28:20 | 00,000,244 | -H-- | M] ()
sqmdata19.sqm -> C:\sqmdata19.sqm -> [2009/11/26 22:28:20 | 00,000,232 | -H-- | M] ()
imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2009/11/26 22:16:04 | 00,001,393 | ---- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/11/26 21:10:31 | 00,243,712 | ---- | M] ()
HijackThis.lnk -> C:\Documents and Settings\Owner\Desktop\HijackThis.lnk -> [2009/11/26 00:08:51 | 00,001,734 | ---- | M] ()
NETVIGATOR BROADBAND.lnk -> C:\Documents and Settings\Owner\Desktop\NETVIGATOR BROADBAND.lnk -> [2009/11/24 00:42:30 | 00,000,865 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/11/20 22:41:21 | 00,000,696 | ---- | M] ()
muzika.xm -> C:\WINDOWS\System32\muzika.xm -> [2009/11/20 07:34:00 | 00,051,355 | ---- | M] ()
PerfStringBackup.INI -> C:\WINDOWS\System32\PerfStringBackup.INI -> [2009/11/20 07:33:59 | 00,356,120 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2009/11/20 07:33:59 | 00,311,604 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2009/11/20 07:33:59 | 00,039,992 | ---- | M] ()
cc_20091119_211035 Registry backup.reg -> C:\Documents and Settings\Owner\My Documents\cc_20091119_211035 Registry backup.reg -> [2009/11/19 21:10:58 | 00,226,396 | ---- | M] ()
CCleaner.lnk -> C:\Documents and Settings\Owner\Desktop\CCleaner.lnk -> [2009/11/19 21:00:07 | 00,001,548 | ---- | M] ()
ccsetup225.exe -> C:\Documents and Settings\Owner\Desktop\ccsetup225.exe -> [2009/11/19 20:59:42 | 03,310,608 | ---- | M] (Piriform Ltd)
I want to turn off Windows.doc -> C:\Documents and Settings\Owner\My Documents\I want to turn off Windows.doc -> [2009/11/19 18:03:20 | 00,024,576 | ---- | M] ()
Microsoft Word.lnk -> C:\Documents and Settings\Owner\Desktop\Microsoft Word.lnk -> [2009/11/19 18:02:36 | 00,002,473 | ---- | M] ()
sqmnoopt18.sqm -> C:\sqmnoopt18.sqm -> [2009/11/18 22:16:51 | 00,000,244 | -H-- | M] ()
sqmdata18.sqm -> C:\sqmdata18.sqm -> [2009/11/18 22:16:51 | 00,000,232 | -H-- | M] ()
STEVEYONG200910.doc -> C:\Documents and Settings\Owner\My Documents\STEVEYONG200910.doc -> [2009/11/18 22:15:50 | 00,034,816 | ---- | M] ()
STEVEYONG200911.doc -> C:\Documents and Settings\Owner\My Documents\STEVEYONG200911.doc -> [2009/11/18 22:15:22 | 00,035,328 | ---- | M] ()
sqmnoopt17.sqm -> C:\sqmnoopt17.sqm -> [2009/11/18 22:12:30 | 00,000,244 | -H-- | M] ()
sqmdata17.sqm -> C:\sqmdata17.sqm -> [2009/11/18 22:12:30 | 00,000,232 | -H-- | M] ()
sqmnoopt16.sqm -> C:\sqmnoopt16.sqm -> [2009/11/18 22:08:38 | 00,000,244 | -H-- | M] ()
sqmdata16.sqm -> C:\sqmdata16.sqm -> [2009/11/18 22:08:38 | 00,000,232 | -H-- | M] ()
sqmdata15.sqm -> C:\sqmdata15.sqm -> [2009/11/18 22:08:19 | 00,000,232 | -H-- | M] ()
sqmnoopt15.sqm -> C:\sqmnoopt15.sqm -> [2009/11/18 22:08:18 | 00,000,244 | -H-- | M] ()
sqmnoopt14.sqm -> C:\sqmnoopt14.sqm -> [2009/11/17 22:45:24 | 00,000,244 | -H-- | M] ()
sqmdata14.sqm -> C:\sqmdata14.sqm -> [2009/11/17 22:45:24 | 00,000,232 | -H-- | M] ()
FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2009/11/17 13:23:30 | 00,139,648 | ---- | M] ()
sqmnoopt13.sqm -> C:\sqmnoopt13.sqm -> [2009/11/16 21:04:46 | 00,000,244 | -H-- | M] ()
sqmdata13.sqm -> C:\sqmdata13.sqm -> [2009/11/16 21:04:46 | 00,000,232 | -H-- | M] ()
sqmnoopt12.sqm -> C:\sqmnoopt12.sqm -> [2009/11/16 21:03:35 | 00,000,244 | -H-- | M] ()
sqmdata12.sqm -> C:\sqmdata12.sqm -> [2009/11/16 21:03:35 | 00,000,232 | -H-- | M] ()
GDIPFONTCACHEV1.DAT -> C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2009/11/15 01:11:17 | 00,030,784 | ---- | M] ()
ssprs.tgz -> C:\WINDOWS\System32\ssprs.tgz -> [2009/11/15 01:00:11 | 00,000,000 | ---- | M] ()
nsprs.tgz -> C:\WINDOWS\System32\nsprs.tgz -> [2009/11/15 01:00:11 | 00,000,000 | ---- | M] ()
sqmnoopt11.sqm -> C:\sqmnoopt11.sqm -> [2009/11/14 17:18:59 | 00,000,244 | -H-- | M] ()
sqmdata11.sqm -> C:\sqmdata11.sqm -> [2009/11/14 17:18:59 | 00,000,232 | -H-- | M] ()
[isoHunt] History books.torrent -> C:\Documents and Settings\Owner\Desktop\[isoHunt] History books.torrent -> [2009/11/14 16:29:15 | 00,024,237 | ---- | M] ()
Law Abiding Citizen (2009).dvd-HQ-Xvid.btz.torrent -> C:\Documents and Settings\Owner\My Documents\Law Abiding Citizen (2009).dvd-HQ-Xvid.btz.torrent -> [2009/11/14 12:23:09 | 00,222,980 | ---- | M] ()
CME program for Jan-Jun 2010 SCAN8566_000.pdf -> C:\Documents and Settings\Owner\My Documents\CME program for Jan-Jun 2010 SCAN8566_000.pdf -> [2009/11/14 11:11:20 | 00,062,321 | ---- | M] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2009/11/14 01:47:57 | 00,260,608 | ---- | M] ()
CmdLineExt.dll -> C:\WINDOWS\System32\CmdLineExt.dll -> [2009/11/11 20:03:51 | 00,107,888 | ---- | M] (Sony DADC Austria AG.)
TERESA TANG.doc -> C:\Documents and Settings\Owner\Desktop\TERESA TANG.doc -> [2009/11/10 22:12:26 | 00,152,576 | ---- | M] ()
hosts.20091119-203640.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20091119-203640.backup -> [2009/11/10 06:47:51 | 00,350,753 | R--- | M] ()
5 C:\Documents and Settings\Owner\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\temp\*.tmp ->
5 C:\Documents and Settings\Owner\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\temp\*.tmp ->
5 C:\Documents and Settings\Owner\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\temp\*.tmp ->
1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->
1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp ->

[Files - No Company Name]
astroboy.1980s.27.the.robot.stuntman-dvdrip.xvid.avi -> C:\Documents and Settings\Owner\Desktop\astroboy.1980s.27.the.robot.stuntman-dvdrip.xvid.avi -> [2009/12/06 19:31:01 | 17,821,4912 | ---- | C] ()
astroboy.1980s.28.the.great.meltdown-dvdrip.xvid.[merchant].avi -> C:\Documents and Settings\Owner\Desktop\astroboy.1980s.28.the.great.meltdown-dvdrip.xvid.[merchant].avi -> [2009/12/06 19:30:36 | 17,822,9248 | ---- | C] ()
astroboy.1980s.29.urans.twin-dvdrip.xvid.[merchant].avi -> C:\Documents and Settings\Owner\Desktop\astroboy.1980s.29.urans.twin-dvdrip.xvid.[merchant].avi -> [2009/12/06 19:30:30 | 17,821,9008 | ---- | C] ()
astroboy.1980s.25.the.robot.vikings-dvdrip.xvid.[merchant].avi -> C:\Documents and Settings\Owner\Desktop\astroboy.1980s.25.the.robot.vikings-dvdrip.xvid.[merchant].avi -> [2009/12/06 19:30:21 | 17,824,3584 | ---- | C] ()
09-Dec-Saturday_Duty_Roster(1).xls -> C:\Documents and Settings\Owner\Desktop\09-Dec-Saturday_Duty_Roster(1).xls -> [2009/12/05 08:12:45 | 00,022,528 | ---- | C] ()
V__THE_FINAL_BATTLE__1984__TV_Miniseries__DVDRip_.torrent -> C:\Documents and Settings\Owner\Desktop\V__THE_FINAL_BATTLE__1984__TV_Miniseries__DVDRip_.torrent -> [2009/12/04 20:30:39 | 00,012,582 | ---- | C] ()
V_The_Original_Mini_Series_1983_WS_DVDRip_XviD_UKi.torrent -> C:\Documents and Settings\Owner\Desktop\V_The_Original_Mini_Series_1983_WS_DVDRip_XviD_UKi.torrent -> [2009/12/04 20:27:45 | 00,014,866 | ---- | C] ()
o{SUMOTorrent.com}o_V_THE_FINAL_BATTLE_(1984)_TV_Miniseries_(DVDRip)_ST3031721.torrent -> C:\Documents and Settings\Owner\Desktop\o{SUMOTorrent.com}o_V_THE_FINAL_BATTLE_(1984)_TV_Miniseries_(DVDRip)_ST3031721.torrent -> [2009/12/04 20:25:37 | 00,012,635 | ---- | C] ()
V_(1983)_e_V_-_The_Final_Battle_(1984)_legendas_em_portugu__s.4601535.TPB.torrent -> C:\Documents and Settings\Owner\Desktop\V_(1983)_e_V_-_The_Final_Battle_(1984)_legendas_em_portugu__s.4601535.TPB.torrent -> [2009/12/04 20:22:33 | 00,018,891 | ---- | C] ()
V_The_Original_Miniseries__1983__DVDRip.torrent -> C:\Documents and Settings\Owner\Desktop\V_The_Original_Miniseries__1983__DVDRip.torrent -> [2009/12/04 20:20:43 | 00,017,069 | ---- | C] ()
Funshion.lnk -> C:\Documents and Settings\All Users\Desktop\Funshion.lnk -> [2009/12/02 23:07:01 | 00,001,826 | ---- | C] ()
Pop Game Corpora.lnk -> C:\Documents and Settings\All Users\Desktop\Pop Game Corpora.lnk -> [2009/12/02 23:07:01 | 00,001,591 | ---- | C] ()
1259587280331-integrated.jnlp -> C:\Documents and Settings\Owner\Desktop\1259587280331-integrated.jnlp -> [2009/11/30 21:21:27 | 00,001,947 | ---- | C] ()
NTREGOPT.lnk -> C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk -> [2009/11/29 21:47:28 | 00,000,611 | ---- | C] ()
Boot.bak -> C:\Boot.bak -> [2009/11/28 23:00:34 | 00,000,211 | ---- | C] ()
cmldr -> C:\cmldr -> [2009/11/28 23:00:27 | 00,260,272 | ---- | C] ()
9C50A9AF-1506-44A1-958A-873DA3977D0C.txt -> C:\Documents and Settings\Owner\Local Settings\Application Data\9C50A9AF-1506-44A1-958A-873DA3977D0C.txt -> [2009/11/28 13:47:51 | 00,003,898 | ---- | C] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2009/11/26 06:56:09 | 00,260,608 | ---- | C] ()
sed.exe -> C:\WINDOWS\sed.exe -> [2009/11/26 06:56:09 | 00,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2009/11/26 06:56:09 | 00,080,412 | ---- | C] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2009/11/26 06:56:09 | 00,077,312 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2009/11/26 06:56:09 | 00,068,096 | ---- | C] ()
ComboFix.exe -> C:\Documents and Settings\Owner\Desktop\ComboFix.exe -> [2009/11/26 06:54:27 | 03,578,697 | R--- | C] ()
HijackThis.lnk -> C:\Documents and Settings\Owner\Desktop\HijackThis.lnk -> [2009/11/26 00:08:51 | 00,001,734 | ---- | C] ()
ERUNT AutoBackup.lnk -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/11/26 00:08:17 | 00,000,767 | ---- | C] ()
ERUNT.lnk -> C:\Documents and Settings\Owner\Desktop\ERUNT.lnk -> [2009/11/26 00:08:00 | 00,000,592 | ---- | C] ()
UnGins.exe -> C:\WINDOWS\UnGins.exe -> [2009/11/24 00:42:30 | 00,122,880 | ---- | C] ()
NETVIGATOR BROADBAND.lnk -> C:\Documents and Settings\Owner\Desktop\NETVIGATOR BROADBAND.lnk -> [2009/11/24 00:42:30 | 00,000,865 | ---- | C] ()
imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2009/11/23 23:50:17 | 00,001,393 | ---- | C] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/11/20 22:41:21 | 00,000,696 | ---- | C] ()
muzika.xm -> C:\WINDOWS\System32\muzika.xm -> [2009/11/20 07:34:00 | 00,051,355 | ---- | C] ()
cc_20091119_211035 Registry backup.reg -> C:\Documents and Settings\Owner\My Documents\cc_20091119_211035 Registry backup.reg -> [2009/11/19 21:10:48 | 00,226,396 | ---- | C] ()
I want to turn off Windows.doc -> C:\Documents and Settings\Owner\My Documents\I want to turn off Windows.doc -> [2009/11/19 18:03:20 | 00,024,576 | ---- | C] ()
F92CCA65-3301-4C6B-88B5-95ED581FF3DA.txt -> C:\Documents and Settings\Owner\Local Settings\Application Data\F92CCA65-3301-4C6B-88B5-95ED581FF3DA.txt -> [2009/11/19 04:49:27 | 00,003,898 | ---- | C] ()
STEVEYONG200910.doc -> C:\Documents and Settings\Owner\My Documents\STEVEYONG200910.doc -> [2009/11/18 22:15:47 | 00,034,816 | ---- | C] ()
STEVEYONG200911.doc -> C:\Documents and Settings\Owner\My Documents\STEVEYONG200911.doc -> [2009/11/18 22:15:21 | 00,035,328 | ---- | C] ()
ssprs.tgz -> C:\WINDOWS\System32\ssprs.tgz -> [2009/11/15 01:00:11 | 00,000,000 | ---- | C] ()
nsprs.tgz -> C:\WINDOWS\System32\nsprs.tgz -> [2009/11/15 01:00:11 | 00,000,000 | ---- | C] ()
[isoHunt] History books.torrent -> C:\Documents and Settings\Owner\Desktop\[isoHunt] History books.torrent -> [2009/11/14 16:29:00 | 00,024,237 | ---- | C] ()
Law Abiding Citizen (2009).dvd-HQ-Xvid.btz.torrent -> C:\Documents and Settings\Owner\My Documents\Law Abiding Citizen (2009).dvd-HQ-Xvid.btz.torrent -> [2009/11/14 12:22:57 | 00,222,980 | ---- | C] ()
CME program for Jan-Jun 2010 SCAN8566_000.pdf -> C:\Documents and Settings\Owner\My Documents\CME program for Jan-Jun 2010 SCAN8566_000.pdf -> [2009/11/14 11:11:09 | 00,062,321 | ---- | C] ()
sfcure01.sys -> C:\WINDOWS\System32\drivers\sfcure01.sys -> [2009/10/17 14:21:10 | 00,003,072 | ---- | C] ()
BASSMOD.dll -> C:\WINDOWS\System32\BASSMOD.dll -> [2009/10/17 13:59:24 | 00,034,308 | ---- | C] ()
nsis_loader.dll -> C:\WINDOWS\System32\nsis_loader.dll -> [2009/02/04 17:50:32 | 00,024,576 | ---- | C] ()
funshionplugin2.INI -> C:\WINDOWS\funshionplugin2.INI -> [2009/01/08 21:47:51 | 00,000,028 | ---- | C] ()
PhotoSnapViewer.INI -> C:\WINDOWS\PhotoSnapViewer.INI -> [2008/12/25 11:47:58 | 00,000,151 | ---- | C] ()
ipixActivex.ini -> C:\WINDOWS\ipixActivex.ini -> [2008/11/04 08:15:45 | 00,000,037 | ---- | C] ()
NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2008/10/17 06:50:16 | 00,000,116 | ---- | C] ()
VPC32.INI -> C:\WINDOWS\VPC32.INI -> [2008/10/17 06:23:40 | 00,000,000 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2008/10/15 06:24:53 | 00,000,376 | ---- | C] ()
igfxCoIn_v4906.dll -> C:\WINDOWS\System32\igfxCoIn_v4906.dll -> [2008/10/15 06:24:26 | 00,147,456 | R--- | C] ()
physxcudart_20.dll -> C:\WINDOWS\System32\physxcudart_20.dll -> [2008/10/07 09:13:30 | 00,197,912 | ---- | C] ()
AgCPanelTraditionalChinese.dll -> C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll -> [2008/10/07 09:13:22 | 00,058,648 | ---- | C] ()
AgCPanelSwedish.dll -> C:\WINDOWS\System32\AgCPanelSwedish.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelSpanish.dll -> C:\WINDOWS\System32\AgCPanelSpanish.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelSimplifiedChinese.dll -> C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelPortugese.dll -> C:\WINDOWS\System32\AgCPanelPortugese.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelKorean.dll -> C:\WINDOWS\System32\AgCPanelKorean.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelJapanese.dll -> C:\WINDOWS\System32\AgCPanelJapanese.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelGerman.dll -> C:\WINDOWS\System32\AgCPanelGerman.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
AgCPanelFrench.dll -> C:\WINDOWS\System32\AgCPanelFrench.dll -> [2008/10/07 09:13:20 | 00,058,648 | ---- | C] ()
xlive.dll.cat -> C:\WINDOWS\System32\xlive.dll.cat -> [2007/04/17 15:34:40 | 00,135,716 | ---- | C] ()
funshion.ini -> C:\WINDOWS\System32\funshion.ini -> [2007/03/14 10:29:00 | 00,002,356 | ---- | C] ()
xvidcore.dll -> C:\WINDOWS\System32\xvidcore.dll -> [2006/07/18 00:00:00 | 00,761,856 | ---- | C] ()
xvidvfw.dll -> C:\WINDOWS\System32\xvidvfw.dll -> [2006/07/18 00:00:00 | 00,180,224 | ---- | C] ()
ff_vfw.dll -> C:\WINDOWS\System32\ff_vfw.dll -> [2006/05/26 21:29:14 | 00,005,120 | ---- | C] ()
ff_vfw.dll.manifest -> C:\WINDOWS\System32\ff_vfw.dll.manifest -> [2006/04/03 20:26:36 | 00,000,547 | ---- | C] ()
Smab.dll -> C:\WINDOWS\System32\Smab.dll -> [2005/12/23 11:23:08 | 00,399,360 | ---- | C] ()
AVSredirect.dll -> C:\WINDOWS\System32\AVSredirect.dll -> [2005/07/15 03:31:20 | 00,027,648 | ---- | C] ()
cygz.dll -> C:\WINDOWS\System32\cygz.dll -> [2005/06/22 13:37:42 | 00,045,568 | RHS- | C] ()
nitobprt.dll -> C:\WINDOWS\System32\nitobprt.dll -> [2001/08/23 20:00:00 | 00,147,968 | ---- | C] ()
MSRTEDIT.DLL -> C:\WINDOWS\System32\MSRTEDIT.DLL -> [1999/01/23 18:46:58 | 00,065,536 | ---- | C] ()

[Files/Folders - Unicode - All]
C:\Documents and Settings\Owner\My Documents\????.torrent -> C:\Documents and Settings\Owner\My Documents\绝代双骄.torrent -> [2009/04/08 19:22:22 | 00,094,681 | ---- | C] ()
C:\Documents and Settings\Owner\My Documents\????.torrent -> C:\Documents and Settings\Owner\My Documents\绝代双骄.torrent -> [2009/04/08 19:22:24 | 00,094,681 | ---- | M] ()
C:\Documents and Settings\Owner\Desktop\Yahoo!?? - ??.url -> C:\Documents and Settings\Owner\Desktop\Yahoo!字典 - 瀏覽.url -> [2009/10/18 10:19:11 | 00,000,268 | ---- | C] ()
C:\Documents and Settings\Owner\Desktop\Yahoo!?? - ??.url -> C:\Documents and Settings\Owner\Desktop\Yahoo!字典 - 瀏覽.url -> [2009/10/18 10:19:11 | 00,000,268 | ---- | M] ()
C:\Documents and Settings\Owner\Desktop\????.rmvb -> C:\Documents and Settings\Owner\Desktop\末日病毒.rmvb -> [2009/12/02 20:51:16 | 33,503,6742 | ---- | C] ()
C:\Documents and Settings\Owner\Desktop\????4.rmvb -> C:\Documents and Settings\Owner\Desktop\死神来了4.rmvb -> [2009/12/02 20:52:07 | 34,061,6246 | ---- | C] ()
C:\Documents and Settings\Owner\Desktop\????.rmvb -> C:\Documents and Settings\Owner\Desktop\战火围城.rmvb -> [2009/12/02 20:52:22 | 35,344,0218 | ---- | C] ()
C:\Documents and Settings\Owner\Desktop\????.rmvb -> C:\Documents and Settings\Owner\Desktop\世界之巅.rmvb -> [2009/12/02 20:53:55 | 34,867,0493 | ---- | C] ()
C:\Documents and Settings\Owner\Desktop\????.rmvb -> C:\Documents and Settings\Owner\Desktop\战火围城.rmvb -> [2009/12/02 21:48:27 | 35,344,0218 | ---- | M] ()
C:\Documents and Settings\Owner\Desktop\????.rmvb -> C:\Documents and Settings\Owner\Desktop\世界之巅.rmvb -> [2009/12/02 21:57:47 | 34,867,0493 | ---- | M] ()
C:\Documents and Settings\Owner\Desktop\????4.rmvb -> C:\Documents and Settings\Owner\Desktop\死神来了4.rmvb -> [2009/12/02 22:28:48 | 34,061,6246 | ---- | M] ()
C:\Documents and Settings\Owner\Desktop\????.rmvb -> C:\Documents and Settings\Owner\Desktop\末日病毒.rmvb -> [2009/12/03 21:28:36 | 33,503,6742 | ---- | M] ()

[Alternate Data Streams]
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 16 bytes -> C:\Documents and Settings\Owner\My Documents\Shareaza Downloads:Shareaza.GUID
< End of report >
[/code]


Thank you
Gumpy

peku006
2009-12-08, 10:15
Hi Gumpy

Re-Run the ComboFix

Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

GUMPY
2009-12-08, 14:43
Dear Peku006:

My Combofix log:

ComboFix 09-12-07.07 - Owner 12/08/2009 20:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.168 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\svjfjqa.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDEFKLNA
-------\Service_tdefklna


((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))
.

2009-12-06 15:52 . 2009-12-06 15:52 -------- d-----w- C:\Cache
2009-12-06 15:47 . 2009-12-06 15:47 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-06 02:52 . 2009-12-06 02:52 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 17:24 . 2009-11-28 17:24 -------- d-----w- C:\_OTM
2009-11-28 05:22 . 2009-11-28 05:22 -------- d-----w- c:\program files\ESET
2009-11-26 14:36 . 2009-12-06 02:51 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-25 16:08 . 2009-11-25 16:08 -------- d-----w- c:\program files\Trend Micro
2009-11-25 16:07 . 2009-11-29 13:47 -------- d-----w- c:\program files\ERUNT
2009-11-23 16:42 . 2009-11-23 16:42 -------- d-----w- c:\program files\NETVIGATOR
2009-11-23 16:42 . 2000-12-08 13:59 122880 ----a-w- c:\windows\UnGins.exe
2009-11-23 16:42 . 2009-12-07 15:34 -------- d-----w- C:\Temp
2009-11-23 15:59 . 2009-11-23 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-11-23 15:59 . 2009-11-23 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-22 10:01 . 2009-11-22 10:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-20 14:41 . 2009-12-03 08:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 14:41 . 2009-12-06 15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 14:41 . 2009-12-03 08:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 11:39 . 2009-11-20 11:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-19 23:32 . 2005-09-23 00:29 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-11-19 13:51 . 2009-11-19 13:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-19 13:50 . 2009-11-19 13:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-11-19 13:31 . 2009-11-19 14:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 13:00 . 2009-11-19 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\program files\Yahoo!
2009-11-14 16:56 . 2009-11-14 17:00 -------- d-----w- c:\program files\SPSSEval
2009-11-12 13:38 . 2008-05-02 02:41 3493888 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2009-11-11 12:03 . 2009-11-11 12:03 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-11 11:54 . 2009-11-11 11:54 -------- d-----w- c:\program files\Sierra Online
2009-11-09 09:53 . 2009-11-09 09:53 -------- d-----w- c:\program files\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-08 12:32 . 2008-10-14 23:00 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-07 23:03 . 2008-10-16 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-12-06 15:40 . 2008-10-16 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-12-06 02:53 . 2009-05-26 23:40 -------- d-----w- c:\program files\Java
2009-11-29 12:49 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-28 17:26 . 2009-04-18 05:03 -------- d-----w- c:\program files\0FF6FB7D
2009-11-20 12:36 . 2008-11-05 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-19 13:00 . 2008-10-16 22:40 -------- d-----w- c:\program files\CCleaner
2009-11-19 09:56 . 2008-11-05 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 17:11 . 2008-10-14 22:19 30784 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 12:15 . 2008-10-14 22:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 12:03 . 2009-10-14 14:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-05 22:56 . 2009-11-05 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Sports Interactive
2009-10-26 13:37 . 2009-09-28 23:33 -------- d-----w- c:\program files\GameSpy Arcade
2009-10-26 06:17 . 2009-10-24 06:01 -------- d-----w- c:\program files\Temporary Game file
2009-10-25 17:17 . 2009-10-24 22:57 -------- d-----w- c:\program files\Zombie Shooter
2009-10-24 22:56 . 2009-10-24 22:56 -------- d-----w- c:\program files\ReflexiveArcade
2009-10-24 13:56 . 2009-10-24 13:52 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-10-24 13:56 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-10-24 13:55 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2009-10-17 05:06 . 2008-10-26 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-17 04:00 . 2009-10-17 04:00 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-17 03:27 . 2009-10-17 03:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-17 01:10 . 2009-10-17 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-17 01:10 . 2009-10-16 16:32 -------- d-----w- c:\program files\Electronic Arts
2009-10-16 16:32 . 2009-10-16 16:32 662 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-10-16 16:32 . 2008-10-14 22:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-16 14:32 . 2009-10-16 14:32 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-10-16 14:27 . 2009-10-16 14:27 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-14 13:19 . 2009-07-06 12:59 -------- d-----w- c:\program files\MagicISO
2009-10-14 13:19 . 2009-10-14 13:19 3067375 ----a-w- c:\program files\Setup_MagicISO.exe
2009-10-14 13:08 . 2009-10-14 13:08 -------- d-----w- c:\program files\MagicDisc
2009-10-14 13:08 . 2009-10-14 13:08 1352435 ----a-w- c:\program files\setup_magicdisc.exe
2009-10-10 20:17 . 2009-05-26 23:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 07:34 . 2009-10-05 07:34 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-07-19 22:08 . 2008-10-16 22:40 266544 ----a-w- c:\program files\uTorrent.exe
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2009-09-15 15:05 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2009-09-15 15:05 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-15 15:05 216064 --sh--r- c:\windows\system32\nbDX.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000009D5-2161-4196-9F87-D1FEFBDE1CAf}]
c:\windows\system32\qestlkdp.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F92CCA65-3301-4C6B-88B5-95ED581FF3DA}]
c:\windows\system32\svjfjqa.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S?û?d, ?ìdeô ??d gª?è ¢o?tr?l?è?š !!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-17 02:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLV Downloader]
2009-05-27 08:37 3644928 ----a-w- c:\program files\Moyea\YouTube FLV Downloader\FLVDownloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
2008-10-01 04:00 5723136 ----a-w- c:\program files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 08:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\AVIXE pen drive2 stuff\\TuDienHND\\3rdparty\\jre\\bin\\jre.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:shareaza

S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S1 jqi0d17;jqi0d17;c:\windows\system32\drivers\jqi0d17.sys --> c:\windows\system32\drivers\jqi0d17.sys [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/13/2004 6:18 AM 169192]
SUnknown AppToService_TuDienHND;AppToService_TuDienHND; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com/?p=us
IE: 使用网页迅雷下载
IE: 使用网页迅雷下载全部链接
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
.
- - - - ORPHANS REMOVED - - - -

BHO-{9C50A9AF-1506-44A1-958A-873DA3977D0C} - (no file)
HKLM-Run-SDTray - c:\program files\Spyware Doctor\SDTrayApp.exe
MSConfigStartUp-CTFMON - (no file)
AddRemove-Spyware Doctor - c:\program files\Spyware Doctor\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppToService_TuDienHND]
"ImagePath"="c:\documents and settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe /sys \"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND/3rdparty/jre/bin/jrew.exe\" /Arguments:\"-mx64m -cp vietdict.jar vietdict.server.vietdictserver\" /Directory:\"c:/documents and settings/owner/my documents/avixe pen drive2 stuff/tudienhnd\" /Name:\"tudienhnd\" /Startup:A"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bf,61,9c,87,c7,11,f9,a3,3d,3a,b8,09,f4,ba,38,70,93,f8,3b,56,bb,78,30,
ae,94,f6,6f,9a,93,9a,c4,bf,d2,f6,37,ec,4e,59,19,69,b8,c8,c2,4c,02,0f,44,1b,\
"??"=hex:6a,d4,43,5c,8e,72,8a,6a,02,82,58,4c,bd,6d,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-08 20:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-08 12:37
ComboFix2.txt 2009-11-28 17:03
ComboFix3.txt 2009-11-25 23:57

Pre-Run: 57,669,140,480 bytes free
Post-Run: 57,781,407,744 bytes free

- - End Of File - - 0CF4301AC94CE22460B283AE19DDCA23

Thank you
Gumpy

GUMPY
2009-12-08, 14:45
Dear Peku006:

This is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:01 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll (file missing)
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7576 bytes

Thank you.
Gumpy

peku006
2009-12-08, 15:43
Hi GUMPY

1 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll (file missing)
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll (file missing)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

2 - Run CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


File::
c:\windows\meta4.exe
c:\windows\system32\qestlkdp.dll
c:\windows\system32\svjfjqa.dll
c:\windows\system32\drivers\jqi0d17.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000009D5-2161-4196-9F87-D1FEFBDE1CAf}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F92CCA65-3301-4C6B-88B5-95ED581FF3DA}]

Driver::
jqi0d17



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log
3. a description of any problems you are having with your PC

Thanks peku006
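As an added example (not code from this thread, HijackThis or ComboFix), the selection peku006 applies above written out in Python: parse the O2 lines of a HijackThis log, flag the BHOs whose DLL is reported as "(no file)" or "(file missing)", and draft a CFScript in the File::/Registry::/Driver:: layout posted above. The sample log lines are constructed from entries in this thread, and the "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}" key is the shorthand ComboFix prints in its own log.

```python
"""Flag HijackThis O2 (BHO) entries whose DLL is gone and draft a CFScript.

Added example for this thread, not code from HijackThis, ComboFix or the forum.
The log lines are constructed from entries shown in the thread; the CFScript
layout (File::, Registry:: with [-key] deletions, Driver::) follows the script
posted above, and "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{CLSID}" is the
shorthand ComboFix prints in its own log.
"""
import re

# Constructed sample: a few O2 lines (plus one O4 line) taken from the thread's log.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\\WINDOWS\\system32\\qestlkdp.dll (file missing)
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\\windows\\system32\\svjfjqa.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# O2 line shape: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)


def parse_o2(line):
    """Parse one HijackThis O2 line; return None for any other line type."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    # HijackThis reports an absent DLL two ways: "(no file)" when the registry
    # entry carries no path at all, and "<path> (file missing)" when the
    # registered path points at nothing on disk.
    if target == "(no file)":
        path, missing = None, True
    elif target.endswith("(file missing)"):
        path, missing = target[: -len("(file missing)")].strip(), True
    else:
        path, missing = target, False
    return {"name": m.group("name"), "clsid": m.group("clsid"),
            "path": path, "missing": missing}


def orphaned_bhos(log_text):
    """Return the O2 entries whose DLL HijackThis could not find on disk."""
    entries = (parse_o2(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e["missing"]]


def build_cfscript(entries, drivers=()):
    """Draft a CFScript: dead DLL paths under File::, BHO keys under Registry::,
    and any service names passed in under Driver::."""
    lines = []
    paths = sorted({e["path"] for e in entries if e["path"]})
    if paths:
        lines.append("File::")
        lines.extend(paths)
        lines.append("")
    lines.append("Registry::")
    for e in entries:
        # "[-key]" asks ComboFix to delete the key (as in the script above).
        lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % e["clsid"])
    if drivers:
        lines.append("")
        lines.append("Driver::")
        lines.extend(drivers)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = orphaned_bhos(SAMPLE_HJT_LOG)
    for e in flagged:
        print("flag:", e["clsid"], e["name"], e["path"] or "(no file)")
    print(build_cfscript(flagged, drivers=["jqi0d17"]))
```

The drafted script is a starting point for the helper to check against the full log before it is saved as CFScript.txt and dragged onto ComboFix.exe.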

GUMPY
2009-12-09, 14:57
Dear Peku006:

This is the CFScript.txt:
ComboFix 09-12-08.04 - Owner 12/09/2009 20:39:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.193 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\meta4.exe"
"c:\windows\system32\drivers\jqi0d17.sys"
"c:\windows\system32\qestlkdp.dll"
"c:\windows\system32\svjfjqa.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\meta4.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_jqi0d17


((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-06 15:52 . 2009-12-06 15:52 -------- d-----w- C:\Cache
2009-12-06 15:47 . 2009-12-06 15:47 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-06 02:52 . 2009-12-06 02:52 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 17:24 . 2009-11-28 17:24 -------- d-----w- C:\_OTM
2009-11-28 05:22 . 2009-11-28 05:22 -------- d-----w- c:\program files\ESET
2009-11-26 14:36 . 2009-12-06 02:51 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-25 16:08 . 2009-11-25 16:08 -------- d-----w- c:\program files\Trend Micro
2009-11-25 16:07 . 2009-11-29 13:47 -------- d-----w- c:\program files\ERUNT
2009-11-23 16:42 . 2009-11-23 16:42 -------- d-----w- c:\program files\NETVIGATOR
2009-11-23 16:42 . 2000-12-08 13:59 122880 ----a-w- c:\windows\UnGins.exe
2009-11-23 16:42 . 2009-12-07 15:34 -------- d-----w- C:\Temp
2009-11-23 15:59 . 2009-11-23 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-11-23 15:59 . 2009-11-23 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-22 10:01 . 2009-11-22 10:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-20 14:41 . 2009-12-03 08:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 14:41 . 2009-12-06 15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 14:41 . 2009-12-03 08:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 11:39 . 2009-11-20 11:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-19 23:32 . 2005-09-23 00:29 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-11-19 13:51 . 2009-11-19 13:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-19 13:50 . 2009-11-19 13:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-11-19 13:31 . 2009-11-19 14:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 13:00 . 2009-11-19 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\program files\Yahoo!
2009-11-14 16:56 . 2009-11-14 17:00 -------- d-----w- c:\program files\SPSSEval
2009-11-12 13:38 . 2008-05-02 02:41 3493888 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2009-11-11 12:03 . 2009-11-11 12:03 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-11 11:54 . 2009-11-11 11:54 -------- d-----w- c:\program files\Sierra Online

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 12:46 . 2008-10-14 23:00 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-07 23:03 . 2008-10-16 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-12-06 15:40 . 2008-10-16 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-12-06 02:53 . 2009-05-26 23:40 -------- d-----w- c:\program files\Java
2009-11-29 12:49 . 2001-08-23 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-28 17:26 . 2009-04-18 05:03 -------- d-----w- c:\program files\0FF6FB7D
2009-11-20 12:36 . 2008-11-05 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-19 13:00 . 2008-10-16 22:40 -------- d-----w- c:\program files\CCleaner
2009-11-19 09:56 . 2008-11-05 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 17:11 . 2008-10-14 22:19 30784 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 12:15 . 2008-10-14 22:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 12:03 . 2009-10-14 14:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-09 09:53 . 2009-11-09 09:53 -------- d-----w- c:\program files\Ubisoft
2009-11-05 22:56 . 2009-11-05 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Sports Interactive
2009-10-26 13:37 . 2009-09-28 23:33 -------- d-----w- c:\program files\GameSpy Arcade
2009-10-26 06:17 . 2009-10-24 06:01 -------- d-----w- c:\program files\Temporary Game file
2009-10-25 17:17 . 2009-10-24 22:57 -------- d-----w- c:\program files\Zombie Shooter
2009-10-24 22:56 . 2009-10-24 22:56 -------- d-----w- c:\program files\ReflexiveArcade
2009-10-24 13:56 . 2009-10-24 13:52 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-10-24 13:56 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-10-24 13:55 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2009-10-17 05:06 . 2008-10-26 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-17 04:00 . 2009-10-17 04:00 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-17 03:27 . 2009-10-17 03:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-17 01:10 . 2009-10-17 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-17 01:10 . 2009-10-16 16:32 -------- d-----w- c:\program files\Electronic Arts
2009-10-16 16:32 . 2009-10-16 16:32 662 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-10-16 16:32 . 2008-10-14 22:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-16 14:32 . 2009-10-16 14:32 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-10-16 14:27 . 2009-10-16 14:27 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-14 13:19 . 2009-07-06 12:59 -------- d-----w- c:\program files\MagicISO
2009-10-14 13:19 . 2009-10-14 13:19 3067375 ----a-w- c:\program files\Setup_MagicISO.exe
2009-10-14 13:08 . 2009-10-14 13:08 -------- d-----w- c:\program files\MagicDisc
2009-10-14 13:08 . 2009-10-14 13:08 1352435 ----a-w- c:\program files\setup_magicdisc.exe
2009-10-10 20:17 . 2009-05-26 23:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 07:34 . 2009-10-05 07:34 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-07-19 22:08 . 2008-10-16 22:40 266544 ----a-w- c:\program files\uTorrent.exe
2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2009-09-15 15:05 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2009-09-15 15:05 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-15 15:05 216064 --sh--r- c:\windows\system32\nbDX.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-08_12.32.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-09 12:46 . 2009-12-09 12:46 16384 c:\windows\temp\Perflib_Perfdata_1fc.dat
+ 2007-03-14 02:29 . 2007-03-14 02:29 24576 c:\windows\system32\fscheck.dll
+ 2009-12-09 08:36 . 2009-12-09 08:36 245760 c:\windows\ERDNT\AutoBackup\12-9-2009\Users\00000002\UsrClass.dat
+ 2009-12-09 08:36 . 2005-10-20 04:02 163328 c:\windows\ERDNT\AutoBackup\12-9-2009\ERDNT.EXE
+ 2009-12-09 08:36 . 2009-12-09 08:36 9539584 c:\windows\ERDNT\AutoBackup\12-9-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S?û?d, ?ìdeô ??d gª?è ¢o?tr?l?è?š !!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-17 02:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLV Downloader]
2009-05-27 08:37 3644928 ----a-w- c:\program files\Moyea\YouTube FLV Downloader\FLVDownloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
2008-10-01 04:00 5723136 ----a-w- c:\program files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 08:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\AVIXE pen drive2 stuff\\TuDienHND\\3rdparty\\jre\\bin\\jre.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:shareaza

RUnknown AppToService_TuDienHND;AppToService_TuDienHND; [x]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/13/2004 6:18 AM 169192]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com/?p=us
IE: 使用网页迅雷下载
IE: 使用网页迅雷下载全部链接
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
TCP: {8A3E8348-D9F6-42BF-A07B-C98609F62123} = 203.198.23.208 205.252.144.126
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 20:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppToService_TuDienHND]
"ImagePath"="c:\documents and settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe /sys \"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND/3rdparty/jre/bin/jrew.exe\" /Arguments:\"-mx64m -cp vietdict.jar vietdict.server.vietdictserver\" /Directory:\"c:/documents and settings/owner/my documents/avixe pen drive2 stuff/tudienhnd\" /Name:\"tudienhnd\" /Startup:A"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bf,61,9c,87,c7,11,f9,a3,3d,3a,b8,09,f4,ba,38,70,93,f8,3b,56,bb,78,30,
ae,94,f6,6f,9a,93,9a,c4,bf,d2,f6,37,ec,4e,59,19,69,b8,c8,c2,4c,02,0f,44,1b,\
"??"=hex:6a,d4,43,5c,8e,72,8a,6a,02,82,58,4c,bd,6d,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\documents and settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\documents and settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-09 20:51:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 12:51
ComboFix2.txt 2009-12-08 12:37
ComboFix3.txt 2009-11-28 17:03
ComboFix4.txt 2009-11-25 23:57

Pre-Run: 53,927,849,984 bytes free
Post-Run: 53,913,120,768 bytes free

- - End Of File - - C0C23B9FA3F7EC21B4C6321A6F2FAF7D

The HijackThis log will follow later.
Thanks
Gumpy

GUMPY
2009-12-09, 14:58
Dear Peku006:

The Hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:47 PM, on 12/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7129 bytes

Thank you very much.
Gumpy

peku006
2009-12-09, 17:00
Hi GUMPY

good job :bigthumb:

How's the computer running now? Any problems?

GUMPY
2009-12-10, 16:44
Dear Peku006:

Thanks to you the computer is running smoothly.
However, I tried and failed to enable autologon at Windows startup.
Every time I turn on the computer, before my desktop appears, a logon to Windows panel appears asking for ID and PW.
My default ID is Owner, but there is no PW. All I do is click on OK or press Enter and Windows starts.
Please teach me step by step how to activate autologon. I tried Microsoft's instructions, playing around with Regedit, but the computer did not allow autologon.

Thank you once again
Gumpy

peku006
2009-12-10, 19:23
Hi GUMPY

Click Start, Run, type CONTROL USERPASSWORDS2, and click OK. Select the user account from the list (the account to which you want to automatically log on). Uncheck the "Users must enter a user name and password to use this computer" option, and click OK. Type the user account password and complete the process.


Or here

http://www.kellys-korner-xp.com/win_xp_passwords.htm

post back if it helped.

Thanks peku006

GUMPY
2009-12-20, 09:33
Dear Peku006:
New problem: Backdoor.Tidserv!inf. Not even Symantec AntiVirus can remove it.
I need your help again.

atapi.sys.vir Backdoor.Tidserv!inf File Left alone OWNER-GMHV9JQLQ Owner C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ Infected C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ Clean virus from file Quarantine infected file Manual scan The file was left unchanged.
atapi.sys.vir Backdoor.Tidserv!inf File Left alone OWNER-GMHV9JQLQ Owner C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ Infected C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
atapi.sys.vir Backdoor.Tidserv!inf File Left alone OWNER-GMHV9JQLQ Owner C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ Infected C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:52 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7261 bytes


Thank you
Gumpy

peku006
2009-12-20, 09:52
Hi GUMPY

They are in the ComboFix quarantine folder (C:\Qoobox); they are not active and we will remove them later.

All the logs look good. How's the computer running now? Any problems?

Thanks peku006

GUMPY
2009-12-20, 15:13
Dear Peku006:
Thank you very much. The computer is running normally.
I haven't tried the autologon yet that you mentioned because I'm not sure which option to choose from the website.
Seems all of them apply to me.

Gumpy

peku006
2009-12-20, 15:43
Hi GUMPY

I am sorry that I cannot help you with the autologon problem.
This page might help you:

what the tech (http://forums.whatthetech.com/forums.html)

windows (http://forums.whatthetech.com/Microsoft_Windows_f119.html) - problems with operating systems and Windows problems
all other software (http://forums.whatthetech.com/Other_software_f124.html) - problems with all other software




Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete TDSSKiller , SystemLook and SecurityCheck from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the "Begin cleanup Process?" prompt appears
If you are prompted to reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:
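The hosts-file mechanism described in the post above, as an added example that is not part of this thread or of the MVPS project: it parses hosts-file text the way the resolver reads it (the first address listed for a name is kept, `#` starts a comment, several names may share a line), shows that a listed ad host resolves to 127.0.0.1 while an unlisted one falls through to DNS, and goes one step beyond the post by flagging entries that point a name at a real address, since malware abuses the same file to redirect update and security-vendor hostnames. Every hostname below and the 203.0.113.7 address are constructed placeholders, not real blocklist entries.

```python
"""Simulate how the hosts file is consulted before DNS, and audit it.

Added example, not code from the forum thread or the MVPS project. The
SAMPLE_HOSTS text is constructed for illustration; the .test hostnames and
the 203.0.113.7 address are placeholders.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the stock localhost line, three blocklist-style
# entries, and one hijack-style entry that points a vendor-looking name at
# a remote address (the pattern a defender wants to catch).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# -- constructed blocklist entries --
127.0.0.1  ads.example-adnetwork.test
127.0.0.1  tracker.example-adnetwork.test   # ad tracker
0.0.0.0    banner.example-adnetwork.test  banner2.example-adnetwork.test
# -- constructed hijack entry --
203.0.113.7  update.example-vendor.test
"""

# Addresses a blocklist-style hosts file is expected to use.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (case-insensitive) to the first address listed for it.

    Comments start with '#' and may follow an entry on the same line. Lines
    whose first token is not an IP address, or that carry no hostname, are
    skipped rather than treated as matches.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: address with no hostname
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first token is not an IP address
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)  # first listing wins
    return table


def resolve(name: str, table: Dict[str, str]) -> Optional[str]:
    """Return the hosts-file answer for name, or None if DNS would be queried."""
    return table.get(name.lower())


def suspicious_entries(table: Dict[str, str]) -> List[str]:
    """Hostnames mapped to a real (non-loopback, non-null) address.

    A blocklist hosts file should only ever point names at 127.0.0.1 or
    0.0.0.0; any other target deserves review, because the same file is used
    by malware to send update and security-vendor hostnames elsewhere.
    """
    return sorted(name for name, addr in table.items()
                  if addr not in LOOPBACK_OR_NULL)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-adnetwork.test", "www.example.test"):
        print(f"{host} -> {resolve(host, hosts) or 'not in hosts, ask DNS'}")
    print("entries to review:", suspicious_entries(hosts))
```

Running the block prints that the ad host goes to 127.0.0.1, that the unlisted name falls through to DNS, and lists update.example-vendor.test as the one entry worth reviewing.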

peku006
2009-12-26, 12:05
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)