Thread: Can't get rid of PWS.LDPinchIE (page 2 of 3, posts 11 to 20 of 24)

    #11 | Security Expert-Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 3,934

    Hiya

    Okay, let's see what we have there. Please post a fresh HijackThis log...
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

    #12 | Junior Member | Join Date: May 2009 | Posts: 13
    New HijackThis log

    Here's the log after a fresh boot.

    -----------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:18:05 PM, on 6/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\games\steam\steam.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Spybot\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5544 bytes

    #13 | Security Expert-Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 3,934

    Ok, this is going to look like a replay, but something came back...

    We will begin with ComboFix (again).

    Please download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
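The reply above says something came back but does not name the line. Several entries in the HijackThis log posted in #12 are the kind a helper checks first: the O20 Winlogon Notify entry `tuvuuss` whose path is the bare directory `C:\WINDOWS\` rather than a DLL, the O2 BHO `{C2BA40A1-74F3-42BD-F434-12345A2C8953}` listed as `(no file)`, the O23 service `Ati HotKey Poller` marked `(file missing)`, and the R0 start page that is not the Microsoft default. The script below is an added example for this thread; it is not part of HijackThis, ComboFix or the helper's instructions, and its rules, function names and the nine-line sample (copied from the log above) are the author's own assumptions. It parses HJT lines and flags those four patterns as review items, not verdicts.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or
the helper's instructions above. The rules are the author's own heuristics
for the entries a forum helper checks first: non-default IE start/search
pages, BHOs whose CLSID has no file behind it, Winlogon Notify packages
whose "path" is not a DLL, and services whose binary is missing. A hit is
a review item, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: nine lines copied from the HijackThis log
# posted above (backslashes doubled for Python string literals).
SAMPLE_LOG = "\n".join([
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn",
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\Spybot\\SDHelper.dll",
    "O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)",
    "O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe",
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: tuvuuss - C:\\WINDOWS\\",
    "O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe (file missing)",
    "O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe",
])

# HJT lines look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# IE defaults on XP point at Microsoft's fwlink redirector.
MS_DEFAULT_URL = "go.microsoft.com/fwlink/"


@dataclass
class Entry:
    code: str   # HJT section code, e.g. "O20"
    body: str   # everything after "<code> - "


@dataclass
class Finding:
    code: str
    reason: str
    entry: str  # the original log line, for the report


def parse_hjt(text: str) -> List[Entry]:
    """Return the recognised entries in a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _last_field(body: str) -> str:
    """HJT separates name / CLSID / owner / path with ' - '; the path is last."""
    return body.rsplit(" - ", 1)[-1].strip()


def check_entry(e: Entry) -> Optional[str]:
    """Return a reason string if the entry deserves a second look, else None."""
    if e.code in ("R0", "R1"):
        # "HKCU\...\Main,Start Page = http://..."; the URL itself may contain '='
        _, _, url = e.body.partition(" = ")
        if url and MS_DEFAULT_URL not in url:
            return "IE start/search page is not the Microsoft default; confirm the user set it"
    elif e.code == "O2":
        if _last_field(e.body) == "(no file)":
            return "BHO CLSID registered but no DLL on disk (orphaned or hidden)"
    elif e.code == "O20":
        path = _last_field(e.body)
        if not path.lower().endswith(".dll"):
            return "Winlogon Notify package whose path is not a DLL; key persists without a file"
    elif e.code == "O23":
        if e.body.endswith("(file missing)"):
            return "service registered but its binary is missing"
    return None


def triage(entries: List[Entry]) -> List[Finding]:
    """Run every rule over every entry and collect the hits."""
    findings = []
    for e in entries:
        reason = check_entry(e)
        if reason:
            findings.append(Finding(e.code, reason, f"{e.code} - {e.body}"))
    return findings


def triage_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run it with the full log pasted into `SAMPLE_LOG` (or read from a file) and it reports four review items for the sample: the R0 start page, the `(no file)` BHO, the `tuvuuss` notify package and the missing `Ati2evxx.exe` service, while the AVG and Spybot entries pass. The O20 rule is deliberately about shape, not names: a Winlogon Notify value pointing at a directory means the registry key outlived its DLL (deleted by a scanner, or hidden), which is exactly what the log shows and why a helper re-checks it on the next log rather than trusting a name list.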

    #14 | Junior Member | Join Date: May 2009 | Posts: 13

    Here are my logs.
    Steve

    ---------------------------


    ComboFix 09-06-07.02 - Steve 06/07/2009 16:38.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
    .

    2009-06-07 01:51 . 1999-03-23 05:00 401484 ----a-w- c:\windows\system32\msvcrtd.dll
    2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\program files\GameTap Web Player
    2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\GameTap Web Player
    2009-06-03 23:03 . 2009-05-06 00:05 462848 ----a-w- c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
    2009-06-01 17:53 . 2009-06-01 17:53 390664 ----a-w- c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-24 15:36 . 2009-05-24 15:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w- c:\program files\Trend Micro
    2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w- c:\program files\RegBackup ERUNT
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
    2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w- c:\documents and settings\Steve\Application Data\Safer Networking
    2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w- c:\program files\Safer Networking
    2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w- c:\program files\ProcessExplorer
    2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w- c:\windows\system32\GroupPolicy
    2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w- c:\windows\SxsCaPendDel
    2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w- c:\windows\system32\USERINIT.EXE
    2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
    2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w- c:\documents and settings\Steve\Application Data\ptidle
    2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SimCity Societies
    2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w- c:\windows\system32\KB905474
    2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
    2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
    2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
    2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Soldat
    2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-07 21:23 . 2009-03-29 22:46 -------- d-----w- c:\program files\Mozilla Sunbird
    2009-06-07 01:52 . 2005-01-30 21:40 246 ----a-w- c:\windows\PowerReg.dat
    2009-06-07 01:50 . 2004-07-25 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-05 16:42 . 2007-06-17 22:30 98304 ----a-w- c:\windows\System32CmdLineExt.dll
    2009-06-04 23:06 . 2007-03-13 20:38 64 ----a-w- c:\windows\popcinfot.dat
    2009-06-03 22:24 . 2004-09-22 14:40 84592 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-28 13:48 . 2009-02-01 02:50 -------- d-----w- c:\program files\Spybot
    2009-05-27 23:37 . 2008-08-07 00:46 -------- d-----w- c:\documents and settings\Steve\Application Data\OpenOffice.org2
    2009-05-27 23:36 . 2008-08-16 13:46 1 ----a-w- c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-05-27 23:35 . 2008-01-25 01:18 -------- d-----w- c:\program files\MSECACHE
    2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w- c:\program files\Stardock Games
    2009-05-10 19:58 . 2009-04-30 21:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Mumble
    2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Ironclad Games
    2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w- c:\documents and settings\Steve\Application Data\WTablet
    2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w- c:\documents and settings\Steve\Application Data\Winamp
    2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w- c:\windows\system32\xlive.dll
    2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
    2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
    2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w- c:\windows\War3Unin.dat
    2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w- c:\windows\eReg.dat
    2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w- c:\program files\temp01
    2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w- c:\program files\error.dat
    2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w- c:\program files\Readme.txt
    2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w- c:\program files\EULA.txt
    2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w- c:\program files\internet explorer\plugins\djvu0407.dll
    2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w- c:\program files\internet explorer\plugins\djvu0409.dll
    2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w- c:\program files\internet explorer\plugins\djvu040c.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0411.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0412.dll
    2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w- c:\program files\internet explorer\plugins\djvu0804.dll
    2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-05-22_00.25.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-08-10 22:19 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
    - 2007-08-10 22:19 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
    + 2009-05-27 23:36 . 2009-05-27 23:36 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2009-06-03 22:25 . 2009-06-03 22:25 56320 c:\windows\assembly\NativeImages_v2.0.50727_32\Stardock.Central.Se#\5385eb9f34ad209ba7ea87cac00e1a64\Stardock.Central.Security.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 81920 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Uninstall\bcb8554f6f9d1fac5114830ff6c1d4bc\Sd.Uninstall.ni.dll
    + 2004-07-24 18:01 . 2009-05-28 11:56 296456 c:\windows\system32\FNTCACHE.DAT
    + 2009-06-03 22:25 . 2009-06-03 22:25 284672 c:\windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\1a7da1bd1409cb8aae83d12985e91785\VistaBridgeLibrary.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 485888 c:\windows\assembly\NativeImages_v2.0.50727_32\VDialog\b9f93ab4e871202f08bacb2eea45619f\VDialog.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd\b763c29a1b5ab7f3a4db1563af682177\Sd.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 422912 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Web\c71283976332f42816bf8eef4862aa2a\Sd.Web.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 155648 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.UI\3e7f2d58806d187d104688c6646cf0f4\Sd.UI.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 804352 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Irc\91e6d500574d1ef15828dcdbc154e44e\Sd.Irc.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 296960 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.InstallManager\3b63000c351829ab07838317ca9a3643\Sd.InstallManager.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 564224 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common.XmlSerial#\ae0f4540e4c7dbed2820722ac3eed7da\Sd.Common.XmlSerializers.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 788480 c:\windows\assembly\NativeImages_v2.0.50727_32\sd.central.cvp.serv#\b6e8a38d3cfc48123b5715b7cd18b6e1\sd.central.cvp.server.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 128512 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive\8101eb83b90821af4b7c6eab2024a41f\Sd.Central.Archive.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 345600 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive.#\aca17957fd7012185f82679a35a18b0f\Sd.Central.Archive.XmlSerializers.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 326144 c:\windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\523977d5edec6266fcc0c7588e361cd5\MyDock.Util.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 100864 c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\b57a1fe2527d40aae9b62b10f57be9b8\Interop.IWshRuntimeLibrary.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 726016 c:\windows\assembly\NativeImages_v2.0.50727_32\ICSharpCode.SharpZi#\5c1a3278ff6412107322a65dee39790d\ICSharpCode.SharpZipLib.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 1308160 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common\d0463aaf422bc51e171f0cad7a6775e1\Sd.Common.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 6175232 c:\windows\assembly\NativeImages_v2.0.50727_32\Impulse\162b482fdd3a7302192bf6d202561efd\Impulse.ni.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="d:\games\steam\steam.exe" [2009-05-22 1217784]
    "Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
    ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
    Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
    Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 6087]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]
    Spybot - Search & Destroy.lnk - c:\program files\Spybot\SpybotSD.exe [2009-1-31 5365592]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-03 18:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=ctwdm32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^ImpulseNow.lnk]
    path=c:\documents and settings\Steve\Start Menu\Programs\Startup\ImpulseNow.lnk
    backup=c:\windows\pss\ImpulseNow.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Ventrilo Server.lnk]
    path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Ventrilo Server.lnk
    backup=c:\windows\pss\Ventrilo Server.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "DGPN"=2 (0x2)
    "TabletServiceWacom"=2 (0x2)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Brother XP spl Service"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
    "d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Games\\World in Conflict\\wic.exe"=
    "d:\\Games\\World in Conflict\\wic_online.exe"=
    "d:\\Games\\World in Conflict\\wic_ds.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
    "d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
    "c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
    "d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
    "g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
    "g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
    "g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
    "d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
    R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
    R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
    S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
    S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2005-08-07 c:\windows\Tasks\cleanup-test.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-04 c:\windows\Tasks\cleanup.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-12 c:\windows\Tasks\DataOnly.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

    2009-06-07 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
    FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
    FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-07 16:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "????????????????????????"=hex:63,a2,df,ea,77,f0,95,25,eb,6c,dc,66,29,e5,12,1d,
    2c,29,70,2c,5c,5c,25,f7,2c,2c,5c,d1,25,c3,2e,2e,00,00,00,00,00,00,00,00,00,\
    "???n"=hex:67,c5,3f,af,2f,06,f4,bd,6a,bc,3c,06,c9,a8,f3,94,cf,fc,28,65,23,1f,
    51,a4,66,c3,ff,fd,10,6b,09,b0,09,00,c0,46,db,0a,6f,85,96,63,1a,e5,64,d4,d7,\
    "?????"=hex:9b,9d,a9,7e,82,9e,bf,2c,e9,55,17,f0,77,5c,30,60
    "???n"=hex:ca,7f,b1,85,35,af,19,95,9b,a8,37,7a,99,ab,d7,56,38,b0,d3,96,72,26,
    af,0f,16,9e,d6,36,d2,33,4f,56,ef,d6,90,a9,11,dc,dd,ab,e0,b9,e6,2f,ab,b3,26,\
    "??"=hex:1b,ee,fb,ee,5e,a8,db,76,e9,8e,a8,56,0f,22,bd,59,a7,f5,31,8b,68,3d,0d,
    66,8f,a9,af,3a,cd,97,dd,26,b6,8f,e0,00,53,f0,17,e0,33,21,7c,c4,ec,bb,45,d6,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:60,0d,47,33,43,d6,05,78,97,20,41,75,fe,20,a2,c4,e6,c4,14,cd,72,
    bc,80,4a,7f,c2,b8,b7,b8,67,45,6b,87,24,7d,2b,e6,ac,26,26,0f,b6,9f,85,ba,26,\
    "rkeysecu"=hex:65,d6,a2,52,b5,22,4b,f2,49,55,2b,25,75,bf,64,56
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2304)
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\MSVCP71.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2009-06-07 16:41
    ComboFix-quarantined-files.txt 2009-06-07 21:41
    ComboFix2.txt 2009-05-22 23:57
    ComboFix3.txt 2009-05-22 00:28

    Pre-Run: 12,837,810,176 bytes free
    Post-Run: 12,909,498,368 bytes free

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    294 --- E O F --- 2009-05-23 02:53

    -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:48:50 PM, on 6/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 4928 bytes

    -------------------------

  5. #15
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Okay...

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe


    Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]

    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Then uninstall all previous versions of Malwarebytes' Anti-Malware (MBAM).

    Restart the pc.

    • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
    • Double click on mbam-setup.exe to install it.
    • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
    • Select the Scanner tab. Click on Perform full scan, then click on Scan.
    • Leave the default options as they are and click on Start Scan.
    • When done, you will be prompted. Click OK, then click on Show Results.
    • Check (tick) all items and click on Remove Selected.
    • After it has removed the items, Notepad will open. Please post this log in your next reply along with a fresh HijackThis log. You can also find the log in the Logs tab. The bottom most log is the latest.
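The Fix.reg above removes one specific Winlogon Notify entry, the one whose DLL path HijackThis could not resolve (the "tuvuuss - C:\WINDOWS\" line in the 2009-06-07 log). The following is an added example, not code from the thread or from HijackThis, that applies the same triage to O20 and O23 lines and generates the REGEDIT4 deletion text in the same shape. The sample lines are constructed from the log posted above; the two rules (a Notify entry that does not end in a .dll, a service marked "file missing") are the reviewer's own heuristics and are prompts to investigate, not verdicts: the Ati HotKey Poller hit is a stale service from an uninstalled driver (the same log shows NVIDIA drivers), which is why the helper left it alone.

```python
"""Triage a HijackThis 2.0.2 log for the two entry types the helper acted on
in this thread: O20 Winlogon Notify hooks and O23 services.

Added example (not part of the thread, not HijackThis code).  The rules are the
reviewer's own: a Notify entry whose DllName does not resolve to a .dll file,
and a service whose binary is reported missing, both deserve a look.
"""
import re
from dataclasses import dataclass

# Constructed sample: five lines modelled on the 2009-06-07 log posted above.
# Raw string, so every backslash (including the one that ends the tuvuuss
# line) is kept literally.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

WINLOGON_NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


@dataclass
class Finding:
    kind: str    # "O20" or "O23"
    name: str    # Notify subkey name or service display name
    path: str    # the path exactly as HijackThis printed it
    reason: str


def triage(log_text):
    """Return the O20/O23 entries worth a second look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            path = m.group("path").strip()
            # Winlogon loads Notify packages as DLLs.  A bare directory, as with
            # "tuvuuss - C:\WINDOWS\" in this thread, means the DllName value did
            # not resolve to a file HijackThis could find.
            if not path.lower().endswith(".dll"):
                findings.append(Finding("O20", m.group("name"), path,
                                        "Notify DllName does not resolve to a .dll"))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").strip().endswith("(file missing)"):
            # Often just a stale service left by an uninstalled driver, so this is
            # a prompt to check the service, not a verdict.
            findings.append(Finding("O23", m.group("name"), m.group("path").strip(),
                                    "service binary missing on disk"))
    return findings


def reg_delete_winlogon_notify(name):
    """Build the REGEDIT4 text that deletes one Winlogon Notify subkey, the same
    shape as the Fix.reg in the post above.  The '-' before the key path tells
    regedit to delete the key; REGEDIT4 needs the trailing blank line, hence
    the two newlines at the end."""
    return "REGEDIT4\n\n[-%s\\%s]\n\n" % (WINLOGON_NOTIFY_KEY, name)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %-20s %s  (%s)" % (f.kind, f.name, f.path, f.reason))
    print(reg_delete_winlogon_notify("tuvuuss"))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the generated text can be saved as Fix.reg and merged exactly as described above, after the ERUNT backup.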

  6. #16
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default

    Malwarebytes' Anti-Malware 1.37
    Database version: 2259
    Windows 5.1.2600 Service Pack 3

    6/10/2009 6:44:19 PM
    mbam-log-2009-06-10 (18-44-19).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
    Objects scanned: 752702
    Time elapsed: 2 hour(s), 23 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 12

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\Steve\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Qoobox\quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064886.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064887.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210613.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210614.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210615.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210616.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210789.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.

    -----------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:52:34 PM, on 6/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    D:\games\steam\steam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 4964 bytes
    ---------------------------------

  7. #17
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Okay looks good now. How is the pc running now? Any symptoms?

  8. #18
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default Still not quite right

    It seems OK except sometimes Google searches return links to different phishing sites. The most frequent one today is claiming to be sucleaner.com. However, clicking on the Google link a second time properly goes to the site.

    Here's my current hijackthis log:
    Steve
    ================================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:01 PM, on 6/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\games\steam\steam.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    G:\Programs\Mumble\mumble.exe
    G:\Programs\Mumble\dbus-daemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\calc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 4754 bytes

  9. #19
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Ok in that case we'll do some digging...

    Please run a GMER Rootkit scan:

    Download GMER's application from here:
    http://www.gmer.net/gmer.zip

    Unzip it and start the GMER.exe
    Click the Rootkit tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.

    Warning ! Please, do not select the "Show all" checkbox during the scan.

    If you're having problems with running GMER.exe, try it in safe mode.
    This tool works in safe mode; other rootkit revealers don't.

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.
    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
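Once GMER's results are pasted, the section that matters for a search-redirect symptom is the "Registry" block at the end: it lists the service key GMER found, its driver image, an "injector" subkey naming which processes receive which DLL, and an "ff" subkey registering a Firefox extension. The following is an added example, not part of the thread and not GMER code, that parses those Reg lines into one summary per service so the driver and DLL paths can be compared with what MBAM actually removed (in this thread MBAM's hits for the same file names were all inside ComboFix's Qoobox quarantine and System Restore points, not live files). The sample lines are constructed from the log in the reply that follows (#20), with one sptd line to show an entry that is not flagged; the random-name heuristic is the reviewer's own.

```python
"""Read the "Registry" section of a GMER log and summarise each service it lists:
image path, which processes get a DLL injected, and any browser extension it
registers.

Added example (not part of the thread, not GMER code).  The line format is the
one GMER prints:  Reg HKLM\...\Services\<svc>[\<subkey>][@<value> <data>].
The random-name heuristic is the reviewer's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the Reg lines from the GMER log in reply #20,
# plus one sptd line to show an entry that is not flagged.
SAMPLE_GMER = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@imagepath \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{09C632F2-2F51-49E2-9A4C-E0173025E9BC}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthwi.dll \systemroot\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthff.dll \systemroot\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
"""

REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@\s]+)"            # service key name
    r"(?P<sub>(?:\\[^\\@\s]+)*)"     # optional subkey path below the service
    r"(?:@(?P<val>\S+)(?:\s+(?P<data>.*))?)?$"
)

# Long all-lowercase letter blobs are how this family names its service and files.
RANDOM_NAME_RE = re.compile(r"^[a-z]{20,}$")


def parse_gmer_reg(text):
    """Group GMER Reg lines by service: {svc: {"values": {...}, "subkeys": {sub: {...}}}}."""
    services = defaultdict(lambda: {"values": {}, "subkeys": defaultdict(dict)})
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        svc = services[m.group("svc")]
        sub = m.group("sub").strip("\\")
        if m.group("val") is None:
            if sub:                      # bare key line such as "...\main"
                svc["subkeys"].setdefault(sub, {})
            continue
        target = svc["subkeys"][sub] if sub else svc["values"]
        target[m.group("val").lower()] = (m.group("data") or "").strip()
    return services


def summarise(services):
    """Per service: image path, injected processes resolved to on-disk DLLs,
    registered Firefox extension, and a suspicious flag."""
    out = {}
    for name, svc in services.items():
        subs = svc["subkeys"]
        modules = subs.get("modules", {})                   # alias -> real path
        injects = subs.get("main\\injector", {})            # process -> alias
        out[name] = {
            "image": svc["values"].get("imagepath"),
            "inject_files": {proc: modules.get(alias.lower(), alias)
                             for proc, alias in injects.items()},
            "ff_extension": subs.get("main\\ff", {}).get("extension"),
            # Flag, do not convict: a random name plus a per-process injector
            # list is not something a legitimate driver service carries.
            "suspicious": bool(RANDOM_NAME_RE.match(name)) and bool(injects),
        }
    return out


if __name__ == "__main__":
    for name, info in summarise(parse_gmer_reg(SAMPLE_GMER)).items():
        print("%s  suspicious=%s" % (name, info["suspicious"]))
        print("  image:        %s" % info["image"])
        for proc, dll in info["inject_files"].items():
            print("  injects %-14s %s" % (proc + ":", dll))
        if info["ff_extension"]:
            print("  ff extension: %s" % info["ff_extension"])
```

The summary gives the three things a removal actually needs: the driver path to unload, the real file names behind the injector aliases (explorer.exe and iexplore.exe here), and the Firefox extension directory to check. The sptd.sys SSDT and IAT entries elsewhere in a GMER log belong to a disc-emulation driver and are not what this script is looking at.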

  10. #20
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-06-21 19:27:34
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
    SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
    SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
    SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
    SSDT sptd.sys ZwQueryKey [0xB9EC4418]
    SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
    SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload B8DB48AC 5 Bytes JMP 8AB596E0

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 0403A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 0403A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 0403A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 0403A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 0403A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 0403A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 0403A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
    .text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 0403A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8AD591E8
    Device \FileSystem\Udfs \UdfsCdRom 8AB8B410
    Device \FileSystem\Udfs \UdfsDisk 8AB8B410

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbohci \Device\USBPDO-0 8AB571E8
    Device \Driver\usbohci \Device\USBPDO-1 8AB571E8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ADCA1E8
    Device \Driver\dmio \Device\DmControl\DmConfig 8ADCA1E8
    Device \Driver\dmio \Device\DmControl\DmPnP 8ADCA1E8
    Device \Driver\dmio \Device\DmControl\DmInfo 8ADCA1E8
    Device \Driver\usbohci \Device\USBPDO-2 8AB571E8
    Device \Driver\usbohci \Device\USBPDO-3 8AB571E8
    Device \Driver\usbohci \Device\USBPDO-4 8AB571E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{C4E33733-79B1-408C-A9B5-239AFA3EF59B} 8951A1E8

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\prodrv06 \Device\ProDrv06 E2459938
    Device \Driver\usbehci \Device\USBPDO-5 8AB171E8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8AD5B1E8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8AD5B1E8
    Device \Driver\Cdrom \Device\CdRom0 8AB091E8
    Device \Driver\Ftdisk \Device\HarddiskVolume3 8AD5B1E8
    Device \Driver\Cdrom \Device\CdRom1 8AB091E8
    Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1c sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdePort3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-24 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\Ftdisk \Device\HarddiskVolume4 8AD5B1E8
    Device \Driver\Cdrom \Device\CdRom2 8AB091E8
    Device \Driver\Ftdisk \Device\HarddiskVolume5 8AD5B1E8
    Device \Driver\prohlp02 \Device\ProHlp02 E1FD61F0
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8951A1E8
    Device \Driver\NetBT \Device\NetbiosSmb 8951A1E8

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbohci \Device\USBFDO-0 8AB571E8
    Device \Driver\usbohci \Device\USBFDO-1 8AB571E8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8951C1E8
    Device \Driver\usbohci \Device\USBFDO-2 8AB571E8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8951C1E8
    Device \Driver\usbohci \Device\USBFDO-3 8AB571E8
    Device \Driver\usbohci \Device\USBFDO-4 8AB571E8
    Device \Driver\Ftdisk \Device\FtControl 8AD5B1E8
    Device \Driver\usbehci \Device\USBFDO-5 8AB171E8
    Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target1Lun0 8AAD01E8
    Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target1Lun0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\cdawdm \Device\Scsi\cdawdm1 8AAD01E8
    Device \Driver\cdawdm \Device\Scsi\cdawdm1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target0Lun0 8AAD01E8
    Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target0Lun0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
    Device \FileSystem\Cdfs \Cdfs 8A881790

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@start 1
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@imagepath \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@inst 0
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@ver sni060409
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@cid 01
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@bid 3838505566-725345543-764733703-1801674531
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@aid 998
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@sid 3
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@feed 0x22 0x64 0x78 0x36 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@cmddelay 28801
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@logoffset 3726
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\delete
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{09C632F2-2F51-49E2-9A4C-E0173025E9BC}
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@version 1
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@iexplore.exe ovfsthwi.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@explorer.exe ovfsthff.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\tasks
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dll \systemroot\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthlog.dat \systemroot\system32\ovfsthokvbxvihlxhdejojsrmrqwyvkxxljxwb.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthwi.dll \systemroot\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthff.dll \systemroot\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dat \systemroot\system32\ovfstheuposgxodxgbmcnmkjawoinysysxtrpg.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...

    ---- EOF - GMER 1.0.15 ----

    -------------------------------------------------------

    "Silent Runners.vbs", revision 59, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Steam" = ""d:\games\steam\steam.exe" -silent" ["Valve Corporation"]
    "Executor" = ""C:\Program Files\Executor\executor.exe" -s" ["Martin Bresson"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]
    "amd_dc_opt" = "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]
    "AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
    "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
    -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
    "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
    -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
    "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
    -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
    -> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
    \InProcServer32\(Default) = "D:\Program Files\MS Antispyware\shellextension.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
    AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
    MakeFile Class\(Default) = "{D8504558-278D-4A93-BCBC-75B142CAA3B3}"
    -> {HKLM...CLSID} = "MakeFile Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\vdshell.dll" ["FarStone Technology Inc."]
    SciTE\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
    -> {HKLM...CLSID} = "SciTE"
    \InProcServer32\(Default) = "C:\Program Files\Scintilla Text Editor\wscitecm.dll" ["Burgaud.com"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
    AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
    FolderShell Class\(Default) = "{24C0824F-BC16-41DB-9845-DE545941C3B0}"
    -> {HKLM...CLSID} = "FolderShell Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\vdshell.dll" ["FarStone Technology Inc."]
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\DOCUME~1\Steve\LOCALS~1\Temp\AutoWall.bmp"


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    iTunesBurnCDOnArrival\
    "Provider" = "iTunes"
    "InvokeProgID" = "iTunes.BurnCD"
    "InvokeVerb" = "burn"
    HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Computer, Inc."]

    iTunesImportSongsOnArrival\
    "Provider" = "iTunes"
    "InvokeProgID" = "iTunes.ImportSongsOnCD"
    "InvokeVerb" = "import"
    HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Computer, Inc."]

    iTunesPlaySongsOnArrival\
    "Provider" = "iTunes"
    "InvokeProgID" = "iTunes.PlaySongsOnCD"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Computer, Inc."]

    iTunesShowSongsOnArrival\
    "Provider" = "iTunes"
    "InvokeProgID" = "iTunes.ShowSongsOnCD"
    "InvokeVerb" = "showsongs"
    HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Computer, Inc."]

    PDVDPlayDVDMovieOnArrival\
    "Provider" = "PowerDVD"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithPowerDVD"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]

    RPCDBurningOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.CDBurn.6"
    "InvokeVerb" = "open"
    HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

    RPDeviceOnArrival\
    "Provider" = "RealPlayer"
    "ProgID" = "RealPlayer.HWEventHandler"
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
    -> {HKLM...CLSID} = "RealNetworks Scheduler"
    \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

    RPPlayCDAudioOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AudioCD.6"
    "InvokeVerb" = "play"
    HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

    RPPlayDVDMovieOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.DVD.6"
    "InvokeVerb" = "play"
    HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

    RPPlayMediaOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AutoPlay.6"
    "InvokeVerb" = "open"
    HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

    VLCPlayCDAudioOnArrival\
    "Provider" = "VideoLAN VLC media player"
    "InvokeProgID" = "VLC.CDAudio"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

    VLCPlayDVDMovieOnArrival\
    "Provider" = "VideoLAN VLC media player"
    "InvokeProgID" = "VLC.DVDMovie"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

    WinampMTPHandler\
    "Provider" = "Winamp"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    WinampPlayMediaOnArrival\
    "Provider" = "Winamp"
    "InvokeProgID" = "Winamp.File"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
    HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
    -> {HKLM...CLSID} = (no title provided)
    \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


    Startup items in "Steve" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\Steve\Start Menu\Programs\Startup
    "AWC" -> shortcut to: "G:\AWC (Auto Wallpaper Changer)\AWC.exe" ["Steve Murphy"]
    "ImpulseNow" -> shortcut to: "C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe" ["Stardock Corporation"]
    "Mozilla Sunbird" -> shortcut to: "C:\Program Files\Mozilla Sunbird\sunbird.exe" ["Mozilla"]
    "Shortcut to Ut3 Map TO DOs" -> shortcut to: "C:\Documents and Settings\Steve\Desktop\TO DO.txt" [null data]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
    "Spybot - Search & Destroy" -> shortcut to: "C:\Program Files\Spybot\SpybotSD.exe" ["Safer Networking Limited"]


    Enabled Scheduled Tasks:
    ------------------------

    "cleanup-test" -> launches: "D:\Data\cleanup.bat" [null data]
    "cleanup" -> launches: "D:\Data\cleanup.bat" [null data]
    "DataOnly" -> launches: "C:\WINDOWS\system32\ntbackup.exe backup "@C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\DataOnly.bks" /n "DataBackup.bkf created 8/7/2005 at 10:27 AM" /d "Set created 8/7/2005 at 10:27 AM" /v:yes /r:no /rs:no /hc:off /m normal /j "DataOnly" /l:s /f "F:\Backup of Data\DataBackup.bkf"" [MS]
    "WGASetup" -> launches: "C:\WINDOWS\system32\KB905474\wgasetup.exe /autoauto" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
    AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
    Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
    SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    PCL hpz3l5jy\Driver = "hpz3l5jy.dll" ["Hewlett-Packard Company"]


    ---------- (launch time: 2009-06-21 19:29:43)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 49 seconds, including 18 seconds for message boxes)
    ===================================

    Here you go.
    Steve
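Added example (not part of Steve's post or the helper's instructions, and not a verdict on this particular log): a short Python script that parses GMER "Reg" lines like the ones above, groups them by the service key they sit under, and flags the three traits that stand out in the ovfsth... entries: a long randomized service name, per-process "injector" values keyed by executable name, and imagepath/modules entries whose filenames are themselves randomized. The sample lines are copied from the GMER output earlier in this post; the thresholds (20 lowercase letters minimum, character entropy above 3.5 bits) and the indicator labels are my own assumptions, and a hit is a triage lead to hand to a helper, not a classification.

```python
import math
import re
from collections import defaultdict

# Constructed sample input for this example: "Reg" lines copied from the GMER
# registry section above. The sptd lines are included as a contrast case that
# should not be flagged by these heuristics.
SAMPLE_GMER = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@imagepath \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{09C632F2-2F51-49E2-9A4C-E0173025E9BC}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dll \systemroot\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
"""

REG_PREFIX = "Reg "
# Service name is the path component right after \Services\; the rest is the subkey.
SERVICE_RE = re.compile(r"\\Services\\([^\\@]+)(.*)$", re.IGNORECASE)
# Assumption: a service or file stem of 20+ lowercase letters with no separators is "randomized".
RANDOM_NAME_RE = re.compile(r"^[a-z]{20,}$")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune against your own logs


def shannon_entropy(s):
    """Bits per character of s; uniformly random lowercase letters approach log2(26), about 4.7."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_reg_line(line):
    """Split a GMER 'Reg <key>[@<value>] [<data>]' line into (key, value_name, data), else None."""
    line = line.strip()
    if not line.startswith(REG_PREFIX):
        return None
    token, _, data = line[len(REG_PREFIX):].partition(" ")  # data may itself contain spaces
    key, _, value = token.partition("@")
    return key, value, data.strip()


def group_by_service(text):
    """Map service name -> list of (subkey, value_name, data), both lowercased for matching."""
    services = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_reg_line(line)
        if parsed is None:
            continue
        key, value, data = parsed
        m = SERVICE_RE.search(key)
        if not m:
            continue
        name, subkey = m.group(1), m.group(2)  # subkey is "" for values on the service key itself
        services[name].append((subkey.lower(), value.lower(), data))
    return services


def assess_service(name, entries):
    """Return the indicator labels that apply to one service key (empty list if none)."""
    indicators = []
    if RANDOM_NAME_RE.match(name) and shannon_entropy(name) > ENTROPY_THRESHOLD:
        indicators.append("randomized service name")
    # Values under an 'injector' subkey named after an executable: a per-process injection map.
    if any(sub.endswith("\\injector") and val.endswith(".exe") for sub, val, _ in entries):
        indicators.append("per-process injector entries")
    # imagepath or modules entries whose file stem is itself a long random string.
    for sub, val, data in entries:
        if sub.endswith("\\modules") or val == "imagepath":
            stem = data.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if RANDOM_NAME_RE.match(stem):
                indicators.append("randomized module filename")
                break
    return indicators


def find_suspicious_services(text):
    """Map service name -> indicators, for every service that triggers at least one."""
    hits = {}
    for name, entries in group_by_service(text).items():
        indicators = assess_service(name, entries)
        if indicators:
            hits[name] = indicators
    return hits


if __name__ == "__main__":
    for name, indicators in find_suspicious_services(SAMPLE_GMER).items():
        print(name, "->", ", ".join(indicators))
```

To run it against a real log, feed the whole GMER text file to find_suspicious_services instead of SAMPLE_GMER; entries that appear under several ControlSetNNN keys are merged under the same service name, which is what you want when judging one service.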
