dxclib303562752.dll removal

[XiKeiyaZI]

Okay.. So.. Someone downloaded a file from Shareaza like a moron on my computer... and opened it. When it did.. It shaded all of my desktop icons and along with that, started loading random pages of advertisements.

I've run AVG, and Lavasoft products.. but dxclib303562752.dll still remains in my system32 folder. It's quite annoying so if someone could please tell me how to rid myself of this, it would be nice.

 

[tashi]

Hello.

You seem to have missed this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance

Run Spybot-S&D in safe mode as explained.

Post the results of the on-line anti virus scan, and the HJT log into this topic, and a helper will advise you as soon as available.

Cheers.

 

[XiKeiyaZI]

Sorry about the original post. I was in such a hurry that I skipped over the rules. Here's what was requested. The Pandasoft Run won't work because it keeps closing IE... Luckily I have firefox... If I get it to work.. I'll post that log shortly.



Logfile of HijackThis v1.99.1
Scan saved at 5:16:40 AM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\XiKeiyaZI\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

 

[XiKeiyaZI]

I actually went in to my startup options and found the delux communications file.. and ceased it from loading on startup. If I run Virus and S&D products after doing this directly after startup, would that rid me of the Delux communications ware that come when I obtained the pesky .dll file which I'm asking for help in removing?

Also, when I ran the pandasoft scan. It found the files, yet it IMEDIATLY closed when it finished scanning. I'm doing something wrong or is this the cause of the infection?

 

[XiKeiyaZI]

I've been waiting 3 days for help, but actually I need to add something else to this.

I got rid of the Deluxe Communications files, yet at the same time... there is something else going on.

When I got the virus/spyware..it messed with my graphics. At one point, I had taken a screen shot to show to a friend, and in the screen shot, I had duel screens. When I restarted, I was missing my windows Task Bar at the bottom. Upon yet ANOTHER restart, it was back.. yet my graphics now are completely faulty and my desktop icons are awkward. They had a black outline to them, now they are blue.

I'm running with an ATI Radeon 9250 PCI version, so the graphics should not be THAT BAD. If you could please help me with this issue, it would be great. I'll post an updated log from Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 9:02:57 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\XBC\neXBC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\XiKeiyaZI\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Reboot.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

 

[Mr_JAk3]

Hello XiKeiyaZI and welcome to the Forums

Sorry for the delay.

I must warn that one or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post:bigthumb:

 

[XiKeiyaZI]

I'd like to go ahead and attempt to clean the PC without reformatting, seeing as how that was just recently done. It's not a problem for bank accounts or passwords because there's not too much that could be harmed.

Thank you for you time.

 

[Mr_JAk3]

I'll be happy to help you

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract All,
• Open the extracted folder and double click RunThis.bat to start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[XiKeiyaZI]

SDFix: Version 1.75

Run by XiKeiyaZI - Fri 03/30/2007 - 22:51:14.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

"" -e mc-110-12-0000140

Client IP-IPX Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\XBC\\neXBC.exe"="C:\\Program Files\\XBC\\neXBC.exe:*:Enabled:XBConnect"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.bits
C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.filelist
C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.seeds
C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.~tmp
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.bits
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.filelist
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.seeds
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.~tmp
C:\WINDOWS\system32\Tools\All.exe
C:\WINDOWS\system32\Tools\Change.exe
C:\WINDOWS\system32\Tools\CheckPath.exe
C:\WINDOWS\system32\Tools\Counter.exe
C:\WINDOWS\system32\Tools\DelFolders.exe
C:\WINDOWS\system32\Tools\DirectSetup.exe
C:\WINDOWS\system32\Tools\RegClean.exe
C:\WINDOWS\system32\Tools\Regexe.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\system32\Tools\RunRegexe.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished



Logfile of HijackThis v1.99.1
Scan saved at 11:02:16 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\XiKeiyaZI\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Reboot.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

 

[XiKeiyaZI]

"XiKeiyaZI" - 07-03-30 23:03:30 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Program Files\Mozilla Firefox"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\DOCUME~1\XIKEIY~1\APPLIC~1\Dxcuknwrd.dll
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{3818D~1\system.dll
C:\Program Files\Common Files\{3818D~2\system.dll
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\Program Files\ipwindows
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{3818D~1
C:\Program Files\Common Files\{3818D~2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\Common Files\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-30 ))))))))))))))))))))))))))))))))))


2007-03-29 06:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-29 06:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-29 06:22 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-25 22:43 <DIR> d-------- C:\WINDOWS\system32\Tools
2007-03-25 22:13 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-03-25 22:13 1,478,656 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-25 22:12 <DIR> d-------- C:\Program Files\ATI Technologies
2007-03-25 21:28 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-25 14:45 <DIR> d-------- C:\WINDOWS\pss
2007-03-25 05:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-25 04:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-03-25 04:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-25 03:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-25 02:44 93,736 --a------ C:\WINDOWS\VTTC.exe
2007-03-25 02:10 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-25 01:48 19,296 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-03-25 01:27 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-25 01:27 41,792 --a------ C:\WINDOWS\system32\nek.exe
2007-03-25 01:27 114 --a------ C:\WINDOWS\system32\hhjj.bat
2007-03-25 01:27 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-03-25 01:26 203,149 --a------ C:\WINDOWS\system32\lo.exe
2007-03-24 21:56 <DIR> d-------- C:\Downloads
2007-03-24 21:50 <DIR> d-------- C:\Program Files\FlashGet
2007-03-24 21:43 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-03-24 21:43 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-03-24 21:43 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-03-24 21:43 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-03-24 21:43 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-03-24 21:43 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-03-24 21:43 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-03-24 21:43 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-03-24 21:43 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-03-24 21:43 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-03-24 21:43 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-03-24 21:42 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-03-24 21:42 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-03-24 21:42 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-03-24 21:41 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-03-24 21:41 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-03-24 21:41 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-03-24 21:41 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-03-24 21:41 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-03-24 21:41 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-03-24 21:01 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-03-24 17:34 <DIR> d-------- C:\SonySupport
2007-03-24 17:34 <DIR> d-------- C:\Program Files\Sony
2007-03-24 15:52 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-03-24 15:52 <DIR> d-------- C:\Program Files\Viewpoint
2007-03-24 15:52 <DIR> d-------- C:\Program Files\AWS
2007-03-24 15:52 <DIR> d-------- C:\Program Files\AOD
2007-03-24 15:52 <DIR> d-------- C:\Program Files\AIM
2007-03-24 15:52 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Aim
2007-03-24 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-03-24 15:41 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\Contacts
2007-03-24 15:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-03-24 12:39 <DIR> d-------- C:\Program Files\XBC
2007-03-24 12:39 <DIR> d-------- C:\Program Files\WinPcap
2007-03-24 11:40 <DIR> d-------- C:\Program Files\Silkroad
2007-03-23 21:34 <DIR> d-------- C:\Program Files\Shareaza
2007-03-23 21:34 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Shareaza
2007-03-23 21:21 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-23 21:21 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-23 21:21 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-23 21:21 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-03-23 21:21 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-03-23 21:21 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-03-23 21:21 <DIR> d-------- C:\Program Files\DivX
2007-03-23 21:21 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\DivX
2007-03-23 17:06 <DIR> d-------- C:\Program Files\World of Warcraft
2007-03-23 16:33 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-03-23 13:41 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-03-23 13:34 <DIR> d-------- C:\Program Files\WinMX
2007-03-23 13:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-23 13:28 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-23 13:21 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\AdobeUM
2007-03-23 13:21 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Adobe
2007-03-16 02:22 <DIR> d-------- C:\Program Files\Eidos Interactive
2007-03-16 01:04 <DIR> d-------- C:\Program Files\Winamp
2007-03-15 22:34 <DIR> d-------- C:\Program Files\Activision
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-14 23:18 <DIR> d-------- C:\Program Files\Bethesda Softworks
2007-03-14 17:56 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-03-05 10:56 <DIR> d-------- C:\Program Files\MSN Messenger
2007-03-02 15:18 <DIR> d--hs---- C:\DOCUME~1\XIKEIY~1\UserData
2007-03-02 15:05 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-02 15:05 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-03-02 15:05 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-03-01 12:54 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-02-28 13:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-02-28 13:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-28 13:56 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Lavasoft
2007-02-28 11:15 <DIR> d--hs---- C:\RECYCLER
2007-02-28 02:01 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-02-28 02:01 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-02-28 02:01 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-02-28 02:01 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-02-28 02:01 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-02-28 02:01 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-02-28 02:01 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-02-28 02:01 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-02-28 02:01 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-02-28 02:01 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-02-28 02:00 917,504 --a------ C:\WINDOWS\system\cmids3d.dll
2007-02-28 02:00 712,704 --a------ C:\WINDOWS\system32\Audio3D.dll
2007-02-28 02:00 712,704 --a------ C:\WINDOWS\system32\a3d.dll
2007-02-28 02:00 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-02-28 02:00 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-02-28 02:00 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-02-28 02:00 32,768 --a------ C:\WINDOWS\system32\udaprop.dll
2007-02-28 02:00 28,672 --a------ C:\WINDOWS\system32\cmirmdrv.dll
2007-02-28 02:00 28,672 --a------ C:\WINDOWS\CMIRmDriver.dll
2007-02-28 02:00 266,240 --a------ C:\WINDOWS\CMIUninstall.exe
2007-02-28 02:00 233,472 --a------ C:\WINDOWS\system32\cmirmdrv.exe
2007-02-28 02:00 225,280 --a------ C:\WINDOWS\CmiRmRedundDir.exe
2007-02-28 02:00 172,032 --a------ C:\WINDOWS\system32\cmuda.dll
2007-02-28 02:00 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-02-28 02:00 1,458,176 --a------ C:\WINDOWS\system\SmWizard.exe
2007-02-28 02:00 1,373,120 --a------ C:\WINDOWS\system32\drivers\cmuda.sys
2007-02-28 02:00 <DIR> d-------- C:\Program Files\C-Media 3D Audio


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-30 22:47 -------- d-------- C:\Program Files\online services
2007-03-30 12:01 -------- d-------- C:\Program Files\messenger
2007-03-25 22:33 -------- d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\ati
2007-03-21 19:33 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-21 19:24 -------- d--h----- C:\Program Files\installshield installation information
2007-02-27 19:32 -------- d-------- C:\Program Files\sis vga utilities v3.74
2007-02-27 19:31 -------- d-------- C:\Program Files\Common Files\installshield
2007-02-27 19:11 98304 --a------ C:\WINDOWS\system32cmdlineext.dll
2007-02-27 17:58 -------- d-------- C:\Program Files\ubisoft
2007-02-27 17:57 -------- d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\installshield
2007-02-27 17:42 0 -rahs---- C:\MSDOS.SYS
2007-02-27 17:42 0 -rahs---- C:\IO.SYS
2007-02-27 17:42 0 --a------ C:\CONFIG.SYS
2007-02-27 17:42 0 --a------ C:\AUTOEXEC.BAT
2007-02-27 17:42 -------- d-------- C:\Program Files\microsoft frontpage
2007-02-27 17:40 -------- d--h----- C:\Program Files\windowsupdate
2007-02-27 17:39 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-02-27 17:39 -------- d-------- C:\Program Files\movie maker
2007-02-27 17:39 -------- d-------- C:\Program Files\Common Files\mssoap
2007-02-27 17:38 -------- d-------- C:\Program Files\msn gaming zone
2007-02-27 17:37 -------- d-------- C:\Program Files\windows nt
2007-02-27 11:06 -------- d-------- C:\Program Files\Common Files\speechengines
2007-02-27 11:06 -------- d-------- C:\Program Files\Common Files\odbc
2007-02-27 11:05 62 --ahs---- C:\DOCUME~1\XIKEIY~1\APPLIC~1\desktop.ini
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-23 04:55 1571001 --a------ C:\WINDOWS\system32\sisgl.dll
2007-01-23 04:39 3514368 --a------ C:\WINDOWS\system32\sisgrv.dll
2007-01-23 04:34 9728 --a------ C:\WINDOWS\system32\sispins2.dll
2007-01-23 04:33 12288 --a------ C:\WINDOWS\instfunc.dll
2007-01-23 04:32 49152 --a------ C:\WINDOWS\system32\sisbase.dll
2007-01-23 04:32 258048 --a------ C:\WINDOWS\system32\sisparse.dll
2007-01-23 04:32 172032 --a------ C:\WINDOWS\system32\sisinst.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Messenger\fsoxynid.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\autorun.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-30 23:05:49

 

[Mr_JAk3]

Hi again, we'll continue

You seem to have this Viewpoint software installed. It has a suspicious reputation and I recommend that you remove it via Control Panel, Add/Remove programs.

You seem to have this WeatherBug software installed. It has a suspicious reputation and I recommend that you remove it via Control Panel, Add/Remove programs.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Uncheck "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

==================

Backup your registry:

• Start
• Run
• Type the following to the box and hit Ok: regedit
• A window opens, click on File
• Choose Export form the menu
• Change the save location to C:\
• Give the filename, RegBackUp
• Make sure that the filetype is set to Registryfiles (*.reg)
• Click on Save and Close the window

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IpWins"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Reboot.exe

Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\VTTC.exe
C:\WINDOWS\system32\nek.exe
C:\WINDOWS\system32\hhjj.bat
C:\WINDOWS\system32\lo.exe
C:\Program Files\Messenger\fsoxynid.html
C:\Program Files\Messenger\bapuzok.dll
C:\Program Files\Online Services\wodeg.dll

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\system32\micro1

Run ATF Cleaner

• Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot in Normal Mode.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

================

When you're ready, please post the following logs to here:
- Kaspersky's report
- a fresh HijackThis log

 

[tashi]

XiKeiyaZI, still with us?

 

[tashi]

Due to lack of a response to helper this topic has been archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.