Google redirected, Spybot and HJT corrupted

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 5.1.2600 Service Pack 3

10/24/2009 6:55:40 PM
mbam-log-2009-10-24 (18-55-40).txt

Scan type: Quick Scan
Objects scanned: 108622
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
 
The RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Philip at 2009-10-24 18:59:16
Microsoft Windows XP Professional Service Pack 3
System drive C: has 834 GB (87%) free of 954 GB
Total RAM: 3582 MB (86% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:22 PM, on 10/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Documents and Settings\Philip\Desktop\RSIT.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\Philip.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7247 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-06-19 570664]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2007-04-09 19968]
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2007-04-09 19456]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-17 2025752]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\Philip\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Dialog Helper.lnk - C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\acaptuser32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-28 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"\\Hipserv\FamilyLibrary\FamilyDocuments\D&D\4e\700_DDI_CB-Beta.exe"="\\Hipserv\FamilyLibrary\FamilyDocuments\D&D\4e\700_DDI_CB-Beta.exe:*:Enabled:DD Insider"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-10-24 18:51:30 ----D---- C:\Documents and Settings\Philip\Application Data\Malwarebytes
2009-10-24 18:51:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-24 18:51:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-24 17:27:19 ----D---- C:\WINDOWS\ie8updates
2009-10-24 16:24:43 ----A---- C:\ComboFix.txt
2009-10-24 16:08:56 ----D---- C:\WINDOWS\temp
2009-10-24 15:23:09 ----A---- C:\Boot.bak
2009-10-24 15:23:03 ----RASHD---- C:\cmdcons
2009-10-24 15:22:03 ----A---- C:\WINDOWS\zip.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\SWSC.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\SWREG.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\sed.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\PEV.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\NIRCMD.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\grep.exe
2009-10-24 15:21:59 ----D---- C:\WINDOWS\ERDNT
2009-10-24 15:19:58 ----AD---- C:\Qoobox
2009-10-23 20:11:10 ----D---- C:\rsit
2009-10-23 16:35:40 ----A---- C:\regkey.txt
2009-10-22 09:59:16 ----D---- C:\Config.Msi
2009-10-21 16:52:51 ----D---- C:\Program Files\Trend Micro
2009-10-21 16:50:49 ----D---- C:\Program Files\ERUNT
2009-10-21 11:19:59 ----A---- C:\WINDOWS\entpack.ini
2009-10-20 13:28:26 ----D---- C:\WINDOWS\CSC
2009-10-20 13:28:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-10-20 12:55:35 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-10-20 12:31:29 ----D---- C:\WINDOWS\pss
2009-10-20 12:24:15 ----D---- C:\Program Files\Windows Live Safety Center
2009-10-20 11:01:20 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-10-20 02:27:51 ----D---- C:\Program Files\Spybot - Search & Destroy.bar
2009-10-20 02:03:08 ----HD---- C:\WINDOWS\PIF
2009-10-20 01:47:03 ----A---- C:\WINDOWS\comp.INI
2009-10-20 01:44:37 ----D---- C:\Program Files\Port80
2009-10-17 16:09:07 ----D---- C:\Documents and Settings\Philip\Application Data\com.fox.dollhouse.VirtualEcho.8DB2FB41E3AF9617470F9C3E78FDAAA51EF66383.1
2009-10-17 16:09:03 ----D---- C:\Program Files\VirtualEcho
2009-10-17 16:09:01 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-10-17 02:00:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-17 02:00:53 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-10-17 02:00:51 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-17 02:00:28 ----D---- C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-10-17 02:00:06 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-17 02:00:02 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-17 01:59:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-17 01:59:16 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-17 01:58:10 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-17 01:58:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-17 01:57:23 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-17 01:57:15 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-10-15 12:25:40 ----D---- C:\bwinPoker
2009-10-14 18:21:55 ----A---- C:\WINDOWS\system32\dbmsqlgc.dll
2009-10-14 18:21:55 ----A---- C:\WINDOWS\system32\dbmsgnet.dll
2009-10-13 23:55:33 ----A---- C:\WINDOWS\system32\insrepim.exe
2009-10-13 23:55:25 ----A---- C:\WINDOWS\system32\mdt2fw95.dll
2009-10-13 23:55:15 ----A---- C:\WINDOWS\system32\dbmslpcn.dll
2009-10-13 23:44:32 ----D---- C:\WINDOWS\Install
2009-10-13 23:41:36 ----D---- C:\WINDOWS\Cluster
2009-10-13 23:21:03 ----A---- C:\WINDOWS\system32\msrpjt40.dll
2009-10-13 23:20:49 ----A---- C:\WINDOWS\system32\ntwdblib.dll
2009-10-13 23:20:47 ----A---- C:\WINDOWS\system32\dbmsshrn.dll
2009-10-13 18:08:12 ----A---- C:\WINDOWS\system32\athprxy.dll
2009-10-13 13:17:38 ----D---- C:\Program Files\Common Files\Merge Modules
2009-10-13 13:16:59 ----D---- C:\Program Files\Microsoft ACT
2009-10-13 13:16:58 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-13 01:11:15 ----HDC---- C:\WINDOWS\$NtUninstallKB970483$
2009-10-13 01:11:12 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2009-10-13 01:05:37 ----A---- C:\WINDOWS\frontpg.ini
2009-10-13 01:03:36 ----D---- C:\WINDOWS\IIS Temporary Compressed Files
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\snprfdll.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\smtpctrs.ini
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\smtpctrs.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\regtrace.exe
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\ntfsdrct.ini
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\fcachdll.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\adsiisex.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3svapi.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3ctrs.ini
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3ctrs.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\axperf.ini
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\aspperf.dll
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\iisrstap.dll
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\iisreset.exe
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\ftpsapi2.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\wamregps.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\inetsloc.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\iismui.dll
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\infoctrs.ini
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\infoctrs.dll
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\convlog.exe
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\admxprox.dll
2009-10-13 00:57:58 ----D---- C:\Program Files\MagicDisc
2009-10-04 00:22:11 ----D---- C:\Program Files\Pappocom
2009-10-04 00:22:05 ----D---- C:\Program Files\Common Files\MimarSinan

======List of files/folders modified in the last 1 months======

2009-10-24 18:59:13 ----D---- C:\WINDOWS\system32\inetsrv
2009-10-24 18:57:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-24 18:57:25 ----A---- C:\WINDOWS\{00000003-00000000-00000007-00001102-00000008-10211102}.BAK
2009-10-24 18:55:40 ----D---- C:\WINDOWS
2009-10-24 18:51:30 ----D---- C:\WINDOWS\Prefetch
2009-10-24 18:51:27 ----D---- C:\WINDOWS\system32\drivers
2009-10-24 18:51:26 ----RD---- C:\Program Files
2009-10-24 18:49:47 ----D---- C:\Program Files\FireFox
2009-10-24 17:34:22 ----D---- C:\WINDOWS\system32
2009-10-24 17:32:24 ----HD---- C:\WINDOWS\inf
2009-10-24 17:32:23 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-24 17:32:23 ----D---- C:\WINDOWS\system32\CatRoot
2009-10-24 17:32:22 ----D---- C:\Program Files\Internet Explorer
2009-10-24 17:32:15 ----D---- C:\WINDOWS\system32\en-us
2009-10-24 17:27:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-24 17:27:10 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-24 16:21:08 ----A---- C:\WINDOWS\system.ini
2009-10-24 16:09:09 ----D---- C:\WINDOWS\system32\config
2009-10-24 16:07:50 ----D---- C:\WINDOWS\AppPatch
2009-10-24 16:07:49 ----D---- C:\Program Files\Common Files
2009-10-24 15:23:09 ----RASH---- C:\boot.ini
2009-10-24 14:52:11 ----D---- C:\WINDOWS\SxsCaPendDel
2009-10-24 14:52:11 ----D---- C:\WINDOWS\Connection Wizard
2009-10-24 14:52:11 ----D---- C:\WINDOWS\Config
2009-10-24 14:52:11 ----D---- C:\WINDOWS\addins
2009-10-23 22:03:03 ----D---- C:\Program Files\PokerStars.NET
2009-10-23 20:26:52 ----SHD---- C:\System Volume Information
2009-10-23 20:26:52 ----D---- C:\WINDOWS\system32\Restore
2009-10-23 20:25:26 ----A---- C:\WINDOWS\win.ini
2009-10-23 11:03:55 ----D---- C:\WINDOWS\Registration
2009-10-22 18:19:14 ----SHD---- C:\WINDOWS\Installer
2009-10-22 18:19:13 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-10-21 16:52:42 ----D---- C:\Downloads
2009-10-21 11:28:21 ----A---- C:\WINDOWS\lviewpro.ini
2009-10-21 11:11:54 ----D---- C:\Documents and Settings
2009-10-20 14:35:53 ----D---- C:\Program Files\Spybot - Search & Destroy.foo
2009-10-20 14:16:17 ----SD---- C:\WINDOWS\Tasks
2009-10-20 12:55:44 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-20 12:24:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-20 11:21:26 ----D---- C:\WINDOWS\Media
2009-10-20 11:21:26 ----D---- C:\WINDOWS\Help
2009-10-20 11:04:07 ----A---- C:\WINDOWS\imsins.BAK
2009-10-20 03:09:32 ----D---- C:\$AVG8.VAULT$
2009-10-17 20:10:20 ----D---- C:\WINSOCK
2009-10-17 16:09:07 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-10-17 16:08:35 ----D---- C:\Documents and Settings\Philip\Application Data\Adobe
2009-10-17 10:06:40 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-17 10:06:39 ----RSD---- C:\WINDOWS\assembly
2009-10-17 02:02:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-17 02:02:27 ----D---- C:\WINDOWS\WinSxS
2009-10-17 01:32:30 ----D---- C:\keep
2009-10-14 13:44:18 ----SD---- C:\Documents and Settings\Philip\Application Data\Microsoft
2009-10-13 23:41:32 ----D---- C:\Program Files\Common Files\System
2009-10-13 23:20:47 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-13 23:20:22 ----HD---- C:\Program Files\Uninstall Information
2009-10-13 16:32:46 ----D---- C:\Program Files\MSDN
2009-10-13 13:16:59 ----D---- C:\Program Files\Microsoft Visual Studio .NET 2003
2009-10-13 00:59:52 ----D---- C:\WINDOWS\security
2009-10-02 11:01:58 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-28 27784]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-04-03 1333152]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 COMMONFX.DLL;COMMONFX.DLL; C:\WINDOWS\system32\COMMONFX.DLL [2007-04-18 98600]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2007-04-10 511272]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2007-04-10 520488]
R3 CTAUDFX.DLL;CTAUDFX.DLL; C:\WINDOWS\system32\CTAUDFX.DLL [2007-04-12 546048]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2007-04-10 14632]
R3 CTSBLFX.DLL;CTSBLFX.DLL; C:\WINDOWS\system32\CTSBLFX.DLL [2007-04-12 560384]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2007-04-10 157480]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2007-04-10 92968]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2007-04-10 797992]
R3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2007-04-10 189736]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2007-04-10 126760]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CT20XUT.DLL;CT20XUT.DLL; C:\WINDOWS\system32\CT20XUT.DLL [2007-04-12 164608]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2007-04-10 347128]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; C:\WINDOWS\system32\CTEAPSFX.DLL [2007-04-12 168192]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; C:\WINDOWS\system32\CTEDSPFX.DLL [2007-04-12 280320]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; C:\WINDOWS\system32\CTEDSPIO.DLL [2007-04-12 128768]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; C:\WINDOWS\system32\CTEDSPSY.DLL [2007-04-12 323328]
S3 CTERFXFX.DLL;CTERFXFX.DLL; C:\WINDOWS\system32\CTERFXFX.DLL [2007-04-12 94976]
S3 CTEXFIFX.DLL;CTEXFIFX.DLL; C:\WINDOWS\system32\CTEXFIFX.DLL [2007-04-12 1317632]
S3 CTHWIUT.DLL;CTHWIUT.DLL; C:\WINDOWS\system32\CTHWIUT.DLL [2007-04-12 66816]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2007-04-10 163112]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-10-11 72704]
S3 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe []
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-01 651720]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MSSQLSERVER;MSSQLSERVER; C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe [2008-12-18 9158656]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-06-24 537896]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe [2005-05-03 323584]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
 
I haven't experienced any further problems with the computer. The SQL Server still isn't running but everything else seems fine.

-Phil
 
Hi. :)

The SQL Server still isn't running but everything else seems fine.
To be quite honest I am far from au fait with this type of software application; my best advice, as mentioned prior, would be to uninstall:-

Microsoft SQL Server 2000

Then re-download/re-install once I give the all clear. The Microsoft webpage below has relevant information about the aforementioned and the download etc. link:-

SQL Server 2000 Solution Center

Overall I do think this is the most prudent course of action as the malware we have been dealing with has undoubtedly corrupted the installation.

Next:

Having older Java installations installed poses a security risk and a means for malware to infect or re-infect a system. The other Java installation you have installed is fine to leave in place.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Java 2 Runtime Environment, SE v1.4.2_17

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Next:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\WINDOWS\SxsCaPendDel

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

F-Secure Blacklight:

Please download Blacklight from here to your desktop.

or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:
"%userprofile%\desktop\fsbl.exe" /expert
Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

Check Hard Disk For Errors:

Press Start->Run, then copy/paste the following command into the box and press OK:
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
A blank command window will open on your desktop, then close in a few minutes. This is normal.
A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and/or problems encountered?
  • Blacklight Log.
  • checkhd.txt.
  • A new RSIT Log.
 
Having uninstalled SQL Server, I've not encountered any other symptoms. Everything appears to be working OK.

-Phil
 
fsbl log:

10/25/09 10:54:31 [Info]: BlackLight Engine 2.2.1092 initialized
10/25/09 10:54:31 [Info]: OS: 5.1 build 2600 (Service Pack 3)
10/25/09 10:54:31 [Note]: 7019 4
10/25/09 10:54:31 [Note]: 7005 0
10/25/09 10:54:38 [Note]: 7006 0
10/25/09 10:54:38 [Note]: 7022 0
10/25/09 10:54:38 [Note]: 7011 1888
10/25/09 10:54:38 [Note]: 7035 0
10/25/09 10:54:38 [Note]: 7026 0
10/25/09 10:54:38 [Note]: 7026 0
10/25/09 10:54:38 [Note]: FSRAW library version 1.7.1024
10/25/09 11:16:03 [Note]: 7007 0
 
checkhd.txt:

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...

Errors found. CHKDSK cannot continue in read-only mode.
 
RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Philip at 2009-10-25 11:23:40
Microsoft Windows XP Professional Service Pack 3
System drive C: has 835 GB (87%) free of 954 GB
Total RAM: 3582 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:45 AM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINSOCK\winpmail\winpm-32.exe
C:\Program Files\FireFox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Philip\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Philip.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe (file missing)

--
End of file - 7687 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-06-19 570664]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2007-04-09 19968]
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2007-04-09 19456]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-17 2025752]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\Philip\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Dialog Helper.lnk - C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\acaptuser32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-28 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"\\Hipserv\FamilyLibrary\FamilyDocuments\D&D\4e\700_DDI_CB-Beta.exe"="\\Hipserv\FamilyLibrary\FamilyDocuments\D&D\4e\700_DDI_CB-Beta.exe:*:Enabled:DD Insider"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-10-25 10:46:24 ----D---- C:\WINDOWS\system32\appmgmt
2009-10-24 18:51:30 ----D---- C:\Documents and Settings\Philip\Application Data\Malwarebytes
2009-10-24 18:51:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-24 18:51:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-24 17:27:19 ----D---- C:\WINDOWS\ie8updates
2009-10-24 16:24:43 ----A---- C:\ComboFix.txt
2009-10-24 16:08:56 ----D---- C:\WINDOWS\temp
2009-10-24 15:23:09 ----A---- C:\Boot.bak
2009-10-24 15:23:03 ----RASHD---- C:\cmdcons
2009-10-24 15:22:03 ----A---- C:\WINDOWS\zip.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\SWSC.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\SWREG.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\sed.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\PEV.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\NIRCMD.exe
2009-10-24 15:22:03 ----A---- C:\WINDOWS\grep.exe
2009-10-24 15:21:59 ----D---- C:\WINDOWS\ERDNT
2009-10-24 15:19:58 ----AD---- C:\Qoobox
2009-10-23 20:11:10 ----D---- C:\rsit
2009-10-23 16:35:40 ----A---- C:\regkey.txt
2009-10-21 16:52:51 ----D---- C:\Program Files\Trend Micro
2009-10-21 16:50:49 ----D---- C:\Program Files\ERUNT
2009-10-21 11:19:59 ----A---- C:\WINDOWS\entpack.ini
2009-10-20 13:28:26 ----D---- C:\WINDOWS\CSC
2009-10-20 13:28:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-10-20 12:55:35 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-10-20 12:31:29 ----D---- C:\WINDOWS\pss
2009-10-20 12:24:15 ----D---- C:\Program Files\Windows Live Safety Center
2009-10-20 11:01:20 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-10-20 02:27:51 ----D---- C:\Program Files\Spybot - Search & Destroy.bar
2009-10-20 02:03:08 ----HD---- C:\WINDOWS\PIF
2009-10-20 01:47:03 ----A---- C:\WINDOWS\comp.INI
2009-10-20 01:44:37 ----D---- C:\Program Files\Port80
2009-10-17 16:09:07 ----D---- C:\Documents and Settings\Philip\Application Data\com.fox.dollhouse.VirtualEcho.8DB2FB41E3AF9617470F9C3E78FDAAA51EF66383.1
2009-10-17 16:09:03 ----D---- C:\Program Files\VirtualEcho
2009-10-17 16:09:01 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-10-17 02:00:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-17 02:00:53 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-10-17 02:00:51 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-17 02:00:28 ----D---- C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-10-17 02:00:06 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-17 02:00:02 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-17 01:59:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-17 01:59:16 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-17 01:58:10 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-17 01:58:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-17 01:57:23 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-17 01:57:15 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-10-15 12:25:40 ----D---- C:\bwinPoker
2009-10-14 18:21:55 ----A---- C:\WINDOWS\system32\dbmsqlgc.dll
2009-10-14 18:21:55 ----A---- C:\WINDOWS\system32\dbmsgnet.dll
2009-10-13 23:44:32 ----D---- C:\WINDOWS\Install
2009-10-13 23:41:36 ----D---- C:\WINDOWS\Cluster
2009-10-13 23:21:03 ----A---- C:\WINDOWS\system32\msrpjt40.dll
2009-10-13 23:20:49 ----A---- C:\WINDOWS\system32\ntwdblib.dll
2009-10-13 23:20:47 ----A---- C:\WINDOWS\system32\dbmsshrn.dll
2009-10-13 18:08:12 ----A---- C:\WINDOWS\system32\athprxy.dll
2009-10-13 13:17:38 ----D---- C:\Program Files\Common Files\Merge Modules
2009-10-13 13:16:59 ----D---- C:\Program Files\Microsoft ACT
2009-10-13 13:16:58 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-13 01:11:15 ----HDC---- C:\WINDOWS\$NtUninstallKB970483$
2009-10-13 01:11:12 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2009-10-13 01:05:37 ----A---- C:\WINDOWS\frontpg.ini
2009-10-13 01:03:36 ----D---- C:\WINDOWS\IIS Temporary Compressed Files
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\snprfdll.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\smtpctrs.ini
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\smtpctrs.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\regtrace.exe
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\ntfsdrct.ini
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\fcachdll.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\adsiisex.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3svapi.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3ctrs.ini
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3ctrs.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\axperf.ini
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\aspperf.dll
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\iisrstap.dll
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\iisreset.exe
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\ftpsapi2.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\wamregps.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\inetsloc.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\iismui.dll
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\infoctrs.ini
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\infoctrs.dll
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\convlog.exe
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\admxprox.dll
2009-10-13 00:57:58 ----D---- C:\Program Files\MagicDisc
2009-10-04 00:22:11 ----D---- C:\Program Files\Pappocom
2009-10-04 00:22:05 ----D---- C:\Program Files\Common Files\MimarSinan

======List of files/folders modified in the last 1 months======

2009-10-25 11:16:32 ----D---- C:\WINDOWS\Prefetch
2009-10-25 10:56:24 ----D---- C:\WINDOWS\system32\inetsrv
2009-10-25 10:52:34 ----D---- C:\Program Files\FireFox
2009-10-25 10:52:13 ----D---- C:\WINDOWS
2009-10-25 10:50:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-25 10:50:23 ----D---- C:\WINDOWS\system32
2009-10-25 10:48:54 ----RD---- C:\Program Files
2009-10-25 10:46:24 ----SHD---- C:\WINDOWS\Installer
2009-10-25 10:46:22 ----D---- C:\Program Files\Java
2009-10-25 01:18:44 ----N---- C:\WINDOWS\{00000003-00000000-00000007-00001102-00000008-10211102}.BAK
2009-10-25 00:00:00 ----D---- C:\Program Files\PokerStars.NET
2009-10-24 18:51:27 ----D---- C:\WINDOWS\system32\drivers
2009-10-24 17:32:24 ----HD---- C:\WINDOWS\inf
2009-10-24 17:32:23 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-24 17:32:23 ----D---- C:\WINDOWS\system32\CatRoot
2009-10-24 17:32:22 ----D---- C:\Program Files\Internet Explorer
2009-10-24 17:32:15 ----D---- C:\WINDOWS\system32\en-us
2009-10-24 17:27:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-24 17:27:10 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-24 16:21:08 ----A---- C:\WINDOWS\system.ini
2009-10-24 16:09:09 ----D---- C:\WINDOWS\system32\config
2009-10-24 16:07:50 ----D---- C:\WINDOWS\AppPatch
2009-10-24 16:07:49 ----D---- C:\Program Files\Common Files
2009-10-24 15:23:09 ----RASH---- C:\boot.ini
2009-10-24 14:52:11 ----D---- C:\WINDOWS\Connection Wizard
2009-10-24 14:52:11 ----D---- C:\WINDOWS\Config
2009-10-24 14:52:11 ----D---- C:\WINDOWS\addins
2009-10-23 20:26:52 ----SHD---- C:\System Volume Information
2009-10-23 20:26:52 ----D---- C:\WINDOWS\system32\Restore
2009-10-23 20:25:26 ----A---- C:\WINDOWS\win.ini
2009-10-23 11:03:55 ----D---- C:\WINDOWS\Registration
2009-10-22 18:19:13 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-10-21 16:52:42 ----D---- C:\Downloads
2009-10-21 11:28:21 ----A---- C:\WINDOWS\lviewpro.ini
2009-10-21 11:11:54 ----D---- C:\Documents and Settings
2009-10-20 14:35:53 ----D---- C:\Program Files\Spybot - Search & Destroy.foo
2009-10-20 14:16:17 ----SD---- C:\WINDOWS\Tasks
2009-10-20 12:55:44 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-20 12:24:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-20 11:21:26 ----D---- C:\WINDOWS\Media
2009-10-20 11:21:26 ----D---- C:\WINDOWS\Help
2009-10-20 11:04:07 ----A---- C:\WINDOWS\imsins.BAK
2009-10-20 03:09:32 ----D---- C:\$AVG8.VAULT$
2009-10-17 20:10:20 ----D---- C:\WINSOCK
2009-10-17 16:09:07 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-10-17 16:08:35 ----D---- C:\Documents and Settings\Philip\Application Data\Adobe
2009-10-17 10:06:40 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-17 10:06:39 ----RSD---- C:\WINDOWS\assembly
2009-10-17 02:02:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-17 02:02:27 ----D---- C:\WINDOWS\WinSxS
2009-10-17 01:32:30 ----D---- C:\keep
2009-10-14 13:44:18 ----SD---- C:\Documents and Settings\Philip\Application Data\Microsoft
2009-10-13 23:41:32 ----D---- C:\Program Files\Common Files\System
2009-10-13 23:20:47 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-13 23:20:22 ----HD---- C:\Program Files\Uninstall Information
2009-10-13 16:32:46 ----D---- C:\Program Files\MSDN
2009-10-13 13:16:59 ----D---- C:\Program Files\Microsoft Visual Studio .NET 2003
2009-10-13 00:59:52 ----D---- C:\WINDOWS\security
2009-10-02 11:01:58 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-28 27784]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-04-03 1333152]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 COMMONFX.DLL;COMMONFX.DLL; C:\WINDOWS\system32\COMMONFX.DLL [2007-04-18 98600]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2007-04-10 511272]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2007-04-10 520488]
R3 CTAUDFX.DLL;CTAUDFX.DLL; C:\WINDOWS\system32\CTAUDFX.DLL [2007-04-12 546048]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2007-04-10 14632]
R3 CTSBLFX.DLL;CTSBLFX.DLL; C:\WINDOWS\system32\CTSBLFX.DLL [2007-04-12 560384]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2007-04-10 157480]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2007-04-10 92968]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2007-04-10 797992]
R3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2007-04-10 189736]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2007-04-10 126760]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CT20XUT.DLL;CT20XUT.DLL; C:\WINDOWS\system32\CT20XUT.DLL [2007-04-12 164608]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2007-04-10 347128]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; C:\WINDOWS\system32\CTEAPSFX.DLL [2007-04-12 168192]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; C:\WINDOWS\system32\CTEDSPFX.DLL [2007-04-12 280320]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; C:\WINDOWS\system32\CTEDSPIO.DLL [2007-04-12 128768]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; C:\WINDOWS\system32\CTEDSPSY.DLL [2007-04-12 323328]
S3 CTERFXFX.DLL;CTERFXFX.DLL; C:\WINDOWS\system32\CTERFXFX.DLL [2007-04-12 94976]
S3 CTEXFIFX.DLL;CTEXFIFX.DLL; C:\WINDOWS\system32\CTEXFIFX.DLL [2007-04-12 1317632]
S3 CTHWIUT.DLL;CTHWIUT.DLL; C:\WINDOWS\system32\CTHWIUT.DLL [2007-04-12 66816]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2007-04-10 163112]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-10-11 72704]
S3 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe []
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-01 651720]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MSSQLSERVER;MSSQLSERVER; C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe []
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-06-24 537896]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe -i MSSQLSERVER []
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
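The three O23 entries in the RSIT log above that end in "(file missing)" are services whose registered binary no longer exists on disk (here the leftover SQL Server services). As an added example, not part of this thread and not code from the RSIT or HijackThis tools, the Python below pulls O23 service entries out of an HJT-style log, flags the orphaned ones and the ones whose binary carries no company name ("Unknown owner"), and turns the orphans into the same SC Stop/SC Delete pairs a cleanup batch file would use. The sample log lines are constructed from the format seen above.

```python
import re

# Constructed sample in the HijackThis O23 format (plus one non-O23 line to be ignored).
SAMPLE_LOG = """\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\\Program Files\\Canon\\CAL\\CALMAIN.exe (file missing)
O23 - Service: MSSQLSERVER - Unknown owner - C:\\PROGRA~1\\MI6841~1\\MSSQL\\binn\\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\\Program Files\\CyberLink\\Shared Files\\RichVideo.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\\Program Files\\Microsoft SQL Server\\MSSQL\\binn\\sqlagent.exe (file missing)
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
"""

# "O23 - Service: <display> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# HJT appends the short service name in parentheses when it differs from the display name;
# take the last parenthesised group so "Service(CRVS) (RichVideo)" yields "RichVideo".
NAME_RE = re.compile(r"\(([^()]+)\)\s*$")


def parse_services(log_text):
    """Return one dict per O23 line: name, display, owner, path, file_missing."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display = m.group("display")
        n = NAME_RE.search(display)
        services.append({
            "name": n.group(1) if n else display,
            "display": display,
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return services


def triage(services):
    """List (service name, reasons) for entries a reviewer should look at."""
    flagged = []
    for s in services:
        reasons = []
        if s["file_missing"]:
            reasons.append("binary missing")
        if s["owner"] == "Unknown owner":
            reasons.append("no company name in version info")
        if reasons:
            flagged.append((s["name"], reasons))
    return flagged


def orphan_cleanup_commands(services):
    """SC commands to remove only services whose binary is gone (orphaned entries).

    Entries that merely lack a company name are left alone: that needs a human decision.
    """
    cmds = []
    for s in services:
        if s["file_missing"]:
            cmds.append("SC Stop %s" % s["name"])
            cmds.append("SC Delete %s" % s["name"])
    return cmds


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    for name, reasons in triage(svcs):
        print("%-16s %s" % (name, "; ".join(reasons)))
    print("\n".join(orphan_cleanup_commands(svcs)))
```

Running the block against a real RSIT/HJT log is a matter of reading the file into `parse_services` in place of `SAMPLE_LOG`; the triage list is a reading aid for the person reviewing the log, and the generated commands correspond to the two services the batch file in this thread removes.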
 
Hi. :)

Custom Batch File:
  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <-- Start >> Run... type in notepad and select OK
Code:
@Echo off
SC Stop MSSQLSERVER
SC Delete MSSQLSERVER
SC Stop SQLSERVERAGENT
SC Delete SQLSERVERAGENT
Del %0
  • Go to File >> Save As
  • Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this:
    Dakeyras.jpg
Now double click on the desktop Dakeyras.bat to run the batch file. It will self-delete when completed.

Hard-Drive Maintenance/Repair:

Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.
  • Click Start >> Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in DEFRAG C: -F
  • An Analysis report will be displayed and then Windows will start the Defragmentation run automatically.
  • This may take some time, when completed the Command Prompt C:\ > will appear.
  • Now type in CHKDSK C: /R and hit the Enter/Return key.
  • When prompted with:
CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)
  • Hit the Y key, then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot (Restart) your computer.
Note: Upon Reboot (Restart) the CHKDSK (check-disk) will start and carry out the repairs required.

You should see a screen like this just after the POST (power-on self-test) screen:

ChkDsk01.png


Note: Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be cancelled and your computer will continue to boot-up as normal.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on:
    EOLS1.gif

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  1. Scan for potentially unwanted applications
  2. Scan for potentially unsafe applications
  3. Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
When completed the above, please post back the following:
  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • ESET Log.
  • A new HijackThis Log.
 
ESET log:
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=12256042c782fb4798ce8683d614b372
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-26 09:30:38
# local_time=2009-10-26 05:30:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 83 93 4122749062500
# scanned=566218
# found=11
# cleaned=0
# scan_time=7500
C:\Downloads\Nero 8 Ultra Edition 8.3.6.0\Setup.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan 00000000000000000000000000000000 I
F:\dnload\gPhotoShow.exe multiple threats 00000000000000000000000000000000 I
H:\MS Office\Templates\D2HUTIL7.DOC probably unknown POLY.CRYPT.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_IN.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_NORM.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_INSD.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_SIDE.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_INSM.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_SMAL.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
H:\MS Office\Templates\D2H_HELP.DOT probably unknown CRYPT.COMPANION.MACRO virus 00000000000000000000000000000000 I
 
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:24 AM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINSOCK\winpmail\winpm-32.exe
C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FireFox\firefox.exe
C:\Program Files\Avanquest\PowerDesk\PDExplo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7458 bytes
 
Hi. :)

Do you recognise the below files at all? Did you create them yourself and/or get them from another source?

H:\MS Office\Templates\D2HUTIL7.DOC
H:\MS Office\Templates\D2H_IN.DOT
H:\MS Office\Templates\D2H_NORM.DOT
H:\MS Office\Templates\D2H_INSD.DOT
H:\MS Office\Templates\D2H_SIDE.DOT
H:\MS Office\Templates\D2H_INSM.DOT
H:\MS Office\Templates\D2H_SMAL.DOT
H:\MS Office\Templates\D2H_HELP.DOT
 
I believe those files came from Doc2Help, an old utility for converting Word documents into Windows help files.

I have no need of them any more as I have long since uninstalled both Doc2Help and the version of MSOffice that was on what is now my H drive. These are just files left behind by the uninstall process.

-Phil
 
Hi. :)

OK, fair enough; it would be prudent to remove them and run one last specific check at the same time. The tool we are going to use for this will also assist with removing the applications we have used during the malware removal process later on.

Next:

Please download OTM to your Desktop.
  • Double-click OTM to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
Code:
:Processes

:Files
H:\MS Office\Templates\D2HUTIL7.DOC
H:\MS Office\Templates\D2H_IN.DOT
H:\MS Office\Templates\D2H_NORM.DOT
H:\MS Office\Templates\D2H_INSD.DOT 
H:\MS Office\Templates\D2H_SIDE.DOT 
H:\MS Office\Templates\D2H_INSM.DOT 
H:\MS Office\Templates\D2H_SMAL.DOT 
H:\MS Office\Templates\D2H_HELP.DOT 

:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform a Quick Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following:
  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • OTM Log.
  • Malwarebytes Anti-Malware Log.
  • A new HijackThis Log.
 
OTM log:


All processes killed
========== PROCESSES ==========
========== FILES ==========
H:\MS Office\Templates\D2HUTIL7.DOC moved successfully.
H:\MS Office\Templates\D2H_IN.DOT moved successfully.
H:\MS Office\Templates\D2H_NORM.DOT moved successfully.
H:\MS Office\Templates\D2H_INSD.DOT moved successfully.
H:\MS Office\Templates\D2H_SIDE.DOT moved successfully.
H:\MS Office\Templates\D2H_INSM.DOT moved successfully.
H:\MS Office\Templates\D2H_SMAL.DOT moved successfully.
H:\MS Office\Templates\D2H_HELP.DOT moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: OWNER-B459ED82B

User: Philip
->Temp folder emptied: 25244 bytes
->Temporary Internet Files folder emptied: 1381201 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86279768 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_844.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 83.70 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10262009_162231

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_844.dat not found!

Registry entries deleted on Reboot...
 
MBAM log:


Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 5.1.2600 Service Pack 3

10/26/2009 4:29:46 PM
mbam-log-2009-10-26 (16-29-46).txt

Scan type: Quick Scan
Objects scanned: 108635
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:28 PM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\notepad.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FireFox\firefox.exe
C:\WINSOCK\winpmail\winpm-32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7638 bytes
 
Hi. :)

Congratulations, your computer now appears to be malware-free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you to read both of the below-listed topics, as this will go a long way towards keeping your computer performing well.

Help! My computer is slow!

Also see this:

What to do if your Computer is running slowly

Uninstall ComboFix:
  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the Run box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png
Clean up with OTM:
  • Double-click OTM to start the program.
  • Close all other programs apart from OTM, as this step will require a reboot.
  • On the OTM main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you to keep it installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed security application, AVG 8, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you to also run a complete scan with this once per week.

Erunt:

Emergency Recovery Utility NT. I advise you to keep this installed as a means of keeping a complete backup of your registry and restoring it when needed.

Myself, I would actually create a new backup once per week, as this, along with System Restore, may prove invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

Be careful when opening attachments and downloading files:
  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.
Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly free software, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice: avoid these types of software applications.

Advised Optional Installation:

There is no sign of a software firewall installed on your system. Regardless of whether you use a hardware type and/or the inbuilt Windows Service Pack 3 firewall, this is a necessary application, as it will also provide outbound protection, whereas the aforementioned do not.

I highly advise you download ONE of the following firewalls and install it. Restart the computer for changes to take effect.
This article is an excellent resource regarding the aforementioned firewalls: Understanding and Using Firewalls

Finally, an educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place?

Any questions? Feel free to ask, if not stay safe!
 