Win32.VB.PW, Win32.Delf.uv & Hupigon13

[griepe]

Unable to remove them even after several attempts in safe mode and auto-scan at startup even after updating Spybot to 1.6.
Win32.Delf.uv will always be referenced as successfully fixed(although it comes back next reboot), but the other two just won't go.
Used the fix command to rid of remnants of wmsncs.exe which should have been fixed prior to current infection.

Help is greatly appriciated as the dangers posed by these are kind of hindering me from getting work done.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:35 PM, on 10/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINNT\system32\Pen_Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F1B507-3874-4BA5-B92B-4DC1967918F8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F7259-8C34-473D-9F1D-882AF088270C}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF96049E-48D2-4E0A-B064-5A9A5A418241}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINNT\system32\Pen_Tablet.exe

--
End of file - 5737 bytes

 

[katana]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Download and Run RSIT

• Please download Random's System Information Tool by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  • log.txt will be opened maximized.
  • info.txt will be opened minimized.
• Please post the contents of both log.txt and info.txt.

 

[griepe]

Here they are-

-----------------------------------------

Logfile of random's system information tool 1.04 (written by random/random)
Run by nine at 2008-10-25 03:03:56
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 1 GB (6%) free of 23 GB
Total RAM: 1023 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:07 AM, on 10/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINNT\system32\Pen_Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nine\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\nine.exe

F2 - REG:system.ini: Shell=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F1B507-3874-4BA5-B92B-4DC1967918F8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F7259-8C34-473D-9F1D-882AF088270C}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF96049E-48D2-4E0A-B064-5A9A5A418241}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINNT\system32\Pen_Tablet.exe

--
End of file - 6585 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
IeCatch2 Class - C:\PROGRA~1\FLASHGET\jccatch.dll [2002-01-16 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - @msdxmLC.dll,-1@1033,&Radio - C:\WINNT\system32\msdxm.ocx [2005-03-31 844560]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FLASHGET\fgiebar.dll [2002-05-27 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-18 590848]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"SoundMan"=C:\WINNT\SOUNDMAN.EXE [2005-06-20 77824]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"ZTE ADSL"= []
"NvCplDaemon"=C:\WINNT\system32\NvCpl.dll [2007-11-07 8523776]
"@OnlineArmor GUI"=C:\Program Files\Tall Emu\Online Armor\oaui.exe [2008-10-07 6223048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-11-16 139264]
"internat.exe"=C:\WINNT\system32\internat.exe [2003-07-04 20752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E60A0B68-2F3C-A1D2-A901-9381E136D21A}"= []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RemoteAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RemoteAccess]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-10-25 02:59:17 ----D---- C:\rsit
2008-10-25 00:10:15 ----A---- C:\WINNT\system32\javaws.exe
2008-10-25 00:10:15 ----A---- C:\WINNT\system32\javaw.exe
2008-10-25 00:10:15 ----A---- C:\WINNT\system32\java.exe
2008-10-24 14:05:53 ----HD---- C:\WINNT\$NtUninstallKB958644$
2008-10-22 22:11:42 ----D---- C:\[Nipponsei] Toradora! OP Single - Pre-Parade [Various]
2008-10-21 04:02:04 ----D---- C:\Program Files\Tall Emu
2008-10-21 04:01:15 ----D---- C:\OnlineArmor
2008-10-20 05:34:45 ----D---- C:\Program Files\Trend Micro
2008-10-19 23:33:06 ----D---- C:\WINNT\system32\rocket
2008-10-19 23:33:05 ----D---- C:\WINNT\system32\rpcproxy
2008-10-19 23:33:05 ----D---- C:\WINNT\system32\inetsrv
2008-10-18 20:17:40 ----D---- C:\WINNT\system32\34566
2008-10-18 04:05:16 ----D---- C:\[Nipponsei] Yozakura Quartet OP Single - JUST TUNE [savage genius]
2008-10-18 01:41:56 ----A---- C:\WINNT\system32\NETAPI32.DLL
2008-10-16 17:24:20 ----HD---- C:\WINNT\$NtUninstallKB922582$
2008-10-16 13:19:48 ----A---- C:\WINNT\ntbtlog.txt
2008-10-16 11:46:06 ----A---- C:\WINNT\system32\MRT.exe
2008-10-16 11:44:17 ----D---- C:\WINNT\system32\Windows Media
2008-10-16 11:43:49 ----D---- C:\WINNT\msiinst.tmp
2008-10-16 11:39:47 ----D---- C:\WINNT\mui
2008-10-16 11:39:08 ----A---- C:\WINNT\system32\spupdsvc.exe
2008-10-16 11:37:46 ----A---- C:\WINNT\system32\wmpns.dll
2008-10-15 17:19:33 ----A---- C:\WINNT\updcustom.dll.log
2008-10-15 14:28:26 ----D---- C:\WINNT\system32\BITS
2008-10-15 13:36:48 ----D---- C:\Program Files\ZTE
2008-10-15 13:25:15 ----A---- C:\WINNT\ModemLog_Standard 56000 bps K56Flex Modem.txt
2008-10-05 16:19:21 ----A---- C:\WINNT\YAN2.INI

======List of files/folders modified in the last 1 months======

2008-10-25 01:33:48 ----A---- C:\WINNT\NeroDigital.ini
2008-10-20 19:11:58 ----A---- C:\WINNT\SchedLgU.Txt
2008-10-16 17:24:26 ----A---- C:\WINNT\imsins.BAK
2008-10-15 13:24:38 ----A---- C:\WINNT\ModemDet.txt
2008-10-05 15:53:48 ----A---- C:\WINNT\Wininit.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7RsW;AVG7 Wrap Driver; C:\WINNT\System32\Drivers\avg7rsw.sys [2007-11-25 4224]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2007-11-26 58000]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2007-11-26 23420]
R1 FsVga;FsVga; C:\WINNT\system32\DRIVERS\fsvga.sys [2003-07-04 12368]
R1 OADevice;OADriver; \??\C:\WINNT\system32\drivers\OADriver.sys []
R1 OAmon;OAmon; \??\C:\WINNT\system32\drivers\OAmon.sys []
R1 OAnet;OAnet; \??\C:\WINNT\system32\drivers\OAnet.sys []
R1 SiSkp;SiSkp; C:\WINNT\system32\DRIVERS\srvkp.sys [2006-06-22 11264]
R1 VIAPFD;VIAPFD; C:\WINNT\System32\Drivers\VIAPFD.SYS [2001-05-04 3033]
R2 AvgTdi;AVG Network Redirector; C:\WINNT\System32\Drivers\avgtdi.sys [2007-11-25 4960]
R2 hidusb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2003-07-04 13904]
R2 SecDrv;SecDrv; \??\C:\WINNT\system32\drivers\SECDRV.SYS []
R2 SetupNT;SetupNT; C:\WINNT\system32\SetupNT.sys [2000-10-25 3000]
R3 cmuda;C-Media WDM Audio Interface; C:\WINNT\system32\drivers\cmuda.sys [2003-10-17 754560]
R3 dtscsi;dtscsi; C:\WINNT\System32\Drivers\dtscsi.sys [2008-08-23 223128]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter; C:\WINNT\system32\DRIVERS\lne100v5.sys [2001-04-02 36013]
R3 mouhid;Mouse HID Driver; C:\WINNT\system32\DRIVERS\mouhid.sys [2003-07-04 11632]
R3 nv;nv; C:\WINNT\system32\DRIVERS\nv4_mini.sys [2007-11-07 7429088]
R3 openhci;Microsoft USB Open Host Controller Driver; C:\WINNT\system32\DRIVERS\openhci.sys [2003-07-04 24784]
R3 PSched;QoS Packet Scheduler; C:\WINNT\system32\DRIVERS\psched.sys [2003-07-04 60496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\System32\Drivers\RootMdm.sys [2003-07-04 6032]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2002-04-23 19216]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\system32\DRIVERS\usbhub.sys [2003-07-04 40176]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S2 pvopstrr;pvopstrr; \??\C:\WINNT\system32\drivers\pvopstrr.sys []
S3 ADM9X;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINNT\system32\DRIVERS\ADM9X.sys [2001-10-25 35968]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINNT\system32\drivers\ALCXWDM.SYS [2005-06-20 2324480]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 GMSIPCI;GMSIPCI; \??\H:\INSTALL\GMSIPCI.SYS []
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 SiS315;SiS315; C:\WINNT\system32\DRIVERS\sisgrp.sys [2006-06-22 427776]
S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINNT\system32\DRIVERS\sisnic.sys [2002-08-02 35427]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\system32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\system32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 viafilter;VIA USB Filter; C:\WINNT\System32\Drivers\viausb.sys [2005-03-23 9038]
S3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINNT\System32\Drivers\vulfnth.sys [2006-06-22 6912]
S3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINNT\System32\Drivers\vulfntr.sys [2006-06-22 10496]
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-11-25 418816]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-21 406528]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINNT\system32\nvsvc32.exe [2007-11-07 155716]
R2 OAcat;Online Armor Helper Service; C:\Program Files\Tall Emu\Online Armor\oacat.exe [2008-10-07 1402568]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-29 275968]
R2 TabletServicePen;TabletServicePen; C:\WINNT\system32\Pen_Tablet.exe [2007-09-08 1373480]

-----------------EOF-----------------




info.txt logfile of random's system information tool 1.04 2008-10-25 02:59:34

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x11 -uninst
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
ACDSee 10 Photo Manager-->MsiExec.exe /I{F8B98EB6-FC06-45BF-87D4-9784E0408611}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0-->C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Anathema 1.3-->C:\Program Files\Anathema\uninstall.exe
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BattleMoonWars銀 第四部-->C:\WINNT\eiunin21.exe "C:\Program Files\Werk\BMW\install3.DAT"
BitComet 0.70-->C:\Program Files\BitComet\uninst.exe
C-Media 3D Audio-->C:\WINNT\CMIUnInstall.exe
C-Media WDM Audio Driver-->C:\WINNT\system32\cmirmdrv.exe
Combined Community Codec Pack 2006-07-28 (Remove Only)-->C:\Program Files\Combined Community Codec Pack\Uninstall.exe
DivX Player-->C:\WINNT\unvise32.exe C:\Program Files\DivX\DivX Player\uninstal.log
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FlashGet(JetCar)-->C:\PROGRA~1\FLASHGET\UNWISE.EXE C:\PROGRA~1\FLASHGET\INSTALL.LOG
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Macromedia Dreamweaver MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Flash MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
ML-2150 Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E3114A-CA9F-481A-94FD-41346EDE67CF}\setup.exe"
Nero 7 Essentials-->MsiExec.exe /I{F87DA817-8D53-42CC-AA45-93A100341033}
NVIDIA Drivers-->C:\WINNT\system32\nvudisp.exe UninstallGUI
Online Armor 3.0-->"C:\Program Files\Tall Emu\Online Armor\unins000.exe"
Pen Tablet-->C:\Program Files\Tablet\Pen\Remove.exe /u
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x11 -removeonly
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE
Remove DivX Codec-->C:\WINNT\unvise32.exe C:\Program Files\DivX\DivX Codec\UninstalDivXCodec.log
SiS 900 PCI Fast Ethernet Adapter Driver-->C:\Progra~1\SiSLan\Uninst.exe
Sonic Foundry Sound Forge 6.0-->MsiExec.exe /I{62FC357F-022B-4F90-9376-7A0DF9FBE7A1}
Spybot - Search & Destroy 1.5.2.20-->"C:\WINNT\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
VideoLAN VLC media player 0.8.6b-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp3 (remove only)-->C:\Program Files\Winamp3\uninst-wa3.EXE
Windows 2000 Hotfix - KB922582-->"C:\WINNT\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB958644-->"C:\WINNT\$NtUninstallKB958644$\spuninst\spuninst.exe"
Windows Media Player system update (9 Series)-->C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD MPEG-4 Codec-->"C:\Program Files\XviD\UninstXviD.exe"
ZTE ADSL Dialer 1.0g_MY-->"C:\Program Files\ZTE\ADSLDIAL\unins000.exe"
東方緋想天-->"C:\Program Files\tasofro\th105\unins000.exe"

=====HijackThis Backups=====

O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: cdo - >00

Hosts File Missing

 

[katana]

REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet 0.70

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

Post back a new HijackThis, so we can continue cleaning your pc.





Installed Programs

Please could you give me a list of the programs that are installed.

• Start HijackThis
• Click on the Misc Tools button
• Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

 

[griepe]

The following error showed up when trying to access Add/Remove Programs, but BitComet was uninstalled with its own uninstall command.




Uninstall list (the first one is most likely this: 東方緋想天)
-------------

“??u”e‘z“V
7-Zip 4.57
ACDSee 10 Photo Manager
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 9
Anathema 1.3
AVG 7.5
BattleMoonWars?a ‘a?l?”
C-Media 3D Audio
C-Media WDM Audio Driver
Combined Community Codec Pack 2006-07-28 (Remove Only)
DivX Player
DivX Web Player
FlashGet(JetCar)
HijackThis 2.0.2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX
Microsoft Office XP Professional with FrontPage
mIRC
ML-2150 Series
Nero 7 Essentials
NVIDIA Drivers
Online Armor 3.0
Pen Tablet
RealPlayer
Realtek AC'97 Audio
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
Remove DivX Codec
SiS 900 PCI Fast Ethernet Adapter Driver
Sonic Foundry Sound Forge 6.0
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
System Requirements Lab
VideoLAN VLC media player 0.8.6b
Winamp3 (remove only)
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB958644
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
XviD MPEG-4 Codec
ZTE ADSL Dialer 1.0g_MY


------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:06 PM, on 10/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINNT\system32\Pen_Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F1B507-3874-4BA5-B92B-4DC1967918F8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F7259-8C34-473D-9F1D-882AF088270C}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF96049E-48D2-4E0A-B064-5A9A5A418241}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINNT\system32\Pen_Tablet.exe

--
End of file - 6072 bytes

 

[katana]

Step 1


Disable Teatimer
First step:

• Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
• If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
• If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

• Open Spybot S&D
• Click Mode, choose Advanced Mode
• Go To the bottom of the Vertical Panel on the Left, Click Tools
• then, also in left panel, click Resident shows a red/white shield.
• If your firewall raises a question, say OK
• In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
• OK any prompts.
• Use File, Exit to terminate Spybot
• Reboot your machine for the changes to take effect.

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

F2 - REG:system.ini: Shell=

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


----------------------------------------------------------- -----------------------------------------------------------
Step 3


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 4

If the previous step did not automatically reboot your machine, Please reboot now

----------------------------------------------------------- -----------------------------------------------------------
Step 5


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

• MalwareBytes Log
• A Fresh HJT Log ( from after reboot )
• How are things running now ?

 

[griepe]

It still seems to be there in the memory and Spybot is still picking them up.


Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.0.2195 Service Pack 4

10/26/2008 11:11:45 AM
mbam-log-2008-10-26 (11-11-45).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 146312
Time elapsed: 22 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PERSFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKUnHooker.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAS.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\Fonts\wmsncs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\wmsncs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\spool\drivers\wmsncs.exe (Trojan.Agent) -> Quarantined and deleted successfully.


--------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:08 PM, on 10/26/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINNT\system32\Pen_Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F7259-8C34-473D-9F1D-882AF088270C}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF96049E-48D2-4E0A-B064-5A9A5A418241}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol hijack: cdo - >00
20
8
5-1
1 8-
00
F
62
}
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINNT\system32\Pen_Tablet.exe

--
End of file - 5157 bytes

 

[katana]

Spybot Report
Please retrieve the last scan that you did with Spybot

1. Open Spybot S&D
2. Click Mode (on the top bar)
3. Put a check next to Advanced. Click Yes at the prompt.
4. Click Tools (left hand column near the bottom)
5. Click View Report (left hand column near the top)
6. Put a tick next to
   • Include results of last check in report
   (make sure that the rest are unchecked)
7. Click View Report (top of page)
8. Click Export (top of page)
9. Save the report to your desktop

Please post this report in your reply

 

[griepe]

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2007-11-25 unins000.exe (51.41.0.0)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-10-20 unins001.exe (51.49.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-02 aports.dll (2.1.0.0)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-07-07 Tools.dll (2.1.5.7)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2008-07-07 advcheck.dll (1.6.1.12)
2008-09-02 Includes\Dialer.sbi
2008-09-02 Includes\Hijackers.sbi
2008-09-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2008-10-08 Includes\Malware.sbi
2008-09-02 Includes\PUPS.sbi
2008-06-18 Includes\Security.sbi
2008-06-03 Includes\Spybots.sbi
2008-10-22 Includes\Spyware.sbi
2008-09-02 Includes\Adware.sbi
2008-10-15 Includes\Trojans.sbi
2008-06-03 Includes\Cookies.sbi
2007-11-07 Includes\Revision.sbi
2008-06-03 Includes\Tracks.uti
2008-10-14 Includes\TrojansC.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-09-30 Includes\SecurityC.sbi
2008-10-14 Includes\PUPSC.sbi
2008-10-22 Includes\MalwareC.sbi
2008-10-14 Includes\KeyloggersC.sbi
2008-10-07 Includes\HijackersC.sbi
2008-09-09 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-10-14 Includes\AdwareC.sbi
2008-10-14 Includes\SpywareC.sbi
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll


--- System information ---
Windows 2000 (Build: 2195) Service Pack 4 (5.0.2195)
/ DataAccess: Microsoft Data Access Components KB870669
/ DirectX 9: Security Update for DirectX 9 (KB951698)
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905495
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB938464
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB956390
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB951066
/ Windows 2000: Security Update for Windows 2000 (KB941569)
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842773
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893756
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896358
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896422
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896423
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899587
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899589
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB900725
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901017
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901214
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908519
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908531
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB911280
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB913580
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB914388
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB914389
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917008
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB918118
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920213
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920670
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920683
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920685
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB921398
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB922582
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923191
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923810
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923980
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924270
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924667
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB925902
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB926122
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB926436
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB927891
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB928843
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB930178
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB931784
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB933729
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB935839
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB935840
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB936021
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB938827
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB943055
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB943485
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB944338
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB945553
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB948590
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB950749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB950974
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB951071
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB951748
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB952954
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB954211
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB956391
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB957095
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB958644
/ Windows 2000 / SP5: Update Rollup 1 for Windows 2000 SP4
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)


--- Startup entries list ---
Located: HK_LM:Run, @OnlineArmor GUI
command: "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
file: C:\Program Files\Tall Emu\Online Armor\oaui.exe
size: 6223048
MD5: 0CB8CAAF925C554C5023A7A30F624EFC

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
size: 590848
MD5: F1B42DE29AF84F24FB59989805B1B62D

Located: HK_LM:Run, NeroFilterCheck
command: C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
file: C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
size: 155648
MD5: C93AB037A8C792D5F8A1A9FC88A7C7C5

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
file: C:\WINNT\system32\NvCpl.dll
size: 8523776
MD5: B00401A1F1DF052D3E54FBCC7F96A0FE

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINNT\SOUNDMAN.EXE
size: 77824
MD5: FBEF9F9C97B6B93E2041E65D3CD81C9C

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9B2F5B9E745DEAAA57FB78329ED03061

Located: HK_LM:Run, ZTE ADSL
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, AVG7_Run
where: .DEFAULT...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 219136
MD5: B331EF4C7437F5093D703340678469EB

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-746137067-861567501-725345543-1000...
command: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3DBE5B70FCA1F15BE651A5EB02594B84

Located: HK_CU:Run, internat.exe
where: S-1-5-21-746137067-861567501-725345543-1000...
command: internat.exe
file: C:\WINNT\system32\internat.exe
size: 20752
MD5: F4206FCA3B1D2FEAB50738EC2485D5F3

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-746137067-861567501-725345543-1000...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 10/25/2008 12:09:36 AM
Date (last access): 10/26/2008
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 509328
Attributes: archive
MD5: F921D875A1CBD69A6A462BA2514BC831
CRC32: 38AC9EE2
Version: 6.0.70.6

{A5366673-E8CA-11D3-9CD9-0090271D075B} (IeCatch2 Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: IeCatch2 Class
description: FlashGet
classification: Open for discussion
known filename: Jccatch.dll
info link: http://www.amazesoft.com/
info source: TonyKlein
Path: C:\PROGRA~1\FLASHGET\
Long name: Jccatch.dll
Short name: JCCATCH.DLL
Date (created): 11/26/2007 12:09:08 AM
Date (last access): 10/26/2008
Date (last write): 1/16/2002 7:12:18 PM
Filesize: 65536
Attributes: archive
MD5: F2FAFE3CB6412C89F43D88CCEBE308F3
CRC32: B1AEC78B
Version: 1.1.4.0



--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\swdir.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla

{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab)
DPF name: System Requirements Lab
CLSID name: System Requirements Lab Class
Installer:
Codebase: http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: sysreqlab2.dll
Short name: SYSREQ~1.DLL
Date (created): 3/29/2007 11:07:12 AM
Date (last access): 10/26/2008
Date (last write): 3/29/2007 11:07:12 AM
Filesize: 206384
Attributes: archive
MD5: ED3B0F1BA60554B9D2E5AE1B02AD9306
CRC32: E2F1D780
Version: 2.30.0.0

{7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class)
DPF name:
CLSID name: MabinogiWebAvatarRenderer Class
Installer: C:\WINNT\Downloaded Program Files\mabiweb.inf
Codebase: http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: mabiwebframe.dll
Short name: MABIWE~1.DLL
Date (created): 4/4/2007 10:51:30 AM
Date (last access): 10/26/2008
Date (last write): 4/4/2007 10:51:30 AM
Filesize: 229376
Attributes: archive
MD5: A369ECF50C9166D6A0355E52D8D6424F
CRC32: 41C81A8B
Version: 2007.4.4.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 10/26/2008
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/24/2007 11:31:44 PM
Date (last access): 10/26/2008
Date (last write): 9/25/2007 1:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 10/26/2008
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 10/26/2008
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 10/26/2008
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6



--- Process list ---
PID: 0 ( 0) [System]
PID: 156 ( 8) \SystemRoot\System32\smss.exe
size: 45840
PID: 180 ( 156) \??\C:\WINNT\system32\csrss.exe
size: 5392
PID: 176 ( 156) \??\C:\WINNT\system32\winlogon.exe
size: 186640
PID: 228 ( 176) C:\WINNT\system32\services.exe
size: 92944
MD5: B861B4E6E9637EB76A40C10C552E0229
PID: 240 ( 176) C:\WINNT\system32\lsass.exe
size: 33552
MD5: F19D0A319AB4BF5496F08807CB9B8651
PID: 412 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 444 ( 228) C:\WINNT\system32\spoolsv.exe
size: 47376
MD5: FACFB75ECC070103619FA044E0B210D3
PID: 472 ( 228) C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
size: 418816
MD5: 3C7B93F947355E374A49564D0D017B7B
PID: 484 ( 228) C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
size: 406528
MD5: FC0B2AE890BB0DC8C2306DABEDC8A4BA
PID: 512 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 556 ( 228) C:\WINNT\system32\nvsvc32.exe
size: 155716
MD5: 357CDE6C24EB15888E810C6D2787C238
PID: 592 ( 228) C:\Program Files\Tall Emu\Online Armor\oacat.exe
size: 1402568
MD5: BF0425CEA8BC6784FBFB0DCED90DCCBE
PID: 676 ( 228) C:\WINNT\system32\regsvc.exe
size: 68368
MD5: 250C4CE389783FA2398E3AFA4317008C
PID: 708 ( 228) C:\WINNT\system32\MSTask.exe
size: 122128
MD5: B00529EAE5D0CE97010B69CC677128C8
PID: 776 ( 228) C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
size: 275968
MD5: B1691AF4A072CB674D600DB16DD7308E
PID: 816 ( 228) C:\WINNT\system32\Pen_Tablet.exe
size: 1373480
MD5: DAD1A4D96291139C0F834B138320E475
PID: 904 ( 228) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 920 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 628 ( 344) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1136 ( 628) C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
size: 590848
MD5: F1B42DE29AF84F24FB59989805B1B62D
PID: 1096 ( 628) C:\WINNT\SOUNDMAN.EXE
size: 77824
MD5: FBEF9F9C97B6B93E2041E65D3CD81C9C
PID: 1208 ( 628) C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3DBE5B70FCA1F15BE651A5EB02594B84
PID: 1216 ( 628) C:\WINNT\system32\internat.exe
size: 20752
MD5: F4206FCA3B1D2FEAB50738EC2485D5F3
PID: 1188 ( 816) C:\WINNT\system32\WTablet\Pen_TabletUser.exe
size: 132392
MD5: A876B5FEB247E65A138A88DFE73FCF32
PID: 1148 (1292) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6
PID: 1340 ( 628) C:\Program Files\mIRC\mirc.exe
size: 1949696
MD5: 0471108D25398E9F200FD7C580082A8E
PID: 1288 ( 628) C:\Program Files\Internet Explorer\iexplore.exe
size: 91136
MD5: EB9EAF627F705525D01DE5FA07EA1818
PID: 1112 ( 628) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 8 ( 0) System
PID: 640 ( 228) svchost.exe
size: 7952


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 10/26/2008 8:17:07 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF96049E-48D2-4E0A-B064-5A9A5A418241}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF96049E-48D2-4E0A-B064-5A9A5A418241}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{711F7259-8C34-473D-9F1D-882AF088270C}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{711F7259-8C34-473D-9F1D-882AF088270C}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{864E4ACE-9D5D-471B-AFC2-672EE9B4ED89}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{864E4ACE-9D5D-471B-AFC2-672EE9B4ED89}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23DAF193-2360-49A1-AFF5-684643911034}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23DAF193-2360-49A1-AFF5-684643911034}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EA5D984-61E0-4834-AD20-0EE27CD04DD4}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EA5D984-61E0-4834-AD20-0EE27CD04DD4}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A50CFCA-E54A-4BAC-9332-C9093F1CD03D}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A50CFCA-E54A-4BAC-9332-C9093F1CD03D}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66F1B507-3874-4BA5-B92B-4DC1967918F8}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66F1B507-3874-4BA5-B92B-4DC1967918F8}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

 

[griepe]

I seem to have gotten it wrong. This is the right one, I think ?

--- Report generated: 2008-10-26 15:16 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Hupigon13: [SBI $79919CB3] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe

Hupigon13: [SBI $AF1EC726] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe

Hupigon13: [SBI $46DBB063] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe

Win32.Delf.uv: [SBI $AEB50E08] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.EXE\Debugger

Win32.Delf.uv: [SBI $757C4426] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.EXE\Debugger

Win32.Delf.uv: [SBI $F963F0F7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger

Win32.Delf.uv: [SBI $9BFB3235] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PERSFW.EXE\Debugger

Win32.VB.PW: [SBI $1D067958] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2007-11-25 unins000.exe (51.41.0.0)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-10-20 unins001.exe (51.49.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-02 aports.dll (2.1.0.0)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-07-07 Tools.dll (2.1.5.7)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2008-07-07 advcheck.dll (1.6.1.12)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-10-08 Includes\Malware.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-10-22 Includes\Spyware.sbi (*)
2008-09-02 Includes\Adware.sbi (*)
2008-10-15 Includes\Trojans.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-10-14 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-09-30 Includes\SecurityC.sbi (*)
2008-10-14 Includes\PUPSC.sbi (*)
2008-10-22 Includes\MalwareC.sbi (*)
2008-10-14 Includes\KeyloggersC.sbi (*)
2008-10-07 Includes\HijackersC.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-10-14 Includes\AdwareC.sbi (*)
2008-10-14 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll

 

[katana]

Curious, those are the lines that MBAM fixed ???

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

 

[griepe]

All except one it seems. MBAM also had more fixes.


ComboFix 08-10-25.01 - nine 10/27/2008 13:13:58.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.932.81.1033.18.742 [GMT 8:00]
Running from: C:\Documents and Settings\nine\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\34566\svchost.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_VFILT


((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.

2008-10-26 07:12 . 08-10-26 07:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 07:12 . 08-10-26 07:12 <DIR> d-------- C:\Documents and Settings\nine\Application Data\Malwarebytes
2008-10-26 07:12 . 08-10-26 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-26 07:12 . 08-10-22 16:10 38,496 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-10-26 07:12 . 08-10-22 16:10 15,504 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-10-25 13:41 . 08-10-25 13:41 76,042 --a------ C:\prog_error.jpg
2008-10-25 02:59 . 08-10-25 02:59 <DIR> d-------- C:\rsit
2008-10-24 19:26 . 08-10-25 09:01 244,869,120 --a------ C:\[SS-Eclipse] Kyouran Kazoku Nikki - 02 (XviD) [8AFBFCBE].avi
2008-10-24 03:25 . 08-10-24 16:41 243,435,520 --a------ C:\[SS-Eclipse] Kyouran Kazoku Nikki - 01 (XviD) [3AFFBD34].avi
2008-10-22 22:11 . 08-10-22 22:11 <DIR> d-------- C:\[Nipponsei] Toradora! OP Single - Pre-Parade [Various]
2008-10-21 04:02 . 08-10-21 04:02 <DIR> d-------- C:\Program Files\Tall Emu
2008-10-21 04:02 . 08-10-07 00:09 178,376 --a------ C:\WINNT\system32\drivers\OADriver.sys
2008-10-21 04:02 . 08-10-07 00:09 30,920 --a------ C:\WINNT\system32\drivers\OAmon.sys
2008-10-21 04:02 . 08-10-07 00:09 28,872 --a------ C:\WINNT\system32\drivers\OAnet.sys
2008-10-21 04:01 . 08-10-21 04:01 <DIR> d-------- C:\OnlineArmor
2008-10-20 19:10 . 08-10-26 06:56 1,372,978 ---h----- C:\WINNT\ShellIconCache
2008-10-20 05:34 . 08-10-20 05:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-19 23:33 . 08-10-19 23:33 <DIR> d-------- C:\WINNT\system32\rpcproxy
2008-10-19 23:33 . 08-10-19 23:33 <DIR> d-------- C:\WINNT\system32\rocket
2008-10-18 20:19 . 08-10-18 20:19 0 -rahs---- C:\WINNT\system32\drivers\rkreveal150.sys
2008-10-18 20:17 . 08-10-18 20:17 <DIR> d-------- C:\WINNT\system32\34566
2008-10-18 04:05 . 08-10-18 04:05 <DIR> d-------- C:\[Nipponsei] Yozakura Quartet OP Single - JUST TUNE [savage genius]
2008-10-16 11:44 . 08-10-16 11:44 <DIR> d-------- C:\WINNT\system32\Windows Media
2008-10-16 11:43 . 08-10-16 11:43 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-10-16 11:39 . 08-10-16 11:39 <DIR> d-------- C:\WINNT\mui
2008-10-16 11:39 . 05-06-28 10:21 22,752 --a------ C:\WINNT\system32\spupdsvc.exe
2008-10-16 11:39 . 08-10-16 11:39 957 --a------ C:\WINNT\setup.inf
2008-10-16 11:39 . 08-10-16 11:39 283 --a------ C:\WINNT\setup.rpt
2008-10-16 11:37 . 02-12-11 17:34 208,896 --a------ C:\WINNT\system32\wmpns.dll
2008-10-15 17:22 . 02-08-29 07:14 44,032 --------- C:\WINNT\system32\dllcache\msxml3r.dll
2008-10-15 14:28 . 08-10-15 14:28 <DIR> d-------- C:\WINNT\system32\BITS
2008-10-15 13:36 . 08-10-15 13:36 <DIR> d-------- C:\WINNT\system\catroot
2008-10-15 13:36 . 08-10-15 13:36 <DIR> d-------- C:\Program Files\ZTE
2008-10-15 00:18 . 08-10-15 00:17 193,770 --a------ C:\1217920173864.jpg
2008-10-05 16:19 . 08-10-05 16:20 262 --a------ C:\WINNT\YAN2.INI
2008-10-04 14:15 . 08-10-27 13:19 335 --a------ C:\WINNT\system32\Pen_Tablet.dat
2008-10-03 13:00 . 08-10-03 12:46 3,701,530 --a------ C:\yozakura_quartet_OP.flv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 17:41 310,032 ----a-w C:\WINNT\system32\dllcache\NETAPI32.DLL
2008-09-15 05:13 1,644,432 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-09-15 05:13 1,644,432 ------w C:\WINNT\system32\dllcache\win32k.sys
2008-09-12 02:19 --------- d-----w C:\Program Files\Anathema
2008-09-05 22:05 --------- d-----w C:\Program Files\7-Zip
2008-08-28 04:44 239,344 ----a-w C:\WINNT\system32\drivers\SRV.SYS
2008-08-28 04:44 239,344 ----a-w C:\WINNT\system32\dllcache\srv.sys
2008-08-20 04:24 132,096 ----a-w C:\WINNT\system32\dllcache\MSRATING.DLL
2008-08-20 04:23 402,944 ----a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
2008-08-20 04:23 143,360 ----a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
2008-08-20 04:23 1,340,416 ----a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
2008-08-20 04:23 1,018,368 ----a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
2008-08-20 02:51 69,632 ----a-w C:\WINNT\system32\dllcache\INSENG.DLL
2008-08-20 02:51 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-08-20 02:51 575,488 ----a-w C:\WINNT\system32\dllcache\WININET.DLL
2008-08-20 02:51 498,176 ----a-w C:\WINNT\system32\dllcache\MSTIME.DLL
2008-08-20 02:51 462,336 ----a-w C:\WINNT\system32\dllcache\URLMON.DLL
2008-08-20 02:51 351,744 ----a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
2008-08-20 02:51 34,816 ----a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
2008-08-20 02:51 236,032 ----a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
2008-08-20 02:51 2,706,432 ----a-w C:\WINNT\system32\dllcache\MSHTML.DLL
2008-08-20 02:51 192,512 ----a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
2008-08-20 02:51 12,288 ----a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
2008-08-12 07:47 98,064 ----a-w C:\WINNT\system32\dllcache\mqmig.exe
2008-08-12 07:47 77,712 ----a-w C:\WINNT\system32\dllcache\mqac.sys
2008-08-12 07:47 25,360 ----a-w C:\WINNT\system32\dllcache\mqbkup.exe
2008-08-12 07:47 14,096 ----a-w C:\WINNT\system32\dllcache\mqsvc.exe
2008-08-12 07:47 14,096 ----a-w C:\WINNT\system32\dllcache\mq1sync.exe
2007-11-25 09:48 271 ---h--w C:\Program Files\desktop.ini
2007-11-25 09:48 21,952 ---h--w C:\Program Files\folder.htt
2003-08-27 03:49 3,424 ----a-w C:\WINNT\inf\OTHER\cmiainfo.sys
2003-07-04 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06-11-16 19:04 139264]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-09-16 12:16 1833296]
"internat.exe"="internat.exe" [03-07-04 12:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-10-18 09:31 590848]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [06-01-12 15:40 155648]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [07-11-07 07:00 8523776]
"@OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [08-10-07 00:09 6223048]
"SoundMan"="SOUNDMAN.EXE" [05-06-20 21:42 77824 C:\WINNT\soundman.exe]
"Synchronization Manager"="mobsync.exe" [03-07-04 12:00 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-25 20:18 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.xvid"= xvid.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R1 OADevice;OADriver;C:\WINNT\system32\drivers\OADriver.sys [08-10-07 00:09 178376]
R1 OAmon;OAmon;C:\WINNT\system32\drivers\OAmon.sys [08-10-07 00:09 30920]
R1 OAnet;OAnet;C:\WINNT\system32\drivers\OAnet.sys [08-10-07 00:09 28872]
R2 OAcat;Online Armor Helper Service;C:\Program Files\Tall Emu\Online Armor\oacat.exe [08-10-07 00:09 1402568]
R2 TabletServicePen;TabletServicePen;C:\WINNT\system32\Pen_Tablet.exe [07-09-08 02:16 1373480]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\lne100v5.sys [01-04-02 11:01 36013]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-07-04 12:00 24784]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 49776]
R3 ZTPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\system32\DRIVERS\ztpppoe.sys [04-01-04 18:37 18238]
S2 pvopstrr;pvopstrr;C:\WINNT\system32\drivers\pvopstrr.sys [ ]
S3 ADM9X;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM9X.sys [01-10-25 14:43 35968]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [05-03-23 16:56 9038]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ZTE ADSL - (no file)
ShellExecuteHooks-{E60A0B68-2F3C-A1D2-A901-9381E136D21A} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 -: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
O17 -: HKLM\CCS\Interface\{66F1B507-3874-4BA5-B92B-4DC1967918F8}: NameServer = 202.188.0.133 202.188.1.5
O17 -: HKLM\CCS\Interface\{711F7259-8C34-473D-9F1D-882AF088270C}: NameServer = 202.188.0.133,202.188.1.5
O17 -: HKLM\CCS\Interface\{EF96049E-48D2-4E0A-B064-5A9A5A418241}: NameServer = 202.188.0.133,202.188.1.5

O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
C:\WINNT\Downloaded Program Files\mabiweb.inf
C:\WINNT\Downloaded Program Files\mabiwebframe.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 13:19:51
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7Core]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7RsNT]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7UpdSvc]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgClean]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AASW2_Service]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AbtrusionDriver]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AbtrusionSecurityService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\acshield]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AeServ]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMBRAPP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMBRIM]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AntiVirFirewallService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ANTIVIRSERVICE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\APFTrans]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avas_service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avfwot]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVG Anti-Rootkit]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVG Anti-Spyware Guard]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7Core]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7RsNT]
"ImagePath"="nul"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7UpdSvc]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avg8wd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgArCln]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgClean]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgCore]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgCoreSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgFsh]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avgfws8]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVGFwSrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgMfx86]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgRkx86]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgServ]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avipbb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVKWCtl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVZRK]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVZSG]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\baserand]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bc_filter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bc_ip_f]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdftdif]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BlackICE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blinksvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BOCore]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BufferZoneSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BZDcomLaunch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BZRpcSs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CAISafe]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cavasm]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdAgent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cmdGuard]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Comodo Anti-Virus and Anti-Spyware Service]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctdrvw2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctiserv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cyberhawk]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DarkSpy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DCSPGSRV]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DeepFrz]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DEEPMON]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\defensewall_serv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRIVESENTRYCOMMSDRIVER]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drivesentryfilterdriver2lite]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRIVESENTRYKEEPERDRIVER]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DriveSentryRegHookDriver]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DrvFltIp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ds2kDrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dwall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ECONCEAL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EconService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekrn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EQService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EQSpyWatch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eScan Monitor Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ESCANMX]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esiasdrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F-Secure Gatekeeper Handler Starter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F-Secure HIPS]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fgccow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fgccsrt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fgcrepl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FileHook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FILEMON701]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FireSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FortiPFW]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fortknox]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fortknox_drv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FSDFWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fsfltdrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FSFW]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FSRT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fwdrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GDFwSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ghostsec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ghstwall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gmer]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GuardX]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HipService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iamServ]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icsak]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IMMDRV]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InoRT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ipcSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ipfrwl]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IsDrv118]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISFWEnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IsPubDrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISRService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IswSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\itmrtsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jetico personal firewall server]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KAVMonitorService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kavsvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KerioServerFirewall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\khips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KLIF]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KLPF]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Klpid]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KPF4]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KPfwSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KWatchSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lnsfw1]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LocalCpa]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McODS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McRedirector]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McShield]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MksFwall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mksfwallf]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MKSFWALLT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPFP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPFSERVICE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPSVCService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSFWHLPR]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVAPEL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\navapsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\naveng]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NCDSSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\neoava_drv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\neosvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETFLTDI]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nk4Seem]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nod32drv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOD32krn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norman ZANDA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NORTON ANTIVIRUS SERVER]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OneCareMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OnlineNT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OutpostFirewall]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pavfires]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pavkre]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PavProt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pavsrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PcCtlCom]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PcScnSrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCTAVSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCToolsFirewallPlus]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PersFw]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PFNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pldriver]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PortsLock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PPCtlPriv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PREVXAgent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PrismaNDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PrismaNDISFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCEXP100]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCEXP90]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCMON10]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCMON11]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProSecur]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\services.exe"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSEXESVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSHost]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\psh_svc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSIMSVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSMAntiSpy]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pwipf2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PWIPF6]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QuickHealFirewall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapApp]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RegHook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\REGMON701]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ImagePath"="C:\WINNT\system32\34566\svchost.exe"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RFW]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RfwService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RGSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RKD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkhdrv10]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkhdrv31]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkhdrv40]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RVSDISK]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\safemon]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SafenSec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAFESYSTEM]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SanaSafeConnectAgent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\savant]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\savantnetagent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\savrtpel]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SBAPIFS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SBCSSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SBHR]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdAuxService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdCoreService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfcorevt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SfCtlCom]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Shadow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShadowSystemService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SnoopFree]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SnoopFreeSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Client Firewall]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPF4]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spider]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPIDERCTL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spidernt]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srescan]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Superkill]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SvcOnlineArmor]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec AntiVirus]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymantecAntiBotAgent]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysProtService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tahi]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TAVM_Service]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDI_RD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Teefer]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TMBMServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tmntsrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TmPfw]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tppfdmn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPSrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UmxCfg]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UmxPol]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Vba32Ldr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VCFSVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VETMONNT]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VFILT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrfwsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsmon]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WehnServ]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows SteadyState]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRollBackSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRoute]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WRDRV]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XCOMM]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XPacket]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZeroVProtect]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZVRegMon]

.
Completion time: 2008-10-27 13:21:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-27 05:21:12

Pre-Run: 1,778,057,216 bytes free
Post-Run: 1,824,063,488 bytes free

524 --- E O F --- 2008-10-24 06:05:59

 

[griepe]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:42 PM, on 10/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINNT\system32\Pen_Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\conime.exe
C:\WINNT\system32\WTablet\Pen_TabletUser.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F1B507-3874-4BA5-B92B-4DC1967918F8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F7259-8C34-473D-9F1D-882AF088270C}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF96049E-48D2-4E0A-B064-5A9A5A418241}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol hijack: cdo - >00
20
8
5-1
1 8-
00
F
62
}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINNT\system32\Pen_Tablet.exe

--
End of file - 5228 bytes

 

[katana]

Information

It appears that something is stopping access to the registry. Make sure you stop Online Armour and AVG from running at startup
What Antivirus do you use ?
You should only have one installed.
----------------------------------------------------------- -----------------------------------------------------------

Step 1


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\WINNT\system32\dllcache\mqac.sys
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINNT\system32\dllcache\mqmig.exe
C:\WINNT\system32\dllcache\mqbkup.exe
C:\WINNT\system32\dllcache\mqsvc.exe
C:\WINNT\system32\dllcache\mq1sync.exe

If Virustotal is too busy please try Jotti

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Custom CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  DirLook::
  C:\WINNT\system32\34566
  
  Driver::
  pvopstrr
  Registry::
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "SpybotSD TeaTimer"=-
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.EXE]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.EXE]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PERSFW.EXE]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKUnHooker.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAS.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kav.exe]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT.exe]
  ADS::

• Save this as CFScript.txt and place it on your desktop.
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------
Step 3


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


----------------------------------------------------------- -----------------------------------------------------------
Step 4


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

• AV Info
• Virus Total Results
• ComboFix Log
• Kaspersky Log
• How are things running now ?

 

[griepe]

Ahh.. although I had turned Online Armour off before running ComboFix, I didn't stop it from running at startup. I only had AVG 7.5 installed, which I uninstalled earlier today to install 8 (the malware had affected AVG's functions so I was going to have to do this anyway), but yeah, something halted the installation due to failure in creating a registry key. I'll stop it this time.

Step 1

File mqac.sys received on 10.29.2008 12:52:07 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.28.3 2008.10.29 -
AntiVir 7.9.0.10 2008.10.29 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6179 2008.10.29 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.29 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.511 2008.10.29 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3565 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 -
PCTools 4.4.2.0 2008.10.29 -
Prevx1 V2 2008.10.29 -
Rising 21.01.22.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 -
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.29 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.29.1443 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -
Additional information
File size: 77712 bytes
MD5...: f1f1caddbf2eb8c333ed3f18e46b7f2f
SHA1..: 574173cc48cf05bbc63193eaae807c05503e2ca2
SHA256: fbb338f2f6f419c1fb3186d8f2a21b57d56675daaf20cb9fd1f82039739e9472
SHA512: b2750b6bf2fb0663d674c935714d6e6c4755cf43e8d8c3759335fa860e0ddb05
a8a3833a75dee6c8b14dc423efd59120cfc0f132ff8100136b94f794812b6066
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16980
timedatestamp.....: 0x48a0a7fd (Mon Aug 11 20:58:37 2008)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2c0 0x1065e 0x10660 6.42 8e9475beb43783675bee7caa4dac8f2f
.rdata 0x10920 0x73c 0x740 6.73 910881774981e992c1a147cddae12fff
.data 0x11060 0x8d0 0x8e0 1.43 daa839b02575454daa485ba6f8282c0b
INIT 0x11940 0x5a4 0x5c0 5.31 1104c68576da0d592b9c8d20b1b4264f
.rsrc 0x11f00 0x488 0x4a0 3.31 9a17323135be5ef275b9ae05c7fa0abc
.reloc 0x123a0 0xac8 0xae0 6.58 17eaf76634e81567f371866ae9ee27e3

( 1 imports )
> ntoskrnl.exe: ExFreePool, ExAllocatePoolWithTagPriority, ExAllocatePoolWithTag, IoReleaseCancelSpinLock, InterlockedExchange, KeLeaveCriticalRegion, ExReleaseFastMutexUnsafe, IofCompleteRequest, ExAcquireFastMutexUnsafe, KeEnterCriticalRegion, InterlockedDecrement, IoAcquireCancelSpinLock, ObfDereferenceObject, MmMapViewInSystemSpace, ObReferenceObjectByHandle, MmUnmapViewInSystemSpace, RtlCompareMemory, IoCheckShareAccess, IoGetRequestorProcess, _purecall, IoSetShareAccess, _except_handler3, wcslen, _snwprintf, InterlockedIncrement, ZwWriteFile, KeAttachProcess, KeDetachProcess, IoGetCurrentProcess, ZwReadFile, ZwDeleteFile, MmUnmapViewOfSection, MmMapViewOfSection, ZwClose, MmCreateSection, ZwCreateFile, RtlInitUnicodeString, swprintf, ZwSetInformationFile, IoCreateSymbolicLink, KeInitializeEvent, IoDeleteDevice, IoCreateDevice, KeInitializeDpc, KeInitializeTimer, IoDeleteSymbolicLink, ZwQuerySystemInformation, KeQuerySystemTime, ExRaiseAccessViolation, MmUserProbeAddress, wcscpy, KeDelayExecutionThread, ExQueueWorkItem, IoRemoveShareAccess, KeSetTimer, KeCancelTimer

( 0 exports )

---------------------------------------------------

File mqmig.exe received on 10.29.2008 12:55:17 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.28.3 2008.10.29 -
AntiVir 7.9.0.10 2008.10.29 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6179 2008.10.29 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.29 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.511 2008.10.29 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3565 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 -
PCTools 4.4.2.0 2008.10.29 -
Prevx1 V2 2008.10.29 -
Rising 21.01.22.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 -
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.29 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.29.1443 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -
Additional information
File size: 98064 bytes
MD5...: 7275b4836ed6a6cdcdeabb330d1ab306
SHA1..: ec08029a3fff1efc4a32147cc9989bd7f2def629
SHA256: 5ad6a9832233250ffc1b6c059a32fa1b20bf930f9936b82ec08c0fc9d56e69cd
SHA512: 74f2f35316c1b8b88ab640ce6e58f9927b64e5b89f45250aefc3d02e94ddc421
2eee060d5f7496a15b4845f320efa5d3fc7a211a12f29707bf6fe8ff10e09645
PEiD..: InstallShield 2000
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x406070
timedatestamp.....: 0x48a0a75d (Mon Aug 11 20:55:57 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5c51 0x5e00 6.11 59edf4d941f0fb36e6455136e3cc23fd
.rdata 0x7000 0x2c2e 0x2e00 4.77 a559945416dc4c9c1525dd8b8f2c0e90
.data 0xa000 0x6e0 0x400 4.16 cd7a94503483392d289a732f4e4182fe
.rsrc 0xb000 0xe920 0xea00 3.76 9dd1ada7783e3b973a882713f34ff5b3

( 9 imports )
> SHLWAPI.dll: PathRemoveFileSpecA, PathFileExistsA, PathIsDirectoryA
> WLDAP32.dll: -, -
> VERSION.dll: GetFileVersionInfoSizeA, VerQueryValueA, GetFileVersionInfoA
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, _setmbcp, _strcmpi, memset, wcslen, strrchr, __CxxFrameHandler, _EH_prolog, strcpy, strlen, sprintf, printf, memcpy
> KERNEL32.dll: lstrlenA, lstrcpyA, CreateDirectoryA, GetDriveTypeA, GetFileAttributesA, GetLastError, MultiByteToWideChar, GetSystemDirectoryA, WaitForSingleObject, LoadLibraryA, GetModuleFileNameA, GetComputerNameA, CreateProcessA, GetComputerNameW, GetComputerNameExW, SetLastError, FreeLibrary, GetModuleHandleA, MapViewOfFile, CreateFileMappingA, UnmapViewOfFile, ExitProcess, GetStartupInfoA, WideCharToMultiByte, GetTickCount, GetProcAddress, InterlockedIncrement, GetWindowsDirectoryA, Sleep, CreateThread, CloseHandle, DeleteFileA, SetEvent, CreateEventA
> USER32.dll: LoadBitmapA, ShowWindow, SetWindowLongA, SetForegroundWindow, DispatchMessageA, MsgWaitForMultipleObjects, PeekMessageA, SetDlgItemTextA, CreateDialogParamA, DefWindowProcA, FindWindowA, CharLowerA, GetSystemMenu, InsertMenuA, DrawMenuBar, LoadIconA, SendMessageA, KillTimer, SetTimer, GetDlgItem, IsWindowEnabled, CharNextA, PostMessageA, GetParent, EnableWindow, MessageBoxA, LoadStringA, BringWindowToTop
> GDI32.dll: CreateFontIndirectA
> ADVAPI32.dll: ControlService, RegCreateKeyExA, RegSetValueExA, RegFlushKey, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CreateServiceA, ChangeServiceConfig2A, QueryServiceConfigA, OpenSCManagerA, OpenServiceA, ChangeServiceConfigA, StartServiceA, CloseServiceHandle, RegDeleteKeyA, QueryServiceStatus

( 0 exports )

---------------------------------------------------

File mqbkup.exe received on 10.29.2008 12:58:27 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.28.3 2008.10.29 -
AntiVir 7.9.0.10 2008.10.29 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6179 2008.10.29 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.29 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.511 2008.10.29 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3565 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 -
PCTools 4.4.2.0 2008.10.29 -
Prevx1 V2 2008.10.29 -
Rising 21.01.22.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 -
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.29 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.29.1443 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -
Additional information
File size: 25360 bytes
MD5...: 7ddeb08974f2d2ee0999b6065ba2b516
SHA1..: db4e5803a3ae9062397dd31a08fd3c9be731b5c5
SHA256: 3d00697624c649a3939ac290d1e11c3a54dc1c0f9f9cdebccc6d1f9aca0d3c0a
SHA512: 4b843f3423544c66191393a8baf24714b1318dc9b3afb5bfbd34cb71f3555ccb
2922264e19a80fbaa6b8b2c00bee251cb17c8d4ae97b93f26daeee6117afb61a
PEiD..: InstallShield 2000
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404010
timedatestamp.....: 0x48a0a7a5 (Mon Aug 11 20:57:09 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3306 0x3400 5.79 e0cc9169de180ce55b4419ff7b7a2a73
.rdata 0x5000 0xc04 0xe00 4.49 a75be8644d88ddacacdb0524de5f4430
.data 0x6000 0x264 0x400 3.19 dbda59489f78076108461569a5fe0f12
.rsrc 0x7000 0x1680 0x1800 3.35 b1ab4600813464079e4bbd13e422ed47

( 5 imports )
> KERNEL32.dll: GetSystemDirectoryA, GetFileAttributesA, CreateDirectoryA, CopyFileA, GetSystemTimeAsFileTime, GetDiskFreeSpaceExA, DeviceIoControl, Sleep, FreeLibrary, WriteFile, CompareStringA, FindFirstFileA, DeleteFileA, FindNextFileA, GetModuleHandleA, FindClose, GetCurrentProcess, GetLastError, CloseHandle, FormatMessageA, LocalFree, LoadLibraryA, GetProcAddress, GetVersionExA, GetFullPathNameA, CreateFileA
> USER32.dll: CharNextA, LoadStringA
> ADVAPI32.dll: AddAce, AllocateAndInitializeSid, GetLengthSid, InitializeSecurityDescriptor, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, SetFileSecurityA, FreeSid, RegSetValueExA, RegRestoreKeyA, RegSaveKeyA, RegCreateKeyExA, StartServiceA, OpenSCManagerA, OpenServiceA, ControlService, CloseServiceHandle, QueryServiceStatus, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken
> CLUSAPI.dll: OfflineClusterResource, OnlineClusterResource, GetClusterResourceState, CloseClusterResource, OpenCluster, OpenClusterResource, CloseCluster, ClusterResourceControl
> MSVCRT.dll: wcslen, __dllonexit, _controlfp, printf, strcat, strlen, strcpy, exit, scanf, _mbsrchr, __3@YAXPAX@Z, memcpy, __2@YAPAXI@Z, _mbschr, sprintf, __CxxFrameHandler, _EH_prolog, mbstowcs, _onexit, _mbsnbcat, memset, _mbctolower, _exit, _XcptFilter, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3

( 0 exports )

---------------------------------------------------

File mqsvc.exe received on 10.29.2008 13:01:13 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.28.3 2008.10.29 -
AntiVir 7.9.0.10 2008.10.29 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6179 2008.10.29 -
Ewido 4.0 2008.10.29 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.29 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.511 2008.10.29 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3565 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 -
PCTools 4.4.2.0 2008.10.29 -
Prevx1 V2 2008.10.29 -
Rising 21.01.22.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 -
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.29 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.29.1443 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -
Additional information
File size: 14096 bytes
MD5...: fb78e358b230c757a6e656291935b867
SHA1..: a959619fa29ec22c9159bbfe47f49b45de909b1e
SHA256: 9857e88f612526670a6933138e030ea5ddb4399946b1f3933caa0f7fadb232bf
SHA512: aa8f5c83a687ee83f1157497fc5f383bf9302b4d1e20b003ec1e2789aea88353
b922154a822502afa2482e2b5b2c708bd62406514844b879f5eba7c96b3a6b93
PEiD..: InstallShield 2000
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402a80
timedatestamp.....: 0x48a0a6e1 (Mon Aug 11 20:53:53 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1d84 0x1e00 5.98 d339e2d1402331d5de19c300710779d4
.rdata 0x3000 0x844 0xa00 4.31 fbdc510820b838b748ccb4b040cefd1a
.data 0x4000 0x3a4 0x400 3.96 6510f29792634f03c8fa5400c821bae8
.rsrc 0x5000 0x458 0x600 2.62 e55dd55beb51c64dd97a12544b93471c

( 4 imports )
> MQQM.dll: QMInit, QMRun, _QMFinish@0
> KERNEL32.dll: WaitForSingleObject, Sleep, Beep, LeaveCriticalSection, EnterCriticalSection, SetEvent, CreateSemaphoreA, CreateThread, LocalFree, GetCurrentProcess, LocalAlloc, ReleaseSemaphore, MultiByteToWideChar, ExitProcess, CloseHandle, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, GetLastError
> ADVAPI32.dll: GetTokenInformation, OpenProcessToken, AllocateAndInitializeSid, FreeSid, EqualSid, SetServiceStatus, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA
> MSVCRT.dll: __3@YAXPAX@Z, exit, malloc, __2@YAPAXI@Z, __CxxFrameHandler, free, realloc, isalpha, gets, printf, __dllonexit, _onexit, _exit, _XcptFilter, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _stricmp, _strnicmp

( 0 exports )

---------------------------------------------------

File mq1sync.exe received on 10.29.2008 13:05:45 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.28.3 2008.10.29 -
AntiVir 7.9.0.10 2008.10.29 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6179 2008.10.29 -
Ewido 4.0 2008.10.29 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.29 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.511 2008.10.29 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3565 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 -
PCTools 4.4.2.0 2008.10.29 -
Prevx1 V2 2008.10.29 -
Rising 21.01.22.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 -
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.29 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.29.1443 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -
Additional information
File size: 14096 bytes
MD5...: 8fa7ff2d1001599b2a173445da40790b
SHA1..: 3c1a02e0177b7f986d2a8de51a1f7cb8a144f479
SHA256: b79bb33f30391a8fd1dca46603f2e8702dfca157c4ca88d9232713a28e63a3bb
SHA512: 7548d56b03432b82fed3714162bfd671710f7fb6d81976053c479da3d4b5450e
b12179126ccf8d2357459b05b5b7d065efa0fef8bf5c1f58399576981628cfea
PEiD..: InstallShield 2000
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402a40
timedatestamp.....: 0x48a0a792 (Mon Aug 11 20:56:50 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1d44 0x1e00 5.95 829146326e99dfdca71f4d359ef91e2e
.rdata 0x3000 0x818 0xa00 4.24 3e932d53632f6c317d8eaf294c8a3cee
.data 0x4000 0x408 0x400 4.26 6536562e47e5ade0b53eae40ac586682
.rsrc 0x5000 0x478 0x600 2.68 6f97e907ef7cbfd5326bc14086ab1d78

( 3 imports )
> KERNEL32.dll: EnterCriticalSection, SetEvent, CreateSemaphoreA, GetLastError, LocalFree, GetCurrentProcess, LeaveCriticalSection, ReleaseSemaphore, GetProcAddress, LoadLibraryA, FreeLibrary, ExitProcess, Beep, Sleep, WaitForSingleObject, CreateThread, CloseHandle, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, LocalAlloc
> ADVAPI32.dll: OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, FreeSid, EqualSid, SetServiceStatus, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA
> MSVCRT.dll: __3@YAXPAX@Z, exit, malloc, __2@YAPAXI@Z, __CxxFrameHandler, free, realloc, isalpha, gets, printf, __dllonexit, _onexit, _exit, _XcptFilter, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _stricmp, _strnicmp

( 0 exports )

 

[griepe]

There apparently was still problems when it comes to the registry.
Maybe it wasn't stopped after all ? Perhaps I should try uninstalling Online Armour next.

Step 2

ComboFix 08-10-25.01 - nine 10/29/2008 20:23:06.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.932.81.1033.18.770 [GMT 8:00]
Running from: C:\Documents and Settings\nine\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nine\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PVOPSTRR
-------\Service_pvopstrr
-------\Service_VFILT


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-29 19:09 . 08-10-29 19:09 464,530 ---h----- C:\WINNT\ShellIconCache
2008-10-26 07:12 . 08-10-26 07:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 07:12 . 08-10-26 07:12 <DIR> d-------- C:\Documents and Settings\nine\Application Data\Malwarebytes
2008-10-26 07:12 . 08-10-26 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-26 07:12 . 08-10-22 16:10 38,496 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-10-26 07:12 . 08-10-22 16:10 15,504 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-10-25 13:41 . 08-10-25 13:41 76,042 --a------ C:\prog_error.jpg
2008-10-25 02:59 . 08-10-25 02:59 <DIR> d-------- C:\rsit
2008-10-24 19:26 . 08-10-25 09:01 244,869,120 --a------ C:\[SS-Eclipse] Kyouran Kazoku Nikki - 02 (XviD) [8AFBFCBE].avi
2008-10-24 03:25 . 08-10-24 16:41 243,435,520 --a------ C:\[SS-Eclipse] Kyouran Kazoku Nikki - 01 (XviD) [3AFFBD34].avi
2008-10-22 22:11 . 08-10-22 22:11 <DIR> d-------- C:\[Nipponsei] Toradora! OP Single - Pre-Parade [Various]
2008-10-21 04:02 . 08-10-21 04:02 <DIR> d-------- C:\Program Files\Tall Emu
2008-10-21 04:02 . 08-10-07 00:09 178,376 --a------ C:\WINNT\system32\drivers\OADriver.sys
2008-10-21 04:02 . 08-10-07 00:09 30,920 --a------ C:\WINNT\system32\drivers\OAmon.sys
2008-10-21 04:02 . 08-10-07 00:09 28,872 --a------ C:\WINNT\system32\drivers\OAnet.sys
2008-10-21 04:01 . 08-10-21 04:01 <DIR> d-------- C:\OnlineArmor
2008-10-20 05:34 . 08-10-20 05:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-19 23:33 . 08-10-19 23:33 <DIR> d-------- C:\WINNT\system32\rpcproxy
2008-10-19 23:33 . 08-10-19 23:33 <DIR> d-------- C:\WINNT\system32\rocket
2008-10-18 20:19 . 08-10-18 20:19 0 -rahs---- C:\WINNT\system32\drivers\rkreveal150.sys
2008-10-18 20:17 . 08-10-18 20:17 <DIR> d-------- C:\WINNT\system32\34566
2008-10-18 04:05 . 08-10-18 04:05 <DIR> d-------- C:\[Nipponsei] Yozakura Quartet OP Single - JUST TUNE [savage genius]
2008-10-16 11:44 . 08-10-16 11:44 <DIR> d-------- C:\WINNT\system32\Windows Media
2008-10-16 11:43 . 08-10-16 11:43 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-10-16 11:39 . 08-10-16 11:39 <DIR> d-------- C:\WINNT\mui
2008-10-16 11:39 . 05-06-28 10:21 22,752 --a------ C:\WINNT\system32\spupdsvc.exe
2008-10-16 11:39 . 08-10-16 11:39 957 --a------ C:\WINNT\setup.inf
2008-10-16 11:39 . 08-10-16 11:39 283 --a------ C:\WINNT\setup.rpt
2008-10-16 11:37 . 02-12-11 17:34 208,896 --a------ C:\WINNT\system32\wmpns.dll
2008-10-15 17:22 . 02-08-29 07:14 44,032 --------- C:\WINNT\system32\dllcache\msxml3r.dll
2008-10-15 14:28 . 08-10-15 14:28 <DIR> d-------- C:\WINNT\system32\BITS
2008-10-15 13:36 . 08-10-15 13:36 <DIR> d-------- C:\WINNT\system\catroot
2008-10-15 13:36 . 08-10-15 13:36 <DIR> d-------- C:\Program Files\ZTE
2008-10-15 00:18 . 08-10-15 00:17 193,770 --a------ C:\1217920173864.jpg
2008-10-05 16:19 . 08-10-05 16:20 262 --a------ C:\WINNT\YAN2.INI
2008-10-04 14:15 . 08-10-29 20:26 335 --a------ C:\WINNT\system32\Pen_Tablet.dat
2008-10-03 13:00 . 08-10-03 12:46 3,701,530 --a------ C:\yozakura_quartet_OP.flv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 17:41 310,032 ----a-w C:\WINNT\system32\dllcache\NETAPI32.DLL
2008-09-15 05:13 1,644,432 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-09-15 05:13 1,644,432 ------w C:\WINNT\system32\dllcache\win32k.sys
2008-09-12 02:19 --------- d-----w C:\Program Files\Anathema
2008-09-05 22:05 --------- d-----w C:\Program Files\7-Zip
2008-08-28 04:44 239,344 ----a-w C:\WINNT\system32\drivers\SRV.SYS
2008-08-28 04:44 239,344 ----a-w C:\WINNT\system32\dllcache\srv.sys
2008-08-20 04:24 132,096 ----a-w C:\WINNT\system32\dllcache\MSRATING.DLL
2008-08-20 04:23 402,944 ----a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
2008-08-20 04:23 143,360 ----a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
2008-08-20 04:23 1,340,416 ----a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
2008-08-20 04:23 1,018,368 ----a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
2008-08-20 02:51 69,632 ----a-w C:\WINNT\system32\dllcache\INSENG.DLL
2008-08-20 02:51 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-08-20 02:51 575,488 ----a-w C:\WINNT\system32\dllcache\WININET.DLL
2008-08-20 02:51 498,176 ----a-w C:\WINNT\system32\dllcache\MSTIME.DLL
2008-08-20 02:51 462,336 ----a-w C:\WINNT\system32\dllcache\URLMON.DLL
2008-08-20 02:51 351,744 ----a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
2008-08-20 02:51 34,816 ----a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
2008-08-20 02:51 236,032 ----a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
2008-08-20 02:51 2,706,432 ----a-w C:\WINNT\system32\dllcache\MSHTML.DLL
2008-08-20 02:51 192,512 ----a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
2008-08-20 02:51 12,288 ----a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
2008-08-12 07:47 98,064 ----a-w C:\WINNT\system32\dllcache\mqmig.exe
2008-08-12 07:47 77,712 ----a-w C:\WINNT\system32\dllcache\mqac.sys
2008-08-12 07:47 25,360 ----a-w C:\WINNT\system32\dllcache\mqbkup.exe
2008-08-12 07:47 14,096 ----a-w C:\WINNT\system32\dllcache\mqsvc.exe
2008-08-12 07:47 14,096 ----a-w C:\WINNT\system32\dllcache\mq1sync.exe
2007-11-25 09:48 271 ---h--w C:\Program Files\desktop.ini
2007-11-25 09:48 21,952 ---h--w C:\Program Files\folder.htt
2003-08-27 03:49 3,424 ----a-w C:\WINNT\inf\OTHER\cmiainfo.sys
2003-07-04 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINNT\system32\34566 ----

08-10-27 12:25 429801 --a------ C:\WINNT\system32\34566\sp03.exe
08-10-27 12:25 2278 --a------ C:\WINNT\system32\34566\f01.ini
08-10-27 11:30 18 --a------ C:\WINNT\system32\34566\d00.ini
08-10-27 11:14 16 --a------ C:\WINNT\system32\34566\d02.ini
08-10-27 10:20 60 --a------ C:\WINNT\system32\34566\ev0.info
08-10-19 18:17 2855 --a------ C:\WINNT\system32\34566\svchost.PIF
08-10-18 20:33 1118208 --a------ C:\WINNT\system32\34566\libeay32.dll
08-10-18 20:32 262144 --a------ C:\WINNT\system32\34566\ssleay32.dll


((((((((((((((((((((((((((((( snapshot@Mon 2008-10-27_13.20.36.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-01 14:56:00 96,256 ----a-w C:\WINNT\system32\ATL80.dll
+ 2006-12-01 16:08:00 40,960 ----a-w C:\WINNT\system32\mfc80CHS.dll
+ 2006-12-01 16:08:00 45,056 ----a-w C:\WINNT\system32\mfc80CHT.dll
+ 2006-12-01 16:08:00 65,536 ----a-w C:\WINNT\system32\mfc80DEU.dll
+ 2006-12-01 16:08:00 57,344 ----a-w C:\WINNT\system32\mfc80ENU.dll
+ 2006-12-01 16:08:00 61,440 ----a-w C:\WINNT\system32\mfc80ESP.dll
+ 2006-12-01 16:08:00 61,440 ----a-w C:\WINNT\system32\mfc80FRA.dll
+ 2006-12-01 16:08:00 61,440 ----a-w C:\WINNT\system32\mfc80ITA.dll
+ 2006-12-01 16:08:00 49,152 ----a-w C:\WINNT\system32\mfc80JPN.dll
+ 2006-12-01 16:08:00 49,152 ----a-w C:\WINNT\system32\mfc80KOR.dll
+ 2006-12-01 14:56:00 96,256 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 16:08:00 40,960 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 16:08:00 45,056 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 16:08:00 65,536 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 16:08:00 57,344 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 16:08:00 61,440 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 16:08:00 61,440 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 16:08:00 61,440 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 16:08:00 49,152 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 16:08:00 49,152 ----a-w C:\WINNT\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06-11-16 19:04 139264]
"internat.exe"="internat.exe" [03-07-04 12:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [06-01-12 15:40 155648]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [07-11-07 07:00 8523776]
"SoundMan"="SOUNDMAN.EXE" [05-06-20 21:42 77824 C:\WINNT\soundman.exe]
"Synchronization Manager"="mobsync.exe" [03-07-04 12:00 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.xvid"= xvid.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"@OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R1 OADevice;OADriver;C:\WINNT\system32\drivers\OADriver.sys [08-10-07 00:09 178376]
R1 OAmon;OAmon;C:\WINNT\system32\drivers\OAmon.sys [08-10-07 00:09 30920]
R1 OAnet;OAnet;C:\WINNT\system32\drivers\OAnet.sys [08-10-07 00:09 28872]
R2 OAcat;Online Armor Helper Service;C:\Program Files\Tall Emu\Online Armor\oacat.exe [08-10-07 00:09 1402568]
R2 TabletServicePen;TabletServicePen;C:\WINNT\system32\Pen_Tablet.exe [07-09-08 02:16 1373480]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\lne100v5.sys [01-04-02 11:01 36013]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-07-04 12:00 24784]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 49776]
R3 ZTPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\system32\DRIVERS\ztpppoe.sys [04-01-04 18:37 18238]
S3 ADM9X;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM9X.sys [01-10-25 14:43 35968]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [05-03-23 16:56 9038]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 20:27:04
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7Core]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7RsNT]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7UpdSvc]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgClean]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AASW2_Service]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AbtrusionDriver]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AbtrusionSecurityService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\acshield]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AeServ]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMBRAPP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMBRIM]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AntiVirFirewallService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ANTIVIRSERVICE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\APFTrans]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avas_service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avfwot]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVG Anti-Rootkit]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7Core]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7RsNT]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg7UpdSvc]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avg8wd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgArCln]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgClean]
"ImagePath"="nul"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgCore]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgCoreSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgFsh]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avgfws8]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVGFwSrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgMfx86]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgRkx86]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgServ]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avipbb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVKWCtl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVZRK]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVZSG]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\baserand]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bc_filter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bc_ip_f]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdftdif]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BlackICE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blinksvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BOCore]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BufferZoneSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BZDcomLaunch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BZRpcSs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CAISafe]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cavasm]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdAgent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cmdGuard]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Comodo Anti-Virus and Anti-Spyware Service]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctdrvw2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctiserv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cyberhawk]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DarkSpy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DCSPGSRV]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DeepFrz]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DEEPMON]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\defensewall_serv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRIVESENTRYCOMMSDRIVER]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drivesentryfilterdriver2lite]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRIVESENTRYKEEPERDRIVER]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DriveSentryRegHookDriver]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DrvFltIp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ds2kDrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dwall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ECONCEAL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EconService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekrn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EQService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EQSpyWatch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eScan Monitor Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ESCANMX]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esiasdrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F-Secure Gatekeeper Handler Starter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F-Secure HIPS]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fgccow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fgccsrt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fgcrepl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FileHook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FILEMON701]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FireSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FortiPFW]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fortknox]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fortknox_drv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FSDFWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fsfltdrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FSFW]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FSRT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fwdrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GDFwSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ghostsec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ghstwall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gmer]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GuardX]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HipService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iamServ]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\icsak]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IMMDRV]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InoRT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ipcSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ipfrwl]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IsDrv118]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISFWEnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IsPubDrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISRService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IswSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\itmrtsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jetico personal firewall server]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KAVMonitorService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kavsvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KerioServerFirewall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\khips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KLIF]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KLPF]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Klpid]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KPF4]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KPfwSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KWatchSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lnsfw1]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LocalCpa]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McODS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McRedirector]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McShield]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MksFwall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mksfwallf]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MKSFWALLT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPFP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPFSERVICE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPSVCService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSFWHLPR]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVAPEL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\navapsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\naveng]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NCDSSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\neoava_drv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\neosvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETFLTDI]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nk4Seem]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nod32drv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOD32krn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norman ZANDA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NORTON ANTIVIRUS SERVER]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OneCareMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OnlineNT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OutpostFirewall]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pavfires]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pavkre]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PavProt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pavsrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PcCtlCom]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PcScnSrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCTAVSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCToolsFirewallPlus]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PersFw]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PFNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pldriver]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PortsLock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PPCtlPriv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PREVXAgent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PrismaNDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PrismaNDISFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCEXP100]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCEXP90]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCMON10]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCMON11]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProSecur]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\services.exe"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSEXESVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSHost]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\psh_svc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSIMSVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSMAntiSpy]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pwipf2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PWIPF6]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QuickHealFirewall]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapApp]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RegHook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\REGMON701]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ImagePath"="C:\WINNT\system32\34566\svchost.exe"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RFW]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RfwService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RGSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RKD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkhdrv10]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkhdrv31]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkhdrv40]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RVSDISK]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\safemon]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SafenSec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAFESYSTEM]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SanaSafeConnectAgent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\savant]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\savantnetagent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\savrtpel]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SBAPIFS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SBCSSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SBHR]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdAuxService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdCoreService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfcorevt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SfCtlCom]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Shadow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShadowSystemService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SnoopFree]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SnoopFreeSvc]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Client Firewall]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPF4]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spider]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPIDERCTL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spidernt]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srescan]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Superkill]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SvcOnlineArmor]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec AntiVirus]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymantecAntiBotAgent]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysProtService]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tahi]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TAVM_Service]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDI_RD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Teefer]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TMBMServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tmntsrv]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TmPfw]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tppfdmn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPSrv]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UmxCfg]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UmxPol]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Vba32Ldr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VCFSVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VETMONNT]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrfwsvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsmon]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WehnServ]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows SteadyState]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRollBackSvc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRoute]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WRDRV]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XCOMM]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XPacket]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZeroVProtect]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZVRegMon]

.
Completion time: 2008-10-29 20:28:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 12:28:00
ComboFix2.txt 2008-10-27 05:21:18

Pre-Run: 1,957,117,952 bytes free
Post-Run: 1,981,300,736 bytes free

528 --- E O F --- 2008-10-24 06:05:59

 

[griepe]

Memory usage seems to be back to normal and Spybot didn't pick up anything the last time I ran it, but 'Add/Remove Programs' still doesn't work.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, October 30, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 29, 2008 04:28:52
Records in database: 1355156
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 116630
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 04:59:13


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Downloads\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
F:\Downloads\FlashGet.v1.40\fgf140.exe Infected: not-a-virus:AdWare.Win32.Cydoor 1

The selected area was scanned.

 

[katana]

If Spybot S&D didn't pick them up, then Combofix has removed them
Try running MBAM again to make sure.

Are you aware that mIRC is installed ?


I recommend that you delete the following file
F:\Downloads\FlashGet.v1.40\fgf140.exe

 

[griepe]

aaand Deleted. Yes I'm aware of mIRC, I need it to be present at project channels. Is it currently a threat ?

Thankfully MBAM isn't detecting anything either

However, I still get this error while trying to install AVG8, even in safe mode:

------------------------------------------------------

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SYSTEM\CurrentControlSet\Services\AvgMfx86: creating registry key....
Error 0x80070005

------------------------------------------------------

..and Add/Remove Programs is still not working.

There's also these three highly suspicious 'empty' folders that can't be deleted due to sharing violation(source or destination file may be in use). They can be removed in safe mode, only to reappear when rebooting in normal.

C:\WINNT\system32\rpcproxy
C:\WINNT\system32\rocket
C:\WINNT\system32\inetsrv

 

[katana]

Yes I'm aware of mIRC, I need it to be present at project channels. Is it currently a threat ?

Not as long as you know it is there, sometimes malware installs it and uses it to receive instructions, that is why we check if you installed it.

..and Add/Remove Programs is still not working.

In what way is in not working ...
It won't open at all ?
It opens but is empty ?
It won't uninstall certain programs ?

C:\WINNT\system32\rpcproxy
C:\WINNT\system32\rocket
C:\WINNT\system32\inetsrv

These are all Microsoft folders and should be left alone.

Try installing Avast instead of AVG.
Avast

please post a fresh HJT log also.