Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

Welcome to What the Tech!

   
> [Closed] ativtmx.dll virus!
cereal_killerxx
post Dec 15 2008, 12:40 AM
Post #1


Authentic Member

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



For the past few days, my computer has been acting slower in Internet Explorer and Firefox Mozilla. It has been either going slow when moving to pages or redirecting me to another site or 404 type of page.
So, I decided to update my Spybot Search and Destroy and download AVG antivirus free with all the newest updates. Rebooted my computer into safe mode. After scanning with both programs and finding quite a bit of stuff, I went back into regular mode only to find that every minute or so, AVG pops up with ativtmx.dll virus. And for all I know, there still might be more viruses and stuff! Please help! Here's my log file from HijackThis.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:08 AM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 208.69.57.87 game01.us.segaonline.jp
O1 - Hosts: 208.69.57.87 patch01.us.segaonline.jp
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {52A94784-A36E-4517-8729-0456A7098E23} - C:\Program Files\MSN\mesofimyt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {68EF0032-B354-4A54-9E49-FFFDABDB2936} - C:\WINDOWS\system32\ativtmx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {983CD211-164D-48C7-9B84-38E1745DCA1C} - C:\WINDOWS\system32\ativvax.dll (file missing)
O2 - BHO: 0 - {9F754ED1-20E8-4123-A898-D6C75F20638F} - C:\Program Files\Common Files\qufax.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\Jesse\LOCALS~1\Temp\16360\explorer.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [install] C:\WINDOWS\WINDOWS\install.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [install] C:\WINDOWS\WINDOWS\install.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://keycrypt.levelupgames.co.in/nProtec...crypt/npkcx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat,avgrsstx.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: JkSwxZfo - {588C74B3-F226-DE19-2803-20D675DC3D2B} - C:\WINDOWS\system32\yi.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi67655.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: spoolsv.exe - Unknown owner - c:\windows\system32\drivers\etc\Services.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11505 bytes
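The HijackThis log above is read by eye in this thread. As an added example (not part of the original post, and not code from HijackThis or from the forum), here is a small Python triage script that parses the O-section lines of such a log and flags the patterns a malware helper looks at first: entries whose file is missing, unnamed BHOs or toolbars backed by a real file, autoruns launched from a Temp folder or a doubled directory such as C:\WINDOWS\WINDOWS, core Windows binary names loaded from outside the Windows directory, AppInit_DLLs entries that are not .dll files, and hosts-file overrides. The heuristics, function names and flag strings are this example's own; the sample lines are copied from the log in this post, with two ordinary entries (Adobe, AVG) included so the script has something to leave alone.

```python
"""Heuristic triage of HijackThis log entries (added example; not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 208.69.57.87 game01.us.segaonline.jp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68EF0032-B354-4A54-9E49-FFFDABDB2936} - C:\WINDOWS\system32\ativtmx.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\DOCUME~1\Jesse\LOCALS~1\Temp\16360\explorer.exe
O4 - HKLM\..\Run: [install] C:\WINDOWS\WINDOWS\install.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat,avgrsstx.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: spoolsv.exe - Unknown owner - c:\windows\system32\drivers\etc\Services.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.I)
# Core Windows binaries whose names malware likes to borrow; one of these
# outside C:\WINDOWS deserves a second look.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "services.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}


@dataclass
class Entry:
    code: str   # section code, e.g. "O2"
    body: str   # everything after "O2 - "
    flags: list = field(default_factory=list)


def _last_field(body):
    """Last ' - ' separated field of an entry, minus any '(file missing)' suffix."""
    return MISSING_RE.sub("", body.split(" - ")[-1]).strip()


def _run_target(body):
    """Executable of an O4 entry: the quoted path, or the text up to the first extension."""
    after = body.split("]", 1)[1].strip()
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|dll|bat|cmd|scr))\b", after, re.I)
    return m.group(1) if m else after


def _path_flags(path):
    """Location-based heuristics shared by BHO, toolbar, autorun and service entries."""
    low = path.lower()
    parts = [p for p in low.split("\\") if p]
    out = []
    if "temp" in parts or "tmp" in parts:
        out.append("runs from a temporary directory")
    if any(a == b for a, b in zip(parts, parts[1:])):
        out.append("doubled directory component in path")
    name = parts[-1] if parts else low
    if name in SYSTEM_BINARIES and not low.startswith(
            ("c:\\windows\\system32\\" + name, "c:\\windows\\" + name)):
        out.append("system binary name loaded from a non-system location")
    return out


def triage(entry):
    """Attach heuristic flags to one entry and return it."""
    code, body, low, flags = entry.code, entry.body, entry.body.lower(), entry.flags
    if MISSING_RE.search(body):
        flags.append("orphan: referenced file is absent")
    elif code in ("O2", "O3") and "(no name)" in low:
        flags.append("unnamed add-on backed by a present file")  # legit add-ons register a name
    if code == "O1":
        m = re.match(r"hosts:\s*(\S+)\s+(\S+)", low)
        if m and m.group(1) not in ("127.0.0.1", "::1"):
            flags.append(f"hosts-file override: {m.group(2)} pinned to {m.group(1)}")
    if code == "O4":
        flags.extend(_path_flags(_run_target(body)))
    elif code in ("O2", "O3", "O9", "O23"):
        flags.extend(_path_flags(_last_field(body)))
    if code == "O20" and low.startswith("appinit_dlls:"):
        # AppInit_DLLs are loaded into every process that links user32.dll.
        for item in body.split(":", 1)[1].split(","):
            item = item.strip()
            if item and not item.lower().endswith(".dll"):
                flags.append(f"AppInit_DLLs entry without .dll extension: {item}")
    if code == "O23":
        display = body.split(" - ")[0].split(":", 1)[1].strip()
        if display.lower().endswith(".exe"):
            flags.append("service display name is a file name")
    return entry


def triage_log(text):
    """Parse every 'Oxx - ' line of a HijackThis log and flag it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(triage(Entry(m["code"], m["body"])))
    return entries


def flagged_entries(text):
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.code} - {e.body}\n    -> " + "\n    -> ".join(e.flags))
```

Run it directly to print the flagged lines; in practice you would feed it a whole saved log. The flags are review prompts, not verdicts: hosts entries for game servers and leftover "(file missing)" references from uninstalled software are common false positives, which is why a helper reads the full log before deciding what to fix.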
IndiGenus
post Dec 15 2008, 08:15 AM
Post #2


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



Hi and welcome to the forums here at WTT.


Yes, you are pretty heavily infected here. Let's see if we can get this cleaned up. Please stay with this thread until I give the all clear. Absence of symptoms does not mean you are Malware free.

Please download SDFix and save it to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • Open the SDFix folder and double click on RunThis.bat to start the script.
  • Type Y and press Enter to begin the script.
  • It will start cleaning your PC and then prompt you to press any key to Reboot.
  • Press any key to restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished.
  • Press any key to end the script and to load your desktop icons.
  • A text file should automatically open, so please copy the contents and post them here.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



cereal_killerxx
post Dec 15 2008, 03:15 PM
Post #3


Authentic Member

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



My computer still has issues. That dll file I mentioned earlier still pops up from AVG whenever I open up anything (I think I forgot to mention that before).
Here are all the log files:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:52 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {68EF0032-B354-4A54-9E49-FFFDABDB2936} - C:\WINDOWS\system32\ativtmx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: spoolsv.exe - Unknown owner - c:\windows\system32\drivers\etc\Services.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9511 bytes


ComboFix 08-12-15.01 - Jesse 2008-12-15 15:57:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1536 [GMT -5:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jesse\Application Data\inst.exe
c:\temp\17o7
c:\temp\17o7\tmpTF.log
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\cs_cache.ini
c:\windows\system32\config\systemprofile\application data\.rdr.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\smpi1
c:\windows\system32\smpi1\DealioKit1-stub-0.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\WINDOWS

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPI113210
-------\Legacy_CORE
-------\Legacy_DRIVERPP
-------\Legacy_EXAMPLE
-------\Legacy_GB
-------\Legacy_NDNET1
-------\Legacy_RUNTIME
-------\Legacy_WINCOM32
-------\Service_aspi113210


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 15:27 . 2008-12-15 15:27 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-15 15:19 . 2008-12-15 15:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 15:08 . 2008-12-15 15:48 <DIR> d-------- C:\SDFix
2008-12-15 01:37 . 2008-12-15 01:37 <DIR> d-------- c:\program files\Trend Micro
2008-12-15 01:20 . 2008-12-15 01:20 <DIR> d-------- c:\program files\ERUNT
2008-12-14 20:11 . 2008-12-14 20:11 <DIR> d-------- c:\program files\PrevxCSI
2008-12-14 20:11 . 2008-12-14 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-14 20:11 . 2008-12-14 20:11 26,808 --a------ c:\windows\system32\drivers\pxark.sys
2008-12-14 20:09 . 2008-12-14 20:09 8,576 --a------ c:\windows\system32\drivers\jwuevecbaupr.sys
2008-12-14 16:51 . 2008-12-14 16:51 <DIR> d-------- c:\documents and settings\Administrator\Pavark
2008-12-14 16:34 . 2008-12-14 16:34 <DIR> d-------- c:\documents and settings\Jesse\Pavark
2008-12-14 16:34 . 2008-12-14 16:34 8,576 --a------ c:\windows\system32\drivers\cbqwlbykjvtj.sys
2008-12-14 16:28 . 2008-12-15 00:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-14 16:26 . 2008-12-14 16:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-14 16:26 . 2008-12-14 16:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-14 16:25 . 2008-12-15 09:26 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\program files\AVG
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\documents and settings\Jesse\Application Data\AVGTOOLBAR
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-14 16:25 . 2008-12-14 16:25 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-14 14:51 . 2008-12-14 14:51 <DIR> d--hs---- c:\documents and settings\Jesse\PrivacIE
2008-12-14 14:44 . 2008-12-14 14:45 <DIR> d--h-c--- c:\windows\ie8
2008-12-14 04:00 . 2008-12-14 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-12-13 01:59 . 2008-04-13 19:11 95,744 --a------ c:\windows\system32\ativtmx.dll
2008-12-07 20:06 . 2008-12-07 20:13 <DIR> d-------- c:\program files\Phantasy Star Online Blue Burst
2008-12-04 16:48 . 2008-12-04 16:48 <DIR> d-------- c:\windows\system32\AGEIA
2008-12-04 16:48 . 2008-12-04 16:48 <DIR> d-------- c:\program files\AGEIA Technologies
2008-12-04 16:19 . 2008-12-12 15:31 <DIR> d-------- c:\program files\SpeedFan
2008-12-04 16:19 . 2008-12-04 16:19 45 --a------ c:\windows\system32\initdebug.nfo
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 19:31 --------- d-----w c:\program files\Steam
2008-12-14 19:44 31,616 ----a-w c:\windows\system32\drivers\Winir18.sys
2008-12-13 22:05 --------- d-----w c:\documents and settings\Jesse\Application Data\Vso
2008-12-13 09:46 --------- d-----w c:\documents and settings\Jesse\Application Data\mIRC
2008-12-04 22:08 --------- d-----w c:\program files\Java
2008-12-04 21:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 19:52 --------- d-----w c:\program files\StepMania
2008-11-21 19:29 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-21 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 20:39 --------- d-----w c:\program files\Lx_cats
2008-11-03 07:07 --------- d-----w c:\program files\SHARP
2008-10-26 23:39 --------- d-----w c:\program files\Midway Home Entertainment
2008-10-25 03:43 --------- d-----w c:\documents and settings\Jesse\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 08:03 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2008-09-23 21:12 9,216 ----a-w C:\MsnHandWriting.dll
2008-02-27 05:46 47,360 ----a-w c:\documents and settings\Jesse\Application Data\pcouffin.sys
2008-02-06 21:15 87,608 ----a-w c:\documents and settings\Jesse\Application Data\ezpinst.exe
2007-05-07 04:10 279 ----a-w c:\program files\Common Files\qufax
2007-04-30 15:06 142 ----a-w c:\program files\Common Files\rtenem.html
2006-09-20 20:15 94,080 ----a-w c:\documents and settings\Jesse\Application Data\ezplay.sys
2007-06-02 18:24 61,038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 18:24 49,256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 18:24 166,000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-11 02:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071020080711\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}]
2008-04-13 19:11 95744 --a------ c:\windows\system32\ativtmx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 180269]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-14 1261336]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 c:\windows\soundman.exe]

c:\documents and settings\Jesse\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winir18.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jesse^Start Menu^Programs^Startup^Registration Far Cry.LNK]
path=c:\documents and settings\Jesse\Start Menu\Programs\Startup\Registration Far Cry.LNK
backup=c:\windows\pss\Registration Far Cry.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jesse^Start Menu^Programs^Startup^Z_Start.lnk]
path=c:\documents and settings\Jesse\Start Menu\Programs\Startup\Z_Start.lnk
backup=c:\windows\pss\Z_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-11 13:32 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-04 10:39 149040 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2006-10-31 19:34 43008 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 13:32 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2003-06-20 07:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 07:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-04-30 07:19 20480 c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-06-11 18:27 291760 c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2003-06-20 07:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-05-04 10:59 161328 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA Performance Examiner]
--a------ 2008-10-07 13:33 797216 c:\windows\system32\nvcplui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2003-06-20 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2003-06-20 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-03-14 20:01 71216 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-11 15:15 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-11 23:10 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 12:14 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-11-11 13:07 90112 c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 bkokjiex;bkokjiex;c:\windows\system32\drivers\bkokjiex.sys [2004-08-04 23424]
R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-12-14 26808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-14 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2006-08-29 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2008-01-26 8192]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-14 76040]
R2 CSIScanner;CSIScanner;"c:\program files\PrevxCSI\prevxcsi.exe" /service [2008-12-14 927288]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2005-12-31 24652]
S0 Winir18;Winir18;c:\windows\system32\Drivers\Winir18.sys [2006-08-29 31616]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2008-06-20 99248]
S2 spoolsv.exe;spoolsv.exe;c:\windows\system32\drivers\etc\Services.exe /name:"spoolsv.exe" /start:"install.exe" []
S3 Acapips;Acapips; []
S3 BS_Flash;BS_Flash;\??\c:\program files\Tseries BIOS Update\Award\BS_Flash.sys [2008-07-16 3604]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-10-16 28672]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-22 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-06-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-22 21632]
S3 PRISM_USB;Linksys Wireless-B USB Network Adapter Driver;c:\windows\system32\DRIVERS\LSPMUSBX.sys [2004-07-26 666624]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{880e7acc-e6c6-11db-bb88-00e04ce9d8a9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce79a42c-406f-11db-baa4-00e04ce9d8a9}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{52A94784-A36E-4517-8729-0456A7098E23} - c:\program files\MSN\mesofimyt.dll
BHO-{983CD211-164D-48C7-9B84-38E1745DCA1C} - c:\windows\system32\ativvax.dll
BHO-{9F754ED1-20E8-4123-A898-D6C75F20638F} - c:\program files\Common Files\qufax.dll
HKCU-Run-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
ShellExecuteHooks-{009D739E-D7A2-456A-AE04-EB9ABF822FE4} - c:\docume~1\Jesse\LOCALS~1\Temp\aow.dll
SSODL-JkSwxZfo-{588C74B3-F226-DE19-2803-20D675DC3D2B} - c:\windows\system32\yi.dll
MSConfigStartUp-au - c:\program files\Dealio\DealioAU.exe
MSConfigStartUp-Brave-Sentry - c:\program files\BraveSentry\BraveSentry.exe
MSConfigStartUp-Configuration Manager - c:\windows\cfg32.exe
MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
MSConfigStartUp-install - c:\windows\WINDOWS\install.exe
MSConfigStartUp-LoadMSvcmm - c:\program files\Movielink\MovielinkManager\Movielink User.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~1.DLL
MSConfigStartUp-NielsenOnline - c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe
MSConfigStartUp-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
MSConfigStartUp-Pinnacle Game Profiler - c:\program files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-runner1 - c:\windows\retadpu27.exe
MSConfigStartUp-spoolsvv - c:\windows\system32\spoolsvv.exe
MSConfigStartUp-System - c:\windows\system32\kernels32.exe
MSConfigStartUp-Windows update loader - c:\windows\xpupdate.exe
MSConfigStartUp-{C7-74-4B-B2-ZN} - c:\windows\system32\dwdsregt.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: ????????????????????????
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: ???????????????????????? - c:\program files\Megaupload\Mega Manager\mm_file.htm

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\DekaronAutoPlay.ocx
c:\windows\Downloaded Program Files\GHSysInfo.ocx
O16 -: {4F091885-8A80-478E-8F48-C53508CA12FD}
hxxp://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
c:\windows\Downloaded Program Files\Dekaron.inf

c:\windows\system32\sessionctrl.dll - O16 -: {9BEEA7FF-FF76-403C-B124-86D9835435F0}
hxxp://file.gamechu.net/dl/download/sessionctrl.cab
c:\windows\Downloaded Program Files\sessionctrl.inf
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\nssaw6hh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 16:01:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxddcoms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-15 16:05:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 21:05:00

Pre-Run: 10,891,501,568 bytes free
Post-Run: 10,873,139,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

327 --- E O F --- 2008-12-14 19:50:15



SDFix: Version 1.240
Run by Jesse on Mon 12/15/2008 at 03:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\WINMU86.sys - Rootkit Pandex/Cutwail - Runtime.sys

Name :
Driver
WINMU86

Path :
\??\C:\WINDOWS\system32\spoolsvv.sys
System32\Drivers\Winmu86.sys

Driver - Deleted
WINMU86 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service WINMU86 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\qvx5gamet2.exe - Deleted
C:\Documents and Settings\Jesse\Application Data\.rdr.ini - Deleted
C:\WINDOWS\s32.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\drivers\etc\xdcc.ini - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\ws386.ini - Deleted
C:\WINDOWS\system32\drivers\WINMU86.sys - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\Ipwindows - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\drivers\etc\channels - Removed
Folder C:\WINDOWS\system32\drivers\etc\download - Removed
Folder C:\WINDOWS\system32\drivers\etc\scripts - Removed
Folder C:\WINDOWS\system32\drivers\etc\server - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 15:44:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:675a2658
"s2"=dword:3f96d3a3
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d6,69,eb,2a,33,1d,fe,f2,a6,a3,33,f8,56,03,3a,38,de,43,27,14,0b,..
"p0"="C:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,11,cc,ab,9f,5f,7d,f9,2e,79,d6,03,45,8f,f7,ab,c8,b7,..
"khjeh"=hex:08,a2,a2,65,8c,ce,3e,cb,f8,7b,6c,60,4c,85,09,89,66,c8,18,77,dd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4c,cc,11,08,b3,f0,fc,f4,33,d7,a3,6b,ac,f4,f4,0d,49,01,34,26,d5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d6,69,eb,2a,33,1d,fe,f2,a6,a3,33,f8,56,03,3a,38,de,43,27,14,0b,..
"p0"="C:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,11,cc,ab,9f,5f,7d,f9,2e,79,d6,03,45,8f,f7,ab,c8,b7,..
"khjeh"=hex:08,a2,a2,65,8c,ce,3e,cb,f8,7b,6c,60,4c,85,09,89,66,c8,18,77,dd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:39,fc,c8,cf,8b,82,2c,9d,82,2a,4b,d0,aa,f9,d7,08,c8,12,69,68,d6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d6,69,eb,2a,33,1d,fe,f2,a6,a3,33,f8,56,03,3a,38,de,43,27,14,0b,..
"p0"="C:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,11,cc,ab,9f,5f,7d,f9,2e,79,d6,03,45,8f,f7,ab,c8,b7,..
"khjeh"=hex:08,a2,a2,65,8c,ce,3e,cb,f8,7b,6c,60,4c,85,09,89,66,c8,18,77,dd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4c,cc,11,08,b3,f0,fc,f4,33,d7,a3,6b,ac,f4,f4,0d,49,01,34,26,d5,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"c:\\windows\\system32\\drivers\\etc\\install.exe"="c:\\windows\\system32\\drivers\\etc\\install.exe:*:Enabled:mIRC"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Lexmark 2500 Series\\app4r.exe"="C:\\Program Files\\Lexmark 2500 Series\\App4R.exe:*:Enabled:Printing Application"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Tue 3 Apr 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 6 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"

Finished!

IndiGenus
post Dec 15 2008, 04:16 PM
Post #4


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



This is a very seriously infected machine, with some nasty rootkits that appear to have been there for some time. We'll see if we can get it cleaned up...


1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
c:\windows\system32\ativtmx.dll
c:\windows\system32\Drivers\Winir18.sys
c:\windows\system32\drivers\etc\Services.exe
c:\windows\system32\XDva008.sys

Driver::
Winir18
spoolsv.exe
Acapips
XDva008

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

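The CFScript above was assembled by hand from the `R0`/`S2`/`S3` service lines in the ComboFix log. As an added example that is not part of this thread and is neither ComboFix's nor the expert's own code, the following Python script parses those service lines, flags entries on a few string heuristics of my own (an empty `[]` file-info field, an empty image path, an executable living under `drivers\etc`, a service named after a core Windows process) and drafts the `File::` and `Driver::` sections in the layout shown above. The sample lines are copied from the log earlier in the thread. The heuristics produce candidates for an analyst, not verdicts: the Lexmark `lxdd_device` entry is flagged on the `[]` signal and is benign, so the draft is built with it excluded, while `Winir18`, which the expert identified from other evidence, is not caught by string checks at all. The `Registry::` section still has to be written by hand.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a ComboFix service/driver line, e.g.
#   R0 bkokjiex;bkokjiex;c:\windows\system32\drivers\bkokjiex.sys [2004-08-04 23424]
#   S3 Acapips;Acapips; []
# Fields: state (R running / S stopped, plus start type), service name, display
# name, image string (path plus arguments) and "[date size]", or "[]" when
# ComboFix could not find the file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]$"
)
# Leading executable inside the image string: everything up to the first .exe/.sys/.dll
EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))", re.IGNORECASE)

# Core Windows process names; a *service* registered under one of these is unusual.
SYSTEM_PROCESS_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe",
                        "services.exe", "winlogon.exe", "csrss.exe"}

# Constructed sample: service lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 bkokjiex;bkokjiex;c:\windows\system32\drivers\bkokjiex.sys [2004-08-04 23424]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service []
S0 Winir18;Winir18;c:\windows\system32\Drivers\Winir18.sys [2006-08-29 31616]
S2 spoolsv.exe;spoolsv.exe;c:\windows\system32\drivers\etc\Services.exe /name:"spoolsv.exe" /start:"install.exe" []
S3 Acapips;Acapips; []
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []
"""


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str   # raw image string, may carry arguments
    info: str    # "date size", or "" when ComboFix could not stat the file

    @property
    def exe_path(self) -> str:
        """Executable path without the \\??\\ prefix, surrounding quotes or arguments."""
        path = self.image.strip().strip('"')
        if path.startswith("\\??\\"):
            path = path[4:]
        m = EXE_RE.match(path)
        return m.group(1) if m else ""


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], m["name"], m["display"], m["image"], m["info"].strip())


def suspicious_reasons(entry: ServiceEntry) -> list:
    """Heuristic triage (my own rules, not ComboFix logic): why an entry deserves review."""
    reasons = []
    path = entry.exe_path.lower()
    if not path:
        reasons.append("no image path")
    elif entry.info == "":
        reasons.append("file info empty ([]): binary absent or unreadable")
    if "\\drivers\\etc\\" in path:
        reasons.append("executable under drivers\\etc, a text-config directory")
    if entry.name.lower() in SYSTEM_PROCESS_NAMES:
        reasons.append("service named after a core Windows process")
    return reasons


def triage(log_text: str) -> dict:
    """Map service name -> (entry, reasons) for every flagged service line in a log."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry.name] = (entry, reasons)
    return findings


def cfscript(findings: dict, exclude=frozenset()) -> str:
    """Draft File:: and Driver:: sections; `exclude` drops analyst-confirmed false positives."""
    kept = {name: entry for name, (entry, _) in findings.items() if name not in exclude}
    files = [e.exe_path for e in kept.values() if e.exe_path]
    lines = ["File::", *files, "", "Driver::", *kept, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, (entry, reasons) in found.items():
        print(f"{entry.state} {name}: " + "; ".join(reasons))
    print(cfscript(found, exclude={"lxdd_device"}))
```

Run as-is, it lists the four flagged services with their reasons and prints a draft script whose `File::` section contains `Services.exe` and `XDva008.sys` and whose `Driver::` section lists `spoolsv.exe`, `Acapips` and `XDva008`; that matches the expert's hand-written CFScript apart from `Winir18` and the `Registry::` line, which needed knowledge the service lines alone do not carry.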
cereal_killerxx
post Dec 15 2008, 04:50 PM
Post #5


Authentic Member
**

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



The DLL I mentioned earlier doesn't seem to pop up anymore, but Internet Explorer still lags a little when it first loads up and when switching pages. Also, sorry, I guess there was another thing I forgot to mention, now that I think about it: whenever I try to download stuff, I usually get a script error that asks me if I want to debug it.

Here are the logs again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:34 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {68EF0032-B354-4A54-9E49-FFFDABDB2936} - C:\WINDOWS\system32\ativtmx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9228 bytes


ComboFix 08-12-15.01 - Jesse 2008-12-15 17:37:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1548 [GMT -5:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jesse\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\ativtmx.dll
c:\windows\system32\drivers\etc\Services.exe
c:\windows\system32\Drivers\Winir18.sys
c:\windows\system32\XDva008.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\Winir18.sys
c:\windows\system32\ativtmx.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SPOOLSV.EXE
-------\Legacy_WINIR18
-------\Legacy_XDVA008
-------\Service_Acapips
-------\Service_spoolsv.exe
-------\Service_Winir18
-------\Service_XDva008


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 15:27 . 2008-12-15 15:27 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-15 15:19 . 2008-12-15 15:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 15:08 . 2008-12-15 15:48 <DIR> d-------- C:\SDFix
2008-12-15 01:37 . 2008-12-15 01:37 <DIR> d-------- c:\program files\Trend Micro
2008-12-15 01:20 . 2008-12-15 01:20 <DIR> d-------- c:\program files\ERUNT
2008-12-14 20:11 . 2008-12-14 20:11 <DIR> d-------- c:\program files\PrevxCSI
2008-12-14 20:11 . 2008-12-14 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-14 20:11 . 2008-12-14 20:11 26,808 --a------ c:\windows\system32\drivers\pxark.sys
2008-12-14 20:09 . 2008-12-14 20:09 8,576 --a------ c:\windows\system32\drivers\jwuevecbaupr.sys
2008-12-14 16:51 . 2008-12-14 16:51 <DIR> d-------- c:\documents and settings\Administrator\Pavark
2008-12-14 16:34 . 2008-12-14 16:34 <DIR> d-------- c:\documents and settings\Jesse\Pavark
2008-12-14 16:34 . 2008-12-14 16:34 8,576 --a------ c:\windows\system32\drivers\cbqwlbykjvtj.sys
2008-12-14 16:28 . 2008-12-15 00:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-14 16:26 . 2008-12-14 16:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-14 16:26 . 2008-12-14 16:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-14 16:25 . 2008-12-15 09:26 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\program files\AVG
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\documents and settings\Jesse\Application Data\AVGTOOLBAR
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-14 16:25 . 2008-12-14 16:25 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-14 14:51 . 2008-12-14 14:51 <DIR> d--hs---- c:\documents and settings\Jesse\PrivacIE
2008-12-14 14:44 . 2008-12-14 14:45 <DIR> d--h-c--- c:\windows\ie8
2008-12-14 04:00 . 2008-12-14 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-12-13 01:59 . 2008-04-13 19:11 95,744 --a------ c:\windows\system32\ativtmx.dll
2008-12-07 20:06 . 2008-12-07 20:13 <DIR> d-------- c:\program files\Phantasy Star Online Blue Burst
2008-12-04 16:48 . 2008-12-04 16:48 <DIR> d-------- c:\windows\system32\AGEIA
2008-12-04 16:48 . 2008-12-04 16:48 <DIR> d-------- c:\program files\AGEIA Technologies
2008-12-04 16:19 . 2008-12-12 15:31 <DIR> d-------- c:\program files\SpeedFan
2008-12-04 16:19 . 2008-12-04 16:19 45 --a------ c:\windows\system32\initdebug.nfo
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 19:31 --------- d-----w c:\program files\Steam
2008-12-13 22:05 --------- d-----w c:\documents and settings\Jesse\Application Data\Vso
2008-12-13 09:46 --------- d-----w c:\documents and settings\Jesse\Application Data\mIRC
2008-12-04 22:08 --------- d-----w c:\program files\Java
2008-12-04 21:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 19:52 --------- d-----w c:\program files\StepMania
2008-11-21 19:29 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-21 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 20:39 --------- d-----w c:\program files\Lx_cats
2008-11-03 07:07 --------- d-----w c:\program files\SHARP
2008-10-26 23:39 --------- d-----w c:\program files\Midway Home Entertainment
2008-10-25 03:43 --------- d-----w c:\documents and settings\Jesse\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 08:03 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 15:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-23 21:12 9,216 ----a-w C:\MsnHandWriting.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 03:26 131,072 ----a-w c:\windows\system32\SpoonUninstall.exe
2008-02-27 05:46 47,360 ----a-w c:\documents and settings\Jesse\Application Data\pcouffin.sys
2008-02-06 21:15 87,608 ----a-w c:\documents and settings\Jesse\Application Data\ezpinst.exe
2007-05-07 04:10 279 ----a-w c:\program files\Common Files\qufax
2007-04-30 15:06 142 ----a-w c:\program files\Common Files\rtenem.html
2006-09-20 20:15 94,080 ----a-w c:\documents and settings\Jesse\Application Data\ezplay.sys
2007-06-02 18:24 61,038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 18:24 49,256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 18:24 166,000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-11 02:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071020080711\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}]
2008-04-13 19:11 95744 --a------ c:\windows\system32\ativtmx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 180269]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-14 1261336]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 c:\windows\soundman.exe]

c:\documents and settings\Jesse\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jesse^Start Menu^Programs^Startup^Registration Far Cry.LNK]
path=c:\documents and settings\Jesse\Start Menu\Programs\Startup\Registration Far Cry.LNK
backup=c:\windows\pss\Registration Far Cry.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jesse^Start Menu^Programs^Startup^Z_Start.lnk]
path=c:\documents and settings\Jesse\Start Menu\Programs\Startup\Z_Start.lnk
backup=c:\windows\pss\Z_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-11 13:32 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-04 10:39 149040 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2006-10-31 19:34 43008 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 13:32 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2003-06-20 07:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 07:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-04-30 07:19 20480 c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-06-11 18:27 291760 c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2003-06-20 07:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-05-04 10:59 161328 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA Performance Examiner]
--a------ 2008-10-07 13:33 797216 c:\windows\system32\nvcplui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2003-06-20 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2003-06-20 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-03-14 20:01 71216 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-11 15:15 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-11 23:10 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 12:14 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-11-11 13:07 90112 c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 bkokjiex;bkokjiex;c:\windows\system32\drivers\bkokjiex.sys [2004-08-04 23424]
R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-12-14 26808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-14 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2006-08-29 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2008-01-26 8192]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-14 76040]
R2 CSIScanner;CSIScanner;"c:\program files\PrevxCSI\prevxcsi.exe" /service [2008-12-14 927288]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2005-12-31 24652]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2008-06-20 99248]
S3 BS_Flash;BS_Flash;\??\c:\program files\Tseries BIOS Update\Award\BS_Flash.sys [2008-07-16 3604]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-10-16 28672]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-22 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-06-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-22 21632]
S3 PRISM_USB;Linksys Wireless-B USB Network Adapter Driver;c:\windows\system32\DRIVERS\LSPMUSBX.sys [2004-07-26 666624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{880e7acc-e6c6-11db-bb88-00e04ce9d8a9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce79a42c-406f-11db-baa4-00e04ce9d8a9}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Winir18.sys
MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~1.DLL


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: ????????????????????????
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: ???????????????????????? - c:\program files\Megaupload\Mega Manager\mm_file.htm

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\DekaronAutoPlay.ocx
c:\windows\Downloaded Program Files\GHSysInfo.ocx
O16 -: {4F091885-8A80-478E-8F48-C53508CA12FD}
hxxp://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
c:\windows\Downloaded Program Files\Dekaron.inf

c:\windows\system32\sessionctrl.dll - O16 -: {9BEEA7FF-FF76-403C-B124-86D9835435F0}
hxxp://file.gamechu.net/dl/download/sessionctrl.cab
c:\windows\Downloaded Program Files\sessionctrl.inf
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\nssaw6hh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 17:41:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\qzes7elw.TMP 616448 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxddcoms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-15 17:44:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 22:44:53
ComboFix2.txt 2008-12-15 21:05:07

Pre-Run: 10,835,365,888 bytes free
Post-Run: 10,837,311,488 bytes free

300 --- E O F --- 2008-12-14 19:50:15
IndiGenus
post Dec 15 2008, 09:55 PM
Post #6


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.
cereal_killerxx
post Dec 16 2008, 12:32 AM
Post #7


Authentic Member

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-16 01:31:54
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spvs.sys ZwCreateKey [0xBA6A80E0]
SSDT spvs.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spvs.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spvs.sys ZwOpenKey [0xBA6A80C0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB5F5ABCE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB5F5ACBC]
SSDT spvs.sys ZwQueryKey [0xBA6C7108]
SSDT spvs.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spvs.sys ZwSetValueKey [0xBA6C719A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xB5F5AB32]

INT 0x63 ? 8A41FF00
INT 0x82 ? 8A612BF8
INT 0x83 ? 8A612BF8
INT 0x83 ? 8A612BF8
INT 0x83 ? 8A612BF8
INT 0xB4 ? 8A41FF00

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BB8ED 7 Bytes JMP 8A5E0168
? spvs.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B947B8AC 5 Bytes JMP 8A41F4E0
.text ap05uc47.SYS B8F8C384 1 Byte [ 20 ]
.text ap05uc47.SYS B8F8C386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ap05uc47.SYS B8F8C3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ap05uc47.SYS B8F8C3C4 3 Bytes [ 00, 00, 00 ]
.text ap05uc47.SYS B8F8C3C9 1 Byte [ 00 ]
.text ...
? System32\Drivers\17fe331a.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00B8E0B3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00C1ECEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DB157B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DB14AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DB1518 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DB137E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DB13E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DB15DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DB1442 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00B8E0B3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00DB1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 00DB1776 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00C1ECEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00DB175D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DB157B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DB14AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DB1518 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DB137E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DB13E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DB15DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DB1442 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00BA1420 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spvs.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spvs.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spvs.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spvs.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spvs.sys
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\ap05uc47.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spvs.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A6111F8

AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\NetBT \Device\NetBT_Tcpip_{8F99D884-6BAB-43E9-AD59-3687D2FDEF1A} 897E21F8
Device \Driver\usbohci \Device\USBPDO-0 8A326500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5A31F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5A31F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5A31F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5A31F8
Device \Driver\usbehci \Device\USBPDO-1 8A2A0500

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\PCI_PNP5438 \Device\00000057 spvs.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6131F8
Device \Driver\Cdrom \Device\CdRom0 8A37B1F8
Device \Driver\Cdrom \Device\CdRom1 8A37B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 897E21F8
Device \Driver\sptd \Device\2685070438 spvs.sys
Device \Driver\NetBT \Device\NetbiosSmb 897E21F8

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbohci \Device\USBFDO-0 8A326500
Device \Driver\usbehci \Device\USBFDO-1 8A2A0500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 897E81F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 897E81F8
Device \Driver\Ftdisk \Device\FtControl 8A6131F8
Device \Driver\ap05uc47 \Device\Scsi\ap05uc471Port4Path0Target0Lun0 8A33B1F8
Device \Driver\ap05uc47 \Device\Scsi\ap05uc471 8A33B1F8
Device \FileSystem\Cdfs \Cdfs 897D11F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1733961304
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1066849187
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD6 0x69 0xEB 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0xA2 0xA2 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4C 0xCC 0x11 0x08 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD6 0x69 0xEB 0x2A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0xA2 0xA2 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x39 0xFC 0xC8 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD6 0x69 0xEB 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0xA2 0xA2 0x65 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4C 0xCC 0x11 0x08 ...

---- EOF - GMER 1.0.14 ----
IndiGenus
post Dec 16 2008, 01:42 PM
Post #8


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :processes
    explorer.exe

    :files
    C:\WINDOWS\system32\ativtmx.dll

    :reg
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}]

    :commands
    [purity]
    [emptytemp]
    [start explorer]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Also post a new HJT log.
cereal_killerxx
post Dec 16 2008, 02:21 PM
Post #9


Authentic Member

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



Here are the new logs:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
LoadLibrary failed for C:\WINDOWS\system32\ativtmx.dll
C:\WINDOWS\system32\ativtmx.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ativtmx.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\efuntvpw.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DF8C40.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD383.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD3B9.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD4DC.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD509.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD707.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD738.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFF1E4.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12162008_151215

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\system32\ativtmx.dll
C:\WINDOWS\system32\ativtmx.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ativtmx.dll scheduled to be moved on reboot.
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\efuntvpw.dat not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DF8C40.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD383.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD3B9.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD4DC.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD509.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD707.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFD738.tmp not found!
File C:\DOCUME~1\Jesse\LOCALS~1\Temp\~DFF1E4.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:01 PM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {68EF0032-B354-4A54-9E49-FFFDABDB2936} - C:\WINDOWS\system32\ativtmx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9865 bytes
IndiGenus
post Dec 16 2008, 08:13 PM
Post #10


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Files to delete:
C:\WINDOWS\system32\ativtmx.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.
cereal_killerxx
post Dec 16 2008, 09:38 PM
Post #11


Authentic Member

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



Once again, another program that seems to fail.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\WINDOWS\system32\ativtmx.dll"
Deletion of file "C:\WINDOWS\system32\ativtmx.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}" for deletion
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:36 PM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {68EF0032-B354-4A54-9E49-FFFDABDB2936} - C:\WINDOWS\system32\ativtmx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9705 bytes
IndiGenus
post Dec 17 2008, 01:03 PM
Post #12


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



OK, I don't think it's the tool's fault here. There is a driver I missed earlier from the ComboFix log. Let's see if this will finally kill it... we'll use a ComboFix script again.

1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
c:\windows\system32\drivers\bkokjiex.sys
c:\windows\system32\ativtmx.dll

Driver::
bkokjiex

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

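The cross-check a helper wants after a run like the one above, written here as an added example (it is not code from this thread, from the helper, or from ComboFix itself): parse the File::/Driver::/Registry:: sections of the CFScript, parse the banner-delimited ComboFix.txt that comes back, and confirm that every file and driver the script named shows up under "Other Deletions" and "Drivers/Services"; anything the log does not confirm is flagged for a second look instead of being assumed gone. The CFScript text is the one from this post; the ComboFix.txt excerpt is constructed to mirror the layout of the log posted in the reply; and the parsing rules (section headers ending in `::`, `((( title )))` banners, lone `.` separator lines, `[-KEY]` meaning "delete this key") are inferred from that sample rather than taken from any ComboFix documentation.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced.

Added example, not part of the forum thread or of ComboFix. Section names
and log banners are copied from the posted script and log; the parsing
rules are an assumption inferred from that one sample.
"""
import re

# Constructed input: the CFScript from the helper's post, verbatim.
CFSCRIPT = r"""
File::
c:\windows\system32\drivers\bkokjiex.sys
c:\windows\system32\ativtmx.dll

Driver::
bkokjiex

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EF0032-B354-4A54-9E49-FFFDABDB2936}]
"""

# Constructed ComboFix.txt excerpt laid out like the log in the reply.
COMBOFIX_LOG = r"""
FILE ::
c:\windows\system32\ativtmx.dll
c:\windows\system32\drivers\bkokjiex.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ativtmx.dll
c:\windows\system32\drivers\bkokjiex.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BKOKJIEX
-------\Service_bkokjiex

((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # "(((( title ))))"
SERVICE_LINE_RE = re.compile(r"^-+\\(Legacy|Service)_(.+)$")  # "-------\Service_x"
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")              # "[-KEY]" deletes KEY


def parse_cfscript(text):
    """Return {section: [entries]}; section names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Split ComboFix.txt into {banner title: [lines]}; header lines go under ''."""
    blocks, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
            continue
        if line in ("", "."):          # ComboFix uses lone '.' as a separator
            continue
        blocks[current].append(line)
    return blocks


def removed_services(blocks):
    """Service names listed as removed under the 'Drivers/Services' banner."""
    names = set()
    for line in blocks.get("Drivers/Services", []):
        m = SERVICE_LINE_RE.match(line)
        if m:
            names.add(m.group(2).lower())
    return names


def registry_deletions(script):
    """Keys a Registry:: section marks for deletion with the .reg-style '[-KEY]'.

    The '~' path abbreviation is ComboFix's own and is left exactly as written.
    """
    return [m.group(1) for e in script.get("registry", []) if (m := REG_DELETE_RE.match(e))]


def verify_cleanup(script_text, log_text):
    """Report which File:: and Driver:: entries the log confirms as removed.

    'unconfirmed' entries were requested but do not appear under
    'Other Deletions' / 'Drivers/Services', so they still need attention.
    """
    script = parse_cfscript(script_text)
    blocks = parse_combofix_log(log_text)
    deleted = {p.lower() for p in blocks.get("Other Deletions", [])}
    services = removed_services(blocks)
    confirmed, unconfirmed = [], []
    for path in script.get("file", []):
        (confirmed if path.lower() in deleted else unconfirmed).append(("file", path))
    for name in script.get("driver", []):
        (confirmed if name.lower() in services else unconfirmed).append(("driver", name))
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    result = verify_cleanup(CFSCRIPT, COMBOFIX_LOG)
    for kind, item in result["confirmed"]:
        print(f"confirmed {kind}: {item}")
    for kind, item in result["unconfirmed"]:
        print(f"UNCONFIRMED {kind}: {item}")
    print("registry keys to delete:", registry_deletions(parse_cfscript(CFSCRIPT)))
```

Only File:: and Driver:: entries are checked against the log, because those are the two sections whose results ComboFix prints under a dedicated banner in the posted output; the Registry:: entry is parsed and listed, but confirming it would need the "Reg Loading Points" section or a separate registry export, which this example does not attempt.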
cereal_killerxx
post Dec 17 2008, 02:16 PM
Post #13


Authentic Member

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



Here are the new log files once again.


ComboFix 08-12-15.01 - Jesse 2008-12-17 15:02:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1425 [GMT -5:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jesse\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\ativtmx.dll
c:\windows\system32\drivers\bkokjiex.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ativtmx.dll
c:\windows\system32\drivers\bkokjiex.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BKOKJIEX
-------\Service_bkokjiex


((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 17:24 . 2008-12-16 17:24 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-16 15:12 . 2008-12-16 15:12 <DIR> d-------- C:\_OTMoveIt
2008-12-16 03:28 . 2008-12-16 03:28 850 --a------ c:\windows\system32\ProductTweaks.xml
2008-12-16 03:28 . 2008-12-16 03:28 385 --a------ c:\windows\system32\user_gensett.xml
2008-12-16 01:10 . 2008-12-16 01:10 250 --a------ c:\windows\gmer.ini
2008-12-15 22:53 . 2008-12-15 22:53 <DIR> d-------- c:\windows\system32\logs
2008-12-15 22:53 . 2008-12-15 22:53 <DIR> d-------- c:\documents and settings\Jesse\Application Data\BitDefender
2008-12-15 22:53 . 2008-12-15 22:53 <DIR> d-------- C:\Binaries
2008-12-15 22:52 . 2008-12-15 22:52 <DIR> d-------- c:\program files\BitDefender
2008-12-15 22:52 . 2008-12-15 22:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2008-12-15 22:51 . 2008-12-15 22:51 <DIR> d-------- c:\windows\system32\URTTEMP
2008-12-15 22:48 . 2008-12-15 22:52 <DIR> d-------- c:\program files\Common Files\BitDefender
2008-12-15 15:27 . 2008-12-15 15:27 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-15 15:19 . 2008-12-15 15:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 15:08 . 2008-12-15 15:48 <DIR> d-------- C:\SDFix
2008-12-15 01:37 . 2008-12-15 01:37 <DIR> d-------- c:\program files\Trend Micro
2008-12-15 01:20 . 2008-12-15 01:20 <DIR> d-------- c:\program files\ERUNT
2008-12-14 20:11 . 2008-12-16 02:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-14 20:09 . 2008-12-14 20:09 8,576 --a------ c:\windows\system32\drivers\jwuevecbaupr.sys
2008-12-14 16:51 . 2008-12-14 16:51 <DIR> d-------- c:\documents and settings\Administrator\Pavark
2008-12-14 16:34 . 2008-12-14 16:34 <DIR> d-------- c:\documents and settings\Jesse\Pavark
2008-12-14 16:34 . 2008-12-14 16:34 8,576 --a------ c:\windows\system32\drivers\cbqwlbykjvtj.sys
2008-12-14 16:28 . 2008-12-15 00:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-14 16:25 . 2008-12-14 16:25 <DIR> d-------- c:\program files\AVG
2008-12-14 16:25 . 2008-12-15 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-14 14:51 . 2008-12-14 14:51 <DIR> d--hs---- c:\documents and settings\Jesse\PrivacIE
2008-12-14 14:44 . 2008-12-14 14:45 <DIR> d--h-c--- c:\windows\ie8
2008-12-14 04:00 . 2008-12-14 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-12-07 20:06 . 2008-12-15 23:25 <DIR> d-------- c:\program files\Phantasy Star Online Blue Burst
2008-12-04 16:48 . 2008-12-04 16:48 <DIR> d-------- c:\windows\system32\AGEIA
2008-12-04 16:48 . 2008-12-04 16:48 <DIR> d-------- c:\program files\AGEIA Technologies
2008-12-04 16:19 . 2008-12-16 17:04 <DIR> d-------- c:\program files\SpeedFan
2008-12-04 16:19 . 2008-12-04 16:19 45 --a------ c:\windows\system32\initdebug.nfo
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-21 14:12 . 2008-11-21 14:12 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 19:39 --------- d-----w c:\program files\Steam
2008-12-16 22:11 --------- d-----w c:\documents and settings\Jesse\Application Data\Vso
2008-12-16 22:07 --------- d-----w c:\program files\RivaTuner v2.08
2008-12-16 22:06 --------- d-----w c:\program files\AviSynth 2.5
2008-12-16 22:05 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2008-12-16 22:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 22:01 --------- d-----w c:\program files\URUSoft
2008-12-16 22:01 --------- d-----w c:\program files\Real
2008-12-16 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-16 21:56 --------- d-----w c:\program files\CCG Maker
2008-12-16 21:55 --------- d-----w c:\program files\CyberLink
2008-12-16 21:55 --------- d-----w c:\program files\BitTorrent
2008-12-16 21:54 --------- d-----w c:\program files\Badongo
2008-12-16 21:54 --------- d-----w c:\program files\Avi2Dvd
2008-12-16 08:28 82,440 ----a-w c:\windows\system32\drivers\BDVEDISK.sys
2008-12-16 08:28 230,920 ----a-w c:\windows\system32\drivers\bdfsfltr.sys
2008-12-16 08:28 192,512 ----a-w c:\windows\system32\txmlutil.dll
2008-12-16 08:28 111,112 ----a-w c:\windows\system32\drivers\bdfm.sys
2008-12-16 08:28 104,328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2008-12-16 04:22 --------- d-----w c:\program files\Legend Of Ares
2008-12-16 03:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 09:46 --------- d-----w c:\documents and settings\Jesse\Application Data\mIRC
2008-12-04 22:08 --------- d-----w c:\program files\Java
2008-12-02 19:52 --------- d-----w c:\program files\StepMania
2008-11-21 19:29 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-21 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 20:39 --------- d-----w c:\program files\Lx_cats
2008-10-25 03:43 --------- d-----w c:\documents and settings\Jesse\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 15:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 21:12 9,216 ----a-w C:\MsnHandWriting.dll
2008-02-27 05:46 47,360 ----a-w c:\documents and settings\Jesse\Application Data\pcouffin.sys
2008-02-06 21:15 87,608 ----a-w c:\documents and settings\Jesse\Application Data\ezpinst.exe
2007-05-07 04:10 279 ----a-w c:\program files\Common Files\qufax
2007-04-30 15:06 142 ----a-w c:\program files\Common Files\rtenem.html
2006-09-20 20:15 94,080 ----a-w c:\documents and settings\Jesse\Application Data\ezplay.sys
2008-12-16 08:27 39,424 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
2007-06-02 18:24 61,038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 18:24 49,256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 18:24 166,000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-11 02:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071020080711\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-15_16.04.26.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-16 03:50:57 7,680 ----a-w c:\windows\assembly\GAC\Accessibility\1.0.5000.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-12-16 03:50:53 12,288 ----a-w c:\windows\assembly\GAC\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-12-16 03:50:57 33,792 ----a-w c:\windows\assembly\GAC\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-12-16 22:25:35 8,192 ----a-w c:\windows\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-12-16 22:25:37 32,768 ----a-w c:\windows\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-12-16 03:50:59 4,608 ----a-w c:\windows\assembly\GAC\IIEHost\1.0.5000.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-12-16 03:50:59 26,112 ----a-w c:\windows\assembly\GAC\ISymWrapper\1.0.5000.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-12-16 22:25:46 720,896 ----a-w c:\windows\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-12-16 03:50:53 28,672 ----a-w c:\windows\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-12-16 22:25:37 299,008 ----a-w c:\windows\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-12-16 03:50:54 6,144 ----a-w c:\windows\assembly\GAC\Microsoft.VisualC\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll
+ 2008-12-16 03:50:53 11,264 ----a-w c:\windows\assembly\GAC\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-12-16 03:50:53 32,768 ----a-w c:\windows\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-12-16 03:50:53 6,656 ----a-w c:\windows\assembly\GAC\Microsoft_VsaVb\7.0.5000.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-12-16 03:50:59 1,564,672 ----a-w c:\windows\assembly\GAC\mscorcfg\1.0.5000.0__b03f5f7f11d50a3a\mscorcfg.dll
+ 2008-12-16 22:25:43 32,768 ----a-w c:\windows\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
+ 2008-12-16 03:50:59 77,824 ----a-w c:\windows\assembly\GAC\System.Configuration.Install\1.0.5000.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-12-16 22:25:41 303,104 ----a-w c:\windows\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-12-16 22:25:43 1,294,336 ----a-w c:\windows\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
+ 2008-12-16 22:25:36 1,703,936 ----a-w c:\windows\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-12-16 22:25:45 90,112 ----a-w c:\windows\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-12-16 03:51:01 65,536 ----a-w c:\windows\assembly\GAC\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-12-16 22:25:40 466,944 ----a-w c:\windows\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-12-16 22:25:38 241,664 ----a-w c:\windows\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-12-16 22:25:38 66,560 ----a-w c:\windows\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
+ 2008-12-16 22:25:42 372,736 ----a-w c:\windows\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-12-16 22:25:46 241,664 ----a-w c:\windows\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-12-16 22:25:41 323,584 ----a-w c:\windows\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-12-16 22:25:39 131,072 ----a-w c:\windows\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-12-16 22:25:40 77,824 ----a-w c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-12-16 22:25:44 126,976 ----a-w c:\windows\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-12-16 22:25:35 819,200 ----a-w c:\windows\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-12-16 22:25:38 57,344 ----a-w c:\windows\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-12-16 22:25:37 573,440 ----a-w c:\windows\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-12-16 22:25:45 1,257,472 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-12-16 22:25:39 2,052,096 ----a-w c:\windows\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-12-16 22:25:42 1,339,392 ----a-w c:\windows\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
+ 2008-12-16 22:25:47 1,224,704 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-12-16 22:26:24 118,784 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_113d2790\CustomMarshalers.dll
+ 2008-12-16 22:25:57 61,440 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_4739f036\CustomMarshalers.dll
+ 2008-12-16 22:26:19 3,379,200 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_65f4fd12\mscorlib.dll
+ 2008-12-16 22:26:39 8,880,128 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_b1dd51d4\mscorlib.dll
+ 2008-12-16 22:26:14 1,466,368 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_0a783337\System.Design.dll
+ 2008-12-16 22:26:34 3,395,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_8791d56d\System.Design.dll
+ 2008-12-16 22:26:25 192,512 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_037e6e29\System.Drawing.Design.dll
+ 2008-12-16 22:25:59 90,112 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_7a14e9b3\System.Drawing.Design.dll
+ 2008-12-16 22:26:36 2,244,608 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_6512de66\System.Drawing.dll
+ 2008-12-16 22:26:16 835,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_7e5576fb\System.Drawing.dll
+ 2008-12-16 22:26:05 3,014,656 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_10944492\System.Windows.Forms.dll
+ 2008-12-16 22:26:28 7,880,704 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_fdb45211\System.Windows.Forms.dll
+ 2008-12-16 22:26:10 2,088,960 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3b92afb0\System.Xml.dll
+ 2008-12-16 22:26:30 5,505,024 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_f565fedc\System.Xml.dll
+ 2008-12-16 22:25:56 1,953,792 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_8a34c10e\System.dll
+ 2008-12-16 22:26:24 4,763,648 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_cac21c3c\System.dll
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-16-2008\ERDNT.EXE
+ 2008-12-16 07:57:11 27,668,480 ----a-w c:\windows\ERDNT\AutoBackup\12-16-2008\Users\00000001\NTUSER.DAT
+ 2008-12-16 07:57:11 253,952 ----a-w c:\windows\ERDNT\AutoBackup\12-16-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-17\ERDNT.EXE
+ 2008-12-17 20:08:46 27,668,480 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-17\Users\00000001\NTUSER.DAT
+ 2008-12-17 20:08:46 253,952 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-17\Users\00000002\UsrClass.dat
+ 2008-12-16 06:10:12 884,736 ----a-w c:\windows\gmer.dll
+ 2008-12-16 06:07:43 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-16 22:24:20 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2008-12-16 03:53:48 61,440 ----a-r c:\windows\Installer\{8ACF317C-CA66-4363-AEBF-A073B124AA1A}\helpicon.exe
+ 2008-12-16 03:53:48 32,768 ----a-r c:\windows\Installer\{8ACF317C-CA66-4363-AEBF-A073B124AA1A}\maintenance_icon.exe
+ 2008-12-16 03:53:48 22,486 ----a-r c:\windows\Installer\{8ACF317C-CA66-4363-AEBF-A073B124AA1A}\register_icon.exe
+ 2008-12-16 03:53:48 57,344 ----a-r c:\windows\Installer\{8ACF317C-CA66-4363-AEBF-A073B124AA1A}\texticon.exe
+ 2003-02-21 07:59:44 16,896 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\alinkui.dll
+ 2003-02-21 08:55:06 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\cscompui.dll
+ 2003-02-21 08:02:16 131,072 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\vbc7ui.dll
+ 2003-02-21 10:04:20 155,648 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\Vsavb7rtUI.dll
+ 2003-02-21 12:24:08 7,680 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Accessibility.dll
+ 2003-02-21 10:00:36 98,304 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\alink.dll
+ 2003-02-21 00:19:42 24,576 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2003-02-21 00:19:22 40,960 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_rc.dll
+ 2004-07-15 06:49:18 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
+ 2004-07-15 06:49:26 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
+ 2004-07-15 06:49:22 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2002-07-29 16:11:50 219,136 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\c_g18030.dll
+ 2003-02-21 12:24:10 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CasPol.exe
+ 2003-02-21 12:24:32 49,152 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe
+ 2004-07-15 05:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2004-07-15 16:23:28 49,152 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\csc.exe
+ 2004-07-15 16:23:44 626,688 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
+ 2003-02-21 12:24:34 12,288 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\cscompmgd.dll
+ 2003-02-21 12:24:36 33,792 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CustomMarshalers.dll
+ 2003-02-21 09:12:24 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\cvtres.exe
+ 2003-02-21 15:21:40 524,288 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\diasymreader.dll
+ 2003-02-21 00:16:32 798,720 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\EventLogMessages.dll
+ 2004-07-15 05:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2003-10-08 19:30:14 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
+ 2003-02-21 12:24:38 7,680 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
+ 2004-07-15 19:31:00 8,192 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
+ 2004-07-15 19:31:04 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
+ 2003-02-21 12:24:40 4,608 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\IIEHost.dll
+ 2004-07-15 05:35:30 196,608 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
+ 2003-02-21 12:24:42 15,872 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe
+ 2003-02-21 00:22:24 40,960 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\InstallUtilLib.dll
+ 2003-02-21 12:24:44 26,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\ISymWrapper.dll
+ 2003-02-21 12:24:52 40,960 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\jsc.exe
+ 2004-07-15 19:28:58 720,896 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
+ 2004-07-15 19:28:56 299,008 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
+ 2003-02-21 12:24:54 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
+ 2003-02-21 12:25:02 6,144 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualC.Dll
+ 2003-02-21 12:24:58 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
+ 2003-02-21 12:25:06 11,264 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2003-02-21 12:25:02 6,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft_VsaVb.dll
+ 2004-07-15 19:28:50 49,152 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
+ 2004-07-15 19:28:50 49,152 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
+ 2003-02-21 12:25:06 1,564,672 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorcfg.dll
+ 2004-07-15 05:32:44 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
+ 2004-07-15 05:32:46 233,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
+ 2003-02-21 00:09:14 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2004-07-15 05:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2004-07-15 05:33:04 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2003-02-20 23:43:52 131,072 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscormmc.dll
+ 2003-02-21 00:06:34 65,536 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorpe.dll
+ 2004-07-15 05:33:22 143,360 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
+ 2004-07-15 05:33:24 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
+ 2003-02-21 00:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2003-02-21 00:09:24 9,216 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscortim.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\msvcr71.dll
+ 2003-02-21 00:18:34 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mtxoci8.dll
+ 2003-02-20 23:43:36 22,528 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\MUI\0409\mscorsecr.dll
+ 2004-08-10 21:20:00 106,496 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2003-02-21 00:09:46 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\ngen.exe
+ 2004-07-15 05:34:50 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
+ 2003-02-21 12:25:24 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe
+ 2004-07-15 19:28:48 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2003-02-21 12:25:30 12,288 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe
+ 2003-02-21 00:09:34 253,952 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\shfusion.dll
+ 2003-02-21 00:09:34 122,880 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\shfusres.dll
+ 2004-07-15 05:35:04 319,488 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SOS.dll
+ 2003-02-21 12:26:38 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Configuration.Install.dll
+ 2004-07-15 19:32:00 1,294,336 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
+ 2004-07-15 19:31:14 303,104 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
+ 2004-07-15 19:29:02 1,703,936 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
+ 2004-07-15 19:28:54 90,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
+ 2004-07-15 19:31:16 1,224,704 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2003-02-21 12:26:48 65,536 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.Design.dll
+ 2004-07-15 19:28:58 466,944 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2004-07-15 19:28:56 241,664 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
+ 2004-07-15 05:35:12 66,560 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
+ 2004-07-15 19:31:58 372,736 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
+ 2004-07-15 19:31:12 241,664 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
+ 2004-07-15 19:28:58 323,584 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
+ 2004-07-15 19:31:54 131,072 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
+ 2004-07-15 19:28:52 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2004-07-15 19:28:54 126,976 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
+ 2004-07-15 19:29:00 1,257,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2004-07-15 19:28:58 819,200 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
+ 2004-07-15 19:28:52 57,344 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
+ 2004-07-15 19:31:16 573,440 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
+ 2004-07-15 19:32:02 2,052,096 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2004-07-15 19:29:00 1,339,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-06-22 18:51:38 53,248 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2004-07-15 16:23:20 737,280 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\vbc.exe
+ 2004-07-15 13:15:14 1,032,192 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
+ 2004-07-15 07:11:56 31,744 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
- 2006-05-15 23:24:34 466,944 ----a-w c:\windows\system32\capicom.dll
+ 2007-04-11 16:11:20 511,328 ----a-w c:\windows\system32\capicom.dll
+ 2008-12-16 06:10:12 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-10-16 07:08:10 285,312 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-17 03:31:31 284,520 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 12:00:00 112,128 ----a-w c:\windows\system32\mapi32.dll
+ 2004-03-31 18:28:00 131,072 ----a-w c:\windows\system32\mapi32.dll
+ 2002-01-05 08:48:16 974,848 ----a-w c:\windows\system32\mfc70.dll
+ 2002-01-05 08:36:38 964,608 ----a-w c:\windows\system32\mfc70u.dll
- 2003-03-19 01:20:00 1,060,864 ----a-w c:\windows\system32\MFC71.dll
+ 2003-03-19 02:20:00 1,060,864 ----a-w c:\windows\system32\mfc71.dll
- 2007-03-12 17:37:04 1,047,552 ----a-w c:\windows\system32\MFC71U.dll
+ 2003-03-19 02:12:12 1,047,552 ----a-w c:\windows\system32\mfc71u.dll
+ 2002-01-05 08:38:38 54,784 ----a-w c:\windows\system32\msvci70.dll
+ 2002-01-05 08:40:20 487,424 ----a-w c:\windows\system32\msvcp70.dll
- 2007-06-06 21:33:05 505,392 ----a-w c:\windows\system32\msvcp71.dll
+ 2003-03-19 01:14:52 499,712 ----a-w c:\windows\system32\msvcp71.dll
+ 2002-01-05 07:37:28 344,064 ----a-w c:\windows\system32\msvcr70.dll
- 2006-10-23 18:37:14 348,160 ----a-w c:\windows\system32\msvcr71.dll
+ 2003-02-21 09:42:22 348,160 ----a-w c:\windows\system32\msvcr71.dll
+ 2003-04-18 21:29:26 82,432 ----a-w c:\windows\system32\msxml4r.dll
+ 2003-02-20 23:43:36 4,096 ----a-w c:\windows\system32\mui\0409\mscoreer.dll
- 2008-12-15 08:01:40 68,608 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-16 22:25:27 72,298 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-15 08:01:40 436,090 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-16 22:25:27 444,418 ----a-w c:\windows\system32\perfh009.dat
+ 2003-02-21 10:16:08 49,152 ----a-w c:\windows\system32\URTTEMP\regtlib.exe
+ 2007-01-31 19:50:32 913,408 ----a-w c:\windows\system32\xreglib.dll
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
- 2006-12-02 02:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
- 2006-12-02 02:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2006-12-02 02:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 180269]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-12-16 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-12-16 69632]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 c:\windows\soundman.exe]

c:\documents and settings\Jesse\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jesse^Start Menu^Programs^Startup^Registration Far Cry.LNK]
path=c:\documents and settings\Jesse\Start Menu\Programs\Startup\Registration Far Cry.LNK
backup=c:\windows\pss\Registration Far Cry.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jesse^Start Menu^Programs^Startup^Z_Start.lnk]
path=c:\documents and settings\Jesse\Start Menu\Programs\Startup\Z_Start.lnk
backup=c:\windows\pss\Z_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-11 13:32 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-04 10:39 149040 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 13:32 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2003-06-20 07:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 07:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-04-30 07:19 20480 c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-06-11 18:27 291760 c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2003-06-20 07:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-05-04 10:59 161328 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA Performance Examiner]
--a------ 2008-10-07 13:33 797216 c:\windows\system32\nvcplui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2003-06-20 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2003-06-20 07:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-03-14 20:01 71216 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-11 15:15 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-11 23:10 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 12:14 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-11-11 13:07 90112 c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9371:TCP"= 9371:TCP:BitComet 9371 TCP
"9371:UDP"= 9371:UDP:BitComet 9371 UDP

R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2006-08-29 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2008-01-26 8192]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R2 BDVEDISK;BDVEDISK;\??\c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82440]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2005-12-31 24652]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2008-08-14 104328]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2008-06-20 99248]
S3 Arrakis3;BitDefender Arrakis Server;"c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe" [2008-07-17 118784]
S3 BS_Flash;BS_Flash;\??\c:\program files\Tseries BIOS Update\Award\BS_Flash.sys [2008-07-16 3604]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-10-16 28672]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-22 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-06-22 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-22 21632]
S3 PRISM_USB;Linksys Wireless-B USB Network Adapter Driver;c:\windows\system32\DRIVERS\LSPMUSBX.sys [2004-07-26 666624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{880e7acc-e6c6-11db-bb88-00e04ce9d8a9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce79a42c-406f-11db-baa4-00e04ce9d8a9}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - BKOKJIEX

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~1.DLL
MSConfigStartUp-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: ????????????????????????
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: ???????????????????????? - c:\program files\Megaupload\Mega Manager\mm_file.htm

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\DekaronAutoPlay.ocx
c:\windows\Downloaded Program Files\GHSysInfo.ocx
O16 -: {4F091885-8A80-478E-8F48-C53508CA12FD}
hxxp://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
c:\windows\Downloaded Program Files\Dekaron.inf

c:\windows\system32\sessionctrl.dll - O16 -: {9BEEA7FF-FF76-403C-B124-86D9835435F0}
hxxp://file.gamechu.net/dl/download/sessionctrl.cab
c:\windows\Downloaded Program Files\sessionctrl.inf
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\nssaw6hh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 15:08:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxddcoms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\rundll32.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2008-12-17 15:11:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 20:11:42
ComboFix2.txt 2008-12-15 22:44:59
ComboFix3.txt 2008-12-15 21:05:07

Pre-Run: 28,486,213,632 bytes free
Post-Run: 28,404,658,176 bytes free

517 --- E O F --- 2008-12-16 22:25:52


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:05 PM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9465 bytes
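Triage logic for HijackThis log lines of the kind posted above, as an added example (it is not code from the thread or from HijackThis itself). It parses the O2, O3, O4, O16 and O23 line formats and surfaces the entries a malware-removal helper reads first; the host allow-list is an assumption made for the example, and the sample lines are constructed from the log in this post.

```python
"""Triage helper for HijackThis v2.0.2 log lines.

Added example for this thread, not part of the forum post and not code
from HijackThis. It flags: BHO/toolbar CLSIDs whose file is gone (O2/O3),
Run entries that name a bare executable without a path (O4), ActiveX
downloads from hosts outside a small allow-list (O16), and services with
no or an unknown vendor string (O23).
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumption for this example only: hosts from which an O16 ActiveX
# download is expected on a patched XP box. Anything else is surfaced.
TRUSTED_DPF_HOSTS = ("microsoft.com", "hotmail.com", "windowsupdate.com")

O2_O3_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O3 - Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<where>HK(?:LM|CU)\\\.\.\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<url>\S+)$")
# Vendor may be empty ("name - - C:\path"), hence the optional space before "-".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O16"
    name: str      # entry name as HijackThis prints it
    reason: str    # why a helper would look at it
    line: str      # the original log line


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    # Exact match or subdomain of an allow-listed host.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    if m := O2_O3_RE.match(line):
        if m["path"].strip() == "(no file)":
            return Finding(m["kind"][:2], m["name"],
                           "CLSID registered but its file is missing (orphan or removed malware)", line)
        return None
    if m := O4_RE.match(line):
        tokens = m["cmd"].replace('"', "").split()
        if not tokens:
            return None
        target = tokens[0]
        if target.lower() == "rundll32.exe" and len(tokens) > 1:
            target = tokens[1].split(",")[0]   # the DLL rundll32 actually loads
        if "\\" not in target:
            return Finding("O4", m["name"],
                           f"bare executable '{target}' is resolved via PATH at logon; verify its real location", line)
        return None
    if m := O16_RE.match(line):
        host = host_of(m["url"])
        if not is_trusted_host(host):
            return Finding("O16", m["name"], f"ActiveX control installable from third-party host {host}", line)
        return None
    if m := O23_RE.match(line):
        if m["vendor"].strip() in ("", "Unknown owner"):
            return Finding("O23", m["name"], "service binary carries no vendor; check its signature and location", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: a subset of lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name}: {f.reason}")
```

A flagged line is a prompt to verify the file on disk, not a verdict; the vendor-less Lexmark service and the bare NVIDIA entries here are benign once their locations are confirmed.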
IndiGenus
post Dec 17 2008, 02:31 PM
Post #14


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,140
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



Finally! Sorry I did not see that service running earlier. That was preventing the malware from being deleted. Let's do some scans....

First, use ATF Cleaner to remove temp files, cookies, cache, etc...

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:

Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:
Kaspersky log
New HJT log taken after the above scan has run

cereal_killerxx
post Dec 17 2008, 09:47 PM
Post #15


Authentic Member
**

Group: Authentic Member
Posts: 28
Joined: 15-December 08
Member No.: 82,965
Operating System: Windows XP Professional SP3



Whatever problems/viruses are going on, they are affecting the javascript pages etc. While using that Kasper program to scan, it came up with a javascript error and closed. I managed to get the log though before that happened. This javascript thing has been happening on all sorts of webpages for downloading as well as different applications. The error is always different for each though and usually asks me if I want to debug it. I really hope you can help get rid of this stuff! O_O

Anyways, here are the logs

Wednesday, December 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 17, 2008 22:35:55
Records in database: 1473355


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 111091
Threat name 2
Infected objects 7
Suspicious objects 0
Duration of the scan 02:14:58

File name Threat name Threats count
C:\Documents and Settings\Jesse\.housecall6.6\Quarantine\crtdcghcn.jar-6302bf39-6867b506.zip.bac_a03620 Infected: Trojan.Java.ClassLoader.ao 3

C:\Documents and Settings\Jesse\.housecall6.6\Quarantine\ms-counter.jar-4535331c-25cf7cd0.zip.bac_a03620 Infected: Trojan.Java.ClassLoader.ao 3

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_bkokjiex_.sys.zip Infected: Trojan.Win32.BHO.ext 1

The selected area was scanned.

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

12/17/2008 7:43:01 PM
mbam-log-2008-12-17 (19-43-01).txt

Scan type: Quick Scan
Objects scanned: 53837
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_windev-7e94-6f96 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:29 PM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://legendofares.netgame.com/download/m...anagerv1001.cab
O16 - DPF: {9BEEA7FF-FF76-403C-B124-86D9835435F0} (GameChu Login Control) - http://file.gamechu.net/dl/download/sessionctrl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9609 bytes
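Reading a HijackThis log by hand means scanning for the same handful of tell-tales every time: an O2/O3/O9 entry whose file is gone ("(no file)", "(file missing)"), an O23 service with no publisher string, an O16 ActiveX control pulled from a host you do not recognise, and an O4 autorun that names a bare executable instead of a full path. The script below is an added example for this thread, not the forum helpers' procedure and not anything from the original post: it parses lines in the HijackThis 2.0.2 format shown above and applies those four checks. The sample lines are copied from the log posted above; the allow-list of trusted O16 download hosts and the flagging rules are my own assumptions, chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis log above.
SAMPLE_LOG_LINES = [
    r"Running processes:",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)",
    r"O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab",
    r"O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab",
    r"O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# Assumption for this example: hosts from which O16 ActiveX downloads are accepted without review.
KNOWN_DPF_HOSTS = {"www.creative.com", "download.divx.com", "gfx1.hotmail.com"}

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O23 body: "Service: <name> - <company> - <path>"; an empty company is printed as " - - ".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) -(?: (?P<company>.*?))? - (?P<path>.+)$")


def parse_entry(line):
    """Split one log line into its section code and body; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "raw": line.strip()}


def autorun_executable(body):
    """Return the executable named by an O4 '[Name] command' body, honouring quotes."""
    m = re.search(r"\] (.+)$", body)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_entry(entry):
    """Return the reasons (possibly none) why this entry deserves a closer look."""
    reasons = []
    sec, body = entry["section"], entry["body"]
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("orphaned entry: registry key points at a file that is no longer on disk")
    if sec == "O23":
        m = SERVICE_RE.match(body)
        company = (m.group("company") or "").strip() if m else ""
        if company in ("", "Unknown owner"):
            reasons.append("service binary carries no publisher string: verify its signature and hash")
    if sec == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            reasons.append(f"ActiveX control installed from unlisted host {host}")
    if sec == "O4":
        exe = autorun_executable(body)
        if exe and "\\" not in exe and ":" not in exe:
            reasons.append(f"autorun command {exe!r} has no directory and is resolved through PATH")
    return reasons


def triage_log(lines):
    """Run every rule over every entry; returns (section, reason, raw line) tuples."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        for reason in triage_entry(entry):
            findings.append((entry["section"], reason, entry["raw"]))
    return findings


if __name__ == "__main__":
    for section, reason, raw in triage_log(SAMPLE_LOG_LINES):
        print(f"[{section}] {reason}\n    {raw}")
```

Run it on a saved log with `triage_log(open("hijackthis.log").read().splitlines())`. A flag is a prompt to look, not a verdict: the orphaned "(no file)" entries are harmless leftovers that HijackThis can simply fix, while an unsigned service binary or an ActiveX control from an unknown host is what you actually hash and look up before deciding.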
© Geeks to Go, Inc. | All Rights Reserved