WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

winflyer32 error, please help

Started by iulia , Dec 11 2007 10:54 AM

This topic is locked

14 replies to this topic

#1 iulia

New Member

New Member
8 posts

Posted 11 December 2007 - 10:54 AM

hey, i've read all the faq-s and done all the scans(got a problem though with spybot that couldn't fix a certain win32.bot threat) but the problem's still there: at startup i get an error "could not load c:\windows\system32\winflyer32.dll, specified module not found".

here's the hijackthis log that i saved after all the scanning:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:25 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ime\shared\jp\CLI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.29.3.253:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Nnvidia Control Add] C:\WINDOWS\system32\nvidia\add.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [CLI] C:\WINDOWS\system32\ime\shared\jp\hide.exe CLI.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...RO_ZBzeb030YYRO
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121870334281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://selfservice..../cab/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Externtelecom - Unknown owner - C:\WINDOWS\extel.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Programs Compatibility (Programs_Compatibility) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundSC - Unknown owner - C:\WINDOWS\inf\iis\services.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12393 bytes

Advertisements

Register to Remove

#2 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 05:22 AM

why isn't anybody replying? i don't get it.. i posted this problem on 5 sites already and no response..

#3 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 11:50 AM

Hello and Welcome to the forum.

First you need to inform any other forums that you posted at that you're being helped.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
Spyware Begone
Spyware Vanisher

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick while its running. That may cause it to stall

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#4 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 02:53 PM

ComboFix 07-12-12.3 - Administrator 2007-12-13 22:41:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.141 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\hosts
C:\WINDOWS\system32\drivers\sfsync02.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\nm
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 08:12 . 2007-12-12 08:13 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-10 20:28 . 2007-12-11 12:51 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-10 20:11 . 2007-10-11 01:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-10 20:11 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-10 20:11 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-10 20:11 . 2007-10-11 01:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-10 20:11 . 2007-10-11 01:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-10 20:11 . 2007-10-11 01:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-10 20:11 . 2007-10-11 01:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-10 20:11 . 2007-10-11 01:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-10 20:11 . 2007-10-10 12:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 20:10 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-10 17:31 . 2007-12-10 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-10 17:31 . 2007-12-10 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-10 17:14 . 2007-12-10 17:14 <DIR> d-------- C:\Program Files\CCleaner
2007-12-09 19:50 . 2006-08-21 11:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-09 19:50 . 2006-08-21 11:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-09 19:50 . 2006-08-21 14:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-09 19:47 . 2007-12-09 19:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-09 15:38 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-09 13:40 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-09 13:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-09 13:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-09 13:40 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-09 12:34 . 2007-12-09 12:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-09 12:32 . 2007-12-09 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 12:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-08 21:40 . 2007-12-09 11:40 0 --a------ C:\WINDOWS\system32\Sweeper.cfg
2007-12-08 16:22 . 2007-12-09 12:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-08 16:22 . 2007-12-08 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-12-01 13:32 . 2007-12-01 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-11-25 14:15 . 2007-11-25 14:15 <DIR> d-------- C:\Program Files\MP3 Player Utilities
2007-11-25 14:14 . 2004-05-14 08:21 6,850 -ra------ C:\WINDOWS\Disktool.INI
2007-11-25 14:14 . 2004-09-29 09:53 6,057 -ra------ C:\WINDOWS\fwupgrade.ini
2007-11-25 14:14 . 2004-05-12 04:28 3,677 -ra------ C:\WINDOWS\PlaySnd.INI
2007-11-20 12:21 . 2007-11-20 12:21 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-20 12:21 . 2007-11-20 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-19 17:29 . 2007-11-19 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2007-11-19 17:13 . 2007-11-27 19:39 <DIR> d-------- C:\xampp
2007-11-19 17:09 . 2007-12-12 20:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE
2007-11-19 17:08 . 2007-12-12 20:12 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-11-19 16:48 . 2007-11-19 16:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Web Page Maker V2
2007-11-19 15:03 . 2007-11-19 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2007-11-17 13:54 . 2007-11-17 13:54 106,496 --a------ C:\WINDOWS\system\admdll.VVdll
2007-11-17 13:54 . 2007-11-17 13:54 106,496 --a------ C:\WINDOWS\system\admdll.V00dll
2007-11-17 13:48 . 2007-11-17 13:48 630,784 --a------ C:\WINDOWS\userinit.Vexe
2007-11-14 15:06 . 2007-11-14 15:06 30,728 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-14 15:04 . 2007-11-14 15:04 27,656 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 15:03 . 2007-11-14 15:03 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 18:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 17:37 --------- d-----w C:\Program Files\Uniblue
2007-12-11 16:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-10 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-10 17:40 --------- d-----w C:\Program Files\BearShare
2007-12-10 15:26 --------- d-----w C:\Program Files\Valve
2007-12-10 15:02 --------- d-----w C:\Program Files\DC++ FasterDownloads
2007-12-10 15:01 --------- d-----w C:\Program Files\Buddy Spy
2007-11-30 11:07 --------- d-----w C:\Program Files\Winamp
2007-11-27 17:41 --------- d-----w C:\Program Files\BitComet Accelerator
2007-11-27 17:41 --------- d-----w C:\Program Files\BitComet
2007-11-20 10:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 15:55 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-19 15:54 --------- d-----w C:\Program Files\Macromedia
2007-11-13 14:20 --------- d-----w C:\Program Files\FlashGet
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-04 17:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-04 17:51 249,856 ------w C:\WINDOWS\Setup1.exe
2007-05-13 11:27 30,848 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-03-28 15:19 3,012 ----a-w C:\Program Files\INSTALL.LOG
2006-08-03 10:08 14 ----a-w C:\Documents and Settings\Administrator\getfile.dat
2006-06-11 10:13 0 ----a-w C:\Documents and Settings\Administrator\WebExcl.dat
2005-07-15 05:50 9,904,128 ----a-w C:\Program Files\BearShare.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 22:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"MISAggregator"="" []
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-03-16 10:56]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-04-28 17:59]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 17:27]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-05-13 17:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-06-15 11:36]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PavPrSrv"=2 (0x2)
"PAVFNSVR"=2 (0x2)

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\drivers\ShldDrv.sys
R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys
S2 Externtelecom;Externtelecom;"C:\WINDOWS\extel.exe"
S2 Programs_Compatibility;Programs Compatibility;C:\WINDOWS\userinit.exe
S2 SoundSC;SoundSC;C:\WINDOWS\inf\iis\services.exe
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ACB318E1]
mstask64.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 22:46:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 22:48:49 - machine was rebooted
.
2007-12-12 09:33:07 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:52 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.29.3.253:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...RO_ZBzeb030YYRO
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121870334281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://selfservice..../cab/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Externtelecom - Unknown owner - C:\WINDOWS\extel.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Programs Compatibility (Programs_Compatibility) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundSC - Unknown owner - C:\WINDOWS\inf\iis\services.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11606 bytes

thanks a lot for replying.. did the atf scan, waiting for next step

#5 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 02:56 PM

i forgot to mention that some internet pages look kind of weird, only text and reduced grafic, i don't know if that has anything to do with it

#6 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 03:27 PM

i forgot to mention that some internet pages look kind of weird, only text and reduced grafic, i don't know if that has anything to do with it

Hopefully when your pc is clean it will be OK.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system\admdll.VVdll
C:\WINDOWS\system\admdll.V00dll
C:\WINDOWS\userinit.Vexe

Save this as Save this as "CFScript"

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#7 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 03:57 PM

ComboFix 07-12-12.3 - Administrator 2007-12-13 23:51:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.182 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 08:12 . 2007-12-12 08:13 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-10 20:28 . 2007-12-11 12:51 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-10 20:11 . 2007-10-11 01:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-10 20:11 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-10 20:11 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-10 20:11 . 2007-10-11 01:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-10 20:11 . 2007-10-11 01:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-10 20:11 . 2007-10-11 01:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-10 20:11 . 2007-10-11 01:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-10 20:11 . 2007-10-11 01:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-10 20:11 . 2007-10-10 12:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 20:10 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-10 17:31 . 2007-12-10 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-10 17:31 . 2007-12-10 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-10 17:14 . 2007-12-10 17:14 <DIR> d-------- C:\Program Files\CCleaner
2007-12-09 19:50 . 2006-08-21 11:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-09 19:50 . 2006-08-21 11:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-09 19:50 . 2006-08-21 14:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-09 19:47 . 2007-12-09 19:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-09 15:38 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-09 13:40 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-09 13:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-09 13:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-09 13:40 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-09 12:34 . 2007-12-09 12:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-09 12:32 . 2007-12-09 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 12:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-08 21:40 . 2007-12-09 11:40 0 --a------ C:\WINDOWS\system32\Sweeper.cfg
2007-12-08 16:22 . 2007-12-09 12:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-08 16:22 . 2007-12-08 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-12-01 13:32 . 2007-12-01 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-11-25 14:15 . 2007-11-25 14:15 <DIR> d-------- C:\Program Files\MP3 Player Utilities
2007-11-25 14:14 . 2004-05-14 08:21 6,850 -ra------ C:\WINDOWS\Disktool.INI
2007-11-25 14:14 . 2004-09-29 09:53 6,057 -ra------ C:\WINDOWS\fwupgrade.ini
2007-11-25 14:14 . 2004-05-12 04:28 3,677 -ra------ C:\WINDOWS\PlaySnd.INI
2007-11-20 12:21 . 2007-11-20 12:21 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-20 12:21 . 2007-11-20 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-19 17:29 . 2007-11-19 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2007-11-19 17:13 . 2007-11-27 19:39 <DIR> d-------- C:\xampp
2007-11-19 17:09 . 2007-12-12 20:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE
2007-11-19 17:08 . 2007-12-12 20:12 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-11-19 16:48 . 2007-11-19 16:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Web Page Maker V2
2007-11-19 15:03 . 2007-11-19 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2007-11-17 13:54 . 2007-11-17 13:54 106,496 --a------ C:\WINDOWS\system\admdll.VVdll
2007-11-17 13:54 . 2007-11-17 13:54 106,496 --a------ C:\WINDOWS\system\admdll.V00dll
2007-11-17 13:48 . 2007-11-17 13:48 630,784 --a------ C:\WINDOWS\userinit.Vexe
2007-11-14 15:06 . 2007-11-14 15:06 30,728 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-14 15:04 . 2007-11-14 15:04 27,656 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 15:03 . 2007-11-14 15:03 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 18:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 17:37 --------- d-----w C:\Program Files\Uniblue
2007-12-11 16:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-10 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-10 17:40 --------- d-----w C:\Program Files\BearShare
2007-12-10 15:26 --------- d-----w C:\Program Files\Valve
2007-12-10 15:02 --------- d-----w C:\Program Files\DC++ FasterDownloads
2007-12-10 15:01 --------- d-----w C:\Program Files\Buddy Spy
2007-11-30 11:07 --------- d-----w C:\Program Files\Winamp
2007-11-27 17:41 --------- d-----w C:\Program Files\BitComet Accelerator
2007-11-27 17:41 --------- d-----w C:\Program Files\BitComet
2007-11-20 10:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 15:55 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-19 15:54 --------- d-----w C:\Program Files\Macromedia
2007-11-13 14:20 --------- d-----w C:\Program Files\FlashGet
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-04 17:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-04 17:51 249,856 ------w C:\WINDOWS\Setup1.exe
2007-05-13 11:27 30,848 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-03-28 15:19 3,012 ----a-w C:\Program Files\INSTALL.LOG
2006-08-03 10:08 14 ----a-w C:\Documents and Settings\Administrator\getfile.dat
2006-06-11 10:13 0 ----a-w C:\Documents and Settings\Administrator\WebExcl.dat
2005-07-15 05:50 9,904,128 ----a-w C:\Program Files\BearShare.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_22.47.39.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 14:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2007-11-21 00:04:14 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
+ 2007-12-13 20:57:13 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 22:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"MISAggregator"="" []
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-03-16 10:56]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-04-28 17:59]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 17:27]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-05-13 17:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-06-15 11:36]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PavPrSrv"=2 (0x2)
"PAVFNSVR"=2 (0x2)

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\drivers\ShldDrv.sys
R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys
S2 Externtelecom;Externtelecom;"C:\WINDOWS\extel.exe"
S2 Programs_Compatibility;Programs Compatibility;C:\WINDOWS\userinit.exe
S2 SoundSC;SoundSC;C:\WINDOWS\inf\iis\services.exe
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ACB318E1]
mstask64.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 23:54:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 23:55:27
C:\ComboFix2.txt ... 2007-12-13 22:48
.
2007-12-12 09:33:07 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:25 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.29.3.253:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...RO_ZBzeb030YYRO
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121870334281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://selfservice..../cab/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Externtelecom - Unknown owner - C:\WINDOWS\extel.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Programs Compatibility (Programs_Compatibility) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundSC - Unknown owner - C:\WINDOWS\inf\iis\services.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11689 bytes

computer running ok, sites are ok

#8 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 04:10 PM

Try that again as it didn't work.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system\admdll.VVdll
C:\WINDOWS\system\admdll.V00dll
C:\WINDOWS\userinit.Vexe

Save this as Save this as "CFScript"

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#9 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 04:19 PM

ComboFix 07-12-12.3 - Administrator 2007-12-14 0:13:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system\admdll.V00dll
C:\WINDOWS\system\admdll.VVdll
C:\WINDOWS\userinit.Vexe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\system\admdll.V00dll
C:\WINDOWS\system\admdll.VVdll
C:\WINDOWS\userinit.Vexe

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-10 20:28 . 2007-12-11 12:51 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-10 20:11 . 2007-10-11 01:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-10 20:11 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-10 20:11 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-10 20:11 . 2007-10-11 01:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-10 20:11 . 2007-10-11 01:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-10 20:11 . 2007-10-11 01:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-10 20:11 . 2007-10-11 01:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-10 20:11 . 2007-10-11 01:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-10 20:11 . 2007-10-10 12:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 20:10 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-10 17:31 . 2007-12-10 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-10 17:31 . 2007-12-10 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-10 17:14 . 2007-12-10 17:14 <DIR> d-------- C:\Program Files\CCleaner
2007-12-09 19:50 . 2006-08-21 11:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-09 19:50 . 2006-08-21 11:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-09 19:50 . 2006-08-21 14:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-09 19:47 . 2007-12-09 19:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-09 15:38 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-09 13:40 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-09 13:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-09 13:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-09 13:40 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-09 12:34 . 2007-12-09 12:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-09 12:32 . 2007-12-09 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 12:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-08 21:40 . 2007-12-09 11:40 0 --a------ C:\WINDOWS\system32\Sweeper.cfg
2007-12-08 16:22 . 2007-12-09 12:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-08 16:22 . 2007-12-08 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-12-01 13:32 . 2007-12-01 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-11-25 14:15 . 2007-11-25 14:15 <DIR> d-------- C:\Program Files\MP3 Player Utilities
2007-11-25 14:14 . 2004-05-14 08:21 6,850 -ra------ C:\WINDOWS\Disktool.INI
2007-11-25 14:14 . 2004-09-29 09:53 6,057 -ra------ C:\WINDOWS\fwupgrade.ini
2007-11-25 14:14 . 2004-05-12 04:28 3,677 -ra------ C:\WINDOWS\PlaySnd.INI
2007-11-20 12:21 . 2007-11-20 12:21 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-20 12:21 . 2007-11-20 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-19 17:29 . 2007-11-19 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2007-11-19 17:13 . 2007-11-27 19:39 <DIR> d-------- C:\xampp
2007-11-19 17:09 . 2007-12-12 20:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE
2007-11-19 17:08 . 2007-12-12 20:12 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-11-19 16:48 . 2007-11-19 16:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Web Page Maker V2
2007-11-19 15:03 . 2007-11-19 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2007-11-14 15:06 . 2007-11-14 15:06 30,728 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-14 15:04 . 2007-11-14 15:04 27,656 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 15:03 . 2007-11-14 15:03 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 18:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 17:37 --------- d-----w C:\Program Files\Uniblue
2007-12-11 16:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-10 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-10 17:40 --------- d-----w C:\Program Files\BearShare
2007-12-10 15:26 --------- d-----w C:\Program Files\Valve
2007-12-10 15:02 --------- d-----w C:\Program Files\DC++ FasterDownloads
2007-12-10 15:01 --------- d-----w C:\Program Files\Buddy Spy
2007-11-30 11:07 --------- d-----w C:\Program Files\Winamp
2007-11-27 17:41 --------- d-----w C:\Program Files\BitComet Accelerator
2007-11-27 17:41 --------- d-----w C:\Program Files\BitComet
2007-11-20 10:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 15:55 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-19 15:54 --------- d-----w C:\Program Files\Macromedia
2007-11-13 14:20 --------- d-----w C:\Program Files\FlashGet
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-04 17:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-04 17:51 249,856 ------w C:\WINDOWS\Setup1.exe
2007-05-13 11:27 30,848 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-03-28 15:19 3,012 ----a-w C:\Program Files\INSTALL.LOG
2006-08-03 10:08 14 ----a-w C:\Documents and Settings\Administrator\getfile.dat
2006-06-11 10:13 0 ----a-w C:\Documents and Settings\Administrator\WebExcl.dat
2005-07-15 05:50 9,904,128 ----a-w C:\Program Files\BearShare.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_22.47.39.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 14:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2007-11-21 00:04:14 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
+ 2007-12-13 20:57:13 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 22:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"MISAggregator"="" []
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-03-16 10:56]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" [2005-04-28 17:59]
"USIUDF_Eject_Monitor"="C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 17:27]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-05-13 17:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-06-15 11:36]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PavPrSrv"=2 (0x2)
"PAVFNSVR"=2 (0x2)

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\drivers\ShldDrv.sys
R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys
S2 Externtelecom;Externtelecom;"C:\WINDOWS\extel.exe"
S2 Programs_Compatibility;Programs Compatibility;C:\WINDOWS\userinit.exe
S2 SoundSC;SoundSC;C:\WINDOWS\inf\iis\services.exe
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ACB318E1]
mstask64.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 00:15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 0:16:47
C:\ComboFix2.txt ... 2007-12-13 23:55
C:\ComboFix3.txt ... 2007-12-13 22:48
.
2007-12-12 09:33:07 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:14 AM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
E:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.29.3.253:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...RO_ZBzeb030YYRO
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121870334281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://selfservice..../cab/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Externtelecom - Unknown owner - C:\WINDOWS\extel.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Programs Compatibility (Programs_Compatibility) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundSC - Unknown owner - C:\WINDOWS\inf\iis\services.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11692 bytes

this time the combofix did something different, deleted some files i think.. computer running ok, no visible changes

#10 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 04:28 PM

O23 - Service: Externtelecom - Unknown owner - C:\WINDOWS\extel.exe (file missing)

Turns off anti-virus applications
Modifies data on the computer
Deletes files off the computer
Steals information
Drops more malware
Downloads code from the internet

Thats not a good thing.
Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#11 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 04:33 PM

I don't have any accounts that can be accesed through internet., my only passwords are those from yahoo, some online games and that's it, and as for information, nothing that is crucial.. i would prefere not to delete everything and i can take the risk that the problem can't be 100% removed.

#12 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 04:34 PM

I suggest you do this:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#13 iulia

New Member

New Member
8 posts

Posted 13 December 2007 - 04:37 PM

thanks very much for your help, i'll do that tomorrow, because now i have to get some sleep(i'm from romania, night time here), i'll post back tomorrow after all of that.

#14 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 04:38 PM

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#15 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 13 December 2007 - 05:38 PM

iulia,
Please follow the help you're receiving from Noviciate

http://www.castlecop...1-.html#1033461

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme