Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Cannot boot into Safe Mode - Smitfraud Infection

Started by Chris.B , Apr 07 2008 08:34 AM

  • This topic is locked This topic is locked
24 replies to this topic

#16 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 April 2008 - 02:45 AM

Run a new Combofix scan.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it atleast 20-30 minutes to finish

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove

#17 Chris.B

Chris.B

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 20 April 2008 - 11:34 AM

OK LDTate...as you say.

Could you tell me if "killVBS.vbs" is safe or not? It's there on all my flash drives, and my old anti-virus (NOD32) kept saying it's bad, but there are no such issues with AVG.

Combofix log:

ComboFix 08-04-18.3 - AR 2008-04-20 20:34:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1550 [GMT 4:00]
Running from: C:\Documents and Settings\AR\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin.A\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 09:26 . 2008-04-19 09:26 <DIR> d-------- C:\Documents and Settings\AR\Application Data\Ubisoft
2008-04-19 09:26 . 2008-04-19 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-19 09:17 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-19 09:17 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-04-19 09:17 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-04-19 09:17 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-04-19 09:17 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-04-19 09:17 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-04-19 09:16 . 2008-04-19 09:17 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-19 08:50 . 2008-04-19 08:50 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-04-19 00:32 . 2008-04-19 00:32 <DIR> d-------- C:\fsaua.data
2008-04-14 17:21 . 2008-04-14 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-14 17:21 . 2008-04-14 17:21 <DIR> d-------- C:\Documents and Settings\AR\Application Data\Malwarebytes
2008-04-14 17:21 . 2008-04-14 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 11:14 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-11 11:14 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-11 11:14 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-11 11:14 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-11 11:14 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-11 11:14 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-11 11:14 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-11 11:00 . 2008-04-11 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 18:00 . 2008-04-10 18:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-07 18:30 . 2008-04-07 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 19:00 . 2008-04-06 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 19:34 . 2008-04-11 11:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-05 19:34 . 2008-04-11 11:16 <DIR> d-------- C:\Documents and Settings\AR\Application Data\SUPERAntiSpyware.com
2008-04-05 19:34 . 2008-04-05 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 19:10 . 2008-04-11 11:14 2,212 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 18:21 . 2008-03-18 08:26 97 --a------ C:\Extractor.bat
2008-04-03 21:43 . 2008-04-03 21:43 <DIR> d-------- C:\Puzzle Quest
2008-03-28 10:40 . 2008-03-28 10:40 <DIR> d-------- C:\WINDOWS\Puzzle Quest
2008-03-28 10:40 . 2008-04-15 20:34 <DIR> d-------- C:\Program Files\Puzzle Quest
2008-03-28 10:40 . 2008-03-28 10:40 <DIR> d-------- C:\Program Files\OpenAL
2008-03-28 10:06 . 2008-03-28 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hyperballoid2
2008-03-28 10:05 . 2008-03-28 10:05 <DIR> d-------- C:\WINDOWS\Hyperballoid 2i
2008-03-28 10:05 . 2008-03-28 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
2008-03-28 09:43 . 2008-03-28 09:43 <DIR> d-------- C:\WINDOWS\Great Secrets Da Vinci
2008-03-28 09:43 . 2008-03-28 10:18 <DIR> d-------- C:\Program Files\Great Secrets Da Vinci
2008-03-28 09:30 . 2008-03-28 09:30 <DIR> d-------- C:\WINDOWS\Finders Keepers
2008-03-28 09:30 . 2008-03-28 10:18 <DIR> d-------- C:\Program Files\Finders Keepers
2008-03-28 08:27 . 2008-03-28 08:27 <DIR> d-------- C:\WINDOWS\Elements
2008-03-28 08:27 . 2008-03-28 08:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QB9 S.R.L
2008-03-27 10:15 . 2008-03-27 10:15 <DIR> d-------- C:\Documents and Settings\AR\Application Data\Meridian93
2008-03-27 10:11 . 2008-03-27 10:11 <DIR> d-------- C:\WINDOWS\Destiny Architect
2008-03-27 10:11 . 2008-03-27 10:19 <DIR> d-------- C:\Program Files\Destiny Architect
2008-03-27 10:07 . 2008-03-27 10:07 <DIR> d-------- C:\WINDOWS\Cryptex of Time
2008-03-27 10:02 . 2008-03-27 10:02 <DIR> d-------- C:\WINDOWS\Brainiversity
2008-03-27 10:02 . 2008-03-27 10:07 <DIR> d-------- C:\Program Files\Brainiversity
2008-03-27 08:56 . 2008-03-27 08:56 <DIR> d-------- C:\WINDOWS\Around the World in 80 Days
2008-03-26 06:57 . 2008-03-26 06:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-26 06:56 . 2008-03-26 06:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-26 06:56 . 2008-03-26 06:56 <DIR> d-------- C:\9256c81281f4767069c7ef
2008-03-26 06:56 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-26 06:55 . 2008-03-26 06:56 <DIR> d-------- C:\b60a297ce08ebac18ea8200a88c5bc
2008-03-20 21:44 . 2008-03-20 21:44 <DIR> d-------- C:\WINDOWS\Age of Emerald
2008-03-20 21:44 . 2008-03-21 10:35 <DIR> d-------- C:\Program Files\Age of Emerald
2008-03-20 17:21 . 2008-03-20 17:21 <DIR> d-------- C:\WINDOWS\Action Ball 2
2008-03-20 17:21 . 2008-03-20 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rionix
2008-03-20 13:20 . 2008-03-20 13:20 <DIR> d-------- C:\WINDOWS\Abundante
2008-03-20 13:20 . 2008-03-20 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MythPeople

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 16:29 --------- d-----w C:\Documents and Settings\AR\Application Data\uTorrent
2008-04-19 04:40 --------- d-----w C:\Program Files\eMule
2008-04-18 13:22 --------- d-----w C:\Program Files\Warcraft III
2008-04-11 18:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 15:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-06 13:45 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-04-06 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-06 13:24 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-29 14:04 --------- d-----w C:\Program Files\Trojan Remover
2008-03-28 06:40 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-28 06:40 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-27 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 05:36 12,424 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-21 05:36 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-03-21 04:06 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-20 06:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 06:50 --------- d-----w C:\Program Files\Ubisoft
2008-03-12 14:02 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-07 06:20 --------- d-----w C:\Program Files\BFG
2008-02-29 15:20 --------- d-----w C:\Documents and Settings\AR\Application Data\Nokia Multimedia Player
2008-02-29 15:11 --------- d-----w C:\Program Files\Nokia
2008-02-29 15:11 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-02-29 15:11 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-29 12:34 --------- d-----w C:\Documents and Settings\AR\Application Data\ScummVM
2008-02-29 05:57 --------- d-----w C:\Program Files\Zone Labs
2008-02-29 05:55 81,465 ----a-w C:\WINDOWS\system32\drivers\klif.cab
2008-02-29 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-29 05:11 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-02-29 05:10 --------- d-----w C:\Program Files\AVG
2008-02-29 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-02-27 17:40 --------- d-----w C:\Program Files\Oxygen
2008-02-27 15:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-02-27 15:33 --------- d-----w C:\Documents and Settings\AR\Application Data\Nokia
2008-02-27 15:32 --------- d-----w C:\Documents and Settings\AR\Application Data\PC Suite
2008-02-27 15:20 33,856 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2008-02-27 15:16 --------- d-----w C:\Program Files\DIFX
2008-02-27 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-27 15:15 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-27 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-22 03:13 --------- d-----w C:\Program Files\QT Lite
2008-02-22 03:13 --------- d-----w C:\Documents and Settings\AR\Application Data\Apple Computer
2008-02-22 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 03:08 --------- d-----w C:\Program Files\Hasbro
2007-11-09 16:28 47,360 ----a-w C:\Documents and Settings\AR\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_17.36.15.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-20 16:30:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 11:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 11:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 12:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 11:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2007-03-30 05:55:44 2,722 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2004-08-04 01:07:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 01:07:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 01:07:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 01:07:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 01:07:00 1,788 ----a-w C:\WINDOWS\system32\Dcache.bin
+ 2001-08-17 09:12:12 2,944 -c--a-w C:\WINDOWS\system32\dllcache\brfilt.sys
+ 2004-08-03 19:07:58 2,944 -c--a-w C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2001-08-17 10:02:50 2,688 -c--a-w C:\WINDOWS\system32\dllcache\hidswvd.sys
+ 2004-08-04 01:07:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2004-08-04 01:07:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2004-08-04 01:07:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2001-08-17 10:00:04 2,944 -c--a-w C:\WINDOWS\system32\dllcache\msmpu401.sys
+ 2004-08-04 01:07:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2004-08-04 01:07:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2004-08-04 01:07:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2004-08-04 01:07:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2004-08-04 01:07:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2004-08-04 01:07:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
+ 2004-08-03 19:07:58 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 01:07:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 01:07:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2004-08-04 01:07:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-04-19 05:20:11 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2004-08-04 01:07:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 01:07:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
- 2008-04-15 13:30:42 94,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-20 16:34:43 103,100 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-15 13:30:43 463,428 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-20 16:34:43 480,016 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-08-04 01:07:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
+ 2004-09-15 01:51:40 2,293 ----a-w C:\WINDOWS\system32\TS_Free.bat
+ 2004-08-04 01:07:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
+ 2004-08-04 01:07:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 01:07:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 01:07:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:07 15360]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-02-16 00:17 177152]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 17:08 136136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [2006-11-24 12:26 2209792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"DSL Monitor"="C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE" [2002-01-18 16:50 856064]
"P17Helper"="P17.dll" [2006-03-17 16:11 81408 C:\WINDOWS\system32\P17.dll]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 01:22 3739648]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-12 06:20 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:07 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\AR\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UserId"= B:?=98H
"UserIdNo"= 264 (0x108)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\AR\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-21 09:36]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-02-29 09:11]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-27 19:20]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-21 08:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-21 08:06]
R2 enampdat;SpeedStream DSL AMP Protocol Driver for Windows 2000;C:\WINDOWS\system32\DRIVERS\enampdat.sys [2002-01-18 16:50]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2006-10-27 19:18]
R3 EfntRfc1483MP;Efficient Networks RFC 1483 Virtual Miniport;C:\WINDOWS\system32\DRIVERS\efnt1483.sys [2002-01-18 16:50]
R3 en4060;SpeedStream 4060 ATM/ADSL Driver;C:\WINDOWS\system32\DRIVERS\en4060.sys [2002-01-18 16:50]
R3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]
S3 EfntRFC1483;Efficient Networks RFC 1483 Intermediate Driver;C:\WINDOWS\system32\DRIVERS\efnt1483.sys [2002-01-18 16:50]
S3 en4060load;Efficient Networks 4060 USB Load Service;C:\WINDOWS\system32\DRIVERS\en4060ld.sys [2002-01-18 16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb0654e-5e35-11dc-a941-0020ea2f47cd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 20:36:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-04-20 20:37:45
ComboFix-quarantined-files.txt 2008-04-20 16:37:35
ComboFix2.txt 2008-04-16 17:43:10
ComboFix3.txt 2008-04-15 13:36:30

Pre-Run: 11,590,262,784 bytes free
Post-Run: 11,686,207,488 bytes free

269

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:39 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204428723139
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.share....RichUpload.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{97538A78-3F61-4D81-BD18-3FC86442215C}: NameServer = 213.42.20.20 195.229.241.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10621 bytes

Edited by Chris.B, 27 April 2008 - 08:08 AM.

#18 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 April 2008 - 02:20 PM

Delete this file if listed here.
C:\Windows\System32\killVBS.vbs

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#19 Chris.B

Chris.B

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 21 April 2008 - 07:28 AM

The file wasn't there in that location. I ran a search on my entire hard disk and that file wasn't found anywhere. Am I all clear now? :unsure:

#20 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 April 2008 - 07:48 AM

Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb0654e-5e35-11dc-a941-0020ea2f47cd}]


Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#21 Chris.B

Chris.B

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 23 April 2008 - 11:23 AM

OK LDTate...here it is. Let's hope for the best.

Combofix log

ComboFix 08-04-18.3 - Allister Rebeiro 2008-04-23 21:16:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1556 [GMT 4:00]
Running from: C:\Documents and Settings\Allister Rebeiro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allister Rebeiro\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-19 09:26 . 2008-04-19 09:26 <DIR> d-------- C:\Documents and Settings\Allister Rebeiro\Application Data\Ubisoft
2008-04-19 09:26 . 2008-04-19 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-19 09:17 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-19 09:17 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-04-19 09:17 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-04-19 09:17 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-04-19 09:17 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-04-19 09:17 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-04-19 09:16 . 2008-04-19 09:17 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-19 08:50 . 2008-04-19 08:50 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-04-19 00:32 . 2008-04-19 00:32 <DIR> d-------- C:\fsaua.data
2008-04-14 17:21 . 2008-04-14 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-14 17:21 . 2008-04-14 17:21 <DIR> d-------- C:\Documents and Settings\Allister Rebeiro\Application Data\Malwarebytes
2008-04-14 17:21 . 2008-04-14 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 11:14 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-11 11:14 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-11 11:14 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-11 11:14 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-11 11:14 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-11 11:14 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-11 11:14 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-11 11:00 . 2008-04-11 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 18:00 . 2008-04-10 18:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-07 18:30 . 2008-04-07 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 19:00 . 2008-04-06 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 19:34 . 2008-04-11 11:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-05 19:34 . 2008-04-11 11:16 <DIR> d-------- C:\Documents and Settings\Allister Rebeiro\Application Data\SUPERAntiSpyware.com
2008-04-05 19:34 . 2008-04-05 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 19:10 . 2008-04-11 11:14 2,212 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 18:21 . 2008-03-18 08:26 97 --a------ C:\Extractor.bat
2008-04-03 21:43 . 2008-04-03 21:43 <DIR> d-------- C:\Puzzle Quest
2008-03-28 10:40 . 2008-03-28 10:40 <DIR> d-------- C:\WINDOWS\Puzzle Quest
2008-03-28 10:40 . 2008-04-15 20:34 <DIR> d-------- C:\Program Files\Puzzle Quest
2008-03-28 10:40 . 2008-03-28 10:40 <DIR> d-------- C:\Program Files\OpenAL
2008-03-28 10:06 . 2008-03-28 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hyperballoid2
2008-03-28 10:05 . 2008-03-28 10:05 <DIR> d-------- C:\WINDOWS\Hyperballoid 2i
2008-03-28 10:05 . 2008-03-28 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
2008-03-28 09:43 . 2008-03-28 09:43 <DIR> d-------- C:\WINDOWS\Great Secrets Da Vinci
2008-03-28 09:43 . 2008-03-28 10:18 <DIR> d-------- C:\Program Files\Great Secrets Da Vinci
2008-03-28 09:30 . 2008-03-28 09:30 <DIR> d-------- C:\WINDOWS\Finders Keepers
2008-03-28 09:30 . 2008-03-28 10:18 <DIR> d-------- C:\Program Files\Finders Keepers
2008-03-28 08:27 . 2008-03-28 08:27 <DIR> d-------- C:\WINDOWS\Elements
2008-03-28 08:27 . 2008-03-28 08:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QB9 S.R.L
2008-03-27 10:15 . 2008-03-27 10:15 <DIR> d-------- C:\Documents and Settings\Allister Rebeiro\Application Data\Meridian93
2008-03-27 10:11 . 2008-03-27 10:11 <DIR> d-------- C:\WINDOWS\Destiny Architect
2008-03-27 10:11 . 2008-03-27 10:19 <DIR> d-------- C:\Program Files\Destiny Architect
2008-03-27 10:07 . 2008-03-27 10:07 <DIR> d-------- C:\WINDOWS\Cryptex of Time
2008-03-27 10:02 . 2008-03-27 10:02 <DIR> d-------- C:\WINDOWS\Brainiversity
2008-03-27 10:02 . 2008-03-27 10:07 <DIR> d-------- C:\Program Files\Brainiversity
2008-03-27 08:56 . 2008-03-27 08:56 <DIR> d-------- C:\WINDOWS\Around the World in 80 Days
2008-03-26 06:57 . 2008-03-26 06:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-26 06:56 . 2008-03-26 06:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-26 06:56 . 2008-03-26 06:56 <DIR> d-------- C:\9256c81281f4767069c7ef
2008-03-26 06:56 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-26 06:55 . 2008-03-26 06:56 <DIR> d-------- C:\b60a297ce08ebac18ea8200a88c5bc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 17:16 --------- d-----w C:\Documents and Settings\Allister Rebeiro\Application Data\uTorrent
2008-04-23 04:48 --------- d-----w C:\Program Files\eMule
2008-04-18 13:22 --------- d-----w C:\Program Files\Warcraft III
2008-04-11 18:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 15:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-06 13:45 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-04-06 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-06 13:24 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-29 14:04 --------- d-----w C:\Program Files\Trojan Remover
2008-03-28 06:40 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-28 06:40 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-27 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 06:35 --------- d-----w C:\Program Files\Age of Emerald
2008-03-21 05:36 12,424 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-21 05:36 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-03-21 04:06 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-20 13:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\rionix
2008-03-20 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\MythPeople
2008-03-20 06:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 06:50 --------- d-----w C:\Program Files\Ubisoft
2008-03-12 14:02 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-07 06:20 --------- d-----w C:\Program Files\BFG
2008-02-29 15:20 --------- d-----w C:\Documents and Settings\Allister Rebeiro\Application Data\Nokia Multimedia Player
2008-02-29 15:11 --------- d-----w C:\Program Files\Nokia
2008-02-29 15:11 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-02-29 15:11 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-29 12:34 --------- d-----w C:\Documents and Settings\Allister Rebeiro\Application Data\ScummVM
2008-02-29 05:57 --------- d-----w C:\Program Files\Zone Labs
2008-02-29 05:55 81,465 ----a-w C:\WINDOWS\system32\drivers\klif.cab
2008-02-29 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-29 05:11 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-02-29 05:10 --------- d-----w C:\Program Files\AVG
2008-02-29 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-02-27 17:40 --------- d-----w C:\Program Files\Oxygen
2008-02-27 15:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-02-27 15:33 --------- d-----w C:\Documents and Settings\Allister Rebeiro\Application Data\Nokia
2008-02-27 15:32 --------- d-----w C:\Documents and Settings\Allister Rebeiro\Application Data\PC Suite
2008-02-27 15:20 33,856 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2008-02-27 15:16 --------- d-----w C:\Program Files\DIFX
2008-02-27 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-27 15:15 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-27 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-11-09 16:28 47,360 ----a-w C:\Documents and Settings\Allister Rebeiro\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-20_20.37.26.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 16:30:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 12:00:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-20 16:34:43 103,100 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-23 12:04:46 104,700 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-20 16:34:43 480,016 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-23 12:04:46 483,206 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:07 15360]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-02-16 00:17 177152]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 17:08 136136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [2006-11-24 12:26 2209792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"DSL Monitor"="C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE" [2002-01-18 16:50 856064]
"P17Helper"="P17.dll" [2006-03-17 16:11 81408 C:\WINDOWS\system32\P17.dll]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 01:22 3739648]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-12 06:20 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:07 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Allister Rebeiro\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UserId"= B:?=98H
"UserIdNo"= 264 (0x108)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Allister Rebeiro\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-21 09:36]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-02-29 09:11]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-27 19:20]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-21 08:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-21 08:06]
R2 enampdat;SpeedStream DSL AMP Protocol Driver for Windows 2000;C:\WINDOWS\system32\DRIVERS\enampdat.sys [2002-01-18 16:50]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2006-10-27 19:18]
R3 EfntRfc1483MP;Efficient Networks RFC 1483 Virtual Miniport;C:\WINDOWS\system32\DRIVERS\efnt1483.sys [2002-01-18 16:50]
R3 en4060;SpeedStream 4060 ATM/ADSL Driver;C:\WINDOWS\system32\DRIVERS\en4060.sys [2002-01-18 16:50]
R3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]
S3 EfntRFC1483;Efficient Networks RFC 1483 Intermediate Driver;C:\WINDOWS\system32\DRIVERS\efnt1483.sys [2002-01-18 16:50]
S3 en4060load;Efficient Networks 4060 USB Load Service;C:\WINDOWS\system32\DRIVERS\en4060ld.sys [2002-01-18 16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1550d6e0-ee4f-11dc-aa6c-0020ea2f47cd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorcr.exe
\Shell\Explore\command - I:\explorcr.exe
\Shell\Open\command - I:\explorcr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb0654e-5e35-11dc-a941-0020ea2f47cd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorcr.exe
\Shell\Explore\command - explorcr.exe
\Shell\Open\command - explorcr.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 21:19:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-04-23 21:20:31
ComboFix-quarantined-files.txt 2008-04-23 17:20:21
ComboFix2.txt 2008-04-20 16:37:45
ComboFix3.txt 2008-04-16 17:43:10
ComboFix4.txt 2008-04-15 13:36:30

Pre-Run: 11,677,216,768 bytes free
Post-Run: 11,721,396,224 bytes free

226


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:52 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204428723139
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.share....RichUpload.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{97538A78-3F61-4D81-BD18-3FC86442215C}: NameServer = 213.42.20.20 195.229.241.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10535 bytes

#22 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 April 2008 - 05:09 PM

You need to update SunJava.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 5
    The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on 6-windowsi586-p.exe to install the newest version.
Once installed you can test to see that it is in fact installed
Sun Java Test
http://www.java.com/...d/installed.jsp

After the above:

Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image


    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Note: I no longer suggest Zone Alarm

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Winpatrol

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#23 Chris.B

Chris.B

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 25 April 2008 - 08:45 PM

OK LDTate, all done! My system is working fine right now, all thanks to you :thumbup: U da man :notworthy: As I dont anticipate any further posts, shall we close the thread?

#24 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 April 2008 - 02:57 PM

Great job :thumbup: You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#25 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 April 2008 - 02:57 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·