Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91738 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] oh man my computer is messd up


  • This topic is locked This topic is locked
18 replies to this topic

#1 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 08 June 2008 - 09:46 PM

my computer is screwd

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:03 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\444.470
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\A9F1.tmp
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\rcntkkdm.exe
C:\WINDOWS\system32\lphc10oj0ecbr.exe
C:\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe
E:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\13334.exe
C:\DOCUME~1\xplicitz\APPLIC~1\CURITY~1\chkdsk.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\??sks\l?gonui.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\13334.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
E:\SpywareGuard\sgmain.exe
E:\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\SpywareGuard\dlprotect.dll
O2 - BHO: mysidesearch browser optimizer - {4a7496e7-c57f-6134-82ee-f457ec6e421c} - C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA49EB1C-5689-0E09-FB35-70A2E2EB42C4} - C:\WINDOWS\system32\vcdzp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AFF07893-7B45-4F42-887F-8129790B6CBB} - C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{62-2E-E9-91-DW}] C:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntkkdm.exe DWram
O4 - HKLM\..\Run: [lphc10oj0ecbr] C:\WINDOWS\system32\lphc10oj0ecbr.exe
O4 - HKLM\..\Run: [SMshc70oj0ecbr] C:\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA1114] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2628] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\13334.exe
O4 - HKCU\..\Run: [Rihl] "C:\DOCUME~1\xplicitz\APPLIC~1\CURITY~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Vycn] "C:\Program Files\Common Files\??sks\l?gonui.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD987] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntkkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: SpywareGuard.lnk = E:\SpywareGuard\sgmain.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1212733332078
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.solidstat...lidstateion.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10374 bytes



please help me fix it !

    Advertisements

Register to Remove


#2 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 09 June 2008 - 05:34 AM

Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 09 June 2008 - 11:31 AM

ComboFix 08-06-08.8 - xplicitz 2008-06-09 8:29:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.167 [GMT -7:00]
Running from: C:\Documents and Settings\xplicitz\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\xplicitz\Application Data\CURITY~1
C:\Documents and Settings\xplicitz\Application Data\CURITY~1\??crosoft\
C:\Documents and Settings\xplicitz\Application Data\CURITY~1\chkdsk.exe
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\13334.exe
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\7Office Sales Management Standalone v2.2 for Windows.torrent
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\7Office Sales Management Standalone v2.2 for Windows.zip
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\Fusion Assault v2.0 for CounterStrike.torrent
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\Fusion Assault v2.0 for CounterStrike.zip
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\Internet Download Manager 5.12 crack.zip~
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\Resident Evil 2 v1.04 by DBC.torrent
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\Resident Evil 2 v1.04 by DBC.zip
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\tuneup.utilities.2007.keygen-tsrh.torrent
C:\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\tuneup.utilities.2007.keygen-tsrh.zip
C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\sks~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\homepage.html
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\index.html
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\promo1.html
C:\WINDOWS\promo2.html
C:\WINDOWS\promo3.html
C:\WINDOWS\promo4.html
C:\WINDOWS\promo5.html
C:\WINDOWS\promo6.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\000050.exe
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\adult.txt
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nic13944.sys
C:\WINDOWS\system32\finance.txt
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\other.txt
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pharma.txt
C:\WINDOWS\system32\rcntkkdm.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\sn.txt
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\vcdzp.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
C:\Program Files\Common Files\sks~1\l?gonui.exe . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NIC13944
-------\Legacy_SYSREST.SYS
-------\Legacy_TNIDRIVER
-------\Service_MsSecurity1.209.4
-------\Service_nic13944
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-09 08:34 . 2008-06-09 08:34 135,168 --a------ C:\WINDOWS\TEK76.exe
2008-06-09 08:33 . 2008-06-09 08:33 49,194 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-06-09 08:33 . 2008-06-09 08:33 93 --a------ C:\WINDOWS\system32\msnav32.ax
2008-06-09 08:23 . 2008-06-09 08:23 49,180 --a------ C:\WINDOWS\system32\jjwnw64k.exe
2008-06-09 08:23 . 2008-06-09 08:23 23,040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-06-09 08:23 . 2008-06-09 08:23 15,328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-08 22:47 . 2008-06-08 22:56 63,918 --a------ C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll-uninst.exe
2008-06-08 22:46 . 2008-06-08 22:47 401,963 --a------ C:\WINDOWS\system32\g88.exe
2008-06-08 21:47 . 2008-06-08 21:37 52,736 --a------ C:\WINDOWS\system32\519.tmp
2008-06-08 20:46 . 2008-06-08 20:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 14:08 . 2008-06-08 14:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-08 13:57 . 2008-06-08 20:35 513 --a------ C:\WINDOWS\wininit.ini
2008-06-08 13:15 . 2008-06-08 13:15 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-06-08 11:14 . 2008-06-08 11:14 55,808 --a------ C:\WINDOWS\portsv.exe
2008-06-08 10:33 . 2008-06-08 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 10:25 . 2008-06-08 10:25 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-08 10:19 . 2008-06-08 10:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 10:18 . 2008-06-08 10:18 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\shc70oj0ecbr
2008-06-08 10:18 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-08 10:17 . 2008-06-08 10:18 <DIR> d-------- C:\Program Files\shc70oj0ecbr
2008-06-08 10:17 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-08 10:17 . 2008-06-08 10:17 92,160 --a------ C:\WINDOWS\system32\lphc10oj0ecbr.exe
2008-06-08 10:17 . 2008-06-09 08:33 90,838 --a------ C:\WINDOWS\system32\phc10oj0ecbr.bmp
2008-06-08 10:17 . 2008-06-09 08:33 52,736 --a------ C:\WINDOWS\system32\blphc10oj0ecbr.scr
2008-06-08 10:15 . 2008-06-08 20:48 95,833 --a------ C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll-uninst.exe
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\WINDOWS\system32\xrem
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\WINDOWS\system32\inet2
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\WINDOWS\system32\expo
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\WINDOWS\system32\btz
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\WINDOWS\system32\105772
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d--hs---- C:\WINDOWS\eHBsaWNpdHo
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\Program Files\uTorrent
2008-06-08 10:14 . 2008-06-09 08:31 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\uTorrent
2008-06-08 10:14 . 2008-06-08 10:14 30,728 --a------ C:\WINDOWS\444.470
2008-06-08 10:13 . 2008-06-08 10:13 87,511 --a------ C:\WINDOWS\system32\iftuyszv.exe
2008-06-08 10:13 . 2008-06-08 10:13 49,158 --a------ C:\WINDOWS\444.0
2008-06-07 18:35 . 2008-06-09 08:29 <DIR> d-------- C:\Temp
2008-06-07 18:35 . 2008-06-07 18:35 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Syntrillium
2008-06-07 18:35 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-06-07 18:35 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-06-07 18:35 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-06-07 18:35 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-06-07 18:35 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-06-07 18:35 . 2008-06-07 18:35 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-06-07 18:31 . 2008-06-07 18:31 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-06-06 10:57 . 2008-06-06 10:57 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\mGame
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\InstallShield
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\WINDOWS\Setup2K
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\DSC Driver
2008-06-06 00:44 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\SPCA561.SYS
2008-06-06 00:44 . 2002-09-12 15:37 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-06-06 00:44 . 2002-10-10 17:06 53,248 --a------ C:\WINDOWS\ap561.exe
2008-06-06 00:44 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-06-06 00:44 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-06-06 00:44 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-06-06 00:44 . 2002-10-11 14:27 180 --a------ C:\WINDOWS\ap561.ini
2008-06-06 00:44 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\WINDOWS\PixArt
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Common Files\PAC207
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Basic Webcam
2008-06-06 00:39 . 2006-11-03 10:59 48,128 --a------ C:\WINDOWS\system32\Remove.exe
2008-06-06 00:39 . 2007-03-16 00:10 316 --a------ C:\WINDOWS\system32\Remover.ini
2008-06-06 00:38 . 2008-06-06 00:42 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Yahoo!
2008-06-06 00:38 . 2008-06-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-06 00:36 . 2008-06-06 00:36 <DIR> d-------- C:\webcam driver pack
2008-06-06 00:32 . 2008-06-06 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-06 00:31 . 2008-06-06 00:31 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-06 00:25 . 2008-06-06 00:25 <DIR> d-------- C:\Program Files\Google
2008-06-06 00:11 . 2008-06-06 00:17 <DIR> d-------- C:\WINDOWS\PAC207
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINSTC
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINST64C
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-06-05 23:49 . 2008-06-05 23:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-05 23:40 . 2008-05-22 08:12 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Winamp
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\WINDOWS\Logs
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\Program Files\Realtek
2008-06-05 23:38 . 2008-03-05 18:07 520,192 -ra------ C:\WINDOWS\RtlExUpd.dll
2008-06-05 23:38 . 2008-06-05 23:38 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-06-05 23:38 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-05 23:36 . 2008-06-06 00:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 23:35 . 2008-06-06 00:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-05 23:31 . 2008-06-05 23:32 <DIR> d-------- C:\Program Files\middle_man
2008-06-05 23:27 . 2008-06-05 23:27 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Aim
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-05 23:24 . 2008-06-05 23:31 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-05 23:24 . 2008-06-05 23:29 <DIR> d-------- C:\Program Files\AOD
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-05 23:24 . 2004-02-25 13:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-05 23:23 . 2008-06-05 23:23 <DIR> d-------- C:\WINDOWS\nview
2008-06-05 23:23 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-05 23:23 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-05 23:23 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-05 23:23 . 2008-06-09 08:33 182,038 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-05 23:23 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-05 23:23 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-05 23:23 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-05 23:23 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-05 23:23 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-05 23:21 . 2008-06-05 23:21 <DIR> d---s---- C:\Documents and Settings\xplicitz\UserData
2008-06-05 23:18 . 2008-06-05 23:18 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-05 23:07 . 2007-03-19 16:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-06-05 23:00 . 2008-06-08 09:08 <DIR> d-------- C:\Documents and Settings\xplicitz
2008-05-27 06:38 . 2008-05-27 06:38 372,736 --a------ C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll
2008-05-20 14:05 . 2008-05-20 14:05 32,768 --a------ C:\WINDOWS\system32\vntiho06\vntiho061083.exe
2008-05-19 06:55 . 2008-05-19 06:55 439,808 --a------ C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 00:01 70,144 ----a-w C:\WINDOWS\system32\userinit.exe
2008-06-06 05:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-28 13:22 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-28 13:22 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-28 13:21 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-28 13:21 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-22 15:12 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-22 15:12 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 00:53 4,800,000 ----a-r C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 21:39 16,862,720 ----a-r C:\WINDOWS\RTHDCPL.exe
2008-04-02 16:27 1,196,032 ----a-r C:\WINDOWS\RtlUpd.exe
2005-08-02 23:46 187,904 --sha-r C:\WINDOWS\eHBsaWNpdHo\asappsrv.dll
2005-08-02 23:58 293,888 --sha-r C:\WINDOWS\eHBsaWNpdHo\command.exe
2005-07-29 23:24 472 --sha-r C:\WINDOWS\eHBsaWNpdHo\yJ1PuqhDxJC.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BF8538B-1C21-4276-0091-E9E81C65E0F3}]
2008-06-09 08:34 70144 --a------ C:\Program Files\Internet Explorer\zysihytuk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a7496e7-c57f-6134-82ee-f457ec6e421c}]
2008-05-19 06:55 439808 --a------ C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA49EB1C-5689-0E09-FB35-70A2E2EB42C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF07893-7B45-4F42-887F-8129790B6CBB}]
2008-02-27 18:54 217088 --a------ C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d64a876e-1b7c-7755-906f-b4288eb982bd}]
2008-05-27 06:38 372736 --a------ C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="E:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-06-06 00:25 171448]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Rihl"="C:\DOCUME~1\xplicitz\APPLIC~1\CURITY~1\chkdsk.exe" [ ]
"Vycn"="C:\Program Files\Common Files\??sks\l?gonui.exe" [ ]
"SpybotSD TeaTimer"="e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD987"="cmd /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"{62-2E-E9-91-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-06-09 08:33 49194]
"lphc10oj0ecbr"="C:\WINDOWS\system32\lphc10oj0ecbr.exe" [2008-06-08 10:17 92160]
"SMshc70oj0ecbr"="C:\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe" [2008-06-02 07:55 1564672]
"{9e550fc6-82f4-83e0-4687-2713c0def7b2}"="C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll" [2008-05-27 06:38 372736]

C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\
SpywareGuard.lnk - E:\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2008-06-06 00:44:38 65536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\dicovunej.html
FriendlyName=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18677:TCP"= 18677:TCP:*:Disabled:SolidNetworkManager
"18677:UDP"= 18677:UDP:*:Disabled:SolidNetworkManager
"58740:TCP"= 58740:TCP:*:Disabled:SolidNetworkManager
"58740:UDP"= 58740:UDP:*:Disabled:SolidNetworkManager
"30324:TCP"= 30324:TCP:*:Disabled:SolidNetworkManager
"30324:UDP"= 30324:UDP:*:Disabled:SolidNetworkManager

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 08:34:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\blphc10oj0ecbr.scr
E:\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-06-09 8:37:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 15:36:51

Pre-Run: 26,630,049,792 bytes free
Post-Run: 27,017,715,712 bytes free

386

#4 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 09 June 2008 - 11:44 AM

i just added restore console loading combo and restarting :)

#5 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 09 June 2008 - 12:31 PM

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\Common Files\sks~1\l?gonui.exe
C:\WINDOWS\TEK76.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\jjwnw64k.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll-uninst.exe
C:\WINDOWS\system32\g88.exe
C:\WINDOWS\system32\519.tmp
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\lphc10oj0ecbr.exe
C:\WINDOWS\system32\phc10oj0ecbr.bmp
C:\WINDOWS\system32\blphc10oj0ecbr.scr
C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll-uninst.exe
C:\WINDOWS\444.470
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\444.0
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll
C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll

Folder::
C:\WINDOWS\eHBsaWNpdHo
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\btz
C:\WINDOWS\system32\105772
C:\Program Files\shc70oj0ecbr

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#6 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 09 June 2008 - 02:02 PM

ComboFix 08-06-08.8 - xplicitz 2008-06-09 12:45:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -7:00]
Running from: C:\Documents and Settings\xplicitz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\xplicitz\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\444.0
C:\WINDOWS\444.470
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll-uninst.exe
C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll
C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll-uninst.exe
C:\WINDOWS\system32\519.tmp
C:\WINDOWS\system32\blphc10oj0ecbr.scr
C:\WINDOWS\system32\g88.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\jjwnw64k.exe
C:\WINDOWS\system32\lphc10oj0ecbr.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\phc10oj0ecbr.bmp
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\TEK76.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\xplicitz\Application Data\MBOLS~1
C:\Documents and Settings\xplicitz\Application Data\MBOLS~1\??mbols\
C:\Documents and Settings\xplicitz\Application Data\MBOLS~1\services.exe
C:\Documents and Settings\xplicitz\Application Data\SpeedRunner
C:\Documents and Settings\xplicitz\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\xplicitz\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\xplicitz\Application Data\SpeedRunner\SRUninstall.exe
C:\Documents and Settings\xplicitz\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Program Files\AntiSpywareMaster
C:\Program Files\AntiSpywareMaster\asm.exe
C:\Program Files\Common Files\qmfk
C:\Program Files\Common Files\qmfk\qmfka.exe
C:\Program Files\Common Files\qmfk\qmfka.lck
C:\Program Files\Common Files\qmfk\qmfkd\class-barrel
C:\Program Files\Common Files\qmfk\qmfkd\qmfkc.dll
C:\Program Files\Common Files\qmfk\qmfkd\vocabulary
C:\Program Files\Common Files\qmfk\qmfkl.exe
C:\Program Files\Common Files\qmfk\qmfkl.lck
C:\Program Files\Common Files\qmfk\qmfkm.exe
C:\Program Files\Common Files\qmfk\qmfkm.lck
C:\Program Files\Common Files\qmfk\qmfkp.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\SRInstaller.exe
C:\Program Files\Internet Explorer\dicovunej.html
C:\Program Files\Internet Explorer\zysihytuk.dll
C:\Program Files\Internet Explorer\zysihytuk427.dll
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\shc70oj0ecbr
C:\Program Files\shc70oj0ecbr\database.dat
C:\Program Files\shc70oj0ecbr\license.txt
C:\Program Files\shc70oj0ecbr\MFC71.dll
C:\Program Files\shc70oj0ecbr\MFC71ENU.DLL
C:\Program Files\shc70oj0ecbr\msvcp71.dll
C:\Program Files\shc70oj0ecbr\msvcr71.dll
C:\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe
C:\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe.local
C:\Program Files\shc70oj0ecbr\shc70oj0ecbrSkin.dll
C:\Program Files\shc70oj0ecbr\Uninstall.exe
C:\Program Files\Spcron
C:\Program Files\Spcron\Spc.dll
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\444.0
C:\WINDOWS\444.470
C:\WINDOWS\b103.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\eHBsaWNpdHo
C:\WINDOWS\eHBsaWNpdHo\asappsrv.dll
C:\WINDOWS\eHBsaWNpdHo\command.exe
C:\WINDOWS\eHBsaWNpdHo\yJ1PuqhDxJC.vbs
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\muotr.so
C:\WINDOWS\portsv.exe
C:\WINDOWS\qmfk
C:\WINDOWS\qmfk\qmfk.dat
C:\WINDOWS\qmfk\wu
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll-uninst.exe
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll
C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll-uninst.exe
C:\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll
C:\WINDOWS\system32\105772
C:\WINDOWS\system32\105772\dllsockt.exe
C:\WINDOWS\system32\519.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\blphc10oj0ecbr.scr
C:\WINDOWS\system32\btz
C:\WINDOWS\system32\btz\L3pars2.exe
C:\WINDOWS\system32\dgOXwyxx.ini
C:\WINDOWS\system32\dgOXwyxx.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\parvdmm.sys
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\expo\mtcon66225.exe
C:\WINDOWS\system32\ffeal.dll
C:\WINDOWS\system32\g88.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\inet2\xVXdll.exe
C:\WINDOWS\system32\irlbgcww.ini
C:\WINDOWS\system32\jjwnw64k.exe
C:\WINDOWS\system32\khfDvSll.dll
C:\WINDOWS\system32\lphc10oj0ecbr.exe
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mbols~1\i?xplore.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nnnmjgge.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phc10oj0ecbr.bmp
C:\WINDOWS\system32\rcntkkdm.exe
C:\WINDOWS\system32\rqRKAtTk.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wwcgblri.dll
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\xrem\imapIP95.exe
C:\WINDOWS\system32\xxywXOgd.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TEK76.exe
C:\WINDOWS\uninstall_nmon.vbs

Infected copy of C:\WINDOWS\system32\userinit.exe was found & disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_PARVDMM
-------\Service_cmdService
-------\Service_MsSecurity1.209.4
-------\Service_Network Monitor
-------\Service_parvdmm


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-09 12:42 . 2008-06-09 12:42 43,065 --a------ C:\WINDOWS\acdt-pid76.exe
2008-06-09 11:01 . 2008-06-09 11:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\WINDOWS\system32\vntiho01
2008-06-09 10:24 . 2008-06-09 10:14 52,736 --a------ C:\WINDOWS\system32\36.tmp
2008-06-09 10:14 . 2008-06-09 10:04 52,736 --a------ C:\WINDOWS\system32\30.tmp
2008-06-09 09:54 . 2008-06-09 09:44 52,736 --a------ C:\WINDOWS\system32\27.tmp
2008-06-09 09:44 . 2008-06-09 09:34 52,736 --a------ C:\WINDOWS\system32\23.tmp
2008-06-09 09:34 . 2008-06-09 09:24 52,736 --a------ C:\WINDOWS\system32\1F.tmp
2008-06-09 09:24 . 2008-06-09 09:14 52,736 --a------ C:\WINDOWS\system32\1C.tmp
2008-06-09 09:14 . 2008-06-09 09:04 52,736 --a------ C:\WINDOWS\system32\19.tmp
2008-06-09 09:04 . 2008-06-09 08:53 52,736 --a------ C:\WINDOWS\system32\15.tmp
2008-06-09 08:53 . 2008-06-09 08:43 52,736 --a------ C:\WINDOWS\system32\12.tmp
2008-06-08 20:46 . 2008-06-08 20:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 14:08 . 2008-06-08 14:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-08 13:57 . 2008-06-08 20:35 513 --a------ C:\WINDOWS\wininit.ini
2008-06-08 13:15 . 2008-06-08 13:15 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-06-08 10:33 . 2008-06-08 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 10:25 . 2008-06-08 10:25 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-08 10:19 . 2008-06-08 10:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 10:18 . 2008-06-08 10:18 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\shc70oj0ecbr
2008-06-08 10:18 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-08 10:17 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\Program Files\uTorrent
2008-06-08 10:14 . 2008-06-09 08:31 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\uTorrent
2008-06-07 18:35 . 2008-06-09 12:46 <DIR> d-------- C:\Temp
2008-06-07 18:35 . 2008-06-07 18:35 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Syntrillium
2008-06-07 18:35 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-06-07 18:35 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-06-07 18:35 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-06-07 18:35 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-06-07 18:35 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-06-07 18:35 . 2008-06-07 18:35 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-06-07 18:31 . 2008-06-07 18:31 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-06-06 10:57 . 2008-06-06 10:57 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\mGame
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\InstallShield
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\WINDOWS\Setup2K
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\DSC Driver
2008-06-06 00:44 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\SPCA561.SYS
2008-06-06 00:44 . 2002-09-12 15:37 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-06-06 00:44 . 2002-10-10 17:06 53,248 --a------ C:\WINDOWS\ap561.exe
2008-06-06 00:44 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-06-06 00:44 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-06-06 00:44 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-06-06 00:44 . 2002-10-11 14:27 180 --a------ C:\WINDOWS\ap561.ini
2008-06-06 00:44 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\WINDOWS\PixArt
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Common Files\PAC207
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Basic Webcam
2008-06-06 00:39 . 2006-11-03 10:59 48,128 --a------ C:\WINDOWS\system32\Remove.exe
2008-06-06 00:39 . 2007-03-16 00:10 316 --a------ C:\WINDOWS\system32\Remover.ini
2008-06-06 00:38 . 2008-06-06 00:42 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Yahoo!
2008-06-06 00:38 . 2008-06-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-06 00:36 . 2008-06-06 00:36 <DIR> d-------- C:\webcam driver pack
2008-06-06 00:32 . 2008-06-06 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-06 00:31 . 2008-06-06 00:31 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-06 00:25 . 2008-06-06 00:25 <DIR> d-------- C:\Program Files\Google
2008-06-06 00:11 . 2008-06-06 00:17 <DIR> d-------- C:\WINDOWS\PAC207
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINSTC
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINST64C
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-06-05 23:49 . 2008-06-05 23:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-05 23:40 . 2008-05-22 08:12 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Winamp
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\WINDOWS\Logs
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\Program Files\Realtek
2008-06-05 23:38 . 2008-03-05 18:07 520,192 -ra------ C:\WINDOWS\RtlExUpd.dll
2008-06-05 23:38 . 2008-06-05 23:38 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-06-05 23:38 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-05 23:36 . 2008-06-06 00:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 23:35 . 2008-06-06 00:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-05 23:31 . 2008-06-05 23:32 <DIR> d-------- C:\Program Files\middle_man
2008-06-05 23:27 . 2008-06-05 23:27 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Aim
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-05 23:24 . 2008-06-05 23:31 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-05 23:24 . 2008-06-05 23:29 <DIR> d-------- C:\Program Files\AOD
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-05 23:24 . 2004-02-25 13:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-05 23:23 . 2008-06-05 23:23 <DIR> d-------- C:\WINDOWS\nview
2008-06-05 23:23 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-05 23:23 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-05 23:23 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-05 23:23 . 2008-06-09 12:52 182,038 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-05 23:23 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-05 23:23 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-05 23:23 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-05 23:23 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-05 23:23 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-05 23:21 . 2008-06-05 23:21 <DIR> d---s---- C:\Documents and Settings\xplicitz\UserData
2008-06-05 23:18 . 2008-06-05 23:18 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-05 23:07 . 2007-03-19 16:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-06-05 23:00 . 2008-06-08 09:08 <DIR> d-------- C:\Documents and Settings\xplicitz
2008-05-20 14:02 . 2008-05-20 14:02 32,768 --a------ C:\WINDOWS\system32\vntiho01\vntiho011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 05:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-28 13:22 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-28 13:22 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-28 13:21 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-28 13:21 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-22 15:12 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-22 15:12 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 00:53 4,800,000 ----a-r C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 21:39 16,862,720 ----a-r C:\WINDOWS\RTHDCPL.exe
2008-04-26 09:41 142 ----a-w C:\Program Files\page.html
2008-04-02 16:27 1,196,032 ----a-r C:\WINDOWS\RtlUpd.exe
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2006-06-08 07:02 2,048 ----a-w C:\Program Files\func.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_ 8.36.33.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 15:32:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 19:50:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-07-15 00:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-06-07 00:01:46 70,144 ----a-w C:\WINDOWS\system32\userinit.exe
+ 2004-08-04 12:00:00 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF07893-7B45-4F42-887F-8129790B6CBB}]
2008-02-27 18:54 217088 --a------ C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rihl"="C:\DOCUME~1\xplicitz\APPLIC~1\MBOLS~1\services.exe" [ ]
"AIM"="E:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"{9e550fc6-82f4-83e0-4687-2713c0def7b2}"="C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk
backup=C:\WINDOWS\pss\Icatch(VI) SnapDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 E:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\rcntkkdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc10oj0ecbr]
C:\WINDOWS\system32\lphc10oj0ecbr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qmfk]
C:\Program Files\Common Files\qmfk\qmfkm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rihl]
C:\DOCUME~1\xplicitz\APPLIC~1\MBOLS~1\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMshc70oj0ecbr]
C:\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedRunner]
C:\Documents and Settings\xplicitz\Application Data\SpeedRunner\SpeedRunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svconr]
C:\Program Files\Svconr\Svconr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-06 00:25 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vycn]
C:\Program Files\Common Files\??sks\l?gonui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zmarrn]
C:\WINDOWS\system32\??mbols\i?xplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{62-2E-E9-91-DW}]
c:\windows\system32\jjwnw64k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9e550fc6-82f4-83e0-4687-2713c0def7b2}]
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"Network Monitor"=2 (0x2)
"MsSecurity1.209.4"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18677:TCP"= 18677:TCP:*:Disabled:SolidNetworkManager
"18677:UDP"= 18677:UDP:*:Disabled:SolidNetworkManager
"58740:TCP"= 58740:TCP:*:Disabled:SolidNetworkManager
"58740:UDP"= 58740:UDP:*:Disabled:SolidNetworkManager
"30324:TCP"= 30324:TCP:*:Disabled:SolidNetworkManager
"30324:UDP"= 30324:UDP:*:Disabled:SolidNetworkManager

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 12:51:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-09 12:53:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 19:53:25
ComboFix2.txt 2008-06-09 15:37:07

Pre-Run: 26,907,942,912 bytes free
Post-Run: 26,947,522,560 bytes free

419

#7 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 09 June 2008 - 03:15 PM

Post the SDFix log as well

#8 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 09 June 2008 - 03:31 PM

sory forgot about that


SDFix: Version 1.190
Run by Administrator on Mon 06/09/2008 at 02:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1\INTERN~1\ZYSIHY~1.DLL - Deleted
C:\PROGRA~1\MSNGAM~1\HYSIZY~1.DLL - Deleted
C:\WINDOWS\system32\vntiho01\vntiho011065.exe - Deleted
C:\WINDOWS\system32\23.tmp - Deleted
C:\WINDOWS\system32\27.tmp - Deleted
C:\WINDOWS\system32\12.tmp - Deleted
C:\WINDOWS\system32\15.tmp - Deleted
C:\WINDOWS\system32\19.tmp - Deleted
C:\WINDOWS\system32\1C.tmp - Deleted
C:\WINDOWS\system32\1F.tmp - Deleted



Folder C:\WINDOWS\system32\vntiho01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 14:29:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\AIM\\aim.exe"="E:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:潡orrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\AIM\\aim.exe"="E:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 9 Jun 2008 211 A.SH. --- "C:\BOOT.BAK"

Finished!

#9 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 09 June 2008 - 04:22 PM

Such a mess

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\acdt-pid76.exe
C:\WINDOWS\system32\vntiho01
C:\WINDOWS\system32\36.tmp
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\12.tmp
C:\Program Files\page.html
C:\WINDOWS\RtlUpd.exe
C:\Program Files\func.js
C:\Program Files\Del.js
C:\Program Files\func.exe
C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\Deewoo.lnk
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\pss\DW_Start.lnkStartup
C:\WINDOWS\system32\rcntkkdm.exe
C:\WINDOWS\system32\lphc10oj0ecbr.exe
C:\DOCUME~1\xplicitz\APPLIC~1\MBOLS~1\services.exe
C:\WINDOWS\mrofinu572.exe
c:\windows\system32\jjwnw64k.exe
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll

Folder::
C:\Program Files\JavaCore
C:\Program Files\Common Files\qmfk
C:\Program Files\shc70oj0ecbr
C:\Documents and Settings\xplicitz\Application Data\SpeedRunner
C:\Program Files\Svconr
C:\Program Files\Common Files\??sks
C:\WINDOWS\system32\??mbols

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^Deewoo.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc10oj0ecbr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qmfk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rihl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMshc70oj0ecbr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedRunner]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svconr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vycn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zmarrn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{62-2E-E9-91-DW}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9e550fc6-82f4-83e0-4687-2713c0def7b2}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=-
"MsSecurity1.209.4"=-

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Reboot and do this

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#10 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 09 June 2008 - 06:53 PM

ComboFix 08-06-08.8 - xplicitz 2008-06-09 16:41:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT -7:00]
Running from: C:\Documents and Settings\xplicitz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\xplicitz\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\DOCUME~1\xplicitz\APPLIC~1\MBOLS~1\services.exe
C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Del.js
C:\Program Files\func.exe
C:\Program Files\func.js
C:\Program Files\page.html
C:\WINDOWS\acdt-pid76.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\WINDOWS\pss\DW_Start.lnkStartup
C:\WINDOWS\RtlUpd.exe
C:\WINDOWS\system32\{1d619cc7-79b9-257f-d140-6158e753a647}.dll
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\36.tmp
c:\windows\system32\jjwnw64k.exe
C:\WINDOWS\system32\lphc10oj0ecbr.exe
C:\WINDOWS\system32\rcntkkdm.exe
C:\WINDOWS\system32\vntiho01
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\dicovunej.html
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\WINDOWS\pss\DW_Start.lnkStartup
C:\WINDOWS\RtlUpd.exe
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\36.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-09 14:23 . 2008-06-09 14:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-09 14:20 . 2008-06-09 14:32 <DIR> d-------- C:\SDFix
2008-06-09 13:03 . 2008-06-09 13:03 135,168 --a------ C:\WINDOWS\TEK76.exe
2008-06-09 11:01 . 2008-06-09 11:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-06-08 20:46 . 2008-06-08 20:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 14:08 . 2008-06-08 14:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-08 13:57 . 2008-06-08 20:35 513 --a------ C:\WINDOWS\wininit.ini
2008-06-08 13:15 . 2008-06-08 13:15 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-06-08 10:33 . 2008-06-08 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 10:25 . 2008-06-08 10:25 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-08 10:19 . 2008-06-08 10:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 10:18 . 2008-06-08 10:18 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\shc70oj0ecbr
2008-06-08 10:18 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-08 10:17 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\Program Files\uTorrent
2008-06-08 10:14 . 2008-06-09 08:31 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\uTorrent
2008-06-07 18:35 . 2008-06-09 12:46 <DIR> d-------- C:\Temp
2008-06-07 18:35 . 2008-06-07 18:35 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Syntrillium
2008-06-07 18:35 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-06-07 18:35 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-06-07 18:35 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-06-07 18:35 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-06-07 18:35 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-06-07 18:35 . 2008-06-07 18:35 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-06-07 18:31 . 2008-06-07 18:31 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-06-06 10:57 . 2008-06-06 10:57 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\mGame
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\InstallShield
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\WINDOWS\Setup2K
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\DSC Driver
2008-06-06 00:44 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\SPCA561.SYS
2008-06-06 00:44 . 2002-09-12 15:37 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-06-06 00:44 . 2002-10-10 17:06 53,248 --a------ C:\WINDOWS\ap561.exe
2008-06-06 00:44 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-06-06 00:44 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-06-06 00:44 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-06-06 00:44 . 2002-10-11 14:27 180 --a------ C:\WINDOWS\ap561.ini
2008-06-06 00:44 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\WINDOWS\PixArt
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Common Files\PAC207
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Basic Webcam
2008-06-06 00:39 . 2006-11-03 10:59 48,128 --a------ C:\WINDOWS\system32\Remove.exe
2008-06-06 00:39 . 2007-03-16 00:10 316 --a------ C:\WINDOWS\system32\Remover.ini
2008-06-06 00:38 . 2008-06-06 00:42 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Yahoo!
2008-06-06 00:38 . 2008-06-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-06 00:36 . 2008-06-06 00:36 <DIR> d-------- C:\webcam driver pack
2008-06-06 00:32 . 2008-06-06 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-06 00:31 . 2008-06-06 00:31 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-06 00:25 . 2008-06-06 00:25 <DIR> d-------- C:\Program Files\Google
2008-06-06 00:11 . 2008-06-06 00:17 <DIR> d-------- C:\WINDOWS\PAC207
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINSTC
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINST64C
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-06-05 23:49 . 2008-06-05 23:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-05 23:40 . 2008-05-22 08:12 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Winamp
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\WINDOWS\Logs
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\Program Files\Realtek
2008-06-05 23:38 . 2008-03-05 18:07 520,192 -ra------ C:\WINDOWS\RtlExUpd.dll
2008-06-05 23:38 . 2008-06-05 23:38 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-06-05 23:38 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-05 23:36 . 2008-06-06 00:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 23:35 . 2008-06-06 00:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-05 23:31 . 2008-06-05 23:32 <DIR> d-------- C:\Program Files\middle_man
2008-06-05 23:27 . 2008-06-05 23:27 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Aim
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-05 23:24 . 2008-06-05 23:31 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-05 23:24 . 2008-06-05 23:29 <DIR> d-------- C:\Program Files\AOD
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-05 23:24 . 2004-02-25 13:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-05 23:23 . 2008-06-05 23:23 <DIR> d-------- C:\WINDOWS\nview
2008-06-05 23:23 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-05 23:23 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-05 23:23 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-05 23:23 . 2008-06-09 16:45 182,038 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-05 23:23 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-05 23:23 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-05 23:23 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-05 23:23 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-05 23:23 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-05 23:21 . 2008-06-05 23:21 <DIR> d---s---- C:\Documents and Settings\xplicitz\UserData
2008-06-05 23:18 . 2008-06-05 23:18 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-05 23:07 . 2007-03-19 16:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-06-05 23:00 . 2008-06-08 09:08 <DIR> d-------- C:\Documents and Settings\xplicitz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 05:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-28 13:22 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-28 13:22 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-28 13:21 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-28 13:21 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-22 15:12 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-22 15:12 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 00:53 4,800,000 ----a-r C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 21:39 16,862,720 ----a-r C:\WINDOWS\RTHDCPL.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_ 8.36.33.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 15:32:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 23:43:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 21:23:22 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-09 21:24:05 1,748,992 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-09 21:24:05 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-09 21:23:22 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-09 21:24:01 1,748,992 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-09 21:24:01 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2001-07-15 00:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-06-07 00:01:46 70,144 ----a-w C:\WINDOWS\system32\userinit.exe
+ 2004-08-04 12:00:00 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF07893-7B45-4F42-887F-8129790B6CBB}]
C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF50658C-051C-4F12-D49B-3AD6CCF87F02}]
C:\Program Files\Internet Explorer\zysihytuk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="E:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk
backup=C:\WINDOWS\pss\Icatch(VI) SnapDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 E:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-06 00:25 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18677:TCP"= 18677:TCP:*:Disabled:SolidNetworkManager
"18677:UDP"= 18677:UDP:*:Disabled:SolidNetworkManager
"58740:TCP"= 58740:TCP:*:Disabled:SolidNetworkManager
"58740:UDP"= 58740:UDP:*:Disabled:SolidNetworkManager
"30324:TCP"= 30324:TCP:*:Disabled:SolidNetworkManager
"30324:UDP"= 30324:UDP:*:Disabled:SolidNetworkManager

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 16:43:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-09 16:46:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 23:46:30
ComboFix2.txt 2008-06-09 19:53:35
ComboFix3.txt 2008-06-09 15:37:07

Pre-Run: 26,794,102,784 bytes free
Post-Run: 26,911,281,152 bytes free

243









--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 09, 2008 19:26:50
Records in database: 844518
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 27672
Threat name: 48
Infected objects: 66
Suspicious objects: 0
Duration of the scan: 00:50:28


File name / Threat name / Threats count
C:\Documents and Settings\xplicitz\Application Data\Microsoft\Windows\ekgantg.exe Infected: Trojan-Downloader.Win32.Agent.qqn 1
C:\QooBox\Quarantine\C\Documents and Settings\xplicitz\Application Data\CURITY~1\chkdsk.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg 1
C:\QooBox\Quarantine\C\Documents and Settings\xplicitz\Application Data\MBOLS~1\services.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj 1
C:\QooBox\Quarantine\C\Documents and Settings\xplicitz\Application Data\Microsoft\dtsc\13334.exe.vir Infected: Trojan-Downloader.Win32.Agent.shg 1
C:\QooBox\Quarantine\C\Documents and Settings\xplicitz\Application Data\SpeedRunner\SpeedRunner.exe.vir Infected: Trojan-Downloader.Win32.Agent.pbq 1
C:\QooBox\Quarantine\C\Program Files\AntiSpywareMaster\asm.exe.vir Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster 1
C:\QooBox\Quarantine\C\Program Files\Common Files\qmfk\qmfka.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.l 1
C:\QooBox\Quarantine\C\Program Files\Common Files\qmfk\qmfkl.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.r 1
C:\QooBox\Quarantine\C\Program Files\Common Files\qmfk\qmfkm.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.n 1
C:\QooBox\Quarantine\C\Program Files\Common Files\qmfk\qmfkp.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.f 1
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan.Win32.Scapur.k 1
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\QooBox\Quarantine\C\Program Files\InetGet2\SRInstaller.exe.vir Infected: Trojan-Downloader.Win32.Agent.nfz 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\zysihytuk.dll.vir Infected: Trojan.Win32.BHO.ab 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\zysihytuk427.dll.vir Infected: Trojan.Win32.BHO.ab 1
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\shc70oj0ecbr\shc70oj0ecbr.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.a 1
C:\QooBox\Quarantine\C\Program Files\Svconr\Svconr.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.g 1
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\QooBox\Quarantine\C\WINDOWS\444.470.vir Infected: Trojan-Downloader.Win32.Small.wsi 1
C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.d 1
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc 1
C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir Infected: Trojan.Win32.BHO.bkm 1
C:\QooBox\Quarantine\C\WINDOWS\b156.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.j 1
C:\QooBox\Quarantine\C\WINDOWS\b157.exe.vir Infected: Trojan-Downloader.Win32.Agent.jih 1
C:\QooBox\Quarantine\C\WINDOWS\eHBsaWNpdHo\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\QooBox\Quarantine\C\WINDOWS\eHBsaWNpdHo\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\mrofinu72.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\system32\000050.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\QooBox\Quarantine\C\WINDOWS\system32\105772\dllsockt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\btz\L3pars2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\crypts.dll.vir Infected: Trojan-Downloader.Win32.Agent.rhg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\nic13944.sys.zip Infected: Rootkit.Win32.Agent.aol 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\parvdmm.sys.zip Infected: Rootkit.Win32.Agent.aol 1
C:\QooBox\Quarantine\C\WINDOWS\system32\expo\mtcon66225.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ffeal.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\QooBox\Quarantine\C\WINDOWS\system32\g88.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\iftuyszv.exe.vir Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\inet2\xVXdll.exe.vir Infected: Trojan.Win32.Agent.lom 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jjwnw64k.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\khfDvSll.dll.vir Infected: Trojan-Downloader.Win32.ConHook.aek 1
C:\QooBox\Quarantine\C\WINDOWS\system32\MBOLS~1\iеxplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnmjgge.dll.vir Infected: Trojan-Downloader.Win32.ConHook.aek 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntkkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRKAtTk.dll.vir Infected: Trojan-Downloader.Win32.ConHook.aek 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sockins32.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.awz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sysrest.sys.vir Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sysrest32.exe.vir Infected: Trojan.Win32.Pakes.czg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vcdzp.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vntiho06\vntiho061083.exe.vir Infected: Trojan-Downloader.Win32.VB.epp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xrem\imapIP95.exe.vir Infected: Trojan.Win32.DNSChanger.ebg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\{a2ac4b12-8775-5d94-2c0d-f0514d50175d}.dll.vir Infected: Trojan.Win32.BHO.cmd 1
C:\QooBox\Quarantine\C\WINDOWS\TEK76.exe.vir Infected: Trojan.Win32.BHO.ab 1
C:\SDFix\backups\backups.zip Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.VB.epp 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.BHO.ab 1
C:\WINDOWS\TEK76.exe Infected: Trojan.Win32.BHO.ab 1

The selected area was scanned.

    Advertisements

Register to Remove


#11 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 10 June 2008 - 05:48 AM

Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\Remove.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\xplicitz\Application Data\Microsoft\Windows\ekgantg.exe
C:\WINDOWS\TEK76.exe

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also post a new HijackThis log

#12 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 10 June 2008 - 11:31 AM

Antivirus Version Last Update Result
AhnLab-V3 2008.6.11.0 2008.06.10 -
AntiVir 7.8.0.55 2008.06.10 -
Authentium 5.1.0.4 2008.06.10 -
Avast 4.8.1195.0 2008.06.10 -
AVG 7.5.0.516 2008.06.10 -
BitDefender 7.2 2008.06.10 -
CAT-QuickHeal 9.50 2008.06.10 -
ClamAV 0.92.1 2008.06.10 -
DrWeb 4.44.0.09170 2008.06.10 -
eSafe 7.0.15.0 2008.06.10 -
eTrust-Vet 31.6.5862 2008.06.10 -
Ewido 4.0 2008.06.10 -
F-Prot 4.4.4.56 2008.06.10 -
F-Secure 6.70.13260.0 2008.06.10 -
Fortinet 3.14.0.0 2008.06.10 -
GData 2.0.7306.1023 2008.06.10 -
Ikarus T3.1.1.26.0 2008.06.10 -
Kaspersky 7.0.0.125 2008.06.10 -
McAfee 5314 2008.06.10 -
Microsoft 1.3604 2008.06.10 -
NOD32v2 3173 2008.06.10 -
Norman 5.80.02 2008.06.09 -
Panda 9.0.0.4 2008.06.09 -
Prevx1 V2 2008.06.10 -
Rising 20.48.12.00 2008.06.10 -
Sophos 4.30.0 2008.06.10 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.10 -
TheHacker 6.2.92.341 2008.06.10 -
VBA32 3.12.6.7 2008.06.10 -
VirusBuster 4.3.26:9 2008.06.10 -
Webwasher-Gateway 6.6.2 2008.06.10 -



ComboFix 08-06-08.8 - xplicitz 2008-06-10 10:22:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.208 [GMT -7:00]
Running from: C:\Documents and Settings\xplicitz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\xplicitz\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\xplicitz\Application Data\Microsoft\Windows\ekgantg.exe
C:\WINDOWS\TEK76.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\xplicitz\Application Data\Microsoft\Windows\ekgantg.exe
C:\WINDOWS\TEK76.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-10 10:18 . 2008-06-10 10:18 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Malwarebytes
2008-06-10 10:18 . 2008-06-10 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-10 10:18 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 10:18 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-09 19:57 . 2008-06-09 19:57 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Talkback
2008-06-09 19:56 . 2008-06-09 19:56 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Thunderbird
2008-06-09 19:56 . 2008-06-09 19:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-09 16:50 . 2008-06-09 16:50 <DIR> d-------- C:\WINDOWS\Sun
2008-06-09 16:50 . 2008-06-09 16:50 <DIR> d-------- C:\Program Files\Sun
2008-06-09 16:50 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-09 16:49 . 2008-06-09 16:50 <DIR> d-------- C:\Program Files\Java
2008-06-09 16:48 . 2008-06-09 16:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-09 14:23 . 2008-06-09 14:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-09 14:20 . 2008-06-09 14:32 <DIR> d-------- C:\SDFix
2008-06-09 11:01 . 2008-06-09 11:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-06-08 20:46 . 2008-06-08 20:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 14:08 . 2008-06-08 14:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-08 13:57 . 2008-06-08 20:35 513 --a------ C:\WINDOWS\wininit.ini
2008-06-08 13:15 . 2008-06-08 13:15 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-06-08 10:33 . 2008-06-08 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 10:25 . 2008-06-08 10:25 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-08 10:19 . 2008-06-09 19:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 10:18 . 2008-06-08 10:18 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\shc70oj0ecbr
2008-06-08 10:18 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-08 10:17 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-08 10:14 . 2008-06-08 10:14 <DIR> d-------- C:\Program Files\uTorrent
2008-06-08 10:14 . 2008-06-09 08:31 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\uTorrent
2008-06-07 18:35 . 2008-06-09 12:46 <DIR> d-------- C:\Temp
2008-06-07 18:35 . 2008-06-07 18:35 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Syntrillium
2008-06-07 18:35 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-06-07 18:35 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-06-07 18:35 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-06-07 18:35 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-06-07 18:35 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-06-07 18:35 . 2008-06-07 18:35 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-06-07 18:31 . 2008-06-07 18:31 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-06-06 10:57 . 2008-06-06 10:57 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\mGame
2008-06-06 00:47 . 2008-06-06 00:47 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\InstallShield
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\WINDOWS\Setup2K
2008-06-06 00:44 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\DSC Driver
2008-06-06 00:44 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\SPCA561.SYS
2008-06-06 00:44 . 2002-09-12 15:37 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-06-06 00:44 . 2002-10-10 17:06 53,248 --a------ C:\WINDOWS\ap561.exe
2008-06-06 00:44 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-06-06 00:44 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-06-06 00:44 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-06-06 00:44 . 2002-10-11 14:27 180 --a------ C:\WINDOWS\ap561.ini
2008-06-06 00:44 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\WINDOWS\PixArt
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Common Files\PAC207
2008-06-06 00:39 . 2008-06-06 00:39 <DIR> d-------- C:\Program Files\Basic Webcam
2008-06-06 00:39 . 2006-11-03 10:59 48,128 --a------ C:\WINDOWS\system32\Remove.exe
2008-06-06 00:39 . 2007-03-16 00:10 316 --a------ C:\WINDOWS\system32\Remover.ini
2008-06-06 00:38 . 2008-06-06 00:42 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Yahoo!
2008-06-06 00:38 . 2008-06-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-06 00:36 . 2008-06-06 00:36 <DIR> d-------- C:\webcam driver pack
2008-06-06 00:32 . 2008-06-06 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-06 00:31 . 2008-06-06 00:31 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-06 00:25 . 2008-06-06 00:25 <DIR> d-------- C:\Program Files\Google
2008-06-06 00:11 . 2008-06-06 00:17 <DIR> d-------- C:\WINDOWS\PAC207
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINSTC
2008-06-06 00:11 . 2008-06-06 00:11 <DIR> d-------- C:\Program Files\Common Files\PXIINST64C
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-06-05 23:50 . 2004-08-03 23:15 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-06-05 23:50 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-06-05 23:50 . 2004-08-03 23:07 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-06-05 23:49 . 2008-06-05 23:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-05 23:40 . 2008-05-22 08:12 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-06-05 23:39 . 2008-06-05 23:39 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Winamp
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\WINDOWS\Logs
2008-06-05 23:38 . 2008-06-05 23:38 <DIR> d-------- C:\Program Files\Realtek
2008-06-05 23:38 . 2008-03-05 18:07 520,192 -ra------ C:\WINDOWS\RtlExUpd.dll
2008-06-05 23:38 . 2008-06-05 23:38 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-06-05 23:38 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-05 23:36 . 2008-06-06 00:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 23:35 . 2008-06-06 00:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-05 23:31 . 2008-06-05 23:32 <DIR> d-------- C:\Program Files\middle_man
2008-06-05 23:27 . 2008-06-05 23:27 <DIR> d-------- C:\Documents and Settings\xplicitz\Application Data\Aim
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-05 23:24 . 2008-06-05 23:31 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-05 23:24 . 2008-06-05 23:29 <DIR> d-------- C:\Program Files\AOD
2008-06-05 23:24 . 2008-06-05 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-05 23:24 . 2004-02-25 13:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-05 23:23 . 2008-06-05 23:23 <DIR> d-------- C:\WINDOWS\nview
2008-06-05 23:23 . 2008-06-06 00:44 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-05 23:23 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-05 23:23 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-05 23:23 . 2008-06-10 10:13 182,038 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-05 23:23 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-05 23:23 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-05 23:23 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-05 23:23 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-05 23:23 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-05 23:21 . 2008-06-05 23:21 <DIR> d---s---- C:\Documents and Settings\xplicitz\UserData
2008-06-05 23:18 . 2008-06-05 23:18 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-05 23:07 . 2007-03-19 16:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-06-05 23:00 . 2008-06-08 09:08 <DIR> d-------- C:\Documents and Settings\xplicitz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 05:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-28 13:22 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-28 13:22 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-28 13:21 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-28 13:21 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-22 15:12 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-22 15:12 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 00:53 4,800,000 ----a-r C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 21:39 16,862,720 ----a-r C:\WINDOWS\RTHDCPL.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_ 8.36.33.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 15:32:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 17:12:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 21:23:22 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-09 21:24:05 1,748,992 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-09 21:24:05 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-09 21:23:22 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-09 21:24:01 1,748,992 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-09 21:24:01 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2001-07-15 00:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-06-07 00:01:46 70,144 ----a-w C:\WINDOWS\system32\userinit.exe
+ 2004-08-04 12:00:00 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF07893-7B45-4F42-887F-8129790B6CBB}]
C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF50658C-051C-4F12-D49B-3AD6CCF87F02}]
C:\Program Files\Internet Explorer\zysihytuk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="E:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk
backup=C:\WINDOWS\pss\Icatch(VI) SnapDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^xplicitz^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\xplicitz\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 E:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-06 00:25 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18677:TCP"= 18677:TCP:*:Disabled:SolidNetworkManager
"18677:UDP"= 18677:UDP:*:Disabled:SolidNetworkManager
"58740:TCP"= 58740:TCP:*:Disabled:SolidNetworkManager
"58740:UDP"= 58740:UDP:*:Disabled:SolidNetworkManager
"30324:TCP"= 30324:TCP:*:Disabled:SolidNetworkManager
"30324:UDP"= 30324:UDP:*:Disabled:SolidNetworkManager

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 10:23:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 10:24:57
ComboFix-quarantined-files.txt 2008-06-10 17:24:44
ComboFix2.txt 2008-06-09 23:46:42
ComboFix3.txt 2008-06-09 19:53:35
ComboFix4.txt 2008-06-09 15:37:07

Pre-Run: 25,126,240,256 bytes free
Post-Run: 26,742,276,096 bytes free

225



Malwarebytes' Anti-Malware 1.16
Database version: 845

10:30:50 AM 6/10/2008
mbam-log-6-10-2008 (10-30-47).txt

Scan type: Quick Scan
Objects scanned: 36753
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mySearchAssistant (Adware.BHO) -> No action taken.
HKEY_CURRENT_USER\Software\SpeedRunner (Adware.SurfAccuracy) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spcron (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\xplicitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:29 AM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AFF07893-7B45-4F42-887F-8129790B6CBB} - C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll (file missing)
O2 - BHO: 0 - {BF50658C-051C-4F12-D49B-3AD6CCF87F02} - C:\Program Files\Internet Explorer\zysihytuk.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1212733332078
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.solidstat...lidstateion.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5446 bytes

#13 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 10 June 2008 - 05:58 PM

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {AFF07893-7B45-4F42-887F-8129790B6CBB} - C:\Program Files\MSN Gaming Zone\hysizyfum66225.dll (file missing)
O2 - BHO: 0 - {BF50658C-051C-4F12-D49B-3AD6CCF87F02} - C:\Program Files\Internet Explorer\zysihytuk.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log

#14 xplicitzr

xplicitzr

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 10 June 2008 - 09:33 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:39 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: 0 - {BF50658C-051C-4F12-D49B-3AD6CCF87F02} - C:\Program Files\Internet Explorer\zysihytuk.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1212733332078
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.solidstat...lidstateion.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4601 bytes

#15 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 11 June 2008 - 05:44 AM

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: 0 - {BF50658C-051C-4F12-D49B-3AD6CCF87F02} - C:\Program Files\Internet Explorer\zysihytuk.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users