Jump to content

Nearly Clean but...


Recommended Posts

Hello fellow victims and samaritans

I am helping a friend clean a Winbook laptop that was multiple infected with Malware. Initially Malwarebytes (my saviour from a previous encounter) would not load nor would the browser permit access to any AV sites. I managed to get AVG installed which cleaned the machine sufficiently for Malwarebytes to execute.

Despite the machine appearing clean to malwarebytes and AVG, I am occasionally getting 'Generic Host Process for Win32 Services has encountered a problem and needs to close'. There is also one odd looking BHO entry in the Hijackthis log. Program load times are taking minutes instead of seconds too. I have attached relevant log information and would appreciate any advice you may be able to offer to resolve the problem.

Many thanks in anticipation...

Log 1 - this is what malwarebytes identified and dealt with

Malwarebytes' Anti-Malware 1.34

Database version: 1814

Windows 5.1.2600 Service Pack 2

02/03/2009 08:51:50

mbam-log-2009-03-02 (08-51-50).txt

Scan type: Quick Scan

Objects scanned: 84598

Time elapsed: 19 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 48

Registry Values Infected: 14

Registry Data Items Infected: 0

Folders Infected: 11

Files Infected: 59

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ahwqnk (Trojan.Fakealert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati6uexx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati6uexx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati6uexx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati6uexx (Rootkit.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\081dd9ec (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Application Data\VirusRemover2008 (Rogue.VirusRemover) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Application Data\VirusRemover2008\Logs (Rogue.VirusRemover) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\ahwqnk.dll (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\ati6uexx.sys (Rootkit.Agent) -> Delete on reboot.

C:\Documents and Settings\Winner\Local Settings\Temp\cnwrmsoaxe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Local Settings\Temp\cwroxensam.tmp (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Local Settings\Temp\TDSSa0c8.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\ajp1A.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rcy1C.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\uls11.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\xwd1E.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\yrm17.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\chb12.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\gqn1D.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\gzk10.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN15.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\hyw9.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\jro18.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\kdcF.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\mfhC.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090222215507421.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Application Data\VirusRemover2008\Logs\scns.log (Rogue.VirusRemover) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\atmtd.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN19.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Winner\Local Settings\Temp\TDSSa03c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Quarantined and deleted successfully.

===========================

Log 2 - After Malwarebytes repair

Malwarebytes' Anti-Malware 1.34

Database version: 1819

Windows 5.1.2600 Service Pack 3

05/03/2009 13:33:24

mbam-log-2009-03-05 (13-33-24).txt

Scan type: Full Scan (C:\|)

Objects scanned: 137934

Time elapsed: 1 hour(s), 16 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

======================

Log 3 - Hijack this output - post repair

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:36:27, on 05/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Fix_trouble\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe,

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [WebPlus7.exe] F:\WEBPLU~1.EXE /r

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235984590390

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: atorui.dll hxmwbf.dll xvhneq.dll wutliv.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: awtsTNGy - awtsTNGy.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 6980 bytes

Link to post
Share on other sites

Hi. B)

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Link to post
Share on other sites

Open open notepad and copy and paste in the following:

MD "%USERPROFILE%"\desktop\malware
xcopy C:\WINDOWS\system32\fqydegxk.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy C:\WINDOWS\system32\drivers\1eb6ce68.sys "%USERPROFILE%"\desktop\malware /c /q /r /h /y
Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

Save it as getmalware.bat to the desktop and double-click on it to run it. It will create a folder called malware on your desktop. Please zip up this folder and attach it here in a new topic with a link to this thread. I will get back to you once they have been analyzed.

Link to post
Share on other sites

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Link to post
Share on other sites

ComboFix 09-03-06.02 - Winner 2009-03-08 10:27:08.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.39 [GMT 0:00]

Running from: c:\fix_trouble\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gkexrxaj.ini

c:\windows\system32\ijrcvmoy.ini

c:\windows\system32\puilonkc.ini

c:\windows\system32\rvgsbgjp.ini

c:\windows\system32\SBHOnXyb.ini

c:\windows\system32\SBHOnXyb.ini2

c:\windows\system32\TDSSlrvd.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FCI

-------\Legacy_ICF

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))

.

2009-03-08 00:24 . 2009-03-08 00:24 <DIR> d-------- c:\documents and settings\Winner\jmeeting

2009-03-04 23:05 . 2009-03-04 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-04 21:27 . 2009-03-08 09:50 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-04 21:27 . 2009-03-04 21:27 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-04 21:27 . 2009-03-04 21:27 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-04 21:27 . 2009-03-04 21:27 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-04 20:33 . 2009-03-04 20:33 42 --a------ c:\windows\system32\AK083E209605E394C.lie

2009-03-03 16:24 . 2008-04-14 00:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll

2009-03-03 16:24 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe

2009-03-03 16:24 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-03-03 16:24 . 2008-04-14 00:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll

2009-03-03 16:24 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe

2009-03-03 16:23 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe

2009-03-03 16:23 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys

2009-03-03 16:23 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys

2009-03-03 16:23 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys

2009-03-03 16:23 . 2008-04-14 00:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll

2009-03-03 16:22 . 2001-08-17 13:28 771,581 --a--c--- c:\windows\system32\dllcache\winacisa.sys

2009-03-03 16:22 . 2004-08-03 22:31 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys

2009-03-03 16:22 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys

2009-03-03 16:22 . 2008-04-13 18:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys

2009-03-03 16:21 . 2001-08-17 13:28 701,386 --a--c--- c:\windows\system32\dllcache\wdhaalba.sys

2009-03-03 16:21 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll

2009-03-03 16:21 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\wiamsmud.dll

2009-03-03 16:21 . 2001-08-17 12:10 35,871 --a--c--- c:\windows\system32\dllcache\wbfirdma.sys

2009-03-03 16:21 . 2008-04-13 18:45 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys

2009-03-03 16:21 . 2004-08-03 22:29 23,615 --a--c--- c:\windows\system32\dllcache\wch7xxnt.sys

2009-03-03 16:20 . 2001-08-17 13:28 64,605 --a--c--- c:\windows\system32\dllcache\vvoice.sys

2009-03-03 16:20 . 2004-08-03 22:29 33,599 --a--c--- c:\windows\system32\dllcache\watv04nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 29,311 --a--c--- c:\windows\system32\dllcache\watv01nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 19,551 --a--c--- c:\windows\system32\dllcache\watv02nt.sys

2009-03-03 16:20 . 2001-08-17 12:13 19,528 --a--c--- c:\windows\system32\dllcache\w840nd.sys

2009-03-03 16:20 . 2001-08-17 12:13 19,016 --a--c--- c:\windows\system32\dllcache\w926nd.sys

2009-03-03 16:20 . 2001-08-17 12:13 16,925 --a--c--- c:\windows\system32\dllcache\w940nd.sys

2009-03-03 16:20 . 2004-08-03 22:29 12,415 --a--c--- c:\windows\system32\dllcache\wadv01nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 12,127 --a--c--- c:\windows\system32\dllcache\wadv02nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 11,775 --a--c--- c:\windows\system32\dllcache\wadv05nt.sys

2009-03-03 16:19 . 2001-08-17 13:28 604,253 --a--c--- c:\windows\system32\dllcache\vmodem.sys

2009-03-03 16:19 . 2001-08-17 13:28 397,502 --a--c--- c:\windows\system32\dllcache\vpctcom.sys

2009-03-03 16:19 . 2001-08-17 12:14 249,402 --a--c--- c:\windows\system32\dllcache\vinwm.sys

2009-03-03 16:19 . 2001-08-17 13:49 24,576 --a--c--- c:\windows\system32\dllcache\viairda.sys

2009-03-03 16:19 . 2008-04-13 18:40 5,376 --a--c--- c:\windows\system32\dllcache\viaide.sys

2009-03-03 16:18 . 2001-08-17 13:28 794,399 --a--c--- c:\windows\system32\dllcache\usr1806v.sys

2009-03-03 16:18 . 2001-08-17 13:28 793,598 --a--c--- c:\windows\system32\dllcache\usr1806.sys

2009-03-03 16:18 . 2001-08-17 13:28 765,884 --a--c--- c:\windows\system32\dllcache\usrti.sys

2009-03-03 16:18 . 2001-08-17 13:28 687,999 --a--c--- c:\windows\system32\dllcache\usrwdxjs.sys

2009-03-03 16:18 . 2001-08-17 13:28 224,802 --a--c--- c:\windows\system32\dllcache\usr1807a.sys

2009-03-03 16:18 . 2001-08-17 13:28 113,762 --a--c--- c:\windows\system32\dllcache\usrpda.sys

2009-03-03 16:18 . 2001-08-17 13:28 7,556 --a--c--- c:\windows\system32\dllcache\usroslba.sys

2009-03-03 16:17 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys

2009-03-03 16:17 . 2001-08-17 22:36 94,720 --a--c--- c:\windows\system32\dllcache\umaxud32.dll

2009-03-03 16:17 . 2001-08-17 22:36 69,632 --a--c--- c:\windows\system32\dllcache\umaxu12.dll

2009-03-03 16:17 . 2004-08-03 22:31 32,384 --a--c--- c:\windows\system32\dllcache\usb101et.sys

2009-03-03 16:17 . 2001-08-17 22:36 28,160 --a--c--- c:\windows\system32\dllcache\umaxu40.dll

2009-03-03 16:17 . 2001-08-17 22:36 26,624 --a--c--- c:\windows\system32\dllcache\umaxu22.dll

2009-03-03 16:17 . 2008-04-13 18:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

2009-03-03 16:17 . 2008-04-13 18:45 20,608 --a--c--- c:\windows\system32\dllcache\usbuhci.sys

2009-03-03 16:17 . 2008-04-13 18:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2009-03-03 16:16 . 2001-08-17 22:36 216,064 --a--c--- c:\windows\system32\dllcache\um34scan.dll

2009-03-03 16:16 . 2001-08-17 22:36 211,968 --a--c--- c:\windows\system32\dllcache\um54scan.dll

2009-03-03 16:16 . 2001-08-17 22:36 50,688 --a--c--- c:\windows\system32\dllcache\umaxscan.dll

2009-03-03 16:16 . 2001-08-17 22:36 50,176 --a--c--- c:\windows\system32\dllcache\umaxp60.dll

2009-03-03 16:16 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\umaxcam.dll

2009-03-03 16:16 . 2001-08-17 13:52 36,736 --a--c--- c:\windows\system32\dllcache\ultra.sys

2009-03-03 16:16 . 2001-08-17 13:58 22,912 --a--c--- c:\windows\system32\dllcache\umaxpcls.sys

2009-03-03 16:16 . 2001-08-17 13:48 11,520 --a--c--- c:\windows\system32\dllcache\twotrack.sys

2009-03-03 16:15 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll

2009-03-03 16:15 . 2001-08-17 14:56 440,576 --a--c--- c:\windows\system32\dllcache\tridkb.dll

2009-03-03 16:15 . 2001-08-17 14:56 315,520 --a--c--- c:\windows\system32\dllcache\trid3d.dll

2009-03-03 16:15 . 2001-08-17 12:51 222,336 --a--c--- c:\windows\system32\dllcache\trid3dm.sys

2009-03-03 16:15 . 2001-08-17 12:51 166,784 --a--c--- c:\windows\system32\dllcache\tridxpm.sys

2009-03-03 16:15 . 2001-08-17 12:51 159,232 --a--c--- c:\windows\system32\dllcache\tridkbm.sys

2009-03-03 16:14 . 2001-08-17 14:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys

2009-03-03 16:14 . 2001-08-17 14:02 230,912 --a--c--- c:\windows\system32\dllcache\tosdvd03.sys

2009-03-03 16:14 . 2008-04-14 00:12 82,944 --a--c--- c:\windows\system32\dllcache\tp4mon.exe

2009-03-03 16:14 . 2001-08-17 22:35 42,496 --a--c--- c:\windows\system32\dllcache\tp4res.dll

2009-03-03 16:14 . 2001-08-17 12:12 34,375 --a--c--- c:\windows\system32\dllcache\tpro4.sys

2009-03-03 16:14 . 2001-08-17 22:36 31,744 --a--c--- c:\windows\system32\dllcache\tp4.dll

2009-03-03 16:14 . 2001-08-17 12:10 28,232 --a--c--- c:\windows\system32\dllcache\tos4mo.sys

2009-03-03 16:14 . 2001-08-17 13:51 4,992 --a--c--- c:\windows\system32\dllcache\toside.sys

2009-03-03 16:13 . 2008-04-13 18:40 149,376 --a--c--- c:\windows\system32\dllcache\tffsport.sys

2009-03-03 16:13 . 2001-08-17 12:51 138,528 --a--c--- c:\windows\system32\dllcache\tgiulnt5.sys

2009-03-03 16:13 . 2001-08-17 12:14 123,995 --a--c--- c:\windows\system32\dllcache\tjisdn.sys

2009-03-03 16:13 . 2001-08-17 14:56 81,408 --a--c--- c:\windows\system32\dllcache\tgiul50.dll

2009-03-03 16:13 . 2001-08-17 12:13 37,961 --a--c--- c:\windows\system32\dllcache\tdk100b.sys

2009-03-03 16:13 . 2001-08-17 12:13 17,129 --a--c--- c:\windows\system32\dllcache\tdkcd31.sys

2009-03-03 16:12 . 2001-08-17 14:56 172,768 --a--c--- c:\windows\system32\dllcache\t2r4disp.dll

2009-03-03 16:12 . 2001-08-17 12:50 36,640 --a--c--- c:\windows\system32\dllcache\t2r4mini.sys

2009-03-03 16:12 . 2001-08-17 14:07 32,640 --a--c--- c:\windows\system32\dllcache\symc8xx.sys

2009-03-03 16:12 . 2001-08-17 13:49 30,464 --a--c--- c:\windows\system32\dllcache\tbatm155.sys

2009-03-03 16:12 . 2001-08-17 14:07 16,256 --a--c--- c:\windows\system32\dllcache\symc810.sys

2009-03-03 16:12 . 2001-08-17 13:52 7,040 --a--c--- c:\windows\system32\dllcache\tandqic.sys

2009-03-03 16:11 . 2001-08-17 13:50 103,936 --a--c--- c:\windows\system32\dllcache\sx.sys

2009-03-03 16:11 . 2001-08-17 22:36 94,293 --a--c--- c:\windows\system32\dllcache\sxports.dll

2009-03-03 16:11 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\sw_wheel.dll

2009-03-03 16:11 . 2001-08-17 22:36 41,472 --a--c--- c:\windows\system32\dllcache\sw_effct.dll

2009-03-03 16:11 . 2001-08-17 14:07 30,688 --a--c--- c:\windows\system32\dllcache\sym_u3.sys

2009-03-03 16:11 . 2001-08-17 14:07 28,384 --a--c--- c:\windows\system32\dllcache\sym_hi.sys

2009-03-03 16:11 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpidflt.dll

2009-03-03 16:11 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpdflt2.dll

2009-03-03 16:11 . 2001-08-17 14:02 3,968 --a--c--- c:\windows\system32\dllcache\swusbflt.sys

2009-03-03 16:10 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys

2009-03-03 16:10 . 2001-08-17 22:36 155,648 --a--c--- c:\windows\system32\dllcache\stlnprop.dll

2009-03-03 16:10 . 2001-08-17 22:36 99,328 --a--c--- c:\windows\system32\dllcache\srusd.dll

2009-03-03 16:10 . 2001-08-17 22:36 53,248 --a--c--- c:\windows\system32\dllcache\stlncoin.dll

2009-03-03 16:10 . 2001-08-17 12:11 48,736 --a--c--- c:\windows\system32\dllcache\srwlnd5.sys

2009-03-03 16:10 . 2001-08-17 13:51 16,896 --a--c--- c:\windows\system32\dllcache\stcusb.sys

2009-03-03 16:09 . 2001-08-17 22:36 114,688 --a--c--- c:\windows\system32\dllcache\sonypi.dll

2009-03-03 16:09 . 2001-08-17 22:36 106,584 --a--c--- c:\windows\system32\dllcache\spdports.dll

2009-03-03 16:09 . 2001-08-17 13:51 61,824 --a--c--- c:\windows\system32\dllcache\speed.sys

2009-03-03 16:09 . 2001-08-17 12:51 37,040 --a--c--- c:\windows\system32\dllcache\sonypi.sys

2009-03-03 16:09 . 2001-08-17 22:36 24,660 --a--c--- c:\windows\system32\dllcache\spxupchk.dll

2009-03-03 16:09 . 2001-08-17 12:51 20,752 --a--c--- c:\windows\system32\dllcache\sonync.sys

2009-03-03 16:09 . 2001-08-17 14:07 19,072 --a--c--- c:\windows\system32\dllcache\sparrow.sys

2009-03-03 16:09 . 2001-08-17 13:53 9,600 --a--c--- c:\windows\system32\dllcache\sonymc.sys

2009-03-03 16:09 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys

2009-03-03 16:08 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll

2009-03-03 16:08 . 2004-08-04 12:00 143,422 --a--c--- c:\windows\system32\dllcache\softkey.dll

2009-03-03 16:08 . 2001-08-17 12:51 58,368 --a--c--- c:\windows\system32\dllcache\smiminib.sys

2009-03-03 16:08 . 2001-08-17 12:10 35,913 --a--c--- c:\windows\system32\dllcache\smcirda.sys

2009-03-03 16:08 . 2001-08-17 12:12 25,034 --a--c--- c:\windows\system32\dllcache\smcpwr2n.sys

2009-03-03 16:08 . 2001-08-17 12:12 24,576 --a--c--- c:\windows\system32\dllcache\smc8000n.sys

2009-03-03 16:08 . 2008-04-13 18:36 16,000 --a--c--- c:\windows\system32\dllcache\smbbatt.sys

2009-03-03 16:08 . 2008-04-13 18:40 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys

2009-03-03 16:08 . 2001-08-17 13:53 7,040 --a--c--- c:\windows\system32\dllcache\snyaitmc.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-04 12:23 --------- d-----w c:\program files\LimeWire

2006-11-01 08:29 21,184 ----a-w c:\documents and settings\Winner\Application Data\GDIPFONTCACHEV1.DAT

2006-06-10 15:09 24,192 ----a-w c:\documents and settings\Winner\usbsermptxp.sys

2006-06-10 15:09 22,768 ----a-w c:\documents and settings\Winner\usbsermpt.sys

2005-07-29 16:24 472 --sha-r c:\windows\V2lubmVy\pZ5RvApV.vbs

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]

"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-08 729178]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-04 1932568]

"SoundMan"="SOUNDMAN.EXE" [2005-08-18 c:\windows\SOUNDMAN.EXE]

"AGRSMMSG"="AGRSMMSG.exe" [2005-07-01 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-09-21 114688]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-04 21:27 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpy21.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-04 325640]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-04 107912]

S0 Winpy21;Winpy21;c:\windows\system32\Drivers\Winpy21.sys --> c:\windows\system32\Drivers\Winpy21.sys [?]

S1 1eb6ce68;1eb6ce68;c:\windows\system32\drivers\1eb6ce68.sys [2008-12-22 0]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]

S3 V0090VID;Creative WebCam Vista Plus;c:\windows\system32\drivers\V0090Vid.sys [2007-08-31 138112]

--- Other Services/Drivers In Memory ---

*Deregistered* - 6to4

*Deregistered* - ALG

*Deregistered* - Apple Mobile Device

*Deregistered* - Ati HotKey Poller

*Deregistered* - AudioSrv

*Deregistered* - avg8wd

*Deregistered* - Bonjour Service

*Deregistered* - Browser

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - helpsvc

*Deregistered* - HTTPFilter

*Deregistered* - ImapiService

*Deregistered* - iPod Service

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - NwSapAgent

*Deregistered* - PolicyAgent

*Deregistered* - ProtectedStorage

*Deregistered* - RasMan

*Deregistered* - RemoteAccess

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - srservice

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - TapiSrv

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - UMWdf

*Deregistered* - VeAtvexhi

*Deregistered* - W32Time

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

VeAtvexhi

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d2bcee-4923-11dc-9579-00173f4e5a8b}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25727b75-c2b7-11db-9452-00173f4e5a8b}]

\Shell\AutoRun\command - F:\fooool.exe

\Shell\explore\Command - F:\fooool.exe

\Shell\open\Command - F:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dc465df-b62e-11db-9441-00173f4e5a8b}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{527cf452-7c3f-11dd-98cd-00173f4e5a8b}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5448d71a-4c6e-11dd-9839-00173f4e5a8b}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58fe9e88-b6dc-11dd-9966-00142a993dfb}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9b25aa-37fa-11dd-9801-00173f4e5a8b}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8f88350-9c11-11dc-9678-00142a993dfb}]

\Shell\AutoRun\command - E:\fooool.exe

\Shell\explore\Command - E:\fooool.exe

\Shell\open\Command - E:\fooool.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-08 c:\windows\Tasks\uptmoupp.job

- c:\windows\system32\jkkKdCRh.dll []

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

HKCU-Run-WebPlus7.exe - F:\WEBPLU~1.EXE

Notify-awtsTNGy - awtsTNGy.dll

SafeBoot-ati6uexx.sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-08 10:33:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\2.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\progra~1\AVG\AVG8\avgwdsvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-03-08 10:40:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-08 10:40:36

Pre-Run: 26,325,028,864 bytes free

Post-Run: 26,483,482,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

368 --- E O F --- 2009-03-03 22:19:40

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:50:23, on 08/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Fix_trouble\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235984590390

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 6857 bytes

Link to post
Share on other sites

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\2.tmp

c:\windows\Tasks\uptmoupp.job

c:\windows\system32\drivers\1eb6ce68.sys

c:\windows\system32\Drivers\Winpy21.sys

c:\windows\system32\jkkKdCRh.dll

E:\fooool.exe

Folder::

c:\windows\V2lubmVy\

Driver::

MEMSWEEP2

1eb6ce68

Winpy21

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d2bcee-4923-11dc-9579-00173f4e5a8b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25727b75-c2b7-11db-9452-00173f4e5a8b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dc465df-b62e-11db-9441-00173f4e5a8b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{527cf452-7c3f-11dd-98cd-00173f4e5a8b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5448d71a-4c6e-11dd-9839-00173f4e5a8b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58fe9e88-b6dc-11dd-9966-00142a993dfb}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9b25aa-37fa-11dd-9801-00173f4e5a8b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8f88350-9c11-11dc-9678-00142a993dfb}]

[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites

ComboFix 09-03-06.02 - Winner 2009-03-08 22:41:03.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.46 [GMT 0:00]

Running from: c:\fix_trouble\ComboFix.exe

Command switches used :: c:\fix_trouble\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\2.tmp

c:\windows\system32\drivers\1eb6ce68.sys

c:\windows\system32\Drivers\Winpy21.sys

c:\windows\system32\jkkKdCRh.dll

c:\windows\Tasks\uptmoupp.job

E:\fooool.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\1eb6ce68.sys

c:\windows\Tasks\uptmoupp.job

c:\windows\V2lubmVy\

c:\windows\V2lubmVy\\pZ5RvApV.vbs

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MEMSWEEP2

-------\Legacy_WINPY21

-------\Service_1eb6ce68

-------\Service_Winpy21

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))

.

2009-03-08 00:24 . 2009-03-08 00:24 <DIR> d-------- c:\documents and settings\Winner\jmeeting

2009-03-04 23:05 . 2009-03-04 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-04 21:27 . 2009-03-08 09:50 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-04 21:27 . 2009-03-04 21:27 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-04 21:27 . 2009-03-04 21:27 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-04 21:27 . 2009-03-04 21:27 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-04 20:33 . 2009-03-04 20:33 42 --a------ c:\windows\system32\AK083E209605E394C.lie

2009-03-03 16:24 . 2008-04-14 00:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll

2009-03-03 16:24 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe

2009-03-03 16:24 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-03-03 16:24 . 2008-04-14 00:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll

2009-03-03 16:24 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe

2009-03-03 16:23 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe

2009-03-03 16:23 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys

2009-03-03 16:23 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys

2009-03-03 16:23 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys

2009-03-03 16:23 . 2008-04-14 00:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll

2009-03-03 16:22 . 2001-08-17 13:28 771,581 --a--c--- c:\windows\system32\dllcache\winacisa.sys

2009-03-03 16:22 . 2004-08-03 22:31 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys

2009-03-03 16:22 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys

2009-03-03 16:22 . 2008-04-13 18:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys

2009-03-03 16:21 . 2001-08-17 13:28 701,386 --a--c--- c:\windows\system32\dllcache\wdhaalba.sys

2009-03-03 16:21 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll

2009-03-03 16:21 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\wiamsmud.dll

2009-03-03 16:21 . 2001-08-17 12:10 35,871 --a--c--- c:\windows\system32\dllcache\wbfirdma.sys

2009-03-03 16:21 . 2008-04-13 18:45 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys

2009-03-03 16:21 . 2004-08-03 22:29 23,615 --a--c--- c:\windows\system32\dllcache\wch7xxnt.sys

2009-03-03 16:20 . 2001-08-17 13:28 64,605 --a--c--- c:\windows\system32\dllcache\vvoice.sys

2009-03-03 16:20 . 2004-08-03 22:29 33,599 --a--c--- c:\windows\system32\dllcache\watv04nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 29,311 --a--c--- c:\windows\system32\dllcache\watv01nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 19,551 --a--c--- c:\windows\system32\dllcache\watv02nt.sys

2009-03-03 16:20 . 2001-08-17 12:13 19,528 --a--c--- c:\windows\system32\dllcache\w840nd.sys

2009-03-03 16:20 . 2001-08-17 12:13 19,016 --a--c--- c:\windows\system32\dllcache\w926nd.sys

2009-03-03 16:20 . 2001-08-17 12:13 16,925 --a--c--- c:\windows\system32\dllcache\w940nd.sys

2009-03-03 16:20 . 2004-08-03 22:29 12,415 --a--c--- c:\windows\system32\dllcache\wadv01nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 12,127 --a--c--- c:\windows\system32\dllcache\wadv02nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 11,775 --a--c--- c:\windows\system32\dllcache\wadv05nt.sys

2009-03-03 16:19 . 2001-08-17 13:28 604,253 --a--c--- c:\windows\system32\dllcache\vmodem.sys

2009-03-03 16:19 . 2001-08-17 13:28 397,502 --a--c--- c:\windows\system32\dllcache\vpctcom.sys

2009-03-03 16:19 . 2001-08-17 12:14 249,402 --a--c--- c:\windows\system32\dllcache\vinwm.sys

2009-03-03 16:19 . 2001-08-17 13:49 24,576 --a--c--- c:\windows\system32\dllcache\viairda.sys

2009-03-03 16:19 . 2008-04-13 18:40 5,376 --a--c--- c:\windows\system32\dllcache\viaide.sys

2009-03-03 16:18 . 2001-08-17 13:28 794,399 --a--c--- c:\windows\system32\dllcache\usr1806v.sys

2009-03-03 16:18 . 2001-08-17 13:28 793,598 --a--c--- c:\windows\system32\dllcache\usr1806.sys

2009-03-03 16:18 . 2001-08-17 13:28 765,884 --a--c--- c:\windows\system32\dllcache\usrti.sys

2009-03-03 16:18 . 2001-08-17 13:28 687,999 --a--c--- c:\windows\system32\dllcache\usrwdxjs.sys

2009-03-03 16:18 . 2001-08-17 13:28 224,802 --a--c--- c:\windows\system32\dllcache\usr1807a.sys

2009-03-03 16:18 . 2001-08-17 13:28 113,762 --a--c--- c:\windows\system32\dllcache\usrpda.sys

2009-03-03 16:18 . 2001-08-17 13:28 7,556 --a--c--- c:\windows\system32\dllcache\usroslba.sys

2009-03-03 16:17 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys

2009-03-03 16:17 . 2001-08-17 22:36 94,720 --a--c--- c:\windows\system32\dllcache\umaxud32.dll

2009-03-03 16:17 . 2001-08-17 22:36 69,632 --a--c--- c:\windows\system32\dllcache\umaxu12.dll

2009-03-03 16:17 . 2004-08-03 22:31 32,384 --a--c--- c:\windows\system32\dllcache\usb101et.sys

2009-03-03 16:17 . 2001-08-17 22:36 28,160 --a--c--- c:\windows\system32\dllcache\umaxu40.dll

2009-03-03 16:17 . 2001-08-17 22:36 26,624 --a--c--- c:\windows\system32\dllcache\umaxu22.dll

2009-03-03 16:17 . 2008-04-13 18:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

2009-03-03 16:17 . 2008-04-13 18:45 20,608 --a--c--- c:\windows\system32\dllcache\usbuhci.sys

2009-03-03 16:17 . 2008-04-13 18:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2009-03-03 16:16 . 2001-08-17 22:36 216,064 --a--c--- c:\windows\system32\dllcache\um34scan.dll

2009-03-03 16:16 . 2001-08-17 22:36 211,968 --a--c--- c:\windows\system32\dllcache\um54scan.dll

2009-03-03 16:16 . 2001-08-17 22:36 50,688 --a--c--- c:\windows\system32\dllcache\umaxscan.dll

2009-03-03 16:16 . 2001-08-17 22:36 50,176 --a--c--- c:\windows\system32\dllcache\umaxp60.dll

2009-03-03 16:16 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\umaxcam.dll

2009-03-03 16:16 . 2001-08-17 13:52 36,736 --a--c--- c:\windows\system32\dllcache\ultra.sys

2009-03-03 16:16 . 2001-08-17 13:58 22,912 --a--c--- c:\windows\system32\dllcache\umaxpcls.sys

2009-03-03 16:16 . 2001-08-17 13:48 11,520 --a--c--- c:\windows\system32\dllcache\twotrack.sys

2009-03-03 16:15 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll

2009-03-03 16:15 . 2001-08-17 14:56 440,576 --a--c--- c:\windows\system32\dllcache\tridkb.dll

2009-03-03 16:15 . 2001-08-17 14:56 315,520 --a--c--- c:\windows\system32\dllcache\trid3d.dll

2009-03-03 16:15 . 2001-08-17 12:51 222,336 --a--c--- c:\windows\system32\dllcache\trid3dm.sys

2009-03-03 16:15 . 2001-08-17 12:51 166,784 --a--c--- c:\windows\system32\dllcache\tridxpm.sys

2009-03-03 16:15 . 2001-08-17 12:51 159,232 --a--c--- c:\windows\system32\dllcache\tridkbm.sys

2009-03-03 16:14 . 2001-08-17 14:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys

2009-03-03 16:14 . 2001-08-17 14:02 230,912 --a--c--- c:\windows\system32\dllcache\tosdvd03.sys

2009-03-03 16:14 . 2008-04-14 00:12 82,944 --a--c--- c:\windows\system32\dllcache\tp4mon.exe

2009-03-03 16:14 . 2001-08-17 22:35 42,496 --a--c--- c:\windows\system32\dllcache\tp4res.dll

2009-03-03 16:14 . 2001-08-17 12:12 34,375 --a--c--- c:\windows\system32\dllcache\tpro4.sys

2009-03-03 16:14 . 2001-08-17 22:36 31,744 --a--c--- c:\windows\system32\dllcache\tp4.dll

2009-03-03 16:14 . 2001-08-17 12:10 28,232 --a--c--- c:\windows\system32\dllcache\tos4mo.sys

2009-03-03 16:14 . 2001-08-17 13:51 4,992 --a--c--- c:\windows\system32\dllcache\toside.sys

2009-03-03 16:13 . 2008-04-13 18:40 149,376 --a--c--- c:\windows\system32\dllcache\tffsport.sys

2009-03-03 16:13 . 2001-08-17 12:51 138,528 --a--c--- c:\windows\system32\dllcache\tgiulnt5.sys

2009-03-03 16:13 . 2001-08-17 12:14 123,995 --a--c--- c:\windows\system32\dllcache\tjisdn.sys

2009-03-03 16:13 . 2001-08-17 14:56 81,408 --a--c--- c:\windows\system32\dllcache\tgiul50.dll

2009-03-03 16:13 . 2001-08-17 12:13 37,961 --a--c--- c:\windows\system32\dllcache\tdk100b.sys

2009-03-03 16:13 . 2001-08-17 12:13 17,129 --a--c--- c:\windows\system32\dllcache\tdkcd31.sys

2009-03-03 16:12 . 2001-08-17 14:56 172,768 --a--c--- c:\windows\system32\dllcache\t2r4disp.dll

2009-03-03 16:12 . 2001-08-17 12:50 36,640 --a--c--- c:\windows\system32\dllcache\t2r4mini.sys

2009-03-03 16:12 . 2001-08-17 14:07 32,640 --a--c--- c:\windows\system32\dllcache\symc8xx.sys

2009-03-03 16:12 . 2001-08-17 13:49 30,464 --a--c--- c:\windows\system32\dllcache\tbatm155.sys

2009-03-03 16:12 . 2001-08-17 14:07 16,256 --a--c--- c:\windows\system32\dllcache\symc810.sys

2009-03-03 16:12 . 2001-08-17 13:52 7,040 --a--c--- c:\windows\system32\dllcache\tandqic.sys

2009-03-03 16:11 . 2001-08-17 13:50 103,936 --a--c--- c:\windows\system32\dllcache\sx.sys

2009-03-03 16:11 . 2001-08-17 22:36 94,293 --a--c--- c:\windows\system32\dllcache\sxports.dll

2009-03-03 16:11 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\sw_wheel.dll

2009-03-03 16:11 . 2001-08-17 22:36 41,472 --a--c--- c:\windows\system32\dllcache\sw_effct.dll

2009-03-03 16:11 . 2001-08-17 14:07 30,688 --a--c--- c:\windows\system32\dllcache\sym_u3.sys

2009-03-03 16:11 . 2001-08-17 14:07 28,384 --a--c--- c:\windows\system32\dllcache\sym_hi.sys

2009-03-03 16:11 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpidflt.dll

2009-03-03 16:11 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpdflt2.dll

2009-03-03 16:11 . 2001-08-17 14:02 3,968 --a--c--- c:\windows\system32\dllcache\swusbflt.sys

2009-03-03 16:10 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys

2009-03-03 16:10 . 2001-08-17 22:36 155,648 --a--c--- c:\windows\system32\dllcache\stlnprop.dll

2009-03-03 16:10 . 2001-08-17 22:36 99,328 --a--c--- c:\windows\system32\dllcache\srusd.dll

2009-03-03 16:10 . 2001-08-17 22:36 53,248 --a--c--- c:\windows\system32\dllcache\stlncoin.dll

2009-03-03 16:10 . 2001-08-17 12:11 48,736 --a--c--- c:\windows\system32\dllcache\srwlnd5.sys

2009-03-03 16:10 . 2001-08-17 13:51 16,896 --a--c--- c:\windows\system32\dllcache\stcusb.sys

2009-03-03 16:09 . 2001-08-17 22:36 114,688 --a--c--- c:\windows\system32\dllcache\sonypi.dll

2009-03-03 16:09 . 2001-08-17 22:36 106,584 --a--c--- c:\windows\system32\dllcache\spdports.dll

2009-03-03 16:09 . 2001-08-17 13:51 61,824 --a--c--- c:\windows\system32\dllcache\speed.sys

2009-03-03 16:09 . 2001-08-17 12:51 37,040 --a--c--- c:\windows\system32\dllcache\sonypi.sys

2009-03-03 16:09 . 2001-08-17 22:36 24,660 --a--c--- c:\windows\system32\dllcache\spxupchk.dll

2009-03-03 16:09 . 2001-08-17 12:51 20,752 --a--c--- c:\windows\system32\dllcache\sonync.sys

2009-03-03 16:09 . 2001-08-17 14:07 19,072 --a--c--- c:\windows\system32\dllcache\sparrow.sys

2009-03-03 16:09 . 2001-08-17 13:53 9,600 --a--c--- c:\windows\system32\dllcache\sonymc.sys

2009-03-03 16:09 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys

2009-03-03 16:08 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll

2009-03-03 16:08 . 2004-08-04 12:00 143,422 --a--c--- c:\windows\system32\dllcache\softkey.dll

2009-03-03 16:08 . 2001-08-17 12:51 58,368 --a--c--- c:\windows\system32\dllcache\smiminib.sys

2009-03-03 16:08 . 2001-08-17 12:10 35,913 --a--c--- c:\windows\system32\dllcache\smcirda.sys

2009-03-03 16:08 . 2001-08-17 12:12 25,034 --a--c--- c:\windows\system32\dllcache\smcpwr2n.sys

2009-03-03 16:08 . 2001-08-17 12:12 24,576 --a--c--- c:\windows\system32\dllcache\smc8000n.sys

2009-03-03 16:08 . 2008-04-13 18:36 16,000 --a--c--- c:\windows\system32\dllcache\smbbatt.sys

2009-03-03 16:08 . 2008-04-13 18:40 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys

2009-03-03 16:08 . 2001-08-17 13:53 7,040 --a--c--- c:\windows\system32\dllcache\snyaitmc.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-04 12:23 --------- d-----w c:\program files\LimeWire

2006-11-01 08:29 21,184 ----a-w c:\documents and settings\Winner\Application Data\GDIPFONTCACHEV1.DAT

2006-06-10 15:09 24,192 ----a-w c:\documents and settings\Winner\usbsermptxp.sys

2006-06-10 15:09 22,768 ----a-w c:\documents and settings\Winner\usbsermpt.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]

"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-08 729178]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-04 1932568]

"SoundMan"="SOUNDMAN.EXE" [2005-08-18 c:\windows\SOUNDMAN.EXE]

"AGRSMMSG"="AGRSMMSG.exe" [2005-07-01 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-09-21 114688]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-04 21:27 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-04 325640]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-04 107912]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-04 298264]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-10-07 14336]

S2 VeAtvexhi;VeAtvexhi;c:\windows\System32\svchost.exe -k netsvcs [2005-10-07 14336]

S3 V0090VID;Creative WebCam Vista Plus;c:\windows\system32\drivers\V0090Vid.sys [2007-08-31 138112]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

VeAtvexhi

.

Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-Winpy21.sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-08 22:47:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-03-08 22:54:38 - machine was rebooted [Winner]

ComboFix-quarantined-files.txt 2009-03-08 22:54:31

ComboFix2.txt 2009-03-08 10:40:47

Pre-Run: 26,467,307,520 bytes free

Post-Run: 26,448,424,960 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

269 --- E O F --- 2009-03-03 22:19:40

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:39:30, on 08/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\WINDOWS\explorer.exe

C:\Fix_trouble\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235984590390

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 6803 bytes

Link to post
Share on other sites

Looking better. :D

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\AK083E209605E394C.lie

Driver::

NwSapAgent

VeAtvexhi

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites

Hi Tigger

Glad you are nibbling away at this devil. What exactly are you dealing with. Is it remnants of past infections or a variant of some sort?

Many Thanks for your continuing assistance.

ComboFix 09-03-06.02 - Winner 2009-03-10 0:32:31.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.45 [GMT 0:00]

Running from: c:\fix_trouble\ComboFix.exe

Command switches used :: c:\fix_trouble\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\AK083E209605E394C.lie

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\AK083E209605E394C.lie

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NWSAPAGENT

-------\Legacy_VEATVEXHI

-------\Service_NwSapAgent

-------\Service_VeAtvexhi

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))

.

2009-03-10 00:30 . 2009-03-10 00:30 <DIR> d-------- C:\32788R22FWJFW

2009-03-08 00:24 . 2009-03-08 00:24 <DIR> d-------- c:\documents and settings\Winner\jmeeting

2009-03-04 23:05 . 2009-03-04 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-04 21:27 . 2009-03-09 10:58 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-04 21:27 . 2009-03-04 21:27 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-04 21:27 . 2009-03-04 21:27 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-04 21:27 . 2009-03-04 21:27 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-03 16:24 . 2008-04-14 00:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll

2009-03-03 16:24 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe

2009-03-03 16:24 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-03-03 16:24 . 2008-04-14 00:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll

2009-03-03 16:24 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe

2009-03-03 16:23 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe

2009-03-03 16:23 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys

2009-03-03 16:23 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys

2009-03-03 16:23 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys

2009-03-03 16:23 . 2008-04-14 00:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll

2009-03-03 16:22 . 2001-08-17 13:28 771,581 --a--c--- c:\windows\system32\dllcache\winacisa.sys

2009-03-03 16:22 . 2004-08-03 22:31 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys

2009-03-03 16:22 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys

2009-03-03 16:22 . 2008-04-13 18:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys

2009-03-03 16:21 . 2001-08-17 13:28 701,386 --a--c--- c:\windows\system32\dllcache\wdhaalba.sys

2009-03-03 16:21 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll

2009-03-03 16:21 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\wiamsmud.dll

2009-03-03 16:21 . 2001-08-17 12:10 35,871 --a--c--- c:\windows\system32\dllcache\wbfirdma.sys

2009-03-03 16:21 . 2008-04-13 18:45 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys

2009-03-03 16:21 . 2004-08-03 22:29 23,615 --a--c--- c:\windows\system32\dllcache\wch7xxnt.sys

2009-03-03 16:20 . 2001-08-17 13:28 64,605 --a--c--- c:\windows\system32\dllcache\vvoice.sys

2009-03-03 16:20 . 2004-08-03 22:29 33,599 --a--c--- c:\windows\system32\dllcache\watv04nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 29,311 --a--c--- c:\windows\system32\dllcache\watv01nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 19,551 --a--c--- c:\windows\system32\dllcache\watv02nt.sys

2009-03-03 16:20 . 2001-08-17 12:13 19,528 --a--c--- c:\windows\system32\dllcache\w840nd.sys

2009-03-03 16:20 . 2001-08-17 12:13 19,016 --a--c--- c:\windows\system32\dllcache\w926nd.sys

2009-03-03 16:20 . 2001-08-17 12:13 16,925 --a--c--- c:\windows\system32\dllcache\w940nd.sys

2009-03-03 16:20 . 2004-08-03 22:29 12,415 --a--c--- c:\windows\system32\dllcache\wadv01nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 12,127 --a--c--- c:\windows\system32\dllcache\wadv02nt.sys

2009-03-03 16:20 . 2004-08-03 22:29 11,775 --a--c--- c:\windows\system32\dllcache\wadv05nt.sys

2009-03-03 16:19 . 2001-08-17 13:28 604,253 --a--c--- c:\windows\system32\dllcache\vmodem.sys

2009-03-03 16:19 . 2001-08-17 13:28 397,502 --a--c--- c:\windows\system32\dllcache\vpctcom.sys

2009-03-03 16:19 . 2001-08-17 12:14 249,402 --a--c--- c:\windows\system32\dllcache\vinwm.sys

2009-03-03 16:19 . 2001-08-17 13:49 24,576 --a--c--- c:\windows\system32\dllcache\viairda.sys

2009-03-03 16:19 . 2008-04-13 18:40 5,376 --a--c--- c:\windows\system32\dllcache\viaide.sys

2009-03-03 16:18 . 2001-08-17 13:28 794,399 --a--c--- c:\windows\system32\dllcache\usr1806v.sys

2009-03-03 16:18 . 2001-08-17 13:28 793,598 --a--c--- c:\windows\system32\dllcache\usr1806.sys

2009-03-03 16:18 . 2001-08-17 13:28 765,884 --a--c--- c:\windows\system32\dllcache\usrti.sys

2009-03-03 16:18 . 2001-08-17 13:28 687,999 --a--c--- c:\windows\system32\dllcache\usrwdxjs.sys

2009-03-03 16:18 . 2001-08-17 13:28 224,802 --a--c--- c:\windows\system32\dllcache\usr1807a.sys

2009-03-03 16:18 . 2001-08-17 13:28 113,762 --a--c--- c:\windows\system32\dllcache\usrpda.sys

2009-03-03 16:18 . 2001-08-17 13:28 7,556 --a--c--- c:\windows\system32\dllcache\usroslba.sys

2009-03-03 16:17 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys

2009-03-03 16:17 . 2001-08-17 22:36 94,720 --a--c--- c:\windows\system32\dllcache\umaxud32.dll

2009-03-03 16:17 . 2001-08-17 22:36 69,632 --a--c--- c:\windows\system32\dllcache\umaxu12.dll

2009-03-03 16:17 . 2004-08-03 22:31 32,384 --a--c--- c:\windows\system32\dllcache\usb101et.sys

2009-03-03 16:17 . 2001-08-17 22:36 28,160 --a--c--- c:\windows\system32\dllcache\umaxu40.dll

2009-03-03 16:17 . 2001-08-17 22:36 26,624 --a--c--- c:\windows\system32\dllcache\umaxu22.dll

2009-03-03 16:17 . 2008-04-13 18:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

2009-03-03 16:17 . 2008-04-13 18:45 20,608 --a--c--- c:\windows\system32\dllcache\usbuhci.sys

2009-03-03 16:17 . 2008-04-13 18:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2009-03-03 16:16 . 2001-08-17 22:36 216,064 --a--c--- c:\windows\system32\dllcache\um34scan.dll

2009-03-03 16:16 . 2001-08-17 22:36 211,968 --a--c--- c:\windows\system32\dllcache\um54scan.dll

2009-03-03 16:16 . 2001-08-17 22:36 50,688 --a--c--- c:\windows\system32\dllcache\umaxscan.dll

2009-03-03 16:16 . 2001-08-17 22:36 50,176 --a--c--- c:\windows\system32\dllcache\umaxp60.dll

2009-03-03 16:16 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\umaxcam.dll

2009-03-03 16:16 . 2001-08-17 13:52 36,736 --a--c--- c:\windows\system32\dllcache\ultra.sys

2009-03-03 16:16 . 2001-08-17 13:58 22,912 --a--c--- c:\windows\system32\dllcache\umaxpcls.sys

2009-03-03 16:16 . 2001-08-17 13:48 11,520 --a--c--- c:\windows\system32\dllcache\twotrack.sys

2009-03-03 16:15 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll

2009-03-03 16:15 . 2001-08-17 14:56 440,576 --a--c--- c:\windows\system32\dllcache\tridkb.dll

2009-03-03 16:15 . 2001-08-17 14:56 315,520 --a--c--- c:\windows\system32\dllcache\trid3d.dll

2009-03-03 16:15 . 2001-08-17 12:51 222,336 --a--c--- c:\windows\system32\dllcache\trid3dm.sys

2009-03-03 16:15 . 2001-08-17 12:51 166,784 --a--c--- c:\windows\system32\dllcache\tridxpm.sys

2009-03-03 16:15 . 2001-08-17 12:51 159,232 --a--c--- c:\windows\system32\dllcache\tridkbm.sys

2009-03-03 16:14 . 2001-08-17 14:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys

2009-03-03 16:14 . 2001-08-17 14:02 230,912 --a--c--- c:\windows\system32\dllcache\tosdvd03.sys

2009-03-03 16:14 . 2008-04-14 00:12 82,944 --a--c--- c:\windows\system32\dllcache\tp4mon.exe

2009-03-03 16:14 . 2001-08-17 22:35 42,496 --a--c--- c:\windows\system32\dllcache\tp4res.dll

2009-03-03 16:14 . 2001-08-17 12:12 34,375 --a--c--- c:\windows\system32\dllcache\tpro4.sys

2009-03-03 16:14 . 2001-08-17 22:36 31,744 --a--c--- c:\windows\system32\dllcache\tp4.dll

2009-03-03 16:14 . 2001-08-17 12:10 28,232 --a--c--- c:\windows\system32\dllcache\tos4mo.sys

2009-03-03 16:14 . 2001-08-17 13:51 4,992 --a--c--- c:\windows\system32\dllcache\toside.sys

2009-03-03 16:13 . 2008-04-13 18:40 149,376 --a--c--- c:\windows\system32\dllcache\tffsport.sys

2009-03-03 16:13 . 2001-08-17 12:51 138,528 --a--c--- c:\windows\system32\dllcache\tgiulnt5.sys

2009-03-03 16:13 . 2001-08-17 12:14 123,995 --a--c--- c:\windows\system32\dllcache\tjisdn.sys

2009-03-03 16:13 . 2001-08-17 14:56 81,408 --a--c--- c:\windows\system32\dllcache\tgiul50.dll

2009-03-03 16:13 . 2001-08-17 12:13 37,961 --a--c--- c:\windows\system32\dllcache\tdk100b.sys

2009-03-03 16:13 . 2001-08-17 12:13 17,129 --a--c--- c:\windows\system32\dllcache\tdkcd31.sys

2009-03-03 16:12 . 2001-08-17 14:56 172,768 --a--c--- c:\windows\system32\dllcache\t2r4disp.dll

2009-03-03 16:12 . 2001-08-17 12:50 36,640 --a--c--- c:\windows\system32\dllcache\t2r4mini.sys

2009-03-03 16:12 . 2001-08-17 14:07 32,640 --a--c--- c:\windows\system32\dllcache\symc8xx.sys

2009-03-03 16:12 . 2001-08-17 13:49 30,464 --a--c--- c:\windows\system32\dllcache\tbatm155.sys

2009-03-03 16:12 . 2001-08-17 14:07 16,256 --a--c--- c:\windows\system32\dllcache\symc810.sys

2009-03-03 16:12 . 2001-08-17 13:52 7,040 --a--c--- c:\windows\system32\dllcache\tandqic.sys

2009-03-03 16:11 . 2001-08-17 13:50 103,936 --a--c--- c:\windows\system32\dllcache\sx.sys

2009-03-03 16:11 . 2001-08-17 22:36 94,293 --a--c--- c:\windows\system32\dllcache\sxports.dll

2009-03-03 16:11 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\sw_wheel.dll

2009-03-03 16:11 . 2001-08-17 22:36 41,472 --a--c--- c:\windows\system32\dllcache\sw_effct.dll

2009-03-03 16:11 . 2001-08-17 14:07 30,688 --a--c--- c:\windows\system32\dllcache\sym_u3.sys

2009-03-03 16:11 . 2001-08-17 14:07 28,384 --a--c--- c:\windows\system32\dllcache\sym_hi.sys

2009-03-03 16:11 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpidflt.dll

2009-03-03 16:11 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpdflt2.dll

2009-03-03 16:11 . 2001-08-17 14:02 3,968 --a--c--- c:\windows\system32\dllcache\swusbflt.sys

2009-03-03 16:10 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys

2009-03-03 16:10 . 2001-08-17 22:36 155,648 --a--c--- c:\windows\system32\dllcache\stlnprop.dll

2009-03-03 16:10 . 2001-08-17 22:36 99,328 --a--c--- c:\windows\system32\dllcache\srusd.dll

2009-03-03 16:10 . 2001-08-17 22:36 53,248 --a--c--- c:\windows\system32\dllcache\stlncoin.dll

2009-03-03 16:10 . 2001-08-17 12:11 48,736 --a--c--- c:\windows\system32\dllcache\srwlnd5.sys

2009-03-03 16:10 . 2001-08-17 13:51 16,896 --a--c--- c:\windows\system32\dllcache\stcusb.sys

2009-03-03 16:09 . 2001-08-17 22:36 114,688 --a--c--- c:\windows\system32\dllcache\sonypi.dll

2009-03-03 16:09 . 2001-08-17 22:36 106,584 --a--c--- c:\windows\system32\dllcache\spdports.dll

2009-03-03 16:09 . 2001-08-17 13:51 61,824 --a--c--- c:\windows\system32\dllcache\speed.sys

2009-03-03 16:09 . 2001-08-17 12:51 37,040 --a--c--- c:\windows\system32\dllcache\sonypi.sys

2009-03-03 16:09 . 2001-08-17 22:36 24,660 --a--c--- c:\windows\system32\dllcache\spxupchk.dll

2009-03-03 16:09 . 2001-08-17 12:51 20,752 --a--c--- c:\windows\system32\dllcache\sonync.sys

2009-03-03 16:09 . 2001-08-17 14:07 19,072 --a--c--- c:\windows\system32\dllcache\sparrow.sys

2009-03-03 16:09 . 2001-08-17 13:53 9,600 --a--c--- c:\windows\system32\dllcache\sonymc.sys

2009-03-03 16:09 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys

2009-03-03 16:08 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll

2009-03-03 16:08 . 2004-08-04 12:00 143,422 --a--c--- c:\windows\system32\dllcache\softkey.dll

2009-03-03 16:08 . 2001-08-17 12:51 58,368 --a--c--- c:\windows\system32\dllcache\smiminib.sys

2009-03-03 16:08 . 2001-08-17 12:10 35,913 --a--c--- c:\windows\system32\dllcache\smcirda.sys

2009-03-03 16:08 . 2001-08-17 12:12 25,034 --a--c--- c:\windows\system32\dllcache\smcpwr2n.sys

2009-03-03 16:08 . 2001-08-17 12:12 24,576 --a--c--- c:\windows\system32\dllcache\smc8000n.sys

2009-03-03 16:08 . 2008-04-13 18:36 16,000 --a--c--- c:\windows\system32\dllcache\smbbatt.sys

2009-03-03 16:08 . 2008-04-13 18:40 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys

2009-03-03 16:08 . 2001-08-17 13:53 7,040 --a--c--- c:\windows\system32\dllcache\snyaitmc.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-04 12:23 --------- d-----w c:\program files\LimeWire

2006-11-01 08:29 21,184 ----a-w c:\documents and settings\Winner\Application Data\GDIPFONTCACHEV1.DAT

2006-06-10 15:09 24,192 ----a-w c:\documents and settings\Winner\usbsermptxp.sys

2006-06-10 15:09 22,768 ----a-w c:\documents and settings\Winner\usbsermpt.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]

"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-08 729178]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-04 1932568]

"SoundMan"="SOUNDMAN.EXE" [2005-08-18 c:\windows\SOUNDMAN.EXE]

"AGRSMMSG"="AGRSMMSG.exe" [2005-07-01 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-09-21 114688]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-04 21:27 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-04 325640]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-04 107912]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-04 298264]

S3 V0090VID;Creative WebCam Vista Plus;c:\windows\system32\drivers\V0090Vid.sys [2007-08-31 138112]

.

Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-10 00:38:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-03-10 0:45:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-10 00:45:48

ComboFix2.txt 2009-03-08 10:40:47

Pre-Run: 26,482,860,032 bytes free

Post-Run: 26,463,768,576 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

255 --- E O F --- 2009-03-03 22:19:40

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:54:28, on 10/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Fix_trouble\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235984590390

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 6742 bytes

Link to post
Share on other sites

Hi. Glad to see everything's running good. :D

You can fix the following with HijackThis to speed up the boot of your computer and maybe the performance overall:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.