Jump to content

ThUnDeR

Anti-Spyware Brigade
  • Content Count

    5,800
  • Joined

  • Last visited

Everything posted by ThUnDeR

  1. do you still log into YIM anymore?
  2. Anyone play it? I've been playing a lot of gun game on a really decent server. A Pit game would be decent if theres enough people.
  3. Thats a pretty awesome deal you both have received. Good part on Bruce. Nothing like trying to spread around the knowledge with a little help. I never ventured into Linux, but thats the way to start. Just a simple machine to toy around with.
  4. everything is doing alright so far. Computer is no longer having issues with popups. I appreciate the help very much!
  5. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:17:46 PM, on 11/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\AIM\aim.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\program files\steam\steam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\Documents and Settings\Ahmad\Desktop\Ahmad.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: (no name) - {639DB5AF-9415-468F-B596-AFBF8BC2DD07} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - (no file) O2 - BHO: (no name) - {DBDEC6D9-121B-4613-8A49-F809F9DD5951} - (no file) O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: fymsrkwy - C:\WINDOWS\ O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\ O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- End of file - 6669 bytes
  6. ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, November 23, 2007 9:15:04 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 23/11/2007 Kaspersky Anti-Virus database records: 464543 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ Scan Statistics: Total number of scanned objects: 67032 Number of viruses found: 9 Number of infected objects: 40 Number of suspicious objects: 0 Duration of the scan process: 01:12:26 C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071121-112724-809.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071121-195253-445.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071122-110621-335.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071122-120041-215.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071122-130210-244.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071122-130412-238.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\Documents and Settings\Ahmad\Desktop\backups\backup-20071122-130423-256.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\Documents and Settings\Ahmad\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe/WISE0026.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe WiseSFX: infected - 2 skipped C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe WiseSFX Dropper: infected - 2 skipped C:\Program Files\Steam\Steam.log Object is locked skipped C:\qoobox\Quarantine\C\WINDOWS\system32\ydftyata.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped C:\qoobox\Quarantine\catchme2007-11-22_121346.29.zip/wvuvttr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped C:\qoobox\Quarantine\catchme2007-11-22_121346.29.zip ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{327927C2-E094-4FFF-9034-E8B02AD12AB4}\RP2\A0001001.exe Infected: Trojan.Win32.Obfuscated.kp skipped C:\System Volume Information\_restore{327927C2-E094-4FFF-9034-E8B02AD12AB4}\RP2\A0002230.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\System Volume Information\_restore{327927C2-E094-4FFF-9034-E8B02AD12AB4}\RP2\A0002231.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\System Volume Information\_restore{327927C2-E094-4FFF-9034-E8B02AD12AB4}\RP6\A0002489.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped C:\System Volume Information\_restore{327927C2-E094-4FFF-9034-E8B02AD12AB4}\RP6\change.log Object is locked skipped C:\_OTMoveIt\MovedFiles\SDFix\backups\backups.zip/backups/b128.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped C:\_OTMoveIt\MovedFiles\SDFix\backups\backups.zip/backups/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped C:\_OTMoveIt\MovedFiles\SDFix\backups\backups.zip ZIP: infected - 2 skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\cppzuaod.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\efiaxqgt.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\fymsrkwy.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\hcstljfi.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\hvpftrut.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\injnuxjt.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\mghfdndu.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\VundoFix Backups\wqxmflum.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\_OTMoveIt\MovedFiles\WINDOWS\Fonts\svchost.exe Infected: Trojan.Win32.Agent.cmn skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\conajbhy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\eywpiwus.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\jkkiiji.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\kjolkvmc.exe Infected: Trojan.Win32.Obfuscated.kp skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\nnnonll.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\yayaywt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system32\yaywutq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped Scan process completed. continuing with your instructions right now
  7. I don't know how I can paste the kaspersky log. Its incredibly massive. If i had to guess, it'd be over 10 posts if not more. Is there a more efficient way?
  8. Well... File IconC989D247.exe received on 11.23.2007 15:07:25 (CET) Antivirus Version Last Update Result AhnLab-V3 2007.11.23.1 2007.11.23 - AntiVir 7.6.0.34 2007.11.23 - Authentium 4.93.8 2007.11.21 - Avast 4.7.1074.0 2007.11.22 - AVG 7.5.0.503 2007.11.23 - BitDefender 7.2 2007.11.23 - CAT-QuickHeal 9.00 2007.11.22 - ClamAV 0.91.2 2007.11.23 - DrWeb 4.44.0.09170 2007.11.23 - eSafe 7.0.15.0 2007.11.21 - eTrust-Vet 31.3.5318 2007.11.23 - Ewido 4.0 2007.11.23 - FileAdvisor 1 2007.11.23 - Fortinet 3.14.0.0 2007.11.23 - F-Prot 4.4.2.54 2007.11.22 - F-Secure 6.70.13030.0 2007.11.23 - Ikarus T3.1.1.12 2007.11.23 - Kaspersky 7.0.0.125 2007.11.21 - McAfee 5169 2007.11.22 - Microsoft 1.3007 2007.11.23 - NOD32v2 2681 2007.11.23 - Norman 5.80.02 2007.11.22 - Panda 9.0.0.4 2007.11.23 - Prevx1 V2 2007.11.23 - Rising 20.19.41.00 2007.11.23 - Sophos 4.23.0 2007.11.23 - Sunbelt 2.2.907.0 2007.11.22 - Symantec 10 2007.11.23 - TheHacker 6.2.9.138 2007.11.22 - VBA32 3.12.2.5 2007.11.23 - VirusBuster 4.3.26:9 2007.11.23 - Webwasher-Gateway 6.0.1 2007.11.23 - Additional information File size: 4608 bytes MD5: 756ecd7a63948637e6c95f0f4ea560c4 SHA1: fc026cea6bce5e213e187cce9eed79c399d38f78 it did not find the first file you asked me to look for. So far with Kaspersky, its up to 9 viruses and 40 infected files. I noticed the number of viruses jumped when it searched the System Volume Information folder.
  9. I'm currently scanning with Kaspersky... its taking quite a while, only 30% through, but it so far as shown 4 viruses and 14 infected objects
  10. I might have spoken too soon Seems combofix found those files again, and deleted them. ComboFix 07-11-19.3 - Ahmad 2007-11-23 7:09:31.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.313 [GMT -6:00] Running from: C:\Documents and Settings\Ahmad\Desktop\ComboFix(2).exe Command switches used :: C:\Documents and Settings\Ahmad\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\system32\fiotyyao.dll C:\WINDOWS\system32\hcstljfi.dll C:\WINDOWS\system32\kycqfolt.ini C:\WINDOWS\system32\mghfdndu.dll C:\WINDOWS\system32\ydftyata.dll C:\WINDOWS\system32\yhbjanoc.ini . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\fiotyyao.dll C:\WINDOWS\system32\kycqfolt.ini C:\WINDOWS\system32\ydftyata.dll C:\WINDOWS\system32\yhbjanoc.ini . ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 ))))))))))))))))))))))))))))))) . 2007-11-21 19:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire 2007-11-21 12:57 <DIR> d-------- C:\Program Files\Sun 2007-11-21 12:56 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-11-21 12:55 5,097 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log 2007-11-21 12:53 <DIR> d-------- C:\Program Files\Java 2007-11-21 12:53 <DIR> d-------- C:\Program Files\Common Files\Java 2007-11-21 11:57 <DIR> d-------- C:\WINDOWS\ERUNT 2007-11-20 06:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-11-20 06:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-20 06:29 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-11-19 17:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire 2007-11-19 16:46 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft 2007-11-19 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-11-19 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-19 14:28 2,110 --a------ C:\WINDOWS\system32\tmp.reg 2007-11-19 14:28 0 --a------ C:\WINDOWS\system32\tmp.txt 2007-11-18 23:04 681,286 ---hs---- C:\WINDOWS\system32\ghqfvkho.ini 2007-11-18 19:26 <DIR> d-------- C:\Program Files\Steam 2007-11-18 13:59 <DIR> d-------- C:\Program Files\Webroot 2007-11-18 13:59 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared 2007-11-18 13:59 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot 2007-11-18 13:59 56,832 --a------ C:\WINDOWS\Unwash6.exe 2007-11-18 11:57 <DIR> d-------- C:\Program Files\Advanced Windows Cleaner 2007-11-18 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-11-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-11-04 11:27 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor 2007-11-04 11:27 374,752 --a------ C:\WINDOWS\system32\WUSBGXP.sys 2007-11-04 11:27 339,488 --a------ C:\WINDOWS\system32\WUSB20XP.sys 2007-11-04 11:27 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll 2007-11-04 11:27 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD 2007-11-04 11:27 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys 2007-11-04 11:27 8,090 --a------ C:\WINDOWS\system32\WUSB54G.cat 2007-11-04 11:27 1,668 --a------ C:\WINDOWS\system32\WLAN.INI 2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime 2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime 2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime 2007-11-01 21:28 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2007-11-01 21:28 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime 2007-11-01 21:28 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls 2007-11-01 21:27 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime 2007-11-01 21:27 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll 2007-11-01 21:27 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys 2007-11-01 21:27 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll 2007-11-01 21:26 101,888 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll 2007-11-01 21:26 92,160 --a--c--- C:\WINDOWS\system32\dllcache\evntwin.exe 2007-11-01 21:26 57,856 --a--c--- C:\WINDOWS\system32\dllcache\esuimgd.dll 2007-11-01 21:26 45,056 --a--c--- C:\WINDOWS\system32\dllcache\esunid.dll 2007-11-01 21:26 31,744 --a--c--- C:\WINDOWS\system32\dllcache\esucmd.dll 2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\et4000.sys 2007-11-01 21:26 24,632 --a--c--- C:\WINDOWS\system32\dllcache\fpadmcgi.exe 2007-11-01 21:26 24,064 --a--c--- C:\WINDOWS\system32\dllcache\evntcmd.exe 2007-11-01 21:26 20,541 --a--c--- C:\WINDOWS\system32\dllcache\fpadmdll.dll 2007-11-01 21:25 189,440 --a--c--- C:\WINDOWS\system32\dllcache\smtpadm.dll 2007-11-01 21:25 188,494 --a--c--- C:\WINDOWS\system32\dllcache\fpcount.exe 2007-11-01 21:25 76,800 --a--c--- C:\WINDOWS\system32\dllcache\logui.ocx 2007-11-01 21:25 68,608 --a--c--- C:\WINDOWS\system32\dllcache\iisext51.dll 2007-11-01 21:25 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll 2007-11-01 21:25 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll 2007-11-01 21:25 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe 2007-11-01 21:25 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll 2007-11-01 21:25 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll 2007-11-01 21:24 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll 2007-11-01 21:24 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest 2007-11-01 21:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2007-11-01 21:13 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll 2007-11-01 21:13 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-11-01 21:13 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll 2007-11-01 21:12 1,042,903 --a--c--- C:\WINDOWS\system32\dllcache\SP2.CAT 2007-11-01 21:12 31,281 --a--c--- C:\WINDOWS\system32\dllcache\FP4.CAT 2007-11-01 21:12 13,753 --a--c--- C:\WINDOWS\system32\dllcache\IMS.CAT 2007-11-01 21:12 13,472 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT 2007-11-01 21:12 9,581 --a--c--- C:\WINDOWS\system32\dllcache\MSMSGS.CAT . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-23 12:10 --------- d-----w C:\Program Files\Al Muhaddith 2007-11-21 20:51 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Xfire 2007-11-21 02:17 --------- d-s---w C:\Program Files\Xfire 2007-11-18 18:21 --------- d-----w C:\Program Files\iTunes 2007-11-18 16:28 --------- d-----w C:\Program Files\Lavasoft 2007-11-18 16:28 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Lavasoft 2007-11-18 16:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-18 16:21 --------- d-----w C:\Program Files\Viewpoint 2007-11-18 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2007-11-18 16:20 --------- d-----w C:\Program Files\The Weather Channel FW 2007-11-18 16:19 --------- d-----w C:\Program Files\Maxthon 2007-11-18 16:19 --------- d-----w C:\Program Files\Google 2007-11-18 16:19 --------- d-----w C:\Program Files\EA SPORTS 2007-11-18 16:18 --------- d-----w C:\Program Files\Air France TravelDesk 2007-11-18 16:15 --------- d-----w C:\Program Files\Alitalia TravelDesk 2007-11-18 16:14 --------- d-----w C:\Program Files\Pcsx2 2007-11-04 17:27 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys 2007-11-04 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information 2006-08-20 03:28 19,952 -c--a-w C:\Documents and Settings\Younes\Application Data\GDIPFONTCACHEV1.DAT 2006-03-21 01:06 24 -c--a-w C:\Documents and Settings\Ahmad\mylist.dat 2006-03-25 22:34 80 -csha-r C:\WINDOWS\system32\E92AFCCAC8.dll . ((((((((((((((((((((((((((((( [email protected]_12.14.31.03 ))))))))))))))))))))))))))))))))))))))))) . - 2007-08-14 19:02:52 65,390 ----a-w C:\WINDOWS\AisAAAg.dat + 2007-08-15 14:13:48 65,795 ----a-w C:\WINDOWS\AisAAAg.dat - 2007-11-21 17:57:28 4,820,992 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2007-11-22 21:02:41 4,993,024 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat - 2007-11-21 17:57:28 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-11-22 21:02:41 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-11-22 22:54:02 4,608 ----a-r C:\WINDOWS\Installer\{F34D9A5F-484A-4E31-A9D3-908CB265B289}\IconC989D247.exe + 2004-10-16 00:17:02 60,496 ----a-w C:\WINDOWS\system32\drivers\Teefer.sys + 2004-10-16 00:32:38 14,568 ----a-w C:\WINDOWS\system32\drivers\wg3n.sys + 2004-10-16 00:32:40 14,568 ----a-w C:\WINDOWS\system32\drivers\wg4n.sys + 2004-10-16 00:32:42 14,568 ----a-w C:\WINDOWS\system32\drivers\wg5n.sys + 2004-10-16 00:32:44 14,568 ----a-w C:\WINDOWS\system32\drivers\wg6n.sys + 2004-10-16 00:18:46 21,075 ----a-w C:\WINDOWS\system32\drivers\wpsdrvnt.sys + 2004-10-16 00:31:58 99,480 ----a-w C:\WINDOWS\system32\FwsVpn.dll + 2004-10-16 00:31:56 218,264 ----a-w C:\WINDOWS\system32\SetAid.dll + 2004-10-16 00:32:10 83,096 ----a-w C:\WINDOWS\system32\SSSensor.dll + 2007-11-23 13:13:46 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_694.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 16:18] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00] "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-03-08 10:02] "Steam"="c:\program files\steam\steam.exe" [2007-11-18 19:26] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06] "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] Prayer Times.lnk - C:\HAD\PTW.EXE [2006-05-27 09:46:00] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] C:\Program Files\D-Tools\daemon.exe -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2006-02-23 15:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] 2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\C:\WINDOWS\system32\Drivers\Aldebaran.sys S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] \Shell\AutoRun\command - H:\Madden06.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] \Shell\AutoRun\command - I:\RunGame.exe *Newly Created Service* - GTNDIS5 . Contents of the 'Scheduled Tasks' folder "2007-11-22 01:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-23 07:14:50 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-23 7:16:57 - machine was rebooted C:\ComboFix2.txt ... 2007-11-22 15:11 C:\ComboFix3.txt ... 2007-11-22 12:26 . --- E O F ---
  11. alrighty, i'll get on it. As for the firewall, you might have noticed I did get one instead of using windows. I had been using sygate PF for a while, then stopped after i had some issues with it. Now its all good. I'll run the scans here and post the logs.
  12. I actually think I have this thing pinned. Heres my latest log. Its not reappearing anymore after i nailed it with redoing all of your instructions, and on top of that, doing a boot time scan with avast. I've been clean for most of this evening (which is a good sign, usually i'm back to infected in less than an hour) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:23:07 PM, on 11/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\AIM\aim.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\program files\steam\steam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Xfire\Xfire.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Ahmad\Desktop\Ahmad.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- End of file - 6687 bytes hows that look?
  13. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:01:21 PM, on 11/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Ahmad\Desktop\Ahmad.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mghfdndu.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mghfdndu.dll O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: mghfdndu - C:\WINDOWS\SYSTEM32\mghfdndu.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- End of file - 6541 bytes
  14. ComboFix 07-11-19.3 - Ahmad 2007-11-22 12:18:35.4 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.365 [GMT -6:00] Running from: C:\Documents and Settings\Ahmad\Desktop\ComboFix(2).exe Command switches used :: C:\Documents and Settings\Ahmad\Desktop\CFScript.txt FILE C:\WINDOWS\system32\ddayw.dll C:\WINDOWS\system32\wvuvttr.dll C:\WINDOWS\system32\wyadd.ini2 . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\mghfdndu.dllbox . ((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 ))))))))))))))))))))))))))))))) . 2007-11-22 11:13 85,056 --a------ C:\WINDOWS\system32\ydftyata.dll 2007-11-22 11:01 145,984 --a------ C:\WINDOWS\system32\mghfdndu.dll 2007-11-22 11:01 145,984 --a------ C:\WINDOWS\system32\hcstljfi.dll 2007-11-21 19:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire 2007-11-21 12:57 <DIR> d-------- C:\Program Files\Sun 2007-11-21 12:56 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-11-21 12:55 5,097 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log 2007-11-21 12:53 <DIR> d-------- C:\Program Files\Java 2007-11-21 12:53 <DIR> d-------- C:\Program Files\Common Files\Java 2007-11-21 11:57 <DIR> d-------- C:\WINDOWS\ERUNT 2007-11-20 23:35 657,841 ---hs---- C:\WINDOWS\system32\yhbjanoc.ini 2007-11-20 06:29 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-11-19 23:19 816,368 ---hs---- C:\WINDOWS\system32\kycqfolt.ini 2007-11-19 17:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire 2007-11-19 16:46 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft 2007-11-19 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-11-19 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-18 19:26 <DIR> d-------- C:\Program Files\Steam 2007-11-18 13:59 <DIR> d-------- C:\Program Files\Webroot 2007-11-18 13:59 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared 2007-11-18 13:59 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot 2007-11-18 13:59 56,832 --a------ C:\WINDOWS\Unwash6.exe 2007-11-18 11:57 <DIR> d-------- C:\Program Files\Advanced Windows Cleaner 2007-11-18 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-11-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-11-04 11:27 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor 2007-11-04 11:27 374,752 --a------ C:\WINDOWS\system32\WUSBGXP.sys 2007-11-04 11:27 339,488 --a------ C:\WINDOWS\system32\WUSB20XP.sys 2007-11-04 11:27 245,376 --a------ C:\WINDOWS\system32\rt2500usb.sys 2007-11-04 11:27 8,090 --a------ C:\WINDOWS\system32\WUSB54G.cat 2007-11-04 11:27 308 --a------ C:\WINDOWS\system32\results.txt 2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime 2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime 2007-11-01 21:28 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime 2007-11-01 21:28 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2007-11-01 21:28 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime 2007-11-01 21:28 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls 2007-11-01 21:27 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime 2007-11-01 21:27 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll 2007-11-01 21:27 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys 2007-11-01 21:27 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll 2007-11-01 21:26 101,888 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll 2007-11-01 21:26 92,160 --a--c--- C:\WINDOWS\system32\dllcache\evntwin.exe 2007-11-01 21:26 57,856 --a--c--- C:\WINDOWS\system32\dllcache\esuimgd.dll 2007-11-01 21:26 45,056 --a--c--- C:\WINDOWS\system32\dllcache\esunid.dll 2007-11-01 21:26 31,744 --a--c--- C:\WINDOWS\system32\dllcache\esucmd.dll 2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\et4000.sys 2007-11-01 21:26 24,632 --a--c--- C:\WINDOWS\system32\dllcache\fpadmcgi.exe 2007-11-01 21:26 24,064 --a--c--- C:\WINDOWS\system32\dllcache\evntcmd.exe 2007-11-01 21:26 20,541 --a--c--- C:\WINDOWS\system32\dllcache\fpadmdll.dll 2007-11-01 21:25 189,440 --a--c--- C:\WINDOWS\system32\dllcache\smtpadm.dll 2007-11-01 21:25 188,494 --a--c--- C:\WINDOWS\system32\dllcache\fpcount.exe 2007-11-01 21:25 76,800 --a--c--- C:\WINDOWS\system32\dllcache\logui.ocx 2007-11-01 21:25 68,608 --a--c--- C:\WINDOWS\system32\dllcache\iisext51.dll 2007-11-01 21:25 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll 2007-11-01 21:25 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll 2007-11-01 21:25 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe 2007-11-01 21:25 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll 2007-11-01 21:25 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll 2007-11-01 21:24 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll 2007-11-01 21:24 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest 2007-11-01 21:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest 2007-11-01 21:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2007-11-01 21:13 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2007-11-01 21:13 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll 2007-11-01 21:13 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-11-01 21:13 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll 2007-11-01 21:12 1,042,903 --a--c--- C:\WINDOWS\system32\dllcache\SP2.CAT 2007-11-01 21:12 31,281 --a--c--- C:\WINDOWS\system32\dllcache\FP4.CAT 2007-11-01 21:12 13,753 --a--c--- C:\WINDOWS\system32\dllcache\IMS.CAT 2007-11-01 21:12 13,472 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT 2007-11-01 21:12 9,581 --a--c--- C:\WINDOWS\system32\dllcache\MSMSGS.CAT . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-22 17:55 --------- d-----w C:\Program Files\Al Muhaddith 2007-11-22 17:15 80,960 ----a-w C:\WINDOWS\system32\fiotyyao.dll 2007-11-21 20:51 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Xfire 2007-11-21 02:17 --------- d-s---w C:\Program Files\Xfire 2007-11-18 18:21 --------- d-----w C:\Program Files\iTunes 2007-11-18 16:28 --------- d-----w C:\Program Files\Lavasoft 2007-11-18 16:28 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Lavasoft 2007-11-18 16:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-18 16:21 --------- d-----w C:\Program Files\Viewpoint 2007-11-18 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2007-11-18 16:20 --------- d-----w C:\Program Files\The Weather Channel FW 2007-11-18 16:19 --------- d-----w C:\Program Files\Maxthon 2007-11-18 16:19 --------- d-----w C:\Program Files\Google 2007-11-18 16:19 --------- d-----w C:\Program Files\EA SPORTS 2007-11-18 16:18 --------- d-----w C:\Program Files\Air France TravelDesk 2007-11-18 16:15 --------- d-----w C:\Program Files\Alitalia TravelDesk 2007-11-18 16:14 --------- d-----w C:\Program Files\Pcsx2 2007-11-04 17:27 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys 2007-11-04 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-10-04 05:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe 2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-09-06 05:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe 2006-08-20 03:28 19,952 -c--a-w C:\Documents and Settings\Younes\Application Data\GDIPFONTCACHEV1.DAT 2006-03-21 01:06 24 -c--a-w C:\Documents and Settings\Ahmad\mylist.dat 2003-07-31 23:53 147,456 ----a-w C:\WINDOWS\inf\EL2K_XP.sys 2003-07-31 23:50 448,768 ----a-w C:\WINDOWS\inf\EL2K_N64.sys 2003-07-31 23:43 147,456 ----a-w C:\WINDOWS\inf\EL2K_2K.sys 2006-03-25 22:34 80 -csha-r C:\WINDOWS\system32\E92AFCCAC8.dll . ((((((((((((((((((((((((((((( [email protected]_12.14.31.03 ))))))))))))))))))))))))))))))))))))))))) . - 2007-08-14 19:02:52 65,390 ----a-w C:\WINDOWS\AisAAAg.dat + 2007-08-14 19:22:51 65,471 ----a-w C:\WINDOWS\AisAAAg.dat + 2007-11-22 18:22:48 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_650.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}] 2007-11-22 11:01 145984 --a------ C:\WINDOWS\system32\mghfdndu.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mghfdndu.dll [2007-11-22 11:01 145984] [HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 16:18] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00] "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-03-08 10:02] "Steam"="c:\program files\steam\steam.exe" [2007-11-18 19:26] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06] "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:00 C:\WINDOWS\system32\rundll32.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] Prayer Times.lnk - C:\HAD\PTW.EXE [2006-05-27 09:46:00] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mghfdndu] mghfdndu.dll 2007-11-22 11:01 145984 C:\WINDOWS\system32\mghfdndu.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] C:\Program Files\D-Tools\daemon.exe -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2006-02-23 15:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] 2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\C:\WINDOWS\system32\Drivers\Aldebaran.sys S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] \Shell\AutoRun\command - H:\Madden06.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] \Shell\AutoRun\command - I:\RunGame.exe *Newly Created Service* - GTNDIS5 . Contents of the 'Scheduled Tasks' folder "2007-11-22 01:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-22 12:23:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-22 12:26:14 - machine was rebooted C:\ComboFix2.txt ... 2007-11-22 12:15 . --- E O F ---
  15. yep it came back, the pop ups and such. I'll keep on chuggin I haven't tried your latest instructions, doing so now.
  16. I just want you to know how much I really appreciate the help so far. File move failed. C:\WINDOWS\system32\ddayw.dll scheduled to be moved on reboot. File move failed. C:\WINDOWS\system32\wvuvttr.dll scheduled to be moved on reboot. File/Folder C:\WINDOWS\SYSTEM32\fymsrkwy.dll not found. File/Folder C:\WINDOWS\system32\txiaacwj.exe not found. File/Folder C:\WINDOWS\system32\ugasbmwl.exe not found. C:\WINDOWS\system32\ijoimnxc.dll moved successfully. C:\WINDOWS\system32\eywpiwus.dll moved successfully. C:\Documents and Settings\Ahmad\services.exe moved successfully. C:\WINDOWS\system32\jkkiiji.dll moved successfully. C:\WINDOWS\system32\wgwgrcwt.dll moved successfully. C:\WINDOWS\system32\conajbhy.dll moved successfully. C:\WINDOWS\system32\kjolkvmc.exe moved successfully. C:\VundoFix Backups moved successfully. C:\WINDOWS\system32\nnnonll.dll moved successfully. C:\WINDOWS\system32\mbkvrgrp.dll moved successfully. C:\WINDOWS\system32\yaywutq.dll moved successfully. C:\WINDOWS\system32\warawgmj.dll moved successfully. C:\WINDOWS\system32\wyadd.ini2 moved successfully. C:\WINDOWS\system32\vbzip10.dll moved successfully. C:\WINDOWS\system32\yayaywt.dll moved successfully. Folder move failed. C:\SDFix\backups\HOSTS scheduled to be moved on reboot. C:\SDFix\backups moved successfully. Created on 11/21/2007 20:00:46 Deckard's System Scanner v20071014.68 Run by Ahmad on 2007-11-21 20:15:52 Computer is in Normal Mode. -------------------------------------------------------------------------------- System Drive C: has 3.59 GiB (less than 15%) free. -- HijackThis (run as Ahmad.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:16:02 PM, on 11/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\AIM\aim.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Webroot\Washer\wwDisp.exe C:\program files\steam\steam.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Xfire\Xfire.exe C:\Documents and Settings\Ahmad\Desktop\dss.exe C:\DOCUME~1\Ahmad\Desktop\Ahmad.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7D4E49BE-906D-47AE-B4B2-601AB714B307} - C:\WINDOWS\system32\ddayw.dll O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- End of file - 6908 bytes -- Files created between 2007-10-21 and 2007-11-21 ----------------------------- 2007-11-21 20:02:59 485107 --ahs---- C:\WINDOWS\system32\wyadd.ini2 2007-11-21 19:48:02 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire 2007-11-21 13:30:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia 2007-11-21 12:57:07 0 d-------- C:\Program Files\Sun 2007-11-21 12:53:33 0 d-------- C:\Program Files\Java 2007-11-21 12:53:09 0 d-------- C:\Program Files\Common Files\Java 2007-11-21 11:57:10 0 d-------- C:\WINDOWS\ERUNT 2007-11-20 06:29:41 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-11-20 06:29:41 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; > 2007-11-20 06:29:40 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS> 2007-11-20 06:29:40 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility> 2007-11-20 06:29:40 51200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-19 17:51:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire 2007-11-19 16:46:07 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft 2007-11-19 16:45:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-11-19 15:34:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-19 14:28:52 2110 --a------ C:\WINDOWS\system32\tmp.reg 2007-11-18 19:26:22 0 d-------- C:\Program Files\Steam 2007-11-18 13:59:42 0 d-------- C:\Program Files\Webroot 2007-11-18 13:59:42 0 d-------- C:\Program Files\Common Files\Webroot Shared 2007-11-18 13:59:42 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot 2007-11-18 13:59:05 56832 --a------ C:\WINDOWS\Unwash6.exe <Not Verified; Webroot Software, Inc.; > 2007-11-18 11:57:24 0 d-------- C:\Program Files\Advanced Windows Cleaner 2007-11-18 10:49:23 320608 --a------ C:\WINDOWS\system32\ddayw.dll 2007-11-18 10:44:15 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll 2007-11-18 10:42:52 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-11-18 10:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-11-04 11:27:27 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll 2007-11-04 11:27:27 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows> 2007-11-04 11:27:12 0 d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor 2007-11-01 21:30:55 0 d-------- C:\WINDOWS\Prefetch 2007-10-27 10:47:07 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat 2007-10-27 10:47:07 4980736 --a------ C:\Documents and Settings\Ahmad\ntuser.dat -- Find3M Report --------------------------------------------------------------- 2007-11-21 20:13:04 0 d-------- C:\Program Files\Al Muhaddith 2007-11-21 14:51:48 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Xfire 2007-11-21 12:53:09 0 d-------- C:\Program Files\Common Files 2007-11-20 20:17:56 0 d---s---- C:\Program Files\Xfire 2007-11-18 12:21:52 0 d-------- C:\Program Files\iTunes 2007-11-18 10:28:12 0 d-------- C:\Program Files\Lavasoft 2007-11-18 10:28:10 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Lavasoft 2007-11-18 10:27:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-11-18 10:21:39 0 d-------- C:\Program Files\Viewpoint 2007-11-18 10:20:36 0 d-------- C:\Program Files\The Weather Channel FW 2007-11-18 10:19:50 0 d-------- C:\Program Files\Maxthon 2007-11-18 10:19:22 0 d-------- C:\Program Files\Google 2007-11-18 10:19:05 0 d-------- C:\Program Files\EA SPORTS 2007-11-18 10:18:33 0 d-------- C:\Program Files\Air France TravelDesk 2007-11-18 10:15:14 0 d-------- C:\Program Files\Alitalia TravelDesk 2007-11-18 10:14:21 0 d-------- C:\Program Files\Pcsx2 2007-11-04 11:27:22 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-11-01 21:21:38 22720 --a----c- C:\WINDOWS\system32\emptyregdb.dat -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4E49BE-906D-47AE-B4B2-601AB714B307}] 11/18/2007 10:49 AM 320608 --a------ C:\WINDOWS\system32\ddayw.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}] 11/18/2007 10:44 AM 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [02/28/2004 12:12 PM] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 04:06 AM] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/20/2005 01:07 PM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM] "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 06:00 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "AIM"="C:\Program Files\AIM\aim.exe" [04/27/2004 04:18 PM] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 09:49 PM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM] "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/2005 10:02 AM] "Steam"="c:\program files\steam\steam.exe" [11/18/2007 07:26 PM] C:\Documents and Settings\Ahmad\Start Menu\Programs\Startup\ Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 6:16:50 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM] Prayer Times.lnk - C:\HAD\PTW.EXE [5/27/2006 9:46:00 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\wvuvttr.dll [11/18/2007 10:44 AM 36352] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr] wvuvttr.dll 11/18/2007 10:44 AM 36352 C:\WINDOWS\system32\wvuvttr.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] AutoRun\command- H:\Madden06.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] AutoRun\command- I:\RunGame.exe -- End of Deckard's System Scanner: finished at 2007-11-21 20:16:40 ------------ one thing i've noticed, even through the first half of the cleaning, adaware would be picking up win32.trojandownload.zlob despite the lack of popups. I'm going to run it right now to see if its finally gone.
  17. Deckard's System Scanner v20071014.68 Run by Ahmad on 2007-11-21 12:14:54 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Ahmad.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:14:58 PM, on 11/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\AIM\aim.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Webroot\Washer\wwDisp.exe C:\program files\steam\steam.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Ahmad\Desktop\dss.exe C:\DOCUME~1\Ahmad\Desktop\Ahmad.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {137847A6-567A-4A2A-A96D-490AB6B582FB} - C:\WINDOWS\system32\ddayw.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {639DB5AF-9415-468F-B596-AFBF8BC2DD07} - (no file) O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuvttr.dll O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file) O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: fymsrkwy - C:\WINDOWS\ O20 - Winlogon Notify: wvuvttr - C:\WINDOWS\SYSTEM32\wvuvttr.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ugasbmwl.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- End of file - 7047 bytes -- Files created between 2007-10-21 and 2007-11-21 ----------------------------- 2007-11-21 12:08:22 0 d-------- C:\WINDOWS\LastGood 2007-11-21 11:57:10 0 d-------- C:\WINDOWS\ERUNT 2007-11-21 11:11:17 80960 --a------ C:\WINDOWS\system32\ijoimnxc.dll 2007-11-21 11:05:18 85056 --a------ C:\WINDOWS\system32\eywpiwus.dll 2007-11-21 11:01:04 36864 --a------ C:\Documents and Settings\Ahmad\services.exe 2007-11-21 00:04:37 37376 --a------ C:\WINDOWS\system32\jkkiiji.dll 2007-11-20 23:35:14 80960 --a------ C:\WINDOWS\system32\wgwgrcwt.dll 2007-11-20 23:35:08 85056 --a------ C:\WINDOWS\system32\conajbhy.dll 2007-11-20 23:23:05 71232 --a------ C:\WINDOWS\system32\kjolkvmc.exe <Not Verified; ; DDC> 2007-11-20 07:02:09 0 d-------- C:\VundoFix Backups 2007-11-20 06:29:41 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-11-20 06:29:41 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; > 2007-11-20 06:29:40 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS> 2007-11-20 06:29:40 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility> 2007-11-20 06:29:40 51200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-20 06:17:09 37376 --a------ C:\WINDOWS\system32\nnnonll.dll 2007-11-19 23:25:41 84544 --a------ C:\WINDOWS\system32\mbkvrgrp.dll 2007-11-19 17:51:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire 2007-11-19 16:46:07 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Grisoft 2007-11-19 16:45:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-11-19 15:34:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-19 14:28:52 2110 --a------ C:\WINDOWS\system32\tmp.reg 2007-11-19 05:22:55 36352 --a------ C:\WINDOWS\system32\yaywutq.dll 2007-11-18 23:07:37 79424 --a------ C:\WINDOWS\system32\warawgmj.dll 2007-11-18 19:26:22 0 d-------- C:\Program Files\Steam 2007-11-18 13:59:42 0 d-------- C:\Program Files\Webroot 2007-11-18 13:59:42 0 d-------- C:\Program Files\Common Files\Webroot Shared 2007-11-18 13:59:42 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Webroot 2007-11-18 13:59:05 56832 --a------ C:\WINDOWS\Unwash6.exe <Not Verified; Webroot Software, Inc.; > 2007-11-18 11:57:24 0 d-------- C:\Program Files\Advanced Windows Cleaner 2007-11-18 10:49:34 440657 --ahs---- C:\WINDOWS\system32\wyadd.ini2 2007-11-18 10:49:23 320608 --a------ C:\WINDOWS\system32\ddayw.dll 2007-11-18 10:47:54 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ> 2007-11-18 10:44:28 36352 --a------ C:\WINDOWS\system32\yayaywt.dll 2007-11-18 10:44:15 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll 2007-11-18 10:42:52 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-11-18 10:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-11-04 11:27:27 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll 2007-11-04 11:27:27 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows> 2007-11-04 11:27:12 0 d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor 2007-11-01 21:30:55 0 d-------- C:\WINDOWS\Prefetch 2007-10-27 10:47:07 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat 2007-10-27 10:47:07 4980736 --a------ C:\Documents and Settings\Ahmad\ntuser.dat -- Find3M Report --------------------------------------------------------------- 2007-11-21 12:13:48 0 d-------- C:\Program Files\Al Muhaddith 2007-11-20 20:17:56 0 d---s---- C:\Program Files\Xfire 2007-11-20 16:29:45 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Xfire 2007-11-20 07:20:33 0 d-------- C:\Program Files\Common Files 2007-11-18 12:21:52 0 d-------- C:\Program Files\iTunes 2007-11-18 10:28:12 0 d-------- C:\Program Files\Lavasoft 2007-11-18 10:28:10 0 d-------- C:\Documents and Settings\Ahmad\Application Data\Lavasoft 2007-11-18 10:27:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-11-18 10:21:39 0 d-------- C:\Program Files\Viewpoint 2007-11-18 10:20:36 0 d-------- C:\Program Files\The Weather Channel FW 2007-11-18 10:19:50 0 d-------- C:\Program Files\Maxthon 2007-11-18 10:19:22 0 d-------- C:\Program Files\Google 2007-11-18 10:19:05 0 d-------- C:\Program Files\EA SPORTS 2007-11-18 10:18:33 0 d-------- C:\Program Files\Air France TravelDesk 2007-11-18 10:15:14 0 d-------- C:\Program Files\Alitalia TravelDesk 2007-11-18 10:14:21 0 d-------- C:\Program Files\Pcsx2 2007-11-04 11:27:22 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-11-01 21:21:38 22720 --a----c- C:\WINDOWS\system32\emptyregdb.dat -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{137847A6-567A-4A2A-A96D-490AB6B582FB}] 11/18/2007 10:49 AM 320608 --a------ C:\WINDOWS\system32\ddayw.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{639DB5AF-9415-468F-B596-AFBF8BC2DD07}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}] 11/18/2007 10:44 AM 36352 --a------ C:\WINDOWS\system32\wvuvttr.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [02/28/2004 12:12 PM] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 04:06 AM] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/20/2005 01:07 PM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "AIM"="C:\Program Files\AIM\aim.exe" [04/27/2004 04:18 PM] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 09:49 PM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM] "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/2005 10:02 AM] "Steam"="c:\program files\steam\steam.exe" [11/18/2007 07:26 PM] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM] C:\Documents and Settings\Ahmad\Start Menu\Programs\Startup\ Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 6:16:50 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM] Prayer Times.lnk - C:\HAD\PTW.EXE [5/27/2006 9:46:00 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\wvuvttr.dll [11/18/2007 10:44 AM 36352] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fymsrkwy] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvttr] wvuvttr.dll 11/18/2007 10:44 AM 36352 C:\WINDOWS\system32\wvuvttr.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] AutoRun\command- H:\Madden06.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] AutoRun\command- I:\RunGame.exe *Newly Created Service* - CATCHME -- End of Deckard's System Scanner: finished at 2007-11-21 12:16:04 ------------
  18. SDFix: Version 1.115 Run by Ahmad on Wed 11/21/2007 at 11:58 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFIX Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: Trojan Files Found: C:\X.DAT - Deleted C:\Z.DAT - Deleted C:\Documents and Settings\Ahmad\x.dat - Deleted C:\Documents and Settings\Ahmad\z.dat - Deleted C:\DOCUME~1\Ahmad\LOCALS~1\Temp\removalfile.bat - Deleted C:\n.bat - Deleted C:\WINDOWS\b111.exe - Deleted C:\WINDOWS\b128.exe - Deleted C:\WINDOWS\b147.exe - Deleted C:\WINDOWS\Fonts\Crack.exe - Deleted C:\WINDOWS\Fonts\*.zip - 1 File(s) 637,943 bytes - Deleted C:\WINDOWS\Fonts\'\*.zip - 579 File(s) 369,369,576 bytes - Deleted x.dat and z.dat data copied to \SDFix\Data.txt Folder C:\Program Files\InetGet2 - Removed Folder C:\Program Files\Insider - Removed Folder C:\Program Files\Temporary - Removed Folder C:\WINDOWS\Fonts\' - Removed Removing Temp Files... ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-21 12:08:00 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40] "khjeh"=hex:20,02,00,00,6f,d7,bc,ce,37,aa,d4,8f,f3,c4,37,a4,ee,e0,a5,0a,da,.. "hj34z0"=hex:3e,45,ea,e0,4c,98,21,d0,aa,bc,b2,7e,4b,6a,af,da,d9,11,ed,a7,f9,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41] "khjeh"=hex:20,02,00,00,6f,d7,bc,ce,d5,7f,42,c5,f3,c4,37,a4,ee,e0,a5,0a,da,.. "hj34z0"=hex:3e,45,ea,e0,4c,98,21,d0,aa,bc,b2,7e,4b,6a,af,da,d9,11,ed,a7,36,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42] "khjeh"=hex:20,02,00,00,6f,d7,bc,ce,9a,9f,61,14,f3,c4,37,a4,95,f1,a5,0a,d9,.. "hj34z0"=hex:19,44,ea,e0,5c,99,21,d0,aa,bc,b2,7e,4b,6a,af,da,d9,11,ed,a7,4d,.. "hj34z1"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,.. "hj34z2"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,.. "hj34z3"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,.. "hj34z4"=hex:ad,44,ea,e0,24,99,21,d0,ab,bc,b3,7e,4a,6a,af,da,d9,11,ed,a7,e0,.. scanning hidden registry entries ... scanning hidden files ... C:\WINDOWS\system32\CatRoot2\edbtmp.log C:\WINDOWS\LastGood C:\WINDOWS\LastGood\INF C:\WINDOWS\LastGood\INF\oem37.inf 0 bytes C:\WINDOWS\LastGood\INF\oem37.PNF 0 bytes scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 5 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\counter-strike source\\hl2.exe:*:Enabled:hl2" "C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire" "C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare" "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5" "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client" "C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"="C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC" "C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv" "C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2\\hl2.exe:*:Enabled:hl2" "C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\gbpackersfan2005\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2" "C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps" "C:\\Documents and Settings\\Younes\\Desktop\\New Folder\\iTunes.exe"="C:\\Documents and Settings\\Younes\\Desktop\\New Folder\\iTunes.exe:*:Enabled:iTunes" "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\Program Files\\EA SPORTS\\Madden NFL 06\\updater.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 06\\updater.exe:*:Enabled:Updater" "C:\\Program Files\\EA SPORTS\\Madden NFL 06\\mainapp.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 06\\mainapp.exe:*:Enabled:mainapp" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" "C:\\Program Files\\EA SPORTS\\Madden NFL 07\\mainapp.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 07\\mainapp.exe:*:Enabled:mainapp" "C:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe:*:Enabled:Updater" "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\WINDOWS\\system32\\txiaacwj.exe"="C:\\WINDOWS\\system32\\txi" "C:\\WINDOWS\\system32\\ugasbmwl.exe"="C:\\WINDOWS\\system32\\uga" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" Remaining Files: --------------- File Backups: - C:\SDFIX\backups\backups.zip Files with Hidden Attributes: Sat 25 Mar 2006 80 A.SHR --- "C:\WINDOWS\system32\E92AFCCAC8.dll" Sat 8 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Fri 8 Sep 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak" Sat 3 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT4F.tmp" Wed 10 Jan 2007 839,703 A.SH. --- "C:\_OTMoveIt\MovedFiles\WINDOWS\Fonts\svchost.exe" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico1.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico22.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico23.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico24.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico25.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico26.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2B.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2C.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2D.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2E.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico2F.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico30.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico31.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico32.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico33.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico34.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico35.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico36.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico37.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico38.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico39.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3B.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3C.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3D.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3E.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico3F.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico4.tmp" Tue 20 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Ahmad\LOCALS~1\Temp\ico5.tmp" Finished!
  19. C:\WINDOWS\Fonts\svchost.exe moved successfully. File/Folder C:\WINDOWS\mrofinu1188.exe not found. File/Folder C:\Program Files\QdrPack\QdrPack9.exe not found. File/Folder C:\Program Files\QdrPack not found. C:\WINDOWS\b148.exe moved successfully. File/Folder C:\WINDOWS\system32\wqxmflum.dll not found. File/Folder C:\WINDOWS\system32\ohkvfqhg.dll not found. File/Folder C:\Program Files\WinAble\winable.exe not found. File/Folder C:\Program Files\WinAble not found. C:\Program Files\Insider\Insider.exe moved successfully. File/Folder C:\Program Files\Insider\UnInstall.exe not found. Created on 11/21/2007 11:30:01 VundoFix V6.6.2 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Scan started at 7:02:09 AM 11/20/2007 Listing files found while scanning.... C:\windows\system32\efiaxqgt.dll C:\WINDOWS\system32\wqxmflum.dll C:\windows\system32\wqxmflum.dllbox Beginning removal... Attempting to delete C:\windows\system32\efiaxqgt.dll C:\windows\system32\efiaxqgt.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\wqxmflum.dll C:\WINDOWS\system32\wqxmflum.dll Has been deleted! Attempting to delete C:\windows\system32\wqxmflum.dllbox C:\windows\system32\wqxmflum.dllbox Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.6.2 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Scan started at 7:26:33 AM 11/20/2007 Listing files found while scanning.... No infected files were found. VundoFix V6.6.2 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Scan started at 11:42:08 PM 11/20/2007 Listing files found while scanning.... C:\windows\system32\cppzuaod.dll C:\windows\system32\cppzuaod.dllbox C:\windows\system32\hvpftrut.dll Beginning removal... Attempting to delete C:\windows\system32\cppzuaod.dll C:\windows\system32\cppzuaod.dll Could not be deleted. Attempting to delete C:\windows\system32\cppzuaod.dllbox C:\windows\system32\cppzuaod.dllbox Has been deleted! Attempting to delete C:\windows\system32\hvpftrut.dll C:\windows\system32\hvpftrut.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\cppzuaod.dll C:\windows\system32\cppzuaod.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.6.2 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Scan started at 11:14:20 AM 11/21/2007 Listing files found while scanning.... No infected files were found. VundoFix V6.6.2 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Scan started at 11:32:40 AM 11/21/2007 Listing files found while scanning.... C:\windows\system32\fymsrkwy.dll C:\windows\system32\fymsrkwy.dllbox C:\windows\system32\injnuxjt.dll Beginning removal... Attempting to delete C:\windows\system32\fymsrkwy.dll C:\windows\system32\fymsrkwy.dll Could not be deleted. Attempting to delete C:\windows\system32\fymsrkwy.dllbox C:\windows\system32\fymsrkwy.dllbox Has been deleted! Attempting to delete C:\windows\system32\injnuxjt.dll C:\windows\system32\injnuxjt.dll Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\fymsrkwy.dll C:\windows\system32\fymsrkwy.dll Has been deleted! Performing Repairs to the registry. Done!
  20. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:31:29 PM, on 11/19/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\Fonts\svchost.exe C:\WINDOWS\mrofinu1188.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\Fonts\svchost.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Steam\Steam.exe C:\Program Files\Insider\Insider.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\b148.exe C:\Program Files\QdrPack\QdrPack9.exe C:\Documents and Settings\Ahmad\Desktop\HiJackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wqxmflum.dll O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe O4 - HKLM\..\Run: [a4c6cf8e] rundll32.exe "C:\WINDOWS\system32\ohkvfqhg.dll",b O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257 O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [insider] C:\Program Files\Insider\Insider.exe O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe" O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Prayer Times.lnk = C:\HAD\PTW.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- End of file - 6111 bytes i exited out of counterstrike: source and whamo, i am somehow infected. I've tried disabling system restore, and then going into safe mode trying to clean everything out... but I go to reboot, and its back again on startup. Kinda frustrated by this.
  21. Wise words... would be wiser to let me moderate such a forum heh. I love cars.
×
×
  • Create New...