shadowxsssr

Virtumonde & Darksma


I recently got these two viruses/adware/malware, whatever it is, and they cannot be removed. I don't know how I got them, but I have tried everything to remove them. I used CA Internet Suite, AVG, Spyware Terminator, Malwarebytes, Spybot Search & Destroy, Spyware Doctor, VundoFix, and VirtumundoBeGone. Whatever I do, it just seems to reappear again after I restart my computer. It's annoying to get these false popups or alerts saying I need spyware protection or antivirus protection when it itself is the problem.

 

This is my HijackThis log:

 

Logfile of random's system information tool 1.05 (written by random/random)

Run by Victor at 2008-12-22 23:27:02

Microsoft Windows XP Professional Service Pack 3

System drive C: has 13 GB (7%) free of 191 GB

Total RAM: 2046 MB (65% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:28:25 PM, on 12/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Documents and Settings\Victor\Desktop\VundoFix.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Victor\Desktop\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\Victor.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jqsnotify.exe

 

O2 - BHO: (no name) - {26D8B700-70B8-4A22-88C1-3CDCB0E68740} - C:\WINDOWS\system32\iifcDVLb.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c} - C:\Program Files\tujumape\tujumape.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O20 - Winlogon Notify: vtUnnnOe - vtUnnnOe.dll (file missing)

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

 

--

End of file - 5095 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\hvbmgxiu.job

C:\WINDOWS\tasks\rcpxlyju.job

C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job

C:\WINDOWS\tasks\Uniblue SpyEraser.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26D8B700-70B8-4A22-88C1-3CDCB0E68740}]

C:\WINDOWS\system32\iifcDVLb.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-28 320920]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c}]

C:\Program Files\tujumape\tujumape.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-28 34816]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FBF2401B-7447-4727-BE5D-C19B2075CA84}]

CA Toolbar Helper - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll [2008-09-15 275896]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - &Crawler Toolbar - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll [2008-07-11 1190912]

{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-25 2055960]

{10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - CA Toolbar - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll [2008-09-15 275896]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-22 1168264]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

C:\Program Files\AIM\aim.exe [2006-08-01 67112]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

C:\Program Files\ATI Multimedia\main\launchpd.exe [2002-05-02 98304]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe [2002-10-22 159744]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-30 1235736]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafw]

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe [2008-12-21 1504496]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem]

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe [2008-12-21 632048]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfupgrade]

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe [2008-12-21 668912]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAPPActiveProtection]

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe [2008-12-21 324848]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarMD]

C:\Program Files\CarMD\CarMD.exe [2007-12-11 1318912]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2008-12-21 271600]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]

C:\Program Files\CA\CA Internet Security Suite\casc.exe [2008-12-21 349424]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]

C:\PROGRA~1\AIM\\DeadAIM.ocm [2003-02-24 266313]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hujavawoki]

C:\Program Files\tujumape\tujumape.dll []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

C:\Program Files\Nero\Nero 7\InCD\InCD.exe [2007-06-25 1057064]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-22 1168264]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe [2008-12-21 14064]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

C:\WINDOWS\RTHDCPL.EXE [2007-02-26 16125440]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [2007-06-25 1629480]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe [2008-09-11 1783808]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

c:\program files\steam\steam.exe [2008-10-08 1410296]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-28 136600]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-26 185872]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2004-12-14 29696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2005-05-11 282624]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Victor^Start Menu^Programs^Startup^Xfire.lnk]

C:\PROGRA~1\Xfire\xfire.exe [2008-12-11 2990416]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"x10nets"=3

"VETMSGNT"=2

"usnjsvc"=3

"SSScsiSV"=3

"SPTISRV"=3

"SonicStage Back-End Service"=3

"PPCtlPriv"=3

"PACSPTISVR"=3

"NVSvc"=2

"nTuneService"=2

"nSvcIp"=2

"NMIndexingService"=3

"NBService"=3

"MSCSPTISRV"=3

"LightScribeService"=2

"iPod Service"=3

"InCDsrv"=2

"IDriverT"=3

"ForceWare Intelligent Application Manager (IAM)"=2

"avg8wd"=2

"avg8emc"=2

"Apple Mobile Device"=2

"Adobe LM Service"=3

"UmxPol"=2

"UmxFwHlp"=2

"UmxCfg"=2

"UmxAgent"=2

"sp_rssrv"=2

"ITMRTSVC"=2

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtUnnnOe]

vtUnnnOe.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"=C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll [2008-09-15 1377720]

"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= []

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"authentication packages"=msv1_0

C:\WINDOWS\system32\iifcDVLb

"notification packages"=scecli

C:\Program Files\tujumape\tujumape.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"EnableShellExecuteHooks"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\Installation\Setupx.exe"="D:\Installation\Setupx.exe:*:Enabled:Nero ProductSetup"

"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"

"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"

"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"

"C:\Program Files\Steam\steamapps\shadowxsssr\source sdk base 2007\hl2.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\source sdk base 2007\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Steam\steamapps\shadowxsssr\half-life\hl.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\half-life\hl.exe:*:Enabled:Half-Life Launcher"

"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\Program Files\rFactor MP Test\rFactor MP Test.exe"="C:\Program Files\rFactor MP Test\rFactor MP Test.exe:*:Enabled:rFactor"

"C:\Program Files\Steam\steamapps\shadowxsssr\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\counter-strike source\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Steam\steamapps\shadowxsssr\garrysmod\hl2.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\garrysmod\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Steam\steamapps\shadowxsssr\source sdk base\hl2.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\source sdk base\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Steam\steamapps\shadowxsssr\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Steam\steamapps\shadowxsssr\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\shadowxsssr\team fortress 2\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"

"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"

"C:\Program Files\TVUPlayer\TVUPlayer.exe"="C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component"

"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin"="C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:*:Enabled:Project Torque"

"C:\ijji\ENGLISH\u_gbound.exe"="C:\ijji\ENGLISH\u_gbound.exe:*:Enabled:<ijji Downloader>"

"C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme"="C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme:*:Enabled:GunBound"

"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b78f85b-59fa-11dd-b73b-806d6172696f}]

shell\AutoRun\command - D:\autorun.exe

 

 

======List of files/folders created in the last 1 months======

 

2008-12-22 23:27:02 ----D---- C:\rsit

2008-12-22 22:58:17 ----A---- C:\WINDOWS\system32\wvUoNGAP.dll

2008-12-22 22:26:30 ----SH---- C:\WINDOWS\system32\chgkoyfe.ini

2008-12-22 22:23:24 ----A---- C:\WINDOWS\system32\nsdkavcj.dll

2008-12-22 22:18:07 ----A---- C:\WINDOWS\system32\bfdf66aa-.txt

2008-12-22 22:17:23 ----ASH---- C:\WINDOWS\system32\bLVDcfii.ini2

2008-12-22 22:17:23 ----ASH---- C:\WINDOWS\system32\bLVDcfii.ini

2008-12-22 22:13:33 ----D---- C:\Program Files\Spyware Doctor

2008-12-22 22:13:33 ----D---- C:\Documents and Settings\Victor\Application Data\PC Tools

2008-12-22 22:10:34 ----D---- C:\Documents and Settings\Victor\Application Data\gadcom

2008-12-22 21:52:46 ----D---- C:\WINDOWS\pss

2008-12-22 21:47:56 ----D---- C:\Documents and Settings\Victor\Application Data\X10 Commander

2008-12-22 21:38:37 ----D---- C:\Program Files\Trend Micro

2008-12-22 21:34:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

2008-12-22 20:15:57 ----A---- C:\WINDOWS\ntbtlog.txt

2008-12-22 20:00:30 ----D---- C:\VundoFix Backups

2008-12-22 20:00:30 ----A---- C:\VundoFix.txt

2008-12-22 19:56:51 ----D---- C:\Program Files\HijackThis

2008-12-22 19:04:32 ----D---- C:\Documents and Settings\Victor\Application Data\Malwarebytes

2008-12-22 19:04:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-12-22 19:04:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2008-12-22 18:54:28 ----D---- C:\WINDOWS\system32\appmgmt

2008-12-22 16:58:53 ----A---- C:\WINDOWS\wininit.ini

2008-12-22 15:13:22 ----D---- C:\Program Files\Spybot - Search & Destroy

2008-12-22 15:13:22 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 20:27:46 ----D---- C:\WINDOWS\CAVTemp

2008-12-21 20:20:45 ----D---- C:\Documents and Settings\Victor\Application Data\CallingID

2008-12-21 19:57:39 ----D---- C:\Program Files\Common Files\Scanner

2008-12-21 19:57:19 ----A---- C:\WINDOWS\system32\vetredir.dll

2008-12-21 19:57:19 ----A---- C:\WINDOWS\system32\isafprod.dll

2008-12-21 19:57:19 ----A---- C:\WINDOWS\system32\isafeif.dll

2008-12-21 19:57:15 ----A---- C:\caavsetupLog.txt

2008-12-21 19:55:50 ----D---- C:\Program Files\CA

2008-12-21 19:53:00 ----D---- C:\Documents and Settings\All Users\Application Data\CA

2008-12-21 19:51:27 ----A---- C:\caisslog.txt

2008-12-21 19:18:41 ----A---- C:\WINDOWS\system32\ttfuqd.dll

2008-12-21 19:18:39 ----A---- C:\WINDOWS\system32\ydadrvjv.dll

2008-12-21 19:15:36 ----A---- C:\WINDOWS\system32\hwuusawa.dll

2008-12-21 18:27:12 ----A---- C:\WINDOWS\system32\ssqricsq.dll.ren

2008-12-19 21:21:41 ----D---- C:\Program Files\Valve

2008-12-17 18:14:50 ----D---- C:\Program Files\7-Zip

2008-12-11 15:37:44 ----A---- C:\WINDOWS\system32\xfcodec.dll

2008-12-03 22:29:41 ----A---- C:\WINDOWS\system32\ptpusb.dll

2008-12-03 22:29:40 ----A---- C:\WINDOWS\system32\ptpusd.dll

2008-12-01 13:34:56 ----D---- C:\Documents and Settings\All Users\Application Data\WebcamMax

2008-12-01 13:34:52 ----D---- C:\Documents and Settings\Victor\Application Data\Webcammax

2008-12-01 13:34:25 ----D---- C:\Program Files\WebcamMax

2008-11-28 16:48:02 ----A---- C:\WINDOWS\system32\javaws.exe

2008-11-28 16:48:02 ----A---- C:\WINDOWS\system32\javaw.exe

2008-11-28 16:48:02 ----A---- C:\WINDOWS\system32\java.exe

2008-11-28 16:48:02 ----A---- C:\WINDOWS\system32\deploytk.dll

 

======List of files/folders modified in the last 1 months======

 

2008-12-22 23:27:54 ----D---- C:\Program Files\Mozilla Firefox

2008-12-22 23:25:54 ----D---- C:\WINDOWS\system32

2008-12-22 23:25:54 ----D---- C:\WINDOWS

2008-12-22 23:17:19 ----D---- C:\WINDOWS\Temp

2008-12-22 23:17:09 ----D---- C:\WINDOWS\system32\drivers

2008-12-22 23:15:57 ----A---- C:\WINDOWS\SchedLgU.Txt

2008-12-22 23:15:47 ----SH---- C:\boot.ini

2008-12-22 23:15:47 ----A---- C:\WINDOWS\win.ini

2008-12-22 23:15:47 ----A---- C:\WINDOWS\system.ini

2008-12-22 23:03:14 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2008-12-22 22:58:33 ----SD---- C:\WINDOWS\Tasks

2008-12-22 22:13:33 ----RD---- C:\Program Files

2008-12-22 22:10:32 ----D---- C:\WINDOWS\Prefetch

2008-12-22 21:48:15 ----A---- C:\WINDOWS\NeroDigital.ini

2008-12-22 21:45:50 ----D---- C:\Documents and Settings\Victor\Application Data\HP

2008-12-22 21:35:19 ----D---- C:\Documents and Settings\Victor\Application Data\Xfire

2008-12-22 20:31:40 ----D---- C:\Program Files\Steam

2008-12-22 20:28:47 ----D---- C:\WINDOWS\system32\CatRoot2

2008-12-22 18:54:25 ----SHD---- C:\WINDOWS\Installer

2008-12-22 18:54:23 ----HD---- C:\Config.Msi

2008-12-22 14:42:34 ----D---- C:\Documents and Settings\Victor\Application Data\Spyware Terminator

2008-12-21 22:37:33 ----D---- C:\Program Files\Spyware Terminator

2008-12-21 20:17:34 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator

2008-12-21 19:57:39 ----D---- C:\Program Files\Common Files

2008-12-21 19:55:56 ----D---- C:\WINDOWS\system32\wbem

2008-12-21 19:05:16 ----D---- C:\WINDOWS\system32\config

2008-12-21 19:04:56 ----D---- C:\WINDOWS\Registration

2008-12-21 16:45:02 ----D---- C:\Documents and Settings\All Users\Application Data\ATI MMC

2008-12-20 00:51:57 ----D---- C:\Documents and Settings\Victor\Application Data\Adobe

2008-12-17 19:07:20 ----HD---- C:\$AVG8.VAULT$

2008-12-16 21:10:23 ----D---- C:\Program Files\Xfire

2008-12-06 23:04:04 ----D---- C:\Program Files\DivX

2008-12-03 22:29:45 ----RSHDC---- C:\WINDOWS\system32\dllcache

2008-12-03 22:29:37 ----HD---- C:\WINDOWS\inf

2008-12-01 13:29:53 ----D---- C:\Program Files\Adobe

2008-11-28 16:47:41 ----D---- C:\Program Files\Java

2008-11-28 00:36:45 ----A---- C:\WINDOWS\pspvc_path.ini

2008-11-28 00:36:37 ----D---- C:\Program Files\AviSynth 2.5

2008-11-28 00:36:21 ----D---- C:\Program Files\pspvc

2008-11-24 14:41:24 ----D---- C:\WINDOWS\Help

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-30 97928]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-25 26824]

R1 FileDisk;FileDisk; C:\WINDOWS\system32\drivers\FileDisk.sys [2004-06-09 10556]

R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-12-22 66952]

R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-12-22 81288]

R1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys [2007-06-25 36776]

R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys [2007-06-25 38440]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

R1 KmxAgent;KmxAgent; C:\WINDOWS\System32\DRIVERS\kmxagent.sys [2008-08-06 72184]

R1 KmxFile;KmxFile; C:\WINDOWS\System32\DRIVERS\KmxFile.sys [2008-11-04 52728]

R1 KmxFw;KmxFw; C:\WINDOWS\System32\DRIVERS\kmxfw.sys [2008-11-04 115704]

R1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2008-12-21 880560]

R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2008-12-21 21488]

R1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2008-12-21 26352]

R1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2008-12-21 161008]

R1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2008-12-21 21104]

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-25 76040]

R2 CAMTHWDM;WebcamMax, WDM Video Capture; C:\WINDOWS\system32\DRIVERS\CAMTHWDM.sys [2008-03-11 941784]

R2 KmxCF;KmxCF; C:\WINDOWS\System32\DRIVERS\KmxCF.sys [2008-11-04 143864]

R2 KmxSbx;KmxSbx; C:\WINDOWS\System32\DRIVERS\KmxSbx.sys [2008-07-30 58872]

R2 X4HSX32;X4HSX32; \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys []

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture; C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 188506]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3); C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 31003]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar; C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 9882]

R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-01 4484608]

R3 KmxCfg;KmxCfg; C:\WINDOWS\System32\DRIVERS\kmxcfg.sys [2008-11-04 203768]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2007-03-14 62592]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2007-03-14 19968]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

R3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2008-12-21 108368]

R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys [2007-06-25 119080]

S1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 DSDrv4;DSDrv4; \??\C:\PROGRA~1\DScaler\DSDrv4.sys []

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS\nvoclock.sys []

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-07-22 32000]

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]

S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 CAISafe;CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe [2008-08-20 144696]

R2 ccSchedulerSVC;CA Common Scheduler Service; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [2008-12-21 128240]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-28 152984]

R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]

R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-12-22 1079176]

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]

R3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2008-12-21 259312]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]

S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]

S4 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-07-25 72704]

S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]

S4 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]

S4 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]

S4 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2007-01-30 172032]

S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]

S4 InCDsrv;InCD Helper; C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe [2007-06-25 1552680]

S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]

S4 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe [2008-09-29 283888]

S4 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-08-23 79136]

S4 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-12-14 45056]

S4 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040]

S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]

S4 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2007-01-30 180285]

S4 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-03-14 126976]

S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 163908]

S4 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-12-14 57344]

S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-10-02 66872]

S4 PPCtlPriv;PPCtlPriv; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-12-21 222448]

S4 SonicStage Back-End Service;SonicStage Back-End Service; C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe [2007-02-05 112184]

S4 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2008-09-11 570880]

S4 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-12-14 69632]

S4 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2007-02-05 75320]

S4 UmxAgent;HIPS Event Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2008-11-04 1141240]

S4 UmxCfg;HIPS Configuration Interpreter; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2008-11-04 801272]

S4 UmxFwHlp;HIPS Firewall Helper; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [2008-08-06 154104]

S4 UmxPol;HIPS Policy Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-11-04 289272]

S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

S4 VETMSGNT;VET Message Service; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe [2008-12-21 292080]

S4 x10nets;X10 Device Network Service; C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe []

 

-----------------EOF-----------------

 

 

I think part of the problem is in a folder in my Program Files called "GetPack", and my antivirus programs give me alerts on tujumape. I looked in there, with the show hidden files option on, and could not find it.

 

Note: Spybot Search & Destroy keeps finding Virtumonde.dll while my other programs do not; I don't know how to locate and delete this. Also, the CA Internet Security Suite finds Darksma every time after a restart. Are the two the same with different names?

 

Help is much appreciated, and thank you in advance.

 

Edit: I might not reply back for a while, due to being away from my computer.

Edited by shadowxsssr
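The detections above that come back after every restart are what Vundo/Virtumonde-style persistence looks like from the outside, and the ComboFix log posted further down this thread shows the mechanics: randomly named DLLs dropped straight into system32 (some in identical-size pairs), a BHO and a Winlogon Notify package pointing at such DLLs, the same tujumape.dll wired into two load points, and two random-named .job files whose only command is rundll32.exe. The Python script below is an added example and is not part of the original thread or of ComboFix, Spybot or any other tool named here. It parses a ComboFix-style log section by section and flags those indicators. The rule names, the KNOWN_NOTIFY allowlist of Windows XP's own Notify packages, and the "created equals modified to the minute" heuristic are the example's own assumptions; the sample log is an excerpt of the ComboFix output posted in this thread, with the section banners shortened.

```python
"""Triage a ComboFix-style log for the Vundo/Virtumonde persistence pattern.
Added example for this thread, not ComboFix's own code; rules are numbered in triage().
"""
import re
from collections import defaultdict

SYSTEM32 = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.I)
# "created . modified size attrs path" rows; <DIR> rows have no size and do not match
CREATED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)"
                     r"\s+([\d,]+)\s+\S+\s+(.+)$")
DLL_LIKE = re.compile(r"\.(dll|ocx)(\.\w+)?$", re.I)  # also catches x.dll.ren
# Winlogon Notify packages that ship with Windows XP (assumed allowlist)
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "sccertprop", "schedule"}
HEADERS = [("Other Deletions", "deletions"), ("BITS:", "bits"),
           ("Files Created", "created"), ("Find3M", "find3m"),
           ("Reg Loading Points", "registry"), ("Scheduled Tasks", "tasks"),
           ("ORPHANS REMOVED", "orphans"), ("Supplementary Scan", "extra")]


def split_sections(text):
    """Return {section: [non-empty lines]} keyed by ComboFix's banner lines."""
    sections, current = defaultdict(list), "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = [name for key, name in HEADERS
                  if key in line and line.startswith(("(", "-", "Contents"))]
        if banner:
            current = banner[0]
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return [(rule, evidence)] for every log line that trips a rule."""
    s, hits = split_sections(text), []
    # 1. ComboFix removed a loose DLL or INI from system32, Vundo's drop site.
    for line in s["deletions"]:
        m = SYSTEM32.match(line)
        if m and re.search(r"\.(dll|ini\d?)$", m.group(1), re.I):
            hits.append(("deleted-system32-file", m.group(1)))
    # 2. DLL dropped into system32 with created == modified to the minute (installers
    #    copy files built earlier); two of equal size in one minute = Vundo's spare copy.
    twins = defaultdict(list)
    for m in filter(None, map(CREATED.match, s["created"])):
        created, modified, size, path = m.groups()
        inner = SYSTEM32.match(path)
        if inner and DLL_LIKE.search(inner.group(1)) and created == modified:
            hits.append(("fresh-system32-dll", inner.group(1)))
            twins[(created, size)].append(inner.group(1))
    hits += [("twin-dlls", "+".join(sorted(n))) for n in twins.values() if len(n) > 1]
    # 3. Orphaned load points: a BHO living in system32 (real ones live under Program
    #    Files), a Notify package Windows does not ship, a startup entry that is a bare
    #    DLL, and one target wired into more than one kind of load point.
    targets = defaultdict(set)
    for line in s["orphans"]:
        kind, _, target = line.partition(" - ")
        targets[target.lower()].add(kind.split("-", 1)[0])
        if kind.startswith("BHO-") and SYSTEM32.match(target):
            hits.append(("bho-in-system32", target))
        elif kind.startswith("Notify-") and kind[7:].lower() not in KNOWN_NOTIFY:
            hits.append(("winlogon-notify", kind[7:]))
        elif kind.startswith("MSConfigStartUp-") and target.lower().endswith(".dll"):
            hits.append(("startup-dll", target))
    hits += [("multiple-load-points", t) for t, k in targets.items() if len(k) > 1]
    # 4. A .job whose command is bare rundll32.exe: Vundo's random-named tasks.
    for job, cmd in zip(s["tasks"], s["tasks"][1:]):
        if job.lower().endswith(".job") and "rundll32.exe" in cmd.lower():
            hits.append(("rundll32-task", job.rsplit("\\", 1)[-1]))
    # 5. BITS jobs are how the dropper fetched its payload; record the host.
    hits += [("bits-download-site", line) for line in s["bits"] if line.startswith("hxxp://")]
    return hits


# Excerpt of the ComboFix log posted in this thread (section banners shortened).
SAMPLE_LOG = r"""
((( Other Deletions )))
c:\windows\system32\bLVDcfii.ini
c:\windows\system32\femigegi.dll
c:\windows\system32\nsdkavcj.dll
----- BITS: Possible infected sites -----
hxxp://childhe.com
((( Files Created from 2008-11-23 to 2008-12-23 )))
2008-12-22 23:27 . 2008-12-22 23:28 <DIR> d-------- C:\rsit
2008-12-22 22:58 . 2008-12-22 22:58 45,056 --a------ c:\windows\system32\wvUoNGAP.dll
2008-12-21 19:57 . 2008-08-20 18:44 250,544 --a------ c:\windows\system32\KeyHelp.ocx
2008-12-21 19:18 . 2008-12-21 19:18 129,024 --a------ c:\windows\system32\ydadrvjv.dll
2008-12-21 19:18 . 2008-12-21 19:18 129,024 --a------ c:\windows\system32\ttfuqd.dll
2008-12-21 18:27 . 2008-12-21 18:27 34,816 --a------ c:\windows\system32\ssqricsq.dll.ren
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
Contents of the 'Scheduled Tasks' folder
2008-12-23 c:\windows\Tasks\hvbmgxiu.job
- c:\windows\system32\rundll32.exe [2008-04-14 04:42]
2008-12-20 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
- - - - ORPHANS REMOVED - - - -
BHO-{26D8B700-70B8-4A22-88C1-3CDCB0E68740} - c:\windows\system32\iifcDVLb.dll
BHO-{c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c} - c:\program files\tujumape\tujumape.dll
Notify-vtUnnnOe - vtUnnnOe.dll
MSConfigStartUp-hujavawoki - c:\program files\tujumape\tujumape.dll
"""

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:22} {evidence}")
```

Run it as-is to see the hits for the excerpt, or pass a complete ComboFix log to triage(). One caveat is visible in the output: xfcodec.dll, which the log's Drivers32 key registers as the VIDC.XFR1 codec, also trips the same-minute rule, so a timestamp alone never convicts a file. The findings that corroborate each other are the twin DLLs, the BHO sitting in system32, the Notify package Windows does not ship, the DLL referenced from two load points, and the rundll32 tasks; that web of load points is also why a scanner that deletes one DLL but leaves the others in place sees the same detection return after the next reboot.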


Hi shadowxsssr,

 

Please visit the following webpage for instructions for downloading and running ComboFix

 

How to use ComboFix

 

 

Download ComboFix by sUBs from here, saving the file to your desktop.

 

 

Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

  • Close all open programs and windows
  • Double click ComboFix.exe and follow the prompts.
  • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

**NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.



Thank you. I think that officially got rid of the Virtumonde and Darksma trojans. Thank you very much!

 

Also, one last thing: my Internet Explorer keeps freezing when I open it, and this was already happening while Virtumonde was still in effect. I checked all my spyware and antivirus programs and they don't find any more cases of Virtumonde. But I don't know why my Internet Explorer keeps acting up; could there be something else affecting my computer?

 

Here is my ComboFix Log:

 

ComboFix 08-12-21.04 - Victor 2008-12-23 14:46:33.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1647 [GMT -5:00]

Running from: c:\documents and settings\Victor\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Victor\Application Data\gadcom

c:\documents and settings\Victor\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Victor\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

c:\windows\system32\bLVDcfii.ini

c:\windows\system32\bLVDcfii.ini2

c:\windows\system32\chgkoyfe.ini

c:\windows\system32\femigegi.dll

c:\windows\system32\nsdkavcj.dll

c:\windows\wiaserviv.log

 

----- BITS: Possible infected sites -----

 

hxxp://childhe.com

.

((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))

.

 

2008-12-22 23:27 . 2008-12-22 23:28 <DIR> d-------- C:\rsit

2008-12-22 23:01 . 2008-12-22 23:02 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\CallingID

2008-12-22 22:58 . 2008-12-22 22:58 45,056 --a------ c:\windows\system32\wvUoNGAP.dll

2008-12-22 22:13 . 2008-12-22 23:06 <DIR> d-------- c:\program files\Spyware Doctor

2008-12-22 22:13 . 2008-12-22 22:13 <DIR> d-------- c:\documents and settings\Victor\Application Data\PC Tools

2008-12-22 22:13 . 2008-12-22 23:01 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2008-12-22 22:13 . 2008-12-22 23:01 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2008-12-22 22:13 . 2008-12-22 23:01 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys

2008-12-22 22:13 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2008-12-22 21:47 . 2008-12-22 21:47 <DIR> d-------- c:\documents and settings\Victor\Application Data\X10 Commander

2008-12-22 21:38 . 2008-12-22 21:38 <DIR> d-------- c:\program files\Trend Micro

2008-12-22 21:34 . 2008-12-23 14:40 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-12-22 20:00 . 2008-12-22 20:00 <DIR> d-------- C:\VundoFix Backups

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\documents and settings\Victor\Application Data\Malwarebytes

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-22 19:04 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-22 19:04 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-22 16:58 . 2008-12-22 16:58 151 --a------ c:\windows\wininit.ini

2008-12-22 15:13 . 2008-12-22 15:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-22 15:13 . 2008-12-22 17:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 20:27 . 2008-12-23 14:51 <DIR> d-------- c:\windows\CAVTemp

2008-12-21 20:20 . 2008-12-23 00:28 <DIR> d-------- c:\documents and settings\Victor\Application Data\CallingID

2008-12-21 19:57 . 2008-12-21 19:57 <DIR> d-------- c:\program files\Common Files\Scanner

2008-12-21 19:57 . 2008-12-21 20:10 880,560 --a------ c:\windows\system32\drivers\vetefile.sys

2008-12-21 19:57 . 2008-08-20 18:44 250,544 --a------ c:\windows\system32\KeyHelp.ocx

2008-12-21 19:57 . 2008-12-21 20:10 161,008 --a------ c:\windows\system32\drivers\vetmonnt.sys

2008-12-21 19:57 . 2008-12-21 20:10 111,856 --a------ c:\windows\system32\isafprod.dll

2008-12-21 19:57 . 2008-12-21 20:10 108,368 --a------ c:\windows\system32\drivers\veteboot.sys

2008-12-21 19:57 . 2008-08-20 04:42 99,568 --a------ c:\windows\system32\isafeif.dll

2008-12-21 19:57 . 2008-08-20 04:42 83,256 --a------ c:\windows\system32\vetredir.dll

2008-12-21 19:57 . 2008-12-21 20:10 26,352 --a------ c:\windows\system32\drivers\vet-filt.sys

2008-12-21 19:57 . 2008-12-21 20:10 21,488 --a------ c:\windows\system32\drivers\vetfddnt.sys

2008-12-21 19:57 . 2008-12-21 20:10 21,104 --a------ c:\windows\system32\drivers\vet-rec.sys

2008-12-21 19:55 . 2008-12-21 19:57 <DIR> d-------- c:\program files\CA

2008-12-21 19:53 . 2008-12-21 19:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA

2008-12-21 19:18 . 2008-12-21 19:18 129,024 --a------ c:\windows\system32\ydadrvjv.dll

2008-12-21 19:18 . 2008-12-21 19:18 129,024 --a------ c:\windows\system32\ttfuqd.dll

2008-12-21 19:15 . 2008-12-21 19:15 72,704 --a------ c:\windows\system32\hwuusawa.dll

2008-12-21 18:27 . 2008-12-21 18:27 34,816 --a------ c:\windows\system32\ssqricsq.dll.ren

2008-12-19 21:21 . 2008-12-19 21:21 <DIR> d-------- c:\program files\Valve

2008-12-17 18:14 . 2008-12-17 18:14 <DIR> d-------- c:\program files\7-Zip

2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll

2008-12-03 22:29 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll

2008-12-03 22:29 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2008-12-03 22:29 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2008-12-03 22:29 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\program files\WebcamMax

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\documents and settings\Victor\Application Data\Webcammax

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\WebcamMax

2008-12-01 13:34 . 2008-03-11 08:14 941,784 --a------ c:\windows\system32\drivers\CAMTHWDM.sys

2008-11-28 16:48 . 2008-11-28 16:47 410,976 --a------ c:\windows\system32\deploytk.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-23 02:45 --------- d-----w c:\documents and settings\Victor\Application Data\HP

2008-12-23 02:35 --------- d-----w c:\documents and settings\Victor\Application Data\Xfire

2008-12-23 01:31 --------- d-----w c:\program files\Steam

2008-12-22 19:42 --------- d-----w c:\documents and settings\Victor\Application Data\Spyware Terminator

2008-12-22 19:41 0 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-22 03:37 --------- d-----w c:\program files\Spyware Terminator

2008-12-22 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator

2008-12-21 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC

2008-12-17 02:10 --------- d-----w c:\program files\Xfire

2008-12-07 04:04 --------- d-----w c:\program files\DivX

2008-11-28 21:47 --------- d-----w c:\program files\Java

2008-11-28 05:36 --------- d-----w c:\program files\pspvc

2008-11-28 05:36 --------- d-----w c:\program files\AviSynth 2.5

2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-11-17 02:14 --------- d-----w c:\program files\StepMania

2008-11-12 00:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-11-12 00:02 --------- d-----w c:\program files\AGEIA Technologies

2008-11-04 21:32 52,728 ----a-w c:\windows\system32\drivers\KmxFile.sys

2008-11-04 21:32 264,696 ----a-w c:\windows\system32\UmxSbxw.dll

2008-11-04 21:32 203,768 ----a-w c:\windows\system32\drivers\KmxCfg.sys

2008-11-04 21:32 143,864 ----a-w c:\windows\system32\drivers\KmxCF.sys

2008-11-04 21:32 115,704 ----a-w c:\windows\system32\drivers\KmxFw.sys

2008-11-04 21:32 113,144 ----a-w c:\windows\system32\UmxSbxExw.dll

2008-11-04 21:32 107,000 ----a-w c:\windows\system32\drivers\KmxStart.sys

2008-10-26 18:44 499,712 ----a-w c:\windows\system32\msvcp71.dll

2008-10-26 18:44 --------- d-----w c:\program files\Real

2008-10-26 18:44 --------- d-----w c:\program files\Common Files\xing shared

2008-10-26 18:44 --------- d-----w c:\program files\Common Files\Real

2008-10-26 18:40 105,168 ----a-w c:\windows\MozillaUninstall.exe

2008-10-26 18:40 105,168 ----a-w c:\windows\GREUninstall.exe

2008-10-26 18:40 --------- d-----w c:\program files\mozilla.org

2008-10-26 18:40 --------- d-----w c:\program files\Common Files\mozilla.org

2008-10-26 18:40 --------- d-----w c:\documents and settings\Victor\Application Data\Talkback

2008-10-25 04:09 --------- d-----w c:\documents and settings\Victor\Application Data\GetRightToGo

2008-10-02 19:11 111,928 ----a-w c:\windows\system32\PnkBstrB.exe

2008-10-02 18:53 22,328 ----a-w c:\documents and settings\Victor\Application Data\PnkBstrK.sys

2008-10-02 18:53 2,246,144 ----a-w c:\windows\system32\pbsvc.exe

2008-10-02 18:49 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-10-02 15:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-09-15 1377720]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.divxa32"= DivXa32.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Victor^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Victor\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2006-08-01 14:35 67112 c:\program files\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

--------- 2002-05-02 07:57 98304 c:\program files\ATI Multimedia\main\LaunchPd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]

--a------ 2002-10-22 09:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2008-08-30 10:15 1235736 c:\progra~1\AVG\AVG8\avgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafw]

--a------ 2008-12-21 20:11 1504496 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem]

--a------ 2008-12-21 20:11 632048 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfupgrade]

--a------ 2008-12-21 20:11 668912 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAPPActiveProtection]

--a------ 2008-12-21 20:10 324848 c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarMD]

--a------ 2007-12-11 13:23 1318912 c:\program files\CarMD\CarMD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]

--a------ 2008-12-21 20:10 271600 c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]

--a------ 2008-12-21 20:11 349424 c:\program files\CA\CA Internet Security Suite\casc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]

--a------ 2003-02-24 15:11 266313 c:\progra~1\AIM\DeadAIM.ocm

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-06-25 07:47 1057064 c:\program files\Nero\Nero 7\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-12-22 23:02 1168264 c:\program files\Spyware Doctor\pctsTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]

--a----t- 2008-12-21 20:11 14064 c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-06-25 07:47 1629480 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-09-11 19:00 1783808 c:\program files\Spyware Terminator\SpywareTerminatorShield.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-10-08 13:36 1410296 c:\program files\Steam\steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-11-28 16:47 136600 c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2008-10-26 13:44 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 17:43 69632 c:\windows\Alcmtr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2007-02-26 14:03 16125440 c:\windows\RTHDCPL.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 17:04 2879488 c:\windows\SkyTel.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"x10nets"=3 (0x3)

"VETMSGNT"=2 (0x2)

"usnjsvc"=3 (0x3)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"SonicStage Back-End Service"=3 (0x3)

"PPCtlPriv"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"NVSvc"=2 (0x2)

"nTuneService"=2 (0x2)

"nSvcIp"=2 (0x2)

"NMIndexingService"=3 (0x3)

"NBService"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"InCDsrv"=2 (0x2)

"IDriverT"=3 (0x3)

"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"UmxPol"=2 (0x2)

"UmxFwHlp"=2 (0x2)

"UmxCfg"=2 (0x2)

"UmxAgent"=2 (0x2)

"sp_rssrv"=2 (0x2)

"ITMRTSVC"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\source sdk base 2007\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\half-life\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\garrysmod\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\source sdk base\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=

"c:\\ijji\\ENGLISH\\u_gbound.exe"=

"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

 

R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-11-04 107000]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-25 97928]

R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-08-06 72184]

R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-11-04 52728]

R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-11-04 115704]

R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-25 76040]

R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\CAMTHWDM.sys [2008-12-01 941784]

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2008-12-21 128240]

R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-11-04 143864]

R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-07-30 58872]

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2008-07-25 188506]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2008-07-25 31003]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2008-07-25 9882]

R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-11-04 203768]

S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-07-25 0]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-22 356920]

S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-25 875288]

S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-25 231704]

S4 PPCtlPriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-12-21 222448]

S4 UmxAgent;HIPS Event Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2008-11-04 1141240]

S4 UmxCfg;HIPS Configuration Interpreter;"c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2008-11-04 801272]

S4 UmxPol;HIPS Policy Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2008-11-04 289272]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b78f85b-59fa-11dd-b73b-806d6172696f}]

\Shell\AutoRun\command - D:\autorun.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-23 c:\windows\Tasks\hvbmgxiu.job

- c:\windows\system32\rundll32.exe [2008-04-14 04:42]

 

2008-12-23 c:\windows\Tasks\rcpxlyju.job

- c:\windows\system32\rundll32.exe [2008-04-14 04:42]

 

2008-12-20 c:\windows\Tasks\Uniblue SpyEraser Nag.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

 

2008-10-11 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{26D8B700-70B8-4A22-88C1-3CDCB0E68740} - c:\windows\system32\iifcDVLb.dll

BHO-{c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c} - c:\program files\tujumape\tujumape.dll

Notify-vtUnnnOe - vtUnnnOe.dll

MSConfigStartUp-hujavawoki - c:\program files\tujumape\tujumape.dll

 

 

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.google.com

IE: Crawler Search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

LSP: c:\windows\system32\VetRedir.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll

FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\plugins\npSeeTooAddon.dll

FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-23 14:50:24

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'lsass.exe'(1588)

c:\windows\system32\nvappfilter.dll

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-12-23 14:55:39 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-23 19:55:35

 

Pre-Run: 13,105,618,944 bytes free

Post-Run: 13,307,748,352 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

380

 

Thanks again, much appreciation. B)


Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

 

Filename: CFScript.txt

Save As Type: All Files (*.*)

 

http://forums.pcpitstop.com/index.php?s=&showtopic=163625&view=findpost&p=1554007

Collect::
c:\windows\system32\wvUoNGAP.dll
c:\windows\system32\ydadrvjv.dll
c:\windows\system32\ttfuqd.dll
c:\windows\system32\hwuusawa.dll
c:\windows\system32\ssqricsq.dll.ren
File::
c:\windows\Tasks\hvbmgxiu.job
c:\windows\Tasks\rcpxlyju.job
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b78f85b-59fa-11dd-b73b-806d6172696f}]

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

 

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

 

Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!

 

Next please do an online scan with Kaspersky Online Scanner

 

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

 

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

 

Post the Kaspersky log

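The two tasks the CFScript above deletes (hvbmgxiu.job and rcpxlyju.job) share a pattern worth recognising in any ComboFix log: an eight-letter random-looking .job name whose only target is rundll32.exe with no DLL argument shown. The script below is an added example, not part of the thread or of ComboFix; it parses the "Scheduled Tasks" section (sample lines constructed from the log posted earlier) and flags entries matching that pattern while leaving the legitimately named Uniblue tasks alone.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself. It flags
.job entries whose file name is a run of random-looking lowercase letters and
whose target is rundll32.exe with no visible argument, the pattern of the two
tasks the helper removed. Sample lines are constructed from the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: the task section as ComboFix prints it (date and job
# path on one line, then a "- target [timestamp]" line).
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\\windows\\Tasks\\hvbmgxiu.job
- c:\\windows\\system32\\rundll32.exe [2008-04-14 04:42]

2008-12-23 c:\\windows\\Tasks\\rcpxlyju.job
- c:\\windows\\system32\\rundll32.exe [2008-04-14 04:42]

2008-12-20 c:\\windows\\Tasks\\Uniblue SpyEraser Nag.job
- c:\\program files\\Uniblue\\SpyEraser\\SpyEraser.exe []

2008-10-11 c:\\windows\\Tasks\\Uniblue SpyEraser.job
- c:\\program files\\Uniblue\\SpyEraser\\SpyEraser.exe []
.
"""

JOB_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+\.job)$", re.I)
TARGET_LINE = re.compile(r"^-\s+(.+?)\s+\[(.*)\]$")
# Heuristic for machine-generated names: 6-10 lowercase letters, nothing else.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}\.job$")


@dataclass
class Task:
    date: str
    path: str
    target: str


def parse_tasks(text):
    """Return Task records from the 'Scheduled Tasks' section of a log."""
    tasks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_LINE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = TARGET_LINE.match(line)
        if m and pending:
            tasks.append(Task(pending[0], pending[1], m.group(1)))
            pending = None
    return tasks


def looks_random(filename):
    """True for names like hvbmgxiu.job: all lowercase letters and at least
    one cluster of three consecutive consonants (real words rarely have it)."""
    lowered = filename.lower()
    if not RANDOM_NAME.match(lowered):
        return False
    stem = lowered.rsplit(".", 1)[0]
    return re.search(r"[^aeiou]{3}", stem) is not None


def suspicious(task):
    """Random-looking job name whose target is bare rundll32.exe (no DLL
    argument visible), i.e. the pattern seen in the posted log."""
    name = task.path.rsplit("\\", 1)[-1]
    bare_rundll32 = task.target.lower().endswith("rundll32.exe")
    return looks_random(name) and bare_rundll32


def triage(text):
    """Return the job paths in the log that match the suspicious pattern."""
    return [t.path for t in parse_tasks(text) if suspicious(t)]


if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("suspicious task:", path)
```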

Alright noahdfear, I uploaded the zip file as you requested. :mrgreen:

 

My kaspersky log is here:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, December 24, 2008

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, December 24, 2008 01:11:44

Records in database: 1507057

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 142434

Threat name: 2

Infected objects: 2

Suspicious objects: 0

Duration of the scan: 01:50:26

 

 

File name / Threat name / Threats count

C:\Documents and Settings\Victor\Local Settings\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\Cache(3)\8A7004B7d01 Infected: Trojan.Win32.FraudPack.imt 1

C:\R8VE.exe Infected: Hoax.Win32.Bravia.jk 1

 

The selected area was scanned.

 

And the ComboFix log again:

 

ComboFix 08-12-21.04 - Victor 2008-12-24 0:50:04.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1464 [GMT -5:00]

Running from: c:\documents and settings\Victor\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Victor\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

c:\windows\Tasks\hvbmgxiu.job

c:\windows\Tasks\rcpxlyju.job

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\hwuusawa.dll

c:\windows\system32\ssqricsq.dll.ren

c:\windows\system32\ttfuqd.dll

c:\windows\system32\wvUoNGAP.dll

c:\windows\system32\ydadrvjv.dll

c:\windows\Tasks\hvbmgxiu.job

c:\windows\Tasks\rcpxlyju.job

c:\windows\Temp\tmp3.tmp

 

----- BITS: Possible infected sites -----

 

hxxp://childhe.com

.

((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))

.

 

2008-12-22 23:27 . 2008-12-22 23:28 <DIR> d-------- C:\rsit

2008-12-22 23:01 . 2008-12-23 15:01 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\CallingID

2008-12-22 22:13 . 2008-12-22 23:06 <DIR> d-------- c:\program files\Spyware Doctor

2008-12-22 22:13 . 2008-12-22 22:13 <DIR> d-------- c:\documents and settings\Victor\Application Data\PC Tools

2008-12-22 22:13 . 2008-12-22 23:01 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2008-12-22 22:13 . 2008-12-22 23:01 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2008-12-22 22:13 . 2008-12-22 23:01 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys

2008-12-22 22:13 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2008-12-22 21:47 . 2008-12-22 21:47 <DIR> d-------- c:\documents and settings\Victor\Application Data\X10 Commander

2008-12-22 21:38 . 2008-12-22 21:38 <DIR> d-------- c:\program files\Trend Micro

2008-12-22 21:34 . 2008-12-24 00:43 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-12-22 20:00 . 2008-12-22 20:00 <DIR> d-------- C:\VundoFix Backups

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\documents and settings\Victor\Application Data\Malwarebytes

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-22 19:04 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-22 19:04 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-22 16:58 . 2008-12-22 16:58 151 --a------ c:\windows\wininit.ini

2008-12-22 15:13 . 2008-12-22 15:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-22 15:13 . 2008-12-22 17:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 20:27 . 2008-12-24 00:38 <DIR> d-------- c:\windows\CAVTemp

2008-12-21 20:20 . 2008-12-23 15:01 <DIR> d-------- c:\documents and settings\Victor\Application Data\CallingID

2008-12-21 19:57 . 2008-12-21 19:57 <DIR> d-------- c:\program files\Common Files\Scanner

2008-12-21 19:57 . 2008-12-21 20:10 880,560 --a------ c:\windows\system32\drivers\vetefile.sys

2008-12-21 19:57 . 2008-08-20 18:44 250,544 --a------ c:\windows\system32\KeyHelp.ocx

2008-12-21 19:57 . 2008-12-21 20:10 161,008 --a------ c:\windows\system32\drivers\vetmonnt.sys

2008-12-21 19:57 . 2008-12-21 20:10 111,856 --a------ c:\windows\system32\isafprod.dll

2008-12-21 19:57 . 2008-12-21 20:10 108,368 --a------ c:\windows\system32\drivers\veteboot.sys

2008-12-21 19:57 . 2008-08-20 04:42 99,568 --a------ c:\windows\system32\isafeif.dll

2008-12-21 19:57 . 2008-08-20 04:42 83,256 --a------ c:\windows\system32\vetredir.dll

2008-12-21 19:57 . 2008-12-21 20:10 26,352 --a------ c:\windows\system32\drivers\vet-filt.sys

2008-12-21 19:57 . 2008-12-21 20:10 21,488 --a------ c:\windows\system32\drivers\vetfddnt.sys

2008-12-21 19:57 . 2008-12-21 20:10 21,104 --a------ c:\windows\system32\drivers\vet-rec.sys

2008-12-21 19:55 . 2008-12-21 19:57 <DIR> d-------- c:\program files\CA

2008-12-21 19:53 . 2008-12-21 19:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA

2008-12-19 21:21 . 2008-12-19 21:21 <DIR> d-------- c:\program files\Valve

2008-12-17 18:14 . 2008-12-17 18:14 <DIR> d-------- c:\program files\7-Zip

2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll

2008-12-03 22:29 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll

2008-12-03 22:29 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2008-12-03 22:29 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2008-12-03 22:29 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\program files\WebcamMax

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\documents and settings\Victor\Application Data\Webcammax

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\WebcamMax

2008-12-01 13:34 . 2008-03-11 08:14 941,784 --a------ c:\windows\system32\drivers\CAMTHWDM.sys

2008-11-28 16:48 . 2008-11-28 16:47 410,976 --a------ c:\windows\system32\deploytk.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-23 02:45 --------- d-----w c:\documents and settings\Victor\Application Data\HP

2008-12-23 02:35 --------- d-----w c:\documents and settings\Victor\Application Data\Xfire

2008-12-23 01:31 --------- d-----w c:\program files\Steam

2008-12-22 19:42 --------- d-----w c:\documents and settings\Victor\Application Data\Spyware Terminator

2008-12-22 19:41 0 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-22 03:37 --------- d-----w c:\program files\Spyware Terminator

2008-12-22 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator

2008-12-21 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC

2008-12-17 02:10 --------- d-----w c:\program files\Xfire

2008-12-07 04:04 --------- d-----w c:\program files\DivX

2008-11-28 21:47 --------- d-----w c:\program files\Java

2008-11-28 05:36 --------- d-----w c:\program files\pspvc

2008-11-28 05:36 --------- d-----w c:\program files\AviSynth 2.5

2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-11-17 02:14 --------- d-----w c:\program files\StepMania

2008-11-12 00:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-11-12 00:02 --------- d-----w c:\program files\AGEIA Technologies

2008-11-04 21:32 52,728 ----a-w c:\windows\system32\drivers\KmxFile.sys

2008-11-04 21:32 264,696 ----a-w c:\windows\system32\UmxSbxw.dll

2008-11-04 21:32 203,768 ----a-w c:\windows\system32\drivers\KmxCfg.sys

2008-11-04 21:32 143,864 ----a-w c:\windows\system32\drivers\KmxCF.sys

2008-11-04 21:32 115,704 ----a-w c:\windows\system32\drivers\KmxFw.sys

2008-11-04 21:32 113,144 ----a-w c:\windows\system32\UmxSbxExw.dll

2008-11-04 21:32 107,000 ----a-w c:\windows\system32\drivers\KmxStart.sys

2008-10-26 18:44 499,712 ----a-w c:\windows\system32\msvcp71.dll

2008-10-26 18:44 --------- d-----w c:\program files\Real

2008-10-26 18:44 --------- d-----w c:\program files\Common Files\xing shared

2008-10-26 18:44 --------- d-----w c:\program files\Common Files\Real

2008-10-26 18:40 105,168 ----a-w c:\windows\MozillaUninstall.exe

2008-10-26 18:40 105,168 ----a-w c:\windows\GREUninstall.exe

2008-10-26 18:40 --------- d-----w c:\program files\mozilla.org

2008-10-26 18:40 --------- d-----w c:\program files\Common Files\mozilla.org

2008-10-26 18:40 --------- d-----w c:\documents and settings\Victor\Application Data\Talkback

2008-10-25 04:09 --------- d-----w c:\documents and settings\Victor\Application Data\GetRightToGo

2008-10-02 19:11 111,928 ----a-w c:\windows\system32\PnkBstrB.exe

2008-10-02 18:53 22,328 ----a-w c:\documents and settings\Victor\Application Data\PnkBstrK.sys

2008-10-02 18:53 2,246,144 ----a-w c:\windows\system32\pbsvc.exe

2008-10-02 18:49 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-10-02 15:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-09-15 1377720]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.divxa32"= DivXa32.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Victor^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Victor\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2006-08-01 14:35 67112 c:\program files\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

--------- 2002-05-02 07:57 98304 c:\program files\ATI Multimedia\main\LaunchPd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]

--a------ 2002-10-22 09:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2008-08-30 10:15 1235736 c:\progra~1\AVG\AVG8\avgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafw]

--a------ 2008-12-21 20:11 1504496 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem]

--a------ 2008-12-21 20:11 632048 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfupgrade]

--a------ 2008-12-21 20:11 668912 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAPPActiveProtection]

--a------ 2008-12-21 20:10 324848 c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarMD]

--a------ 2007-12-11 13:23 1318912 c:\program files\CarMD\CarMD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]

--a------ 2008-12-21 20:10 271600 c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]

--a------ 2008-12-21 20:11 349424 c:\program files\CA\CA Internet Security Suite\casc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]

--a------ 2003-02-24 15:11 266313 c:\progra~1\AIM\DeadAIM.ocm

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-06-25 07:47 1057064 c:\program files\Nero\Nero 7\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-12-22 23:02 1168264 c:\program files\Spyware Doctor\pctsTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]

--a----t- 2008-12-21 20:11 14064 c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-06-25 07:47 1629480 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-09-11 19:00 1783808 c:\program files\Spyware Terminator\SpywareTerminatorShield.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-10-08 13:36 1410296 c:\program files\Steam\steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-11-28 16:47 136600 c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2008-10-26 13:44 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 17:43 69632 c:\windows\Alcmtr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2007-02-26 14:03 16125440 c:\windows\RTHDCPL.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 17:04 2879488 c:\windows\SkyTel.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"x10nets"=3 (0x3)

"VETMSGNT"=2 (0x2)

"usnjsvc"=3 (0x3)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"SonicStage Back-End Service"=3 (0x3)

"PPCtlPriv"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"NVSvc"=2 (0x2)

"nTuneService"=2 (0x2)

"nSvcIp"=2 (0x2)

"NMIndexingService"=3 (0x3)

"NBService"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"InCDsrv"=2 (0x2)

"IDriverT"=3 (0x3)

"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"UmxPol"=2 (0x2)

"UmxFwHlp"=2 (0x2)

"UmxCfg"=2 (0x2)

"UmxAgent"=2 (0x2)

"sp_rssrv"=2 (0x2)

"ITMRTSVC"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\source sdk base 2007\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\half-life\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\garrysmod\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\source sdk base\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=

"c:\\ijji\\ENGLISH\\u_gbound.exe"=

"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

 

R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-11-04 107000]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-25 97928]

R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-08-06 72184]

R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-11-04 52728]

R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-11-04 115704]

R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-25 76040]

R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\CAMTHWDM.sys [2008-12-01 941784]

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2008-12-21 128240]

R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-11-04 143864]

R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-07-30 58872]

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2008-07-25 188506]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2008-07-25 31003]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2008-07-25 9882]

R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-11-04 203768]

S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-07-25 0]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-22 356920]

S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-25 875288]

S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-25 231704]

S4 PPCtlPriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-12-21 222448]

S4 UmxAgent;HIPS Event Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2008-11-04 1141240]

S4 UmxCfg;HIPS Configuration Interpreter;"c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2008-11-04 801272]

S4 UmxPol;HIPS Policy Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2008-11-04 289272]

 

*Newly Created Service* - CATCHME

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-20 c:\windows\Tasks\Uniblue SpyEraser Nag.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

 

2008-10-11 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.google.com

IE: Crawler Search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

LSP: c:\windows\system32\VetRedir.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll

FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\plugins\npSeeTooAddon.dll

FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-24 00:54:29

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'lsass.exe'(1920)

c:\windows\system32\nvappfilter.dll

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

.

Completion time: 2008-12-24 0:56:56

ComboFix-quarantined-files.txt 2008-12-24 05:56:53

ComboFix2.txt 2008-12-23 19:55:41

 

Pre-Run: 13,295,161,344 bytes free

Post-Run: 13,278,334,976 bytes free

 

356

 

 

Also, I forgot to mention something. When I turn on my computer, I get a red x logo in a windows popup menu titled "RUNDLL" and it says it cannot find or run "C:\Program Files\tujumape\tujumape.dll," which I thought I got rid of by now. I guess rundll is still trying to launch it, but it's just not on my computer anymore.

Edited by shadowxsssr


Delete the C:\R8VE.exe file.

 

Download ATF Cleaner by Atribune and save it to your Desktop.

  • Double click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

The rest are optional - if you want it to remove everything check "Select All". Finally, click Empty Selected. Now select the Firefox option and clear at least the temporary files. When you get the "Done Cleaning" message, click OK then exit. Reboot.

 

 

Open HijackThis to the Misc Tools section.

Check both boxes in the StartupList section then click Generate Startuplist log.

Post the contents of that log here.


StartupList report, 12/24/2008, 11:21:23 PM

StartupList version: 1.52.2

Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE

Detected: Windows XP SP3 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP3 (6.00.2900.5512)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Victor\Start Menu\Programs\Startup]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

*No files*

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SkyTel = SkyTel.EXE

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

SecurDisc = C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"

AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe

SpywareTerminator = "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

CarMD = C:\Program Files\CarMD\CarMD.exe

AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

cctray = C:\Program Files\CA\CA Internet Security Suite\casc.exe

CAVRID = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

cafw = C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

capfasem = C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

capfupgrade = C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

QOELOADER = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe"

CAPPActiveProtection = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"

hujavawoki = Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s

ISTray = "C:\Program Files\Spyware Doctor\pctsTray.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

ATI Remote Control = "C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe"

(Default) =

LightScribe Control Panel = C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

SpybotDeletingB2019 = command /c del "C:\Program Files\GetPack\trgtame.gz"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\ComFile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

 

[{10880D85-AAD9-4558-ABDC-2AB1552D831F}] *

StubPath = "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *

StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *

StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

(no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

(no name) - (no file) - {c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c}

(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

CA Toolbar Helper - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll - {FBF2401B-7447-4727-BE5D-C19B2075CA84}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Uniblue SpyEraser Nag.job

Uniblue SpyEraser.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[MySpace Uploader Control]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\MySpaceUploader.ocx

CODEBASE = http://lads.myspace.com/upload/MySpaceUploader1006.cab

 

[Java Plug-in 1.6.0_10]

InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

 

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]

CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

 

[Java Plug-in 1.6.0_07]

InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

 

[Java Plug-in 1.6.0_10]

InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

 

[Java Plug-in 1.6.0_10]

InProcServer32 = C:\Program Files\Java\jre6\bin\npjpi160_10.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

Protocol #1: C:\WINDOWS\system32\nvappfilter.dll

Protocol #2: C:\WINDOWS\system32\nvappfilter.dll

Protocol #3: C:\WINDOWS\system32\nvappfilter.dll

Protocol #4: C:\WINDOWS\system32\VetRedir.dll

Protocol #5: C:\WINDOWS\system32\mswsock.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\rsvpsp.dll

Protocol #9: C:\WINDOWS\system32\rsvpsp.dll

Protocol #10: C:\WINDOWS\system32\nvappfilter.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

Protocol #16: C:\WINDOWS\system32\mswsock.dll

Protocol #17: C:\WINDOWS\system32\mswsock.dll

Protocol #18: C:\WINDOWS\system32\mswsock.dll

Protocol #19: C:\WINDOWS\system32\VetRedir.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)

Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (disabled)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD: \SystemRoot\System32\drivers\afd.sys (system)

Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)

Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)

Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (disabled)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)

RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)

ATI TV Wonder Pro A/V Capture: system32\drivers\aticxcap.sys (manual start)

ATI TV Wonder Pro Tuner (Philips 1236 MK3): system32\drivers\aticxtun.sys (manual start)

ATI TV Wonder Pro A/V Crossbar: system32\drivers\aticxxbr.sys (manual start)

ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)

AVG Free8 E-mail Scanner: C:\PROGRA~1\AVG\AVG8\avgemc.exe (disabled)

AVG Free8 WatchDog: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (disabled)

AVG Free AVI Loader Driver x86: \SystemRoot\System32\Drivers\avgldx86.sys (system)

AVG Free On-access Scanner Minifilter Driver x86: \SystemRoot\System32\Drivers\avgmfx86.sys (system)

AVG Free8 Network Redirector: \SystemRoot\System32\Drivers\avgtdix.sys (autostart)

Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

CaCCProvSP: "C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe" (manual start)

CAISafe: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe (autostart)

WebcamMax, WDM Video Capture: system32\DRIVERS\CAMTHWDM.sys (autostart)

catchme: \??\C:\ComboFix\catchme.sys (manual start)

Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)

CA Common Scheduler Service: C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe (autostart)

CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)

.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)

COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)

DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Disk Driver: system32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Logical Disk Manager Driver: System32\drivers\dmio.sys (system)

dmload: System32\drivers\dmload.sys (system)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)

Wired AutoConfig: %SystemRoot%\System32\svchost.exe -k dot3svc (manual start)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

DSDrv4: \??\C:\PROGRA~1\DScaler\DSDrv4.sys (manual start)

Extensible Authentication Protocol Service: %SystemRoot%\System32\svchost.exe -k eapsvcs (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)

Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)

FltMgr: system32\drivers\fltmgr.sys (system)

ForceWare Intelligent Application Manager (IAM): C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe (disabled)

Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)

GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)

giveio: system32\giveio.sys (system)

Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)

Microsoft UAA Bus Driver for High Definition Audio: system32\DRIVERS\HDAudBus.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)

Health Key and Certificate Management Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

HTTP: System32\Drivers\HTTP.sys (manual start)

HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)

i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)

InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" (disabled)

File Security Driver: \SystemRoot\system32\drivers\ikfilesec.sys (manual start)

System Filter Driver: system32\drivers\iksysflt.sys (manual start)

System Security Driver: system32\drivers\iksyssec.sys (manual start)

CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)

IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)

InCD File System: system32\drivers\InCDFs.sys (disabled)

InCDPass: system32\drivers\InCDPass.sys (system)

InCD Reader: system32\drivers\InCDRm.sys (system)

InCD Helper: C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (disabled)

Service for Realtek HD Audio (WDM): system32\drivers\RtkHDAud.sys (manual start)

Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)

IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)

IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)

iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (disabled)

IPSEC driver: system32\DRIVERS\ipsec.sys (system)

IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)

PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)

CA Pest Patrol Realtime Protection Service: "C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe" (disabled)

Java Quick Starter: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" (autostart)

Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

KmxAgent: System32\DRIVERS\kmxagent.sys (system)

KmxCF: System32\DRIVERS\KmxCF.sys (autostart)

KmxCfg: System32\DRIVERS\kmxcfg.sys (manual start)

KmxFile: System32\DRIVERS\KmxFile.sys (system)

KmxFw: System32\DRIVERS\kmxfw.sys (system)

KmxSbx: System32\DRIVERS\KmxSbx.sys (autostart)

KmxStart: System32\DRIVERS\kmxstart.sys (system)

Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (disabled)

TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)

Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)

Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)

WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: system32\DRIVERS\mrxsmb.sys (system)

MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (disabled)

Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)

Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)

Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)

NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)

Network Access Protection Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NBService: C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (disabled)

Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)

Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: system32\DRIVERS\netbios.sys (system)

NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (disabled)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)

Net Logon: %SystemRoot%\system32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

NMIndexingService: "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" (disabled)

ForceWare IP service: C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (disabled)

NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

nTune Service: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService (disabled)

nv: system32\DRIVERS\nv4_mini.sys (manual start)

nvata: system32\DRIVERS\nvata.sys (system)

NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys (manual start)

NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)

NVR0Dev: \??\C:\WINDOWS\nvoclock.sys (manual start)

NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (disabled)

IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)

PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (disabled)

PCI Bus Driver: system32\DRIVERS\pci.sys (system)

PCIIde: system32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

PnkBstrA: C:\WINDOWS\system32\PnkBstrA.exe (disabled)

IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)

PPCtlPriv: "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" (disabled)

WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)

PxHelp20: System32\Drivers\PxHelp20.sys (system)

Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: system32\DRIVERS\raspti.sys (manual start)

Rdbss: system32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)

Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

PC Tools Auxiliary Service: C:\Program Files\Spyware Doctor\pctsAuxs.exe (manual start)

PC Tools Security Service: C:\Program Files\Spyware Doctor\pctsSvc.exe (manual start)

Secdrv: system32\DRIVERS\secdrv.sys (manual start)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)

Serial port driver: system32\DRIVERS\serial.sys (system)

Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)

SonicStage Back-End Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe" (disabled)

speedfan: system32\speedfan.sys (system)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (disabled)

Spyware Terminator Driver 2: \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys (system)

Spyware Terminator Realtime Shield Service: "C:\Program Files\Spyware Terminator\sp_rsser.exe" (disabled)

System Restore Filter Driver: system32\DRIVERS\sr.sys (system)

System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Srv: system32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)

SonicStage SCSI Service: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (disabled)

Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)

BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)

Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{DE0CD01B-E96D-44A6-A1C3-44512A92B4ED} (manual start)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)

Terminal Device Driver: system32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)

HIPS Event Manager: "C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" (disabled)

HIPS Configuration Interpreter: "C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" (disabled)

HIPS Firewall Helper: "C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe" (disabled)

HIPS Policy Manager: "C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" (disabled)

Microcode Update Driver: system32\DRIVERS\update.sys (manual start)

Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

Apple Mobile USB Driver: System32\Drivers\usbaapl.sys (manual start)

Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)

Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)

USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)

Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)

Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)

USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)

USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)

Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (disabled)

User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

VET Message Service: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe (autostart)

VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)

WpdUsb: System32\Drivers\wpdusb.sys (manual start)

Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)

Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)

Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

X10 Device Network Service: C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (disabled)

X4HSX32: \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys (autostart)

Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\system32\webcheck.dll

SysTray: C:\WINDOWS\system32\stobject.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*No values found*

 

--------------------------------------------------

 

End of report, 40,059 bytes

Report generated in 0.187 seconds


TeaTimer is an excellent tool for the prevention of spyware, though it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Reboot.

 

Download ResetTeaTimer.bat by right clicking the link and selecting Save Target As and save it to your desktop.

Now double click ResetTeaTimer.bat to run it.

Then, since it will not be needed again, delete ResetTeaTimer.bat.

 

Now do a scan with HijackThis. You should see an entry similar to the following.

 

O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s

 

Place a check in the box next to the entry then click Fix Checked.

When complete, reboot once more, then scan with HijackThis and save the log. Post that log here.

Edited by noahdfear


Hmm... I did everything you said and it still comes up with that message when I boot up my computer.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:23:43 AM, on 12/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [CarMD] C:\Program Files\CarMD\CarMD.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe"

O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"

O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

 

--

End of file - 7338 bytes


Scan again and check the following, then click Fix Checked.

 

O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s

 

 

Restart and do another scan. Let me know if the entry remains.


Scan again and check the following, then click Fix Checked.

 

O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s

Restart and do another scan. Let me know if the entry remains.

 

Yeah, it keeps showing up for some reason. I scanned, fixed, and rebooted about three times to make sure. Weird...


Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

 

Filename: CFScript.txt

Save As Type: All Files (*.*)

 

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hujavawoki"=-

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

 

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

**NOTE - Allow ComboFix to update if prompted.

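The "it keeps coming back" pattern in this thread, turned into a small triage script. This is an added example, not code from the thread, HijackThis or ComboFix: it parses O4 autorun lines from HijackThis logs, flags rundll32 loaders shaped like the tujumape entry, and reports which entries that were "Fix Checked" are present again in a later scan. The sample logs are constructed from lines posted above, and the name-length and export-length thresholds in the heuristic are assumptions.

```python
"""Triage HijackThis O4 (autorun) entries across several scans.

Added example for this thread; not code from HijackThis or ComboFix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] ["]path\to\file.dll["],export
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)


@dataclass(frozen=True)
class Autorun:
    hive: str      # HKLM or HKCU
    name: str      # registry value name, e.g. hujavawoki
    command: str   # command line as HijackThis reports it


def parse_o4(log_text: str) -> list[Autorun]:
    """Return every O4 entry in a HijackThis log, in file order."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m['hive'], m['name'], m['cmd'].strip()))
    return entries


def rundll32_target(command: str):
    """(dll path, export) when the command is a rundll32 DLL load, else None."""
    m = RUNDLL_RE.match(command.strip())
    return (m['dll'], m['export']) if m else None


def looks_like_vundo_loader(entry: Autorun) -> bool:
    """Heuristic built from the entry in this thread (thresholds are assumptions):
    rundll32 loads a DLL that sits in its own folder under Program Files, folder
    and DLL share an all-lowercase pseudo-random name, the value name is also
    pseudo-random, and the export is one or two letters. Legitimate rundll32
    entries such as NvCpl.dll in system32 with a named export do not match."""
    target = rundll32_target(entry.command)
    if target is None:
        return False
    dll, export = target
    path = PureWindowsPath(dll)
    folder, stem = path.parent.name, path.stem

    def random_looking(s: str) -> bool:
        return s.isalpha() and s.islower() and len(s) >= 6

    under_program_files = any(p.lower() == 'program files' for p in path.parts)
    return (under_program_files
            and folder.lower() == stem.lower()
            and random_looking(stem)
            and random_looking(entry.name)
            and len(export) <= 2)


def flagged(log_text: str) -> list[Autorun]:
    """Suspicious O4 entries in one log."""
    return [e for e in parse_o4(log_text) if looks_like_vundo_loader(e)]


def reappeared(fixed: list[Autorun], later_log: str) -> list[Autorun]:
    """Entries that were 'Fix Checked' but are present again in a later scan:
    the sign of a watchdog or reinfection, as happened in this thread."""
    later = set(parse_o4(later_log))
    return [e for e in fixed if e in later]


# Constructed sample: a few O4 lines taken from the scans posted above.
BEFORE_FIX = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
# Constructed: scan after 'Fix Checked' and a reboot; the loader is back.
AFTER_REBOOT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
# Constructed: scan after the ComboFix registry script removed the value.
CLEAN = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

if __name__ == '__main__':
    bad = flagged(BEFORE_FIX)
    for e in bad:
        print('suspicious:', e.hive, e.name, e.command)
    for e in reappeared(bad, AFTER_REBOOT):
        print('back after fix:', e.name)
    print('still present after script:', [e.name for e in reappeared(bad, CLEAN)])
```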

Ah, thank you, that finished it off.

 

Here is my HiJack This log again in case you see something else suspicious:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:14:28 AM, on 12/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [CarMD] C:\Program Files\CarMD\CarMD.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe"

O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

 

--

End of file - 7401 bytes

 

 

Sorry for stretching the problem out, but my Internet Explorer keeps freezing. I don't know what the problem is, but when I right click the IE tab on the task bar it loads the page except I cannot click anything on it (frozen). I don't know how to pinpoint the problem.

 

Anyway, I really appreciate your help, thank you a lot. I learned a few things too.

Edited by shadowxsssr


Please post the C:\ComboFix.txt log.

 

Oops, sorry, I missed that.

 

ComboFix 08-12-21.04 - Victor 2008-12-25 0:56:30.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1360 [GMT -5:00]

Running from: c:\documents and settings\Victor\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Victor\Desktop\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))

.

 

2008-12-25 00:47 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp

2008-12-22 23:27 . 2008-12-22 23:28 <DIR> d-------- C:\rsit

2008-12-22 23:01 . 2008-12-23 15:01 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\CallingID

2008-12-22 22:13 . 2008-12-22 23:06 <DIR> d-------- c:\program files\Spyware Doctor

2008-12-22 22:13 . 2008-12-22 22:13 <DIR> d-------- c:\documents and settings\Victor\Application Data\PC Tools

2008-12-22 22:13 . 2008-12-22 23:01 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2008-12-22 22:13 . 2008-12-22 23:01 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2008-12-22 22:13 . 2008-12-22 23:01 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys

2008-12-22 22:13 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2008-12-22 21:47 . 2008-12-22 21:47 <DIR> d-------- c:\documents and settings\Victor\Application Data\X10 Commander

2008-12-22 21:38 . 2008-12-22 21:38 <DIR> d-------- c:\program files\Trend Micro

2008-12-22 21:34 . 2008-12-25 00:54 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-12-22 20:00 . 2008-12-22 20:00 <DIR> d-------- C:\VundoFix Backups

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\documents and settings\Victor\Application Data\Malwarebytes

2008-12-22 19:04 . 2008-12-22 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-22 19:04 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-22 19:04 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-22 16:58 . 2008-12-22 16:58 151 --a------ c:\windows\wininit.ini

2008-12-22 15:13 . 2008-12-22 15:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-22 15:13 . 2008-12-22 17:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 20:27 . 2008-12-24 00:38 <DIR> d-------- c:\windows\CAVTemp

2008-12-21 20:20 . 2008-12-25 00:54 <DIR> d-------- c:\documents and settings\Victor\Application Data\CallingID

2008-12-21 19:57 . 2008-12-21 19:57 <DIR> d-------- c:\program files\Common Files\Scanner

2008-12-21 19:57 . 2008-12-21 20:10 880,560 --a------ c:\windows\system32\drivers\vetefile.sys

2008-12-21 19:57 . 2008-08-20 18:44 250,544 --a------ c:\windows\system32\KeyHelp.ocx

2008-12-21 19:57 . 2008-12-21 20:10 161,008 --a------ c:\windows\system32\drivers\vetmonnt.sys

2008-12-21 19:57 . 2008-12-21 20:10 111,856 --a------ c:\windows\system32\isafprod.dll

2008-12-21 19:57 . 2008-12-21 20:10 108,368 --a------ c:\windows\system32\drivers\veteboot.sys

2008-12-21 19:57 . 2008-08-20 04:42 99,568 --a------ c:\windows\system32\isafeif.dll

2008-12-21 19:57 . 2008-08-20 04:42 83,256 --a------ c:\windows\system32\vetredir.dll

2008-12-21 19:57 . 2008-12-21 20:10 26,352 --a------ c:\windows\system32\drivers\vet-filt.sys

2008-12-21 19:57 . 2008-12-21 20:10 21,488 --a------ c:\windows\system32\drivers\vetfddnt.sys

2008-12-21 19:57 . 2008-12-21 20:10 21,104 --a------ c:\windows\system32\drivers\vet-rec.sys

2008-12-21 19:55 . 2008-12-21 19:57 <DIR> d-------- c:\program files\CA

2008-12-21 19:53 . 2008-12-21 19:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA

2008-12-19 21:21 . 2008-12-19 21:21 <DIR> d-------- c:\program files\Valve

2008-12-17 18:14 . 2008-12-17 18:14 <DIR> d-------- c:\program files\7-Zip

2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll

2008-12-03 22:29 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll

2008-12-03 22:29 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2008-12-03 22:29 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2008-12-03 22:29 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\program files\WebcamMax

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\documents and settings\Victor\Application Data\Webcammax

2008-12-01 13:34 . 2008-12-01 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\WebcamMax

2008-12-01 13:34 . 2008-03-11 08:14 941,784 --a------ c:\windows\system32\drivers\CAMTHWDM.sys

2008-11-28 16:48 . 2008-11-28 16:47 410,976 --a------ c:\windows\system32\deploytk.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-23 02:45 --------- d-----w c:\documents and settings\Victor\Application Data\HP

2008-12-23 02:35 --------- d-----w c:\documents and settings\Victor\Application Data\Xfire

2008-12-23 01:31 --------- d-----w c:\program files\Steam

2008-12-22 19:42 --------- d-----w c:\documents and settings\Victor\Application Data\Spyware Terminator

2008-12-22 19:41 0 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-22 03:37 --------- d-----w c:\program files\Spyware Terminator

2008-12-22 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator

2008-12-21 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC

2008-12-17 02:10 --------- d-----w c:\program files\Xfire

2008-12-07 04:04 --------- d-----w c:\program files\DivX

2008-11-28 21:47 --------- d-----w c:\program files\Java

2008-11-28 05:36 --------- d-----w c:\program files\pspvc

2008-11-28 05:36 --------- d-----w c:\program files\AviSynth 2.5

2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-11-17 02:14 --------- d-----w c:\program files\StepMania

2008-11-12 00:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-11-12 00:02 --------- d-----w c:\program files\AGEIA Technologies

2008-11-04 21:32 52,728 ----a-w c:\windows\system32\drivers\KmxFile.sys

2008-11-04 21:32 264,696 ----a-w c:\windows\system32\UmxSbxw.dll

2008-11-04 21:32 203,768 ----a-w c:\windows\system32\drivers\KmxCfg.sys

2008-11-04 21:32 143,864 ----a-w c:\windows\system32\drivers\KmxCF.sys

2008-11-04 21:32 115,704 ----a-w c:\windows\system32\drivers\KmxFw.sys

2008-11-04 21:32 113,144 ----a-w c:\windows\system32\UmxSbxExw.dll

2008-11-04 21:32 107,000 ----a-w c:\windows\system32\drivers\KmxStart.sys

2008-10-26 18:44 499,712 ----a-w c:\windows\system32\msvcp71.dll

2008-10-26 18:44 --------- d-----w c:\program files\Real

2008-10-26 18:44 --------- d-----w c:\program files\Common Files\xing shared

2008-10-26 18:44 --------- d-----w c:\program files\Common Files\Real

2008-10-26 18:40 105,168 ----a-w c:\windows\MozillaUninstall.exe

2008-10-26 18:40 105,168 ----a-w c:\windows\GREUninstall.exe

2008-10-26 18:40 --------- d-----w c:\program files\mozilla.org

2008-10-26 18:40 --------- d-----w c:\program files\Common Files\mozilla.org

2008-10-26 18:40 --------- d-----w c:\documents and settings\Victor\Application Data\Talkback

2008-10-25 04:09 --------- d-----w c:\documents and settings\Victor\Application Data\GetRightToGo

2008-10-02 19:11 111,928 ----a-w c:\windows\system32\PnkBstrB.exe

2008-10-02 18:53 22,328 ----a-w c:\documents and settings\Victor\Application Data\PnkBstrK.sys

2008-10-02 18:53 2,246,144 ----a-w c:\windows\system32\pbsvc.exe

2008-10-02 18:49 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-10-02 15:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

.

 

((((((((((((((((((((((((((((( [email protected]_ 0.56.19.89 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-12-23 20:01:16 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-12-25 05:51:40 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-12-23 20:01:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-12-25 05:51:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-12-25 05:51:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122520081226\index.dat

- 2008-12-23 20:01:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-12-25 05:51:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2005-01-28 18:44:28 28,672 -c--a-w c:\windows\system32\dllcache\custsat.dll

+ 2008-04-14 10:41:52 33,792 -c--a-w c:\windows\system32\dllcache\custsat.dll

- 2004-08-04 02:59:20 36,096 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\intelppm.sys

+ 2008-04-14 04:01:34 36,352 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\intelppm.sys

- 2004-08-04 02:59:20 36,096 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\intelppm.sys

+ 2008-04-14 04:01:34 36,352 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\intelppm.sys

- 2004-08-04 02:59:20 36,096 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\intelppm.sys

+ 2008-04-14 04:01:34 36,352 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\intelppm.sys

+ 2008-04-14 02:06:06 144,384 ----a-w c:\windows\system32\ReinstallBackups\0006\DriverFiles\hdaudbus.sys

+ 2008-04-14 04:01:34 36,352 ----a-w c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\intelppm.sys

- 2008-04-14 09:42:38 7,680 ----a-w c:\windows\system32\spdwnwxp.exe

+ 2008-04-14 10:42:38 7,680 ----a-w c:\windows\system32\spdwnwxp.exe

- 2007-08-11 00:46:18 17,272 ----a-w c:\windows\system32\spmsg.dll

+ 2007-08-11 01:46:18 17,272 ------w c:\windows\system32\spmsg.dll

- 2007-08-11 00:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe

+ 2007-08-11 01:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe

+ 2008-12-25 05:51:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_714.dat

+ 2008-04-14 09:42:52 1,054,208 ----a-w c:\windows\WinSxS\InstallTemp\2924210\comctl32.dll

- 2008-04-14 09:42:52 74,802 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll

+ 2008-04-14 10:42:52 74,802 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll

- 2008-04-14 09:42:52 995,383 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll

+ 2008-04-14 10:42:52 995,383 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll

- 2008-04-14 09:42:52 1,011,774 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll

+ 2008-04-14 10:42:52 1,011,774 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll

- 2008-04-14 09:42:52 401,462 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll

+ 2008-04-14 10:42:52 401,462 ----a-w c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll

- 2008-04-14 09:42:52 1,054,208 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

+ 2008-04-14 10:42:52 1,054,208 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

- 2008-04-14 09:42:52 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll

+ 2008-04-14 10:42:52 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll

- 2008-04-14 09:42:52 343,040 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

+ 2008-04-14 10:42:52 343,040 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

- 2008-04-14 09:42:48 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll

+ 2008-04-14 10:42:48 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll

- 2008-04-14 09:42:50 853,504 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll

+ 2008-04-14 10:42:50 853,504 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll

- 2008-04-14 09:42:52 991,232 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll

+ 2008-04-14 10:42:52 991,232 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll

- 2008-04-14 03:56:34 132,096 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll

+ 2008-04-14 04:56:34 132,096 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe" [2002-10-22 159744]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]

"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]

"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-09-11 1783808]

"CarMD"="c:\program files\CarMD\CarMD.exe" [2007-12-11 1318912]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-26 185872]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2008-12-21 349424]

"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-12-21 271600]

"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-12-21 1504496]

"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-12-21 632048]

"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-12-21 668912]

"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe" [2008-12-21 14064]

"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe" [2008-12-21 324848]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-22 1168264]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-09-15 1377720]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.divxa32"= DivXa32.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Victor^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Victor\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2006-08-01 14:35 67112 c:\program files\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

--------- 2002-05-02 07:57 98304 c:\program files\ATI Multimedia\main\LaunchPd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]

--a------ 2002-10-22 09:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2008-08-30 10:15 1235736 c:\progra~1\AVG\AVG8\avgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafw]

--a------ 2008-12-21 20:11 1504496 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem]

--a------ 2008-12-21 20:11 632048 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfupgrade]

--a------ 2008-12-21 20:11 668912 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAPPActiveProtection]

--a------ 2008-12-21 20:10 324848 c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarMD]

--a------ 2007-12-11 13:23 1318912 c:\program files\CarMD\CarMD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]

--a------ 2008-12-21 20:10 271600 c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]

--a------ 2008-12-21 20:11 349424 c:\program files\CA\CA Internet Security Suite\casc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]

--a------ 2003-02-24 15:11 266313 c:\progra~1\AIM\DeadAIM.ocm

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-06-25 07:47 1057064 c:\program files\Nero\Nero 7\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-12-22 23:02 1168264 c:\program files\Spyware Doctor\pctsTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]

--a----t- 2008-12-21 20:11 14064 c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-06-25 07:47 1629480 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-09-11 19:00 1783808 c:\program files\Spyware Terminator\SpywareTerminatorShield.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-10-08 13:36 1410296 c:\program files\Steam\steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-11-28 16:47 136600 c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2008-10-26 13:44 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 17:43 69632 c:\windows\Alcmtr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2007-02-26 14:03 16125440 c:\windows\RTHDCPL.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 17:04 2879488 c:\windows\SkyTel.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"x10nets"=3 (0x3)

"VETMSGNT"=2 (0x2)

"usnjsvc"=3 (0x3)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"SonicStage Back-End Service"=3 (0x3)

"PPCtlPriv"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"NVSvc"=2 (0x2)

"nTuneService"=2 (0x2)

"nSvcIp"=2 (0x2)

"NMIndexingService"=3 (0x3)

"NBService"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"InCDsrv"=2 (0x2)

"IDriverT"=3 (0x3)

"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"UmxPol"=2 (0x2)

"UmxFwHlp"=2 (0x2)

"UmxCfg"=2 (0x2)

"UmxAgent"=2 (0x2)

"sp_rssrv"=2 (0x2)

"ITMRTSVC"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\source sdk base 2007\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\half-life\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\garrysmod\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\source sdk base\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\shadowxsssr\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=

"c:\\ijji\\ENGLISH\\u_gbound.exe"=

"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

 

R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-11-04 107000]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-25 97928]

R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-08-06 72184]

R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-11-04 52728]

R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-11-04 115704]

R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-25 76040]

R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\CAMTHWDM.sys [2008-12-01 941784]

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2008-12-21 128240]

R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-11-04 143864]

R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-07-30 58872]

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2008-07-25 188506]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2008-07-25 31003]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2008-07-25 9882]

R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-11-04 203768]

S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-07-25 0]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-22 356920]

S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-25 875288]

S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-25 231704]

S4 PPCtlPriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-12-21 222448]

S4 UmxAgent;HIPS Event Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2008-11-04 1141240]

S4 UmxCfg;HIPS Configuration Interpreter;"c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2008-11-04 801272]

S4 UmxPol;HIPS Policy Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2008-11-04 289272]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-20 c:\windows\Tasks\Uniblue SpyEraser Nag.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

 

2008-10-11 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{c5a963cd-1ad1-4e8c-b582-bd5b22fb4a0c} - (no file)

 

 

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.google.com

IE: Crawler Search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

LSP: c:\windows\system32\VetRedir.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll

FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll

FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll

FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\pwhamn3e.default\extensions\[email protected]\plugins\npSeeTooAddon.dll

FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-25 01:01:51

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'lsass.exe'(844)

c:\windows\system32\nvappfilter.dll

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

.

Completion time: 2008-12-25 1:03:44

ComboFix-quarantined-files.txt 2008-12-25 06:03:40

ComboFix2.txt 2008-12-24 05:56:57

ComboFix3.txt 2008-12-23 19:55:41

 

Pre-Run: 13,043,679,232 bytes free

Post-Run: 13,048,844,288 bytes free

 


Looks great! Remove any items in quarantine by your resident antivirus and antispyware applications. Empty the recycle bin once more.

Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.

Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

You can delete any other logs that were created/saved too.

 

 

That should finish things up as far as malware. Is IE still acting up?

Sorry for the late response, thanks for helping me clear up this stuff.

 

So... Yes, unfortunately, IE is still acting up. I can't use it at all...

Edited by shadowxsssr


Download ATF Cleaner by Atribune and save it to your Desktop.

  • Double click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

The rest are optional - if you want it to remove everything check "Select All". Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit. Reboot.

 

 

If no improvement, I recommend you try an IE reset. Open Internet Options in the Control Panel, select the Programs tab, then click Reset Web Settings.
