Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Again


  • This topic is locked This topic is locked
17 replies to this topic

#1 dthomasss

dthomasss

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 23 May 2008 - 05:42 AM

Looks like I am infected again! Here is my HJ file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:41 PM, on 5/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\PROGRA~1\Siemens\TANGOA~1\app\TangoLite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Malware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED9C81C-AE24-45E8-BF09-9753710BFF0D}: NameServer = 58.64.124.150 202.80.255.150
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7878 bytes

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 23 May 2008 - 09:37 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please go to this page and scroll down to step 6.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Follow the directions there to run DSS and then post those logs back here in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 23 May 2008 - 07:17 PM

I downloaded SuperAntiS[yware and it found some Vundo and the problem seems to be fixed (I think). Here are the log files from dss:



Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-23 21:46:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-05-23 14:46:10 UTC - RP262 - Deckard's System Scanner Restore Point
3: 2008-05-23 10:23:24 UTC - RP261 - Installed SUPERAntiSpyware Free Edition
2: 2008-05-23 10:13:34 UTC - RP260 - Last known good configuration
1: 2008-05-23 10:13:30 UTC - RP259 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:29 PM, on 5/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\PROGRA~1\Siemens\TANGOA~1\app\TangoLite.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Malware\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED9C81C-AE24-45E8-BF09-9753710BFF0D}: NameServer = 58.64.124.150 202.80.255.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8586 bytes



-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,23
.inf - inffile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-151
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R3 CnxEtP (Conexant AccessRunner USB ADSL LAN Adapter Filter Driver) - c:\windows\system32\drivers\cnxetp.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxEtU (Conexant AccessRunner USB ADSL Interface Device Driver) - c:\windows\system32\drivers\cnxetu.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxTgN (Conexant AccessRunner USB ADSL LAN Adapter Driver) - c:\windows\system32\drivers\cnxtgn.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
R3 ENETNT5 (Efficient Networks, tango Access PPPoE WAN Miniport) - c:\windows\system32\drivers\enetnt.sys <Not Verified; Efficient Networks, Inc.; tango>
R3 NTSTPL1 - c:\program files\siemens\tango access lite\app\ntstpl1.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 TAPBIND - c:\program files\siemens\tango access lite\app\tapbind1.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>

S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 NTSTPL2 - c:\program files\siemens\tango access lite\app\ntstpl2.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>
S3 RAWESR - c:\program files\siemens\tango access lite\app\rawesr.sys <Not Verified; Efficient Networks, Inc.; tango>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ScsiAccess - c:\program files\photodex\proshowgold\scsiaccess.exe
R2 TangoService (Tango Service) - c:\program files\siemens\tango access lite\app\tangoservice.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S4 ACDaemon (ArcSoft Connect Daemon) -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Keyboard
Device ID: ACPI\PNP0303\4&1400782C&0
Manufacturer: Logitech
Name: PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&1400782C&0
Service: i8042prt

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6270
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6270
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-05-23 21:00:00 502 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-05-23 00:38:36 438 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{043D304B-4D60-4C60-8501-16FA4A13E338}.job


-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 17:23:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 17:23:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 17:23:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-23 17:19:33 1308 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 17:18:47 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-23 17:18:47 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-23 17:18:47 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-23 17:18:46 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-23 17:18:46 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-23 17:18:46 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-23 17:18:46 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-23 17:18:46 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-23 17:10:43 114176 --a------ C:\WINDOWS\system32\jogpwalo.dll
2008-05-23 17:10:31 125952 --a------ C:\WINDOWS\system32\volclgdp.dll
2008-05-23 15:55:39 431549 --ahs---- C:\WINDOWS\system32\pYcIlnpo.ini2
2008-05-21 20:26:12 0 d-------- C:\Documents and Settings\Administrator\LocalLow
2008-05-18 20:31:04 13824 --a------ C:\WINDOWS\ftpupd.dll
2008-05-18 17:56:37 123670 --ah----- C:\Documents and Settings\All Users\smss.exe <Not Verified; Digital; BHAI>
2008-05-08 19:50:04 0 d-------- C:\WINDOWS\Prefetch
2008-05-08 17:50:30 0 d-------- C:\WINDOWS\system32\scripting
2008-05-08 17:50:30 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 17:50:29 0 d-------- C:\WINDOWS\system32\en
2008-05-08 17:50:29 0 d-------- C:\WINDOWS\system32\bits
2008-05-08 17:47:57 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 15:29:29 14 --a------ C:\WINDOWS\system32\W7409A4F3f481e2F2.bin
2008-05-06 10:20:26 51001 --a------ C:\WINDOWS\system32\ms410215.dll
2008-05-06 10:20:25 15103 --a------ C:\WINDOWS\system32\msiclass.dll <Not Verified; Microsott Corporation; >
2008-05-06 10:20:25 28160 --a------ C:\WINDOWS\hwuser.dll
2008-04-27 11:50:01 0 d-------- C:\Program Files\Foxit Software
2008-04-26 18:21:21 0 d-------- C:\Program Files\Investintech.com Inc


-- Find3M Report ---------------------------------------------------------------

2008-05-23 19:19:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-05-23 19:00:21 0 d-------- C:\Program Files\Y!mLite
2008-05-23 18:43:35 0 d-------- C:\Program Files\mIRC
2008-05-23 18:00:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\DMCache
2008-05-23 17:59:39 777 --a------ C:\Documents and Settings\Administrator\Application Data\ClockTraySkins.ini
2008-05-23 17:23:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 20:26:02 0 d-------- C:\Program Files\TVUPlayer
2008-05-21 13:50:49 0 d-------- C:\Program Files\IEPro
2008-05-19 18:39:52 668 --a------ C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
2008-05-19 18:39:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-19 18:20:19 0 d-------- C:\Program Files\Internet Download Manager
2008-05-19 10:32:31 0 d-------- C:\Program Files\English-Thai Software-Dictionary
2008-05-12 06:44:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-09 03:06:23 0 d-------- C:\Program Files\Zune
2008-05-08 17:50:53 0 d-------- C:\Program Files\Messenger
2008-05-08 17:50:29 0 d-------- C:\Program Files\Movie Maker
2008-05-08 17:47:37 0 d-------- C:\Program Files\Windows NT
2008-05-07 16:45:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-07 15:19:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-02 08:03:40 0 d-------- C:\Program Files\Microsoft Works
2008-05-02 08:03:26 0 d-------- C:\Program Files\Common Files
2008-05-01 14:16:24 160 --a------ C:\WINDOWS\TangoStatHigh Speed Internet
2008-04-29 17:07:18 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-29 08:23:51 75832 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-22 14:51:03 0 d-------- C:\Program Files\PDF-Convert
2008-04-22 14:50:58 0 d-------- C:\Program Files\psconvert
2008-04-20 08:57:51 0 d-------- C:\Program Files\EzGenerator3
2008-04-19 16:29:12 0 d-------- C:\Program Files\LimeWire
2008-04-18 07:47:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-18 07:47:49 0 d-------- C:\Program Files\Sarm Software
2008-04-17 06:50:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sarm Software
2008-04-17 06:39:17 0 d-------- C:\Program Files\Quicken WillMaker Plus 2007
2008-04-14 15:03:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-11 15:42:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-04-09 08:10:55 0 d-------- C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-06 06:42:57 0 d-------- C:\Program Files\VSO
2008-04-05 19:03:41 34 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.log
2008-04-05 19:03:38 47360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-05 19:03:38 1144 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
2008-04-05 19:03:38 7887 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
2008-04-05 18:26:23 0 d-------- C:\Program Files\EPSON
2008-04-05 15:59:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\HP
2008-04-05 15:59:19 141146 --a------ C:\WINDOWS\hpoins14.dat
2008-04-05 15:58:32 0 d-------- C:\Program Files\HP
2008-04-05 15:57:16 0 d-------- C:\Program Files\Common Files\HP
2008-04-05 15:56:58 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-05 15:56:43 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-05 10:46:33 0 d-------- C:\Program Files\Common Files\UDL
2008-04-04 05:02:36 0 d-------- C:\Program Files\FastStone Image Viewer
2008-04-02 16:29:05 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-04-02 16:28:54 0 d-------- C:\Program Files\Common Files\Logitech
2008-04-02 16:28:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-03-31 16:35:06 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-03-31 07:16:55 0 d-------- C:\Program Files\QuickInvoice
2008-03-30 17:55:53 0 d-------- C:\Program Files\Microsoft Windows Script
2008-03-29 17:15:46 0 d-------- C:\Program Files\MOJOSOFT
2008-03-29 17:15:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\mojosoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [05/03/2005 07:38 PM C:\WINDOWS\system32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 03:10 AM C:\WINDOWS\KHALMNPR.Exe]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [01/12/2007 03:12 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 08:50 AM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [09/24/2007 12:30 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/11/2007 05:03 AM]
"nwiz"="nwiz.exe" [05/11/2007 05:03 AM C:\WINDOWS\system32\NWIZ.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [01/23/2008 06:21 AM]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [05/18/2008 06:29 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 07:12 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 11/15/2007 10:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\opnlIcYp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{984c0484-95bc-11dc-8c5f-00d0f85c4293}]
Auto\command- SHE.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SHE.exe




-- End of Deckard's System Scanner: finished at 2008-05-23 21:49:33 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU E6550 @ 2.33GHz
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2047.04 MiB / 1485.75 MiB
Pagefile Memory (total/avail): 3429.04 MiB / 3008.69 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.1 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 127.46 GiB free.
D: is Fixed (NTFS) - 149.05 GiB total, 27.6 GiB free.
E: is Fixed (NTFS) - 465.76 GiB total, 389.42 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE2 - ST3160827AS - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.05 GiB - D:

\\.\PHYSICALDRIVE0 - ST3250310AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD5000AAKS-00YGA0 - 465.76 GiB - 1 partition
\PARTITION0 - Installable File System - 465.76 GiB - E:

\\.\PHYSICALDRIVE4 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE6 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WIZARDOFOZ
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\WIZARDOFOZ
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=WIZARDOFOZ
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
--> MsiExec.exe /X{69495273-FCDC-4A86-BCB7-49B504D3FB0E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
5800UB 1.0 --> C:\Program Files\StarNet\uninst.exe
Able2Doc Professional v4.0 --> C:\Program Files\Investintech.com Inc\Able2Doc Professional 4.0\Uninstal.exe
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Acronis Disk Director Suite --> MsiExec.exe /X{2300EE96-0A41-4FAB-BD03-989EC44577A0}
Acronis True Image Home --> MsiExec.exe /X{E5343B27-55DF-40BD-9FCF-A643C1331E8A}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 6.0 --> msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250}
AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Alt-Tab Task Switcher Powertoy for Windows XP --> MsiExec.exe /I{A7050037-F0EA-4BAB-BCD5-FC05507D6147}
AM-DeadLink 3.2 --> "C:\Program Files\AM-DeadLink\unins000.exe"
ArcSoft Funhouse --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F32C03C3-3B52-4E3C-9375-F442FF71EEC7}\SETUP.EXE" -l0x9 -uninst
Attansic Ethernet Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9 -removeonly
Attansic L1 Gigabit Ethernet Driver --> rundll32.exe C:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
BitComet 1.00 --> C:\Program Files\BitComet\uninst.exe
Buddy Broadband --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3F904B8-B250-48E9-990D-CFC0936898E0}\setup.exe" -AUNINSTALL_ONLY
BusinessCardsMX 3.8 --> "C:\Program Files\MOJOSOFT\BusinessCardsMX3\unins000.exe"
Canon CanoScan Toolbox 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{143FB15C-0C48-41E3-9C30-F56FB69BF3D7}\Setup.exe" -l0x9 anything
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Clock Tray Skins 4 --> "C:\Program Files\Clock Tray Skins\unins000.exe"
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Conexant AccessRunner USB ADSL LAN Adapter --> C:\Program Files\Conexant\AccessRunner ADSL\CnxUnist.exe -w7 AccessRunner ADSL
ConvertXtoDVD 3.0.0.9 --> "C:\Program Files\VSO\ConvertX\3\unins000.exe"
Creative EAX Settings --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9 /remove
Creative Speaker Settings --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove
Creative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /remove
Creative WebCam Live! Driver (1.01.01.0730) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script Pd0630.uns -unsext NT -plugin P0630Pin.dll -pluginres P0630Pin.crl
Cucusoft DVD to Zune + Zune Video Converter Suite 5.28.5.11 --> "C:\Program Files\Cucusoft\zune-converter\unins000.exe"
DAMN NFO Viewer Setup --> MsiExec.exe /I{D5DE2E28-2BA1-4CF8-A4C5-D3D2AE0A9E38}
Device Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9 /remove
DS-Monkey Audio Source 1.00 --> "C:\Program Files\DS-Monkey Audio Source\Uninstall.exe"
English-Thai Software-Dictionary --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\English-Thai Software-Dictionary\ST6UNST.LOG"
English-Thai Software-Dictionary (C:\Program Files\English-Thai Software-Dictionary\) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\English-Thai Software-Dictionary\ST6UNST.000"
EVEREST Ultimate Edition v4.20 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
EzGenerator 3.0 --> C:\Program Files\EzGenerator3\uninst.exe
FastStone Capture 6.0 --> C:\Program Files\FastStone Capture\uninst.exe
FastStone Image Viewer 3.5 --> C:\Program Files\FastStone Image Viewer\uninst.exe
foobar2000 v0.9.4.5 --> "C:\Program Files\foobar2000\uninstall.exe"
Foxit PDF Editor --> C:\Program Files\Foxit Software\PDF Editor\uninstall.exe
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Free PS Convert driver 8.15 --> "C:\Program Files\psconvert\unins000.exe"
Garmin WebUpdater --> MsiExec.exe /X{366FFC89-C800-4366-B903-B9C4314109A5}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\Malware\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet All-In-One Software 9.0 --> C:\Program Files\HP\Digital Imaging\{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}\setup\hpzscr01.exe -datfile hposcr14.dat
HP Imaging Device Functions 9.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Solution Center 9.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
IE7Pro --> C:\Program Files\IEPro\uninst.exe
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LimeWire PRO 4.17.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech Communications Manager --> MsiExec.exe /I{BD202930-5F70-4B35-B875-1E28604F328D}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Magic ISO Maker v5.3 (build 0216) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MapMagic [Bangkok 2004-2005 ET] --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD46F0DC-AE05-45E2-9DA7-E33F514A4DDC}\setup.exe"
MapMagic [Thailand 2005-2006 ET] --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04D364A2-BCEA-4E99-A58C-87549B48D3B5}\setup.exe"
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 --> "C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Player Utilities 4.15 --> MsiExec.exe /I{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
My Pictures 3D 1.2 --> "C:\Program Files\My Pictures 3D\My Pictures 3D ScreenSaver\unins000.exe"
Mystery P.I. - The Vegas Heist --> C:\Program Files\Mystery P.I. - The Vegas Heist\Uninstal.exe
Nero 7 Ultra Edition --> MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{11964613-805F-432D-A12B-169554B793E7}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Nokia_PC_Suite_6_84_10_3_eng_us_web.exe
Nokia PC Suite --> MsiExec.exe /I{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}
Nokia Software Updater --> MsiExec.exe /X{57CEA991-6F11-4E7E-B67C-2F02168CED6B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PC Connectivity Solution --> MsiExec.exe /I{99A40651-0BC2-4095-8F9A-A40FAB224FEF}
PDF to Image Converter 2.00 --> "C:\Program Files\PDF-Convert\pdf2img\unins000.exe"
Photo Frame Show --> C:\PROGRA~1\FRAMES~1\UNWISE.EXE C:\PROGRA~1\FRAMES~1\INSTALL.LOG
Photodex Presenter --> C:\Program Files\Photodex Presenter\uninst.exe
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
ProShow Gold --> C:\Program Files\Photodex\ProShowGold\proshow.exe . -u
Quicken WillMaker Plus 2007 --> C:\WINDOWS\unvise32.exe C:\Program Files\Quicken WillMaker Plus 2007\uninstal.log
Recover My Files --> "C:\Program Files\GetData\Recover My Files\unins000.exe"
SAMSUNG Mobile Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The KMPlayer (remove only) --> "C:\Program Files\The KMPlayer\uninstall.exe"
TubeHunter Ultra --> MsiExec.exe /I{3A4BEF94-179B-43DC-8380-76EEC6DB5EF4}
TubeHunter Ultra --> MsiExec.exe /I{4572F220-0A56-402E-90F1-4D36DD22F108}
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
TVUPlayer 2.3.5.4 --> C:\Program Files\TVUPlayer\uninst.exe
Tweak UI --> MsiExec.exe /I{64649281-4B5D-4425-A0F7-E79F6756FFC8}
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Video Edit Magic 4 --> "C:\Program Files\Deskshare\Video Edit Magic 4.4\unins000.exe"
VideoLAN VLC media player 0.8.1 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_044C8712DB44F83D9DE6C376991EE9254E0A69E4\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_F12A08B6F776984A95553486F64C541356F86E38\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_5E1541AFF1E1EA3554CE566743CCAD323ED1C108\nokbtmdm.inf
Windows Easy Transfer --> "C:\WINDOWS\$NtUninstallWETCable$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Y!mLite 303 Final --> "C:\Program Files\Y!mLite\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zune --> C:\Program Files\Zune\ZuneSetup.exe /x
Zune --> MsiExec.exe /X{FF70513F-E3A7-402F-84FB-B7810A064BE2}
Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}


-- Application Event Log -------------------------------------------------------

Event Record #/Type21414 / Success
Event Submitted/Written: 05/23/2008 06:29:20 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type21412 / Warning
Event Submitted/Written: 05/23/2008 06:05:24 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\Documents and Settings\Administrator\Local Settings\Temp\wz89cd\authpatch.exe contains Downloader.gen.a Trojan. The file was successfully deleted.

Event Record #/Type21411 / Warning
Event Submitted/Written: 05/23/2008 06:05:24 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\WZ89CD\AUTHPATCH.EXE contains Downloader.gen.a Trojan. The file was successfully deleted.

Event Record #/Type21410 / Warning
Event Submitted/Written: 05/23/2008 06:05:14 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\Documents and Settings\Administrator\Local Settings\Temp\wz655d\authpatch.exe contains Downloader.gen.a Trojan. The file was successfully deleted.

Event Record #/Type21409 / Warning
Event Submitted/Written: 05/23/2008 06:05:14 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\WZ655D\AUTHPATCH.EXE contains Downloader.gen.a Trojan. The file was successfully deleted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13063 / Warning
Event Submitted/Written: 05/23/2008 09:29:45 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13062 / Warning
Event Submitted/Written: 05/23/2008 07:40:25 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13061 / Warning
Event Submitted/Written: 05/23/2008 06:45:48 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13058 / Warning
Event Submitted/Written: 05/23/2008 06:18:03 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13057 / Warning
Event Submitted/Written: 05/23/2008 06:04:23 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-05-23 21:49:33 ------------


Directories/Files moved to C:\Deckard\System Scanner\backup

2008-05-15 08:57:53 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aolbartcache
2008-05-20 14:12:56 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bc_cache
2008-05-23 18:03:42 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bc_tmp
2008-05-23 17:26:09 130 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log
2008-05-23 18:00:56 1005 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LVCOMSX.LOG
2008-05-23 17:17:37 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MessengerCache
2008-05-21 19:39:34 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msohtmlclip1
2008-05-23 17:17:37 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pft17.tmp
2008-05-20 06:18:57 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VEM
2008-05-23 18:01:01 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WPDNSE
2008-05-20 08:41:25 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wz75c3
2008-05-23 17:17:37 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wz8163
2008-05-23 17:17:37 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wzb5ff
2008-05-20 07:18:51 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wzdb16
2008-05-23 19:00:22 16384 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF167B.tmp
2008-05-23 19:00:21 16384 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFF5F.tmp
2008-04-22 21:15:18 0 d-------- C:\WINDOWS\temp\alb81.tmp
2008-05-08 17:26:57 27982 --a------ C:\WINDOWS\temp\hppldcoi.log
2008-05-07 16:45:25 1000224 --a------ C:\WINDOWS\temp\hpqddsvc.log
2007-03-28 12:50:02 44107 --a------ C:\WINDOWS\temp\hpzEN5ha.chm
2007-03-28 12:50:02 33625 --a------ C:\WINDOWS\temp\hpzEN5ha.hlp
2008-04-05 15:56:02 12114 --a------ C:\WINDOWS\temp\HPZIDS000.log
2008-05-08 16:46:31 383 --a------ C:\WINDOWS\temp\HPZIDS001.log
2008-05-08 17:26:57 383 --a------ C:\WINDOWS\temp\HPZIDS002.log
2008-04-05 15:59:01 452516 --a------ C:\WINDOWS\temp\ProductContextF4100.log
2008-04-05 15:55:52 540 --a------ C:\WINDOWS\temp\servic000.log
2008-05-08 16:46:30 607 --a------ C:\WINDOWS\temp\update000.log
2008-05-08 17:26:56 607 --a------ C:\WINDOWS\temp\update001.log
2008-05-23 21:30:12 255 --a------ C:\WINDOWS\temp\WGAErrLog.txt
2008-05-23 18:01:13 409 --a------ C:\WINDOWS\temp\WGANotify.settings
2007-10-19 16:30:52 38428 --a------ C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
2007-01-24 08:41:42 841304 --a------ C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll <Verified; America Online, Inc.; AOL Media Playback Control>

-*- End of Logfile -*-

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 24 May 2008 - 08:15 AM

You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


=================



Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 24 May 2008 - 07:51 PM

ComboFix 08-05-21.3 - Administrator 2008-05-25 7:39:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.27.1033.18.1474 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Malware\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMf7b2dfea.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\pYcIlnpo.ini
C:\WINDOWS\system32\pYcIlnpo.ini2

----- BITS: Possible infected sites -----

hxxp://ftp.hp.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 07:43 . 2008-05-25 07:43 1,626,112 --a------ C:\WINDOWS\system32\nwiz˙.exe
2008-05-25 07:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 07:32 . 2008-05-25 07:33 <DIR> d-------- C:\Program Files\Java
2008-05-24 14:22 . 2008-05-24 14:22 41,984 --a------ C:\WINDOWS\ftpupd3.dll
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-24 07:24 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-24 07:24 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Deckard
2008-05-23 17:23 . 2008-05-24 08:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 17:23 . 2008-05-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 17:23 . 2008-05-24 08:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-23 17:19 . 2008-05-23 17:24 1,308 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 17:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-23 17:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-23 17:18 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-23 17:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-23 17:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-23 17:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-23 17:10 . 2008-05-23 17:10 125,952 --a------ C:\WINDOWS\system32\volclgdp.dll
2008-05-23 15:50 . 2008-05-23 15:50 58,880 --a------ C:\WINDOWS\system32\fccaWQIc.dll.vir
2008-05-21 20:26 . 2008-05-21 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\LocalLow
2008-05-18 20:31 . 2008-05-18 20:31 13,824 --a------ C:\WINDOWS\ftpupd.dll
2008-05-08 20:15 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-08 17:47 . 2008-05-08 17:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 17:35 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-07 15:29 . 2008-05-07 15:31 14 --a------ C:\WINDOWS\system32\W7409A4F3f481e2F2.bin
2008-05-06 10:20 . 2004-06-18 00:49 51,001 --a------ C:\WINDOWS\system32\ms410215.dll
2008-05-06 10:20 . 2008-05-07 15:33 28,160 --a------ C:\WINDOWS\hwuser.dll
2008-05-06 10:20 . 2008-05-25 07:43 15,103 --a------ C:\WINDOWS\system32\msiclass.dll
2008-04-29 19:56 . 2008-04-29 19:56 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 19:56 . 2008-04-29 19:56 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-27 11:50 . 2008-05-06 10:20 <DIR> d-------- C:\Program Files\Foxit Software
2008-04-26 18:21 . 2008-04-26 18:33 <DIR> d-------- C:\Program Files\Investintech.com Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 00:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DMCache
2008-05-24 10:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-05-24 08:23 --------- d-----w C:\Program Files\mIRC
2008-05-24 01:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 00:59 --------- d-----w C:\Program Files\Y!mLite
2008-05-21 13:26 --------- d-----w C:\Program Files\TVUPlayer
2008-05-21 06:50 --------- d-----w C:\Program Files\IEPro
2008-05-19 23:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-19 11:20 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-19 03:32 --------- d-----w C:\Program Files\English-Thai Software-Dictionary
2008-05-15 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 23:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-08 20:06 --------- d-----w C:\Program Files\Zune
2008-05-07 09:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 01:03 --------- d-----w C:\Program Files\Microsoft Works
2008-04-29 12:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-29 10:07 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-04-22 07:51 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\imgpdf2.dll
2008-04-22 07:51 --------- d-----w C:\Program Files\PDF-Convert
2008-04-22 07:50 --------- d-----w C:\Program Files\psconvert
2008-04-20 01:57 --------- d-----w C:\Program Files\EzGenerator3
2008-04-20 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-19 09:29 --------- d-----w C:\Program Files\LimeWire
2008-04-18 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 00:47 --------- d-----w C:\Program Files\Sarm Software
2008-04-16 23:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sarm Software
2008-04-16 23:39 --------- d-----w C:\Program Files\Quicken WillMaker Plus 2007
2008-04-14 08:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2008-01-23 06:21 1330432]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-18 18:29 2594224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12 244512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-24 00:30 292152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 05:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 05:03 1655808 C:\WINDOWS\system32\NWIZ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 07:12 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Y!mLite\\ymlite.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\mcoinstall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56000:TCP"= 56000:TCP:Bit Comet
"53500:TCP"= 53500:TCP:BitComet 53500 TCP
"53500:UDP"= 53500:UDP:BitComet 53500 UDP

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-20 16:58]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 MBAMDrvService;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-05-05 20:46]
R2 MBAMService;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-05-05 20:46]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 07:12]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 21:12]
R3 CnxEtP;Conexant AccessRunner USB ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-09-12 09:26]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-09-12 09:26]
R3 CnxTgN;Conexant AccessRunner USB ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-10-29 14:01]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\system32\DRIVERS\enetnt.sys [2004-09-17 09:21]
R3 NTSTPL1;NTSTPL1;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL1.SYS [2004-12-09 10:58]
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 08:55]
R3 TAPBIND;TAPBIND;C:\PROGRA~1\Siemens\TANGOA~1\app\TAPBIND1.SYS [2004-12-09 10:58]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL2.SYS [2004-12-09 10:58]
S3 RAWESR;RAWESR;C:\PROGRA~1\Siemens\TANGOA~1\app\RAWESR.SYS [2004-12-09 10:57]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-27 11:58]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{984c0484-95bc-11dc-8c5f-00d0f85c4293}]
\Shell\Auto\command - SHE.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SHE.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 00:43:09 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-24 20:34:08 C:\WINDOWS\Tasks\User_Feed_Synchronization-{043D304B-4D60-4C60-8501-16FA4A13E338}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 07:43:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoLite.exe
.
**************************************************************************
.
Completion time: 2008-05-25 7:47:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 00:47:27

Pre-Run: 136,133,275,648 bytes free
Post-Run: 136,052,965,376 bytes free

305 --- E O F --- 2008-05-17 10:15:09

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 25 May 2008 - 08:16 AM

Let's check out a few files that look suspicious in your log.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:



    C:\WINDOWS\system32\nwiz˙.exe


  • Click on the submit button
  • Please post the results in your next reply.

Also submit these to be scanned and report back with the results.

C:\WINDOWS\ftpupd3.dll
C:\WINDOWS\system32\volclgdp.dll
C:\WINDOWS\system32\msiclass.dll

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 25 May 2008 - 08:37 PM

C:\WINDOWS\system32\nwiz˙.exe
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
I looked in my system32 directory and could not find the file

C:\WINDOWS\ftpupd3.dll
Status: INFECTED/MALWARE AntiVir Found TR/Dropper.Gen
A-Squared Found nothing
AntiVir Found TR/Dropper.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\system32\volclgdp.dll
INFECTED/MALWARE
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Vundo@dll
AVG Antivirus Found nothing
BitDefender Found Trojan.Generic.275868
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.BannerModif
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.trb (4, 1, 400)
Fortinet Found Virtum!tr
Ikarus Found Virus.Win32.Vundo@dll
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.trb
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\system32\msiclass.dll
Status: OK

Edited by dthomasss, 25 May 2008 - 08:43 PM.


#8 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 25 May 2008 - 08:54 PM

I just ran combofix again after another problem and here is what I got

ComboFix 08-05-21.3 - Administrator 2008-05-26 8:44:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.27.1033.18.1474 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Malware\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-26 08:47 . 2008-05-26 08:47 1,626,112 --a------ C:\WINDOWS\system32\nwiz˙.exe
2008-05-26 08:18 . 2008-05-26 08:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 08:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 08:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 07:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 07:32 . 2008-05-25 07:33 <DIR> d-------- C:\Program Files\Java
2008-05-24 14:22 . 2008-05-24 14:22 41,984 --a------ C:\WINDOWS\ftpupd3.dll
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Deckard
2008-05-23 17:23 . 2008-05-26 08:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 17:23 . 2008-05-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 17:23 . 2008-05-26 08:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-23 17:19 . 2008-05-23 17:24 1,308 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 17:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-23 17:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-23 17:18 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-23 17:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-23 17:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-23 17:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-23 17:10 . 2008-05-23 17:10 125,952 --a------ C:\WINDOWS\system32\volclgdp.dll
2008-05-23 15:50 . 2008-05-23 15:50 58,880 --a------ C:\WINDOWS\system32\fccaWQIc.dll.vir
2008-05-21 20:26 . 2008-05-21 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\LocalLow
2008-05-18 20:31 . 2008-05-18 20:31 13,824 --a------ C:\WINDOWS\ftpupd.dll
2008-05-08 20:15 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-08 17:47 . 2008-05-08 17:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 17:35 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-07 15:29 . 2008-05-07 15:31 14 --a------ C:\WINDOWS\system32\W7409A4F3f481e2F2.bin
2008-05-06 10:20 . 2004-06-18 00:49 51,001 --a------ C:\WINDOWS\system32\ms410215.dll
2008-05-06 10:20 . 2008-05-07 15:33 28,160 --a------ C:\WINDOWS\hwuser.dll
2008-05-06 10:20 . 2008-05-26 08:47 15,103 --a------ C:\WINDOWS\system32\msiclass.dll
2008-04-29 19:56 . 2008-04-29 19:56 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 19:56 . 2008-04-29 19:56 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-27 11:50 . 2008-05-06 10:20 <DIR> d-------- C:\Program Files\Foxit Software
2008-04-26 18:21 . 2008-04-26 18:33 <DIR> d-------- C:\Program Files\Investintech.com Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 01:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DMCache
2008-05-26 01:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 01:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-05-26 00:16 --------- d-----w C:\Program Files\mIRC
2008-05-25 11:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 03:23 --------- d-----w C:\Program Files\AM-DeadLink
2008-05-24 00:59 --------- d-----w C:\Program Files\Y!mLite
2008-05-21 13:26 --------- d-----w C:\Program Files\TVUPlayer
2008-05-21 06:50 --------- d-----w C:\Program Files\IEPro
2008-05-19 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-19 11:20 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-19 03:32 --------- d-----w C:\Program Files\English-Thai Software-Dictionary
2008-05-15 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 23:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-08 20:06 --------- d-----w C:\Program Files\Zune
2008-05-07 09:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 01:03 --------- d-----w C:\Program Files\Microsoft Works
2008-04-29 12:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-29 10:07 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-04-22 07:51 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\imgpdf2.dll
2008-04-22 07:51 --------- d-----w C:\Program Files\PDF-Convert
2008-04-22 07:50 --------- d-----w C:\Program Files\psconvert
2008-04-20 01:57 --------- d-----w C:\Program Files\EzGenerator3
2008-04-20 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-19 09:29 --------- d-----w C:\Program Files\LimeWire
2008-04-18 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 00:47 --------- d-----w C:\Program Files\Sarm Software
2008-04-16 23:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sarm Software
2008-04-16 23:39 --------- d-----w C:\Program Files\Quicken WillMaker Plus 2007
2008-04-14 08:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_ 7.47.11.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 00:43:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 01:47:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 01:04:29 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-26 01:04:29 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-05-25 00:43:23 1,626,112 ----a-w C:\WINDOWS\system32\nwiz .exe
+ 2008-05-26 01:47:38 1,626,112 ----a-w C:\WINDOWS\system32\nwiz .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2008-01-23 06:21 1330432]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-18 18:29 2594224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12 244512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-24 00:30 292152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 05:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 05:03 1655808 C:\WINDOWS\system32\NWIZ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 07:12 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Y!mLite\\ymlite.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\mcoinstall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56000:TCP"= 56000:TCP:Bit Comet
"53500:TCP"= 53500:TCP:BitComet 53500 TCP
"53500:UDP"= 53500:UDP:BitComet 53500 UDP

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-20 16:58]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 MBAMDrvService;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-05-05 20:46]
R2 MBAMService;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-05-05 20:46]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 07:12]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 21:12]
R3 CnxEtP;Conexant AccessRunner USB ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-09-12 09:26]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-09-12 09:26]
R3 CnxTgN;Conexant AccessRunner USB ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-10-29 14:01]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\system32\DRIVERS\enetnt.sys [2004-09-17 09:21]
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 08:55]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL1.SYS [2004-12-09 10:58]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL2.SYS [2004-12-09 10:58]
S3 RAWESR;RAWESR;C:\PROGRA~1\Siemens\TANGOA~1\app\RAWESR.SYS [2004-12-09 10:57]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\Siemens\TANGOA~1\app\TAPBIND1.SYS [2004-12-09 10:58]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-27 11:58]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{984c0484-95bc-11dc-8c5f-00d0f85c4293}]
\Shell\Auto\command - SHE.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SHE.exe

*Newly Created Service* - MBAMDRVSERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 01:47:20 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-25 22:16:15 C:\WINDOWS\Tasks\User_Feed_Synchronization-{043D304B-4D60-4C60-8501-16FA4A13E338}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 08:47:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-05-26 8:51:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 01:51:47
ComboFix2.txt 2008-05-25 00:47:31

Pre-Run: 134,038,532,096 bytes free
Post-Run: 134,028,509,184 bytes free

309 --- E O F --- 2008-05-17 10:15:09

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 26 May 2008 - 09:38 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\volclgdp.dll
C:\WINDOWS\system32\fccaWQIc.dll.vir
C:\WINDOWS\ftpupd.dll
C:\WINDOWS\ftpupd3.dll
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



===================




Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 26 May 2008 - 08:57 PM

Superantispyware only found some cookies.

Here is the latest combofix log:

ComboFix 08-05-21.3 - Administrator 2008-05-27 8:04:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.27.1033.18.1485 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Malware\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\ftpupd.dll
C:\WINDOWS\ftpupd3.dll
C:\WINDOWS\system32\fccaWQIc.dll.vir
C:\WINDOWS\system32\volclgdp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ftpupd.dll
C:\WINDOWS\ftpupd3.dll
C:\WINDOWS\system32\fccaWQIc.dll.vir
C:\WINDOWS\system32\volclgdp.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 08:08 . 2008-05-27 08:08 1,626,112 --a------ C:\WINDOWS\system32\nwiz˙.exe
2008-05-26 08:18 . 2008-05-26 08:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 08:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 08:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 07:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 07:32 . 2008-05-25 07:33 <DIR> d-------- C:\Program Files\Java
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Deckard
2008-05-23 17:23 . 2008-05-26 08:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 17:23 . 2008-05-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 17:23 . 2008-05-26 08:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-23 17:19 . 2008-05-23 17:24 1,308 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 17:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-23 17:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-23 17:18 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-23 17:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-23 17:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-23 17:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-21 20:26 . 2008-05-21 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\LocalLow
2008-05-08 20:15 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-08 17:47 . 2008-05-08 17:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 17:35 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-07 15:29 . 2008-05-07 15:31 14 --a------ C:\WINDOWS\system32\W7409A4F3f481e2F2.bin
2008-05-06 10:20 . 2004-06-18 00:49 51,001 --a------ C:\WINDOWS\system32\ms410215.dll
2008-05-06 10:20 . 2008-05-07 15:33 28,160 --a------ C:\WINDOWS\hwuser.dll
2008-05-06 10:20 . 2008-05-27 08:08 15,103 --a------ C:\WINDOWS\system32\msiclass.dll
2008-04-29 19:56 . 2008-04-29 19:56 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 19:56 . 2008-04-29 19:56 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-27 11:50 . 2008-05-06 10:20 <DIR> d-------- C:\Program Files\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 01:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DMCache
2008-05-27 01:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-27 00:55 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-05-26 13:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-05-26 12:27 --------- d-----w C:\Program Files\mIRC
2008-05-26 12:04 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\imgpdf2.dll
2008-05-26 01:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 11:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 03:23 --------- d-----w C:\Program Files\AM-DeadLink
2008-05-24 00:59 --------- d-----w C:\Program Files\Y!mLite
2008-05-21 13:26 --------- d-----w C:\Program Files\TVUPlayer
2008-05-21 06:50 --------- d-----w C:\Program Files\IEPro
2008-05-19 11:20 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-19 03:32 --------- d-----w C:\Program Files\English-Thai Software-Dictionary
2008-05-15 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 23:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-08 20:06 --------- d-----w C:\Program Files\Zune
2008-05-07 09:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 01:03 --------- d-----w C:\Program Files\Microsoft Works
2008-04-29 12:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-26 11:33 --------- d-----w C:\Program Files\Investintech.com Inc
2008-04-22 07:51 --------- d-----w C:\Program Files\PDF-Convert
2008-04-22 07:50 --------- d-----w C:\Program Files\psconvert
2008-04-20 01:57 --------- d-----w C:\Program Files\EzGenerator3
2008-04-20 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-19 09:29 --------- d-----w C:\Program Files\LimeWire
2008-04-18 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 00:47 --------- d-----w C:\Program Files\Sarm Software
2008-04-16 23:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sarm Software
2008-04-16 23:39 --------- d-----w C:\Program Files\Quicken WillMaker Plus 2007
2008-04-14 08:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_ 7.47.11.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 00:43:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 01:08:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 01:04:29 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-26 01:04:29 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-05-25 00:43:23 1,626,112 ----a-w C:\WINDOWS\system32\nwiz .exe
+ 2008-05-27 01:08:32 1,626,112 ----a-w C:\WINDOWS\system32\nwiz .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2008-01-23 06:21 1330432]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-18 18:29 2594224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12 244512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-24 00:30 292152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 05:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 05:03 1655808 C:\WINDOWS\system32\NWIZ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 07:12 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Y!mLite\\ymlite.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\mcoinstall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56000:TCP"= 56000:TCP:Bit Comet
"53500:TCP"= 53500:TCP:BitComet 53500 TCP
"53500:UDP"= 53500:UDP:BitComet 53500 UDP

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-20 16:58]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 07:12]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 21:12]
R3 CnxEtP;Conexant AccessRunner USB ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-09-12 09:26]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-09-12 09:26]
R3 CnxTgN;Conexant AccessRunner USB ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-10-29 14:01]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\system32\DRIVERS\enetnt.sys [2004-09-17 09:21]
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 08:55]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL1.SYS [2004-12-09 10:58]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL2.SYS [2004-12-09 10:58]
S3 RAWESR;RAWESR;C:\PROGRA~1\Siemens\TANGOA~1\app\RAWESR.SYS [2004-12-09 10:57]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\Siemens\TANGOA~1\app\TAPBIND1.SYS [2004-12-09 10:58]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-27 11:58]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{984c0484-95bc-11dc-8c5f-00d0f85c4293}]
\Shell\Auto\command - SHE.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SHE.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 01:08:19 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-27 00:13:26 C:\WINDOWS\Tasks\User_Feed_Synchronization-{043D304B-4D60-4C60-8501-16FA4A13E338}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 08:08:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-05-27 8:12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 01:12:24
ComboFix2.txt 2008-05-26 01:51:50
ComboFix3.txt 2008-05-25 00:47:31

Pre-Run: 133,361,426,432 bytes free
Post-Run: 133,349,212,160 bytes free

310 --- E O F --- 2008-05-17 10:15:09

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 27 May 2008 - 01:49 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\She.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{984c0484-95bc-11dc-8c5f-00d0f85c4293}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 27 May 2008 - 09:23 PM

Here is Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 28, 2008 9:16:45 AM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 802914
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\


Scan Statistics:
Total number of scanned objects: 104352
Number of viruses found: 8
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:27:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.19014 Infected: Trojan-PSW.Win32.VB.pv skipped
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-28-2008( 7-29-13 ).LOG Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008052820080529\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NAILogs\UpdaterUI_WIZARDOFOZ.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_WIZARDOFOZ.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_WIZARDOFOZ.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Program Files\BitComet\Downloads\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD.rar/Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD/idman512.exe/wr-1-1796.exe Infected: Trojan-Downloader.Win32.Small.vvk skipped
C:\Program Files\BitComet\Downloads\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD.rar/Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD/idman512.exe Infected: Trojan-Downloader.Win32.Small.vvk skipped
C:\Program Files\BitComet\Downloads\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD.rar RAR: infected - 2 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fccaWQIc.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\volclgdp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.trb skipped
C:\sti.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{97A92ED2-79B8-4B57-BC2F-CA78506E22C3}\RP263\A0034277.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\System Volume Information\_restore{97A92ED2-79B8-4B57-BC2F-CA78506E22C3}\RP270\A0035069.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.e skipped
C:\System Volume Information\_restore{97A92ED2-79B8-4B57-BC2F-CA78506E22C3}\RP270\A0035073.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.e skipped
C:\System Volume Information\_restore{97A92ED2-79B8-4B57-BC2F-CA78506E22C3}\RP271\A0035388.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trb skipped
C:\System Volume Information\_restore{97A92ED2-79B8-4B57-BC2F-CA78506E22C3}\RP272\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\FirePassword.exe Infected: not-a-virus:PSWTool.Win32.FirePass.m skipped
C:\WINDOWS\S7E70B71F.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TangoLite.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\My Documents\My Downloads\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\My Documents\My Downloads\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\My Documents\My Downloads\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\My Documents\My Downloads\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\My Documents\My Downloads\mirc631.exe NSIS: infected - 4 skipped


and here is combofix log:

ComboFix 08-05-21.3 - Administrator 2008-05-28 7:26:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.27.1033.18.1528 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Malware\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\She.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 07:29 . 2008-05-28 07:29 1,626,112 --a------ C:\WINDOWS\system32\nwiz˙.exe
2008-05-26 08:18 . 2008-05-26 08:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 08:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 08:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 07:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 07:32 . 2008-05-25 07:33 <DIR> d-------- C:\Program Files\Java
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-24 07:24 . 2008-05-24 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Deckard
2008-05-23 17:23 . 2008-05-26 08:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 17:23 . 2008-05-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 17:23 . 2008-05-26 08:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-23 17:19 . 2008-05-23 17:24 1,308 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 17:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-23 17:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-23 17:18 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-23 17:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-23 17:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-23 17:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-23 17:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-21 20:26 . 2008-05-21 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\LocalLow
2008-05-08 20:15 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-08 20:15 . 2008-05-08 20:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-08 17:50 . 2008-05-08 17:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-08 17:47 . 2008-05-08 17:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 17:35 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-07 15:29 . 2008-05-07 15:31 14 --a------ C:\WINDOWS\system32\W7409A4F3f481e2F2.bin
2008-05-06 10:20 . 2004-06-18 00:49 51,001 --a------ C:\WINDOWS\system32\ms410215.dll
2008-05-06 10:20 . 2008-05-07 15:33 28,160 --a------ C:\WINDOWS\hwuser.dll
2008-05-06 10:20 . 2008-05-28 07:29 15,103 --a------ C:\WINDOWS\system32\msiclass.dll
2008-04-29 19:56 . 2008-04-29 19:56 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 19:56 . 2008-04-29 19:56 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 00:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DMCache
2008-05-27 10:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-05-27 10:07 --------- d-----w C:\Program Files\mIRC
2008-05-27 01:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-27 00:55 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-05-26 12:04 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\imgpdf2.dll
2008-05-26 01:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 11:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 03:23 --------- d-----w C:\Program Files\AM-DeadLink
2008-05-24 00:59 --------- d-----w C:\Program Files\Y!mLite
2008-05-21 13:26 --------- d-----w C:\Program Files\TVUPlayer
2008-05-21 06:50 --------- d-----w C:\Program Files\IEPro
2008-05-19 11:20 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-19 03:32 --------- d-----w C:\Program Files\English-Thai Software-Dictionary
2008-05-15 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 23:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-08 20:06 --------- d-----w C:\Program Files\Zune
2008-05-07 09:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-06 03:20 --------- d-----w C:\Program Files\Foxit Software
2008-05-02 01:03 --------- d-----w C:\Program Files\Microsoft Works
2008-04-29 12:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-26 11:33 --------- d-----w C:\Program Files\Investintech.com Inc
2008-04-22 07:51 --------- d-----w C:\Program Files\PDF-Convert
2008-04-22 07:50 --------- d-----w C:\Program Files\psconvert
2008-04-20 01:57 --------- d-----w C:\Program Files\EzGenerator3
2008-04-20 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-19 09:29 --------- d-----w C:\Program Files\LimeWire
2008-04-18 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 00:47 --------- d-----w C:\Program Files\Sarm Software
2008-04-16 23:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sarm Software
2008-04-16 23:39 --------- d-----w C:\Program Files\Quicken WillMaker Plus 2007
2008-04-14 08:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_ 7.47.11.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 00:43:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 00:28:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 01:04:29 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-26 01:04:29 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-05-25 00:43:23 1,626,112 ----a-w C:\WINDOWS\system32\nwiz .exe
+ 2008-05-28 00:29:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2008-01-23 06:21 1330432]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-18 18:29 2594224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12 244512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-24 00:30 292152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 05:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 05:03 1655808 C:\WINDOWS\system32\NWIZ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 07:12 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Y!mLite\\ymlite.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\mcoinstall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56000:TCP"= 56000:TCP:Bit Comet
"53500:TCP"= 53500:TCP:BitComet 53500 TCP
"53500:UDP"= 53500:UDP:BitComet 53500 UDP

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-20 16:58]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 07:12]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 21:12]
R3 CnxEtP;Conexant AccessRunner USB ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-09-12 09:26]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-09-12 09:26]
R3 CnxTgN;Conexant AccessRunner USB ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-10-29 14:01]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\system32\DRIVERS\enetnt.sys [2004-09-17 09:21]
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 08:55]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL1.SYS [2004-12-09 10:58]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\Siemens\TANGOA~1\app\NTSTPL2.SYS [2004-12-09 10:58]
S3 RAWESR;RAWESR;C:\PROGRA~1\Siemens\TANGOA~1\app\RAWESR.SYS [2004-12-09 10:57]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\Siemens\TANGOA~1\app\TAPBIND1.SYS [2004-12-09 10:58]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-27 11:58]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 00:28:54 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-27 22:36:32 C:\WINDOWS\Tasks\User_Feed_Synchronization-{043D304B-4D60-4C60-8501-16FA4A13E338}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 07:29:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Siemens\Tango Access Lite\app\TangoService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-05-28 7:33:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-28 00:32:57
ComboFix2.txt 2008-05-27 01:12:28
ComboFix3.txt 2008-05-26 01:51:50
ComboFix4.txt 2008-05-25 00:47:31

Pre-Run: 133,231,296,512 bytes free
Post-Run: 133,211,746,304 bytes free

296 --- E O F --- 2008-05-17 10:15:09

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 28 May 2008 - 09:59 AM

Delete this file.

C:\Program Files\BitComet\Downloads\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD\Internet.Download.Manager.v5.12.11.WinAll.Incl.Keygen.and.Patch-CRD.rar



How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 dthomasss

dthomasss
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 28 May 2008 - 07:47 PM

Everything seems fine now! Is SuperantiSpyware a good utility to keep installed and running?
Thanks for all your help.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:52 PM

Posted 29 May 2008 - 09:59 AM

I like Superantispyware. It does a very thorough job of cleaning up when malware is present. I can't vouch for it's effectiveness at offering real time protection though since I've never used it that way.


Just a few last things and you should be good to go! :)


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image
  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :thumbsup:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users