
When I click on a link after a Google search I don't go to the desired location but to some web site selling something


  • This topic is locked
32 replies to this topic

#1 nonaste

  • Members
  • 27 posts

Posted 10 November 2008 - 11:56 AM

I was infected by some program called supervirus checker 2009 (something worded close to that, can't remember the exact name). I found the solution to that problem on your web site. But now I have the problem described in Topic Title. I performed all the steps in the Preparation Guide but still have the problem. I'm using XP and Firefox, latest edition. Thanks for any help you can offer.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:11 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS.0\System32\PAStiSvc.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS.0\explorer.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS.0\system32\cleanmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS.0\server.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,"C:\WINDOWS.0\server.exe",
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Policies\Explorer\Run: [server] C:\WINDOWS.0\server.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1C1CB5F8-D5A3-4FD9-876C-ECD2BDA32716} - C:\Program Files\Reify Software\Turnabout\turnabout.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: SurfLite Toolbar - {6226ba26-c017-4007-928c-de9715c6fa68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra 'Tools' menuitem: SurfLite Toolbar - {6226ba26-c017-4007-928c-de9715c6fa68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
O18 - Protocol: data - {038664DA-5BA5-47FC-88D9-15ADE940ED55} - C:\Program Files\Reify Software\Turnabout\turnabout.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat?,avgrsstx.dll
O20 - Winlogon Notify: fsp_lmwl - C:\WINDOWS.0\SYSTEM32\fsp_lmwl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS.0\System32\PAStiSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe

--
End of file - 10177 bytes

Edited by nonaste, 10 November 2008 - 12:07 PM.
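An added triage script for the log above (editor's example; it is not a BleepingComputer, HijackThis or SDFix tool). It scans the F2, O4, O20 and O23 lines for the autostart locations this log shows being used: the Winlogon Shell and UserInit values both carrying C:\WINDOWS.0\server.exe, a Policies\Explorer\Run entry for the same file, a DLL other than AVG's in AppInit_DLLs, and a Winlogon Notify package. The sample lines are copied from the log in post #1 with two benign lines added as negatives; the allow-lists (explorer.exe and userinit.exe for Winlogon, avgrsstx.dll as AVG 8's hook) and the treatment of the '?' in the AppInit value are assumptions.

```python
"""Triage a HijackThis v2.0 log for the autostart locations abused by the
search-redirect infection in this thread.  Editor's added example; not a
BleepingComputer, HijackThis or SDFix tool.  Allow-lists are assumptions."""
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log in post #1, plus
# two benign lines (AVG tray, NVIDIA service) so the filters have negatives.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS.0\server.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,"C:\WINDOWS.0\server.exe",
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Policies\Explorer\Run: [server] C:\WINDOWS.0\server.exe
O20 - AppInit_DLLs: karna.dat?,avgrsstx.dll
O20 - Winlogon Notify: fsp_lmwl - C:\WINDOWS.0\SYSTEM32\fsp_lmwl.dll
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS.0\System32\PAStiSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
"""

# On XP the Winlogon Shell value is just explorer.exe and Userinit is just
# userinit.exe (with a trailing comma); any extra executable is a logon hook.
WINLOGON_EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# Assumed allow-list for AppInit_DLLs: avgrsstx.dll is AVG 8's own hook DLL.
APPINIT_ALLOW = {"avgrsstx.dll"}
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def _tokens(value):
    """Split a comma/space list of optionally quoted paths into bare paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]+"|[^,\s]+', value)]


def _base(path):
    return ntpath.basename(path).lower()  # ntpath: Windows separators on any host


def triage(log_text):
    """Return (severity, category, paths, line) tuples, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line, re.I)
        if m:  # Winlogon Shell / Userinit: anything beyond the expected binary
            key = m.group(1).lower()
            extra = [t for t in _tokens(m.group(2)) if _base(t) not in WINLOGON_EXPECTED[key]]
            if extra:
                findings.append(("high", "winlogon-" + key, extra, line))
            continue
        m = re.match(r"O4 - HK\w+\\\.\.\\Policies\\Explorer\\Run: \[[^\]]*\] (.*)", line)
        if m:  # Policies\Explorer\Run is rarely used by legitimate software
            findings.append(("high", "policies-run", _tokens(m.group(1)), line))
            continue
        m = re.match(r"O20 - AppInit_DLLs: (.*)", line)
        if m:  # every DLL listed here is loaded into every user32-linked process
            # Assumption: the '?' in the posted value is an unrenderable byte,
            # not part of the file name, so drop it before matching.
            dlls = [d.strip() for d in m.group(1).replace("?", "").split(",") if d.strip()]
            unknown = [d for d in dlls if d.lower() not in APPINIT_ALLOW]
            if unknown:
                findings.append(("high", "appinit-dll", unknown, line))
            continue
        m = re.match(r"O20 - Winlogon Notify: \S+ - (.*)", line)
        if m:  # notification package DLLs run inside winlogon.exe at logon
            findings.append(("medium", "winlogon-notify", [m.group(1)], line))
            continue
        m = re.match(r"O23 - Service: .* - Unknown owner - (.*)", line)
        if m:  # no company string: review, but unsigned is not proof of malware
            findings.append(("low", "unsigned-service", [m.group(1)], line))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


def suspect_files(findings):
    """Distinct file paths the findings point at, for hashing or submission."""
    return sorted({p for _, _, paths, _ in findings for p in paths})


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sev, cat, paths, _ in result:
        print(f"[{sev:6}] {cat:17} {', '.join(paths)}")
    print("files to inspect:", suspect_files(result))
```

Run it against the whole pasted log rather than the sample and it collapses the three server.exe hits to one path to hash and submit. Services with "Unknown owner" are only flagged for review, since a vendor service that lacks a company string is not malware by itself. It is worth re-running after each cleanup pass: the second HijackThis log later in this thread no longer has the Shell= line or the Policies\Explorer\Run entry, but the UserInit value still references server.exe.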



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 November 2008 - 03:04 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


==================


Please download random's system information tool (RSIT) and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 nonaste
  • Topic Starter

  • Members
  • 27 posts

Posted 11 November 2008 - 06:05 PM




Here is what you requested and thanks for your help. I included a comment after the report and log.


SDFix: Version 1.240
Run by Ray on Wed 11/19/2008 at 03:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSmaxt.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\115430~1 - Deleted
C:\DOCUME~1\RAY\COOKIES\EGEGYSA.SCR - Deleted
C:\Documents and Settings\All Users.WINDOWS.0\Documents\pymazoxore.scr - Deleted
C:\Program Files\Common Files\abaz._sy - Deleted
C:\WINDOWS.0\system32\e2.exe - Deleted
C:\WINDOWS.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 15:43:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Emule\\emule.exe"="C:\\Program Files\\Emule\\emule.exe:*:Enabled:DaZZle Emule Mod"
"C:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"="C:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe:*:Enabled:il2fb"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\rowan\\mig\\Mig.exe"="C:\\rowan\\mig\\Mig.exe:*:Enabled:MIG"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\Steam\\steamapps\\nonaste\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\nonaste\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\nonaste\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\nonaste\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Steam\\steamapps\\nonaste\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\nonaste\\day of defeat source\\hl2.exe:*:Enabled:hl2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS.0\nod32restoretemdono.reg"
Sat 26 Apr 2008 24 ..SH. --- "C:\WINDOWS.0\SCE3C12D1.tmp"
Thu 2 Nov 2006 200,706 A.SHR --- "C:\WINDOWS.0\server.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Fri 12 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 5 May 2003 348,160 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AACMP4.EXE"
Thu 7 Feb 2002 94,208 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\lpaccodec.dll"
Fri 2 Feb 2001 40,960 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\lpac_codec_api.dll"
Mon 12 Apr 2004 212,992 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\OFR.EXE"
Thu 16 Jan 2003 278,528 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PNCRT.dll"
Mon 5 May 2003 16,384 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\RMADEC.EXE"
Fri 24 Nov 2006 4,348 ..SH. --- "C:\SDFix\backups\movedfile.vir\DRM\DRMv1.bak"
Wed 28 Jun 2006 4,348 ..SH. --- "C:\SDFix\backups\movedfile.vir\DRM\DRMv1.key.bak"
Thu 28 Dec 2006 444 A..HR --- "C:\Documents and Settings\Raymond\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 20 Jul 2002 45,056 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AC3\AC3ENC.DLL"
Wed 20 Feb 2002 98,304 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AC3\AZID.DLL"
Fri 11 Apr 2003 73,766 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\atrc3260.dll"
Fri 11 Apr 2003 45,099 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\auth3260.dll"
Fri 11 Apr 2003 65,575 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\cook3260.dll"
Fri 11 Apr 2003 102,437 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv13260.dll"
Fri 11 Apr 2003 176,165 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv23260.dll"
Fri 11 Apr 2003 208,935 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv33260.dll"
Fri 11 Apr 2003 217,127 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv43260.dll"
Tue 15 Apr 2003 976,896 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnen3260.dll"
Fri 11 Apr 2003 348,203 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnvi3260.dll"
Fri 11 Apr 2003 53,289 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnxr3260.dll"
Fri 11 Apr 2003 45,101 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\ramf3260.dll"
Fri 11 Apr 2003 135,213 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rare3260.dll"
Mon 14 Oct 2002 57,344 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rims3290.dll"
Fri 11 Apr 2003 163,885 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmff3260.dll"
Mon 14 Oct 2002 737,280 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmse3290.dll"
Sun 13 Oct 2002 245,760 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmwr3260.dll"
Fri 11 Apr 2003 245,805 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rnlt3260.dll"
Sun 13 Oct 2002 245,760 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rorw3290.dll"
Sun 13 Oct 2002 114,688 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtae3290.dll"
Mon 14 Oct 2002 65,536 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtin3290.dll"
Mon 14 Oct 2002 163,840 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtve3290.dll"
Fri 11 Apr 2003 45,093 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv103260.dll"
Fri 11 Apr 2003 98,341 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv203260.dll"
Fri 11 Apr 2003 94,247 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv303260.dll"
Fri 11 Apr 2003 90,151 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv403260.dll"
Fri 11 Apr 2003 159,785 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rvre3260.dll"
Mon 14 Oct 2002 102,400 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\sipr3260.dll"
Fri 11 Apr 2003 61,485 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\smpl3260.dll"
Fri 11 Apr 2003 106,541 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\vsrl3260.dll"
Fri 11 Apr 2003 86,061 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\xmlp3261.dll"
Fri 11 Apr 2003 159,787 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\zipf3260.dll"
Sun 23 Feb 2003 64,512 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPDEC.EXE"
Fri 25 Oct 2002 79,360 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPENC.EXE"
Mon 4 Mar 2002 352,299 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\AACENC.EXE"
Mon 5 May 2003 348,160 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\AACMP4.EXE"
Mon 4 Mar 2002 221,184 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\FASTENC.EXE"
Thu 6 Sep 2001 688,128 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\IA32MATH.DLL"
Fri 14 Feb 2003 910,152 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Shorten\CYGWIN1.DLL"
Sat 19 Apr 2003 60,928 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Shorten\SHORTEN.EXE"
Wed 8 Oct 2003 75,264 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Speex\speexdec.exe"
Wed 8 Oct 2003 77,312 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Speex\speexenc.exe"
Tue 18 Feb 2003 103,936 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\WavPack\WAVPACK.EXE"
Tue 18 Feb 2003 102,912 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\WavPack\WVUNPACK.EXE"

Finished!



Logfile of random's system information tool 1.04 (written by random/random)
Run by Ray at 2008-11-19 15:48:26
Microsoft Windows XP Professional Service Pack 2
System drive C: has 138 GB (58%) free of 238 GB
Total RAM: 2047 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:49 PM, on 11/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\nHancer\nHancerService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS.0\System32\PAStiSvc.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ray\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,"C:\WINDOWS.0\server.exe",
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1C1CB5F8-D5A3-4FD9-876C-ECD2BDA32716} - C:\Program Files\Reify Software\Turnabout\turnabout.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: SurfLite Toolbar - {6226ba26-c017-4007-928c-de9715c6fa68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra 'Tools' menuitem: SurfLite Toolbar - {6226ba26-c017-4007-928c-de9715c6fa68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
O18 - Protocol: data - {038664DA-5BA5-47FC-88D9-15ADE940ED55} - C:\Program Files\Reify Software\Turnabout\turnabout.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat?,avgrsstx.dll
O20 - Winlogon Notify: fsp_lmwl - C:\WINDOWS.0\SYSTEM32\fsp_lmwl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS.0\System32\PAStiSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe

--
End of file - 10491 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-11-18 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-18 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-18 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
MyIdentityDefender - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2008-11-18 3962184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-18 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-18 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-18 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2006-09-12 4924472]
{6226BA26-C017-4007-928C-DE9715C6FA68} - SurfLite Toolbar - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll [2008-06-07 2404352]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-18 2055960]
{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - MyIdentityDefender - C:\Documents and Settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2008-11-18 3962184]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-18 262144]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS.0\system32\NvCpl.dll [2008-08-15 13570048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44cd49b8]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2007-10-30 140568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2007-10-30 909208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe [2001-05-22 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe [2001-05-22 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-18 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS.0\system32\ctfmon.exe [2006-01-12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [2005-10-31 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTXFIREG]
CTxfiReg.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Maxtor\MaxBlast\DiscWizardMonitor.exe [2007-04-19 1169744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IconixOEAddOn]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2006-03-20 213936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS.0\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Driver]
skfhost.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe [2007-04-19 1169720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaturalPoint]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS.0\system32\NvCpl.dll [2008-08-15 13570048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS.0\system32\NvMcTray.dll [2008-08-15 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe [2008-07-03 1684480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2007-07-23 144448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-18 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
C:\Program Files\TrojanHunter 5.0\THGuard.exe [2007-10-10 1046688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2007-10-30 2595616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS.0\UpdReg.EXE [2000-05-10 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
C:\PROGRA~1\MIGHTY~1\MFNTCTL.EXE [2005-07-27 513536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Privoxy.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat?,avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fsp_lmwl]
C:\WINDOWS.0\system32\fsp_lmwl.dll [2007-06-12 44400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap
C:\WINDOWS.0\system32\awtrOiJB

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Emule\emule.exe"="C:\Program Files\Emule\emule.exe:*:Enabled:DaZZle Emule Mod"
"C:\Program Files\Ubisoft\IL-2 Sturmovik 1946\il2fb.exe"="C:\Program Files\Ubisoft\IL-2 Sturmovik 1946\il2fb.exe:*:Enabled:il2fb"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe"="C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe"="C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe"="C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi"
"C:\rowan\mig\Mig.exe"="C:\rowan\mig\Mig.exe:*:Enabled:MIG"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\InterVideo\DVD8\WinDVD.exe"="C:\Program Files\InterVideo\DVD8\WinDVD.exe:*:Enabled:WinDVD"
"C:\Program Files\Steam\steamapps\nonaste\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\nonaste\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\nonaste\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Steam\steamapps\nonaste\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Steam\steamapps\nonaste\day of defeat source\hl2.exe"="C:\Program Files\Steam\steamapps\nonaste\day of defeat source\hl2.exe:*:Enabled:hl2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adee6e49-fbe5-11dc-aaec-00508dcb517d}]
shell\AutoRun\command - F:\TVCenterPro.exe -autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adee6e4a-fbe5-11dc-aaec-00508dcb517d}]
shell\AutoRun\command - G:\TVCenterPro.exe -autorun
shell\Shell01\command - G:\TVCenterPro.exe
shell\Shell02\command - G:\TVCenterProSettings.exe


======List of files/folders created in the last 1 months======

2008-11-19 15:48:26 ----D---- C:\rsit
2008-11-19 15:18:40 ----D---- C:\WINDOWS.0\ERUNT
2008-11-19 15:16:45 ----A---- C:\WINDOWS.0\ntbtlog.txt
2008-11-19 15:13:48 ----D---- C:\SDFix
2008-11-19 06:47:37 ----HDC---- C:\WINDOWS.0\$NtUninstallKB912919$
2008-11-18 17:53:12 ----A---- C:\WINDOWS.0\system32\deploytk.dll
2008-11-18 17:53:11 ----A---- C:\WINDOWS.0\system32\javaws.exe
2008-11-18 17:53:11 ----A---- C:\WINDOWS.0\system32\javaw.exe
2008-11-18 17:53:11 ----A---- C:\WINDOWS.0\system32\java.exe
2008-11-18 09:46:56 ----D---- C:\Program Files\Trend Micro
2008-11-18 09:18:29 ----D---- C:\Program Files\ZoneAlarmSB
2008-11-18 09:16:22 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\MailFrontier
2008-11-18 09:15:53 ----A---- C:\WINDOWS.0\zllsputility.exe
2008-11-18 09:15:52 ----A---- C:\WINDOWS.0\system32\SpOrder.dll
2008-11-18 09:15:36 ----A---- C:\WINDOWS.0\system32\vsregexp.dll
2008-11-18 09:15:36 ----A---- C:\WINDOWS.0\system32\libeay32_0.9.6l.dll
2008-11-18 09:15:25 ----A---- C:\WINDOWS.0\system32\zlcommdb.dll
2008-11-18 09:15:25 ----A---- C:\WINDOWS.0\system32\zlcomm.dll
2008-11-18 09:15:20 ----A---- C:\WINDOWS.0\system32\vswmi.dll
2008-11-18 09:15:19 ----D---- C:\WINDOWS.0\system32\ZoneLabs
2008-11-18 09:15:19 ----D---- C:\Program Files\Zone Labs
2008-11-18 09:15:19 ----A---- C:\WINDOWS.0\system32\zpeng24.dll
2008-11-18 09:15:19 ----A---- C:\WINDOWS.0\system32\vsxml.dll
2008-11-18 09:15:19 ----A---- C:\WINDOWS.0\system32\vspubapi.dll
2008-11-18 09:15:19 ----A---- C:\WINDOWS.0\system32\vsmonapi.dll
2008-11-18 09:14:47 ----D---- C:\WINDOWS.0\Internet Logs
2008-11-18 09:14:47 ----A---- C:\WINDOWS.0\system32\vsutil.dll
2008-11-18 09:14:47 ----A---- C:\WINDOWS.0\system32\vsinit.dll
2008-11-18 09:14:47 ----A---- C:\WINDOWS.0\system32\vsdata.dll
2008-11-18 04:37:50 ----HD---- C:\$AVG8.VAULT$
2008-11-18 04:20:49 ----A---- C:\WINDOWS.0\system32\avgrsstx.dll
2008-11-18 04:20:41 ----D---- C:\Documents and Settings\Ray\Application Data\AVGTOOLBAR
2008-11-18 04:20:36 ----D---- C:\Program Files\AVG
2008-11-17 12:26:52 ----D---- C:\Program Files\TrojanHunter 5.0
2008-11-17 11:04:15 ----D---- C:\Documents and Settings\Ray\Application Data\Malwarebytes
2008-11-17 11:03:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-17 11:03:35 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-11-17 06:56:13 ----A---- C:\WINDOWS.0\system32\4fee8dc6-.txt
2008-11-17 06:55:18 ----SHD---- C:\WINDOWS.0\CSC
2008-11-17 06:21:14 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ESET
2008-11-17 06:02:49 ----A---- C:\WINDOWS.0\ixicytuwib.bat
2008-11-17 05:53:15 ----D---- C:\CloneDVDTemp
2008-11-17 05:51:12 ----D---- C:\Program Files\IESurfBar
2008-11-17 05:50:41 ----D---- C:\Program Files\Reify Software
2008-11-17 05:50:40 ----A---- C:\raeogcjp.exe
2008-11-17 04:38:48 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Avg8
2008-11-16 20:53:59 ----SHD---- C:\WINDOWS.0\ftpcache
2008-11-11 13:49:23 ----A---- C:\WINDOWS.0\system32\hidserv.dll
2008-11-11 13:09:27 ----A---- C:\WINDOWS.0\system32\SaiCfg.dll
2008-11-11 13:09:27 ----A---- C:\WINDOWS.0\system32\REnum.exe
2008-11-11 13:09:27 ----A---- C:\WINDOWS.0\system32\PrfAct.exe
2008-11-11 13:09:27 ----A---- C:\WINDOWS.0\system32\NX.exe
2008-11-11 07:51:41 ----D---- C:\Program Files\KALiNKOsoft
2008-11-11 07:42:17 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Innovative Solutions
2008-11-11 07:42:03 ----D---- C:\Program Files\Innovative Solutions
2008-11-03 05:15:16 ----D---- C:\Documents and Settings\Ray\Application Data\KALiNKOsoft
2008-11-03 05:13:21 ----N---- C:\WINDOWS.0\system32\ADsSecurity.dll
2008-11-03 05:13:21 ----A---- C:\WINDOWS.0\system32\zlib.dll
2008-11-03 05:13:21 ----A---- C:\WINDOWS.0\system32\VB5DB.DLL
2008-11-03 05:13:21 ----A---- C:\WINDOWS.0\system32\SSubTmr6.dll
2008-11-03 05:13:21 ----A---- C:\WINDOWS.0\system32\dxinputdll.dll
2008-11-03 05:13:21 ----A---- C:\WINDOWS.0\system32\capicom.dll
2008-10-29 15:59:19 ----D---- C:\Program Files\KeyTweak
2008-10-29 09:52:15 ----D---- C:\Program Files\THQ
2008-10-27 04:29:08 ----D---- C:\Program Files\7-Zip
2008-10-24 09:49:43 ----D---- C:\Documents and Settings\Ray\Application Data\Gearbox Software
2008-10-24 03:34:46 ----D---- C:\Program Files\Common Files\EasyInfo
2008-10-24 03:12:35 ----D---- C:\Program Files\EA GAMES
2008-10-21 08:51:48 ----A---- C:\WINDOWS.0\system32\kbdkor.dll
2008-10-21 08:51:48 ----A---- C:\WINDOWS.0\system32\kbdjpn.dll
2008-10-21 08:51:48 ----A---- C:\WINDOWS.0\system32\kbd106.dll
2008-10-21 08:51:48 ----A---- C:\WINDOWS.0\system32\kbd103.dll
2008-10-21 08:51:48 ----A---- C:\WINDOWS.0\system32\kbd101c.dll
2008-10-21 08:51:48 ----A---- C:\WINDOWS.0\system32\kbd101b.dll

======List of files/folders modified in the last 1 months======

2008-11-19 15:48:49 ----D---- C:\WINDOWS.0\Temp
2008-11-19 15:46:36 ----D---- C:\Program Files\Mozilla Firefox
2008-11-19 15:40:54 ----D---- C:\WINDOWS.0
2008-11-19 15:39:23 ----D---- C:\Documents and Settings
2008-11-19 15:23:26 ----D---- C:\WINDOWS.0\system32
2008-11-19 15:23:26 ----D---- C:\Program Files\Common Files
2008-11-19 15:21:06 ----D---- C:\WINDOWS.0\system32\DllCache
2008-11-19 15:15:45 ----D---- C:\WINDOWS.0\system32\CatRoot2
2008-11-19 15:15:09 ----D---- C:\Documents and Settings\Ray\Application Data\SiteAdvisor
2008-11-19 15:10:50 ----D---- C:\Program Files\Mozilla Thunderbird
2008-11-19 09:26:07 ----D---- C:\Program Files\Steam
2008-11-19 06:47:41 ----HD---- C:\WINDOWS.0\inf
2008-11-19 06:47:27 ----HD---- C:\WINDOWS.0\$hf_mig$
2008-11-19 04:21:20 ----D---- C:\Documents and Settings\Ray\Application Data\Azureus
2008-11-19 03:15:34 ----D---- C:\Documents and Settings\Ray\Application Data\MailWasherPro
2008-11-19 03:14:09 ----RSH---- C:\boot.ini
2008-11-19 03:14:09 ----AC---- C:\WINDOWS.0\win.ini
2008-11-19 03:14:09 ----AC---- C:\WINDOWS.0\system.ini
2008-11-18 19:06:10 ----D---- C:\WINDOWS.0\system32\drivers
2008-11-18 17:53:01 ----SHD---- C:\WINDOWS.0\Installer
2008-11-18 17:53:01 ----D---- C:\Program Files\Java
2008-11-18 09:46:56 ----RD---- C:\Program Files
2008-11-18 07:36:33 ----D---- C:\Documents and Settings\Ray\Application Data\Spyware Terminator
2008-11-18 04:19:33 ----D---- C:\Documents and Settings\Ray\Application Data\Microsoft
2008-11-18 03:56:06 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
2008-11-18 03:49:51 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-17 17:55:45 ----D---- C:\Documents and Settings\Ray\Application Data\Mozilla
2008-11-17 16:39:41 ----SD---- C:\WINDOWS.0\Downloaded Program Files
2008-11-17 16:02:02 ----D---- C:\Program Files\PeerGuardian2
2008-11-17 10:51:01 ----D---- C:\Program Files\Spyware Terminator
2008-11-17 10:10:41 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Spyware Terminator
2008-11-17 09:49:26 ----A---- C:\WINDOWS.0\DUMP2b46.tmp
2008-11-17 09:26:41 ----A---- C:\WINDOWS.0\DUMP2c5f.tmp
2008-11-17 07:25:58 ----A---- C:\WINDOWS.0\DUMP2f8b.tmp
2008-11-17 06:32:09 ----SHD---- C:\RECYCLER
2008-11-17 06:21:14 ----D---- C:\Program Files\ESET
2008-11-17 05:54:18 ----D---- C:\Tech stuff
2008-11-17 05:47:42 ----D---- C:\Program Files\Elaborate Bytes
2008-11-17 04:48:56 ----D---- C:\Program Files\TrojanHunter 4.7
2008-11-16 20:35:40 ----D---- C:\WINDOWS.0\WinSxS
2008-11-16 20:29:34 ----AD---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\TEMP
2008-11-16 20:28:16 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Kaspersky Lab
2008-11-15 19:49:36 ----D---- C:\Program Files\HyperLobbyPro3
2008-11-12 07:56:00 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-12 07:55:58 ----DC---- C:\WINDOWS.0\system32\DRVSTORE
2008-11-12 07:55:58 ----D---- C:\WINDOWS.0\Help
2008-11-11 13:47:10 ----D---- C:\Program Files\Saitek
2008-11-11 13:43:24 ----A---- C:\WINDOWS.0\DUMP34db.tmp
2008-11-11 13:33:05 ----A---- C:\WINDOWS.0\DUMP2a3c.tmp
2008-11-11 13:28:20 ----AC---- C:\WINDOWS.0\DUMP2896.tmp
2008-11-02 11:02:28 ----D---- C:\WINDOWS.0\system32\ReinstallBackups
2008-11-01 20:53:36 ----RD---- C:\Mp3
2008-10-31 03:32:36 ----AC---- C:\WINDOWS.0\NeroDigital.ini
2008-10-29 09:52:52 ----D---- C:\WINDOWS.0\system32\DirectX
2008-10-27 09:52:09 ----D---- C:\Program Files\Ubisoft
2008-10-27 03:07:08 ----D---- C:\Program Files\InterActual
2008-10-21 14:43:27 ----AC---- C:\WINDOWS.0\ModemLog_Smart Link 56K Voice Modem.txt
2008-10-21 14:38:50 ----AC---- C:\WINDOWS.0\MFPD.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS.0\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS.0\System32\Drivers\avgldx86.sys [2008-11-18 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS.0\System32\Drivers\avgmfx86.sys [2008-11-18 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS.0\system32\DRIVERS\intelppm.sys [2006-01-12 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS.0\system32\DRIVERS\kbdhid.sys [2006-01-06 14848]
R1 KLIF;KLIF; C:\WINDOWS.0\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 PCLEPCI;PCLEPCI; \??\C:\WINDOWS.0\system32\drivers\pclepci.sys []
R1 vsdatant;vsdatant; C:\WINDOWS.0\System32\vsdatant.sys [2008-07-09 394952]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS.0\System32\Drivers\avgtdix.sys [2008-11-18 76040]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS.0\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS.0\system32\DRIVERS\tifsfilt.sys [2008-02-03 44384]
R2 tmcomm;tmcomm; \??\C:\WINDOWS.0\system32\drivers\tmcomm.sys []
R3 AnyDVD;AnyDVD; C:\WINDOWS.0\System32\Drivers\AnyDVD.sys [2008-04-10 97728]
R3 catchme;catchme; \??\C:\DOCUME~1\Ray\LOCALS~1\Temp\catchme.sys []
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS.0\system32\DRIVERS\ctsfm2k.sys [2005-12-08 142336]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS.0\system32\DRIVERS\hidusb.sys [2006-01-06 9600]
R3 LMPC4;LMPC4; C:\WINDOWS.0\system32\drivers\LMPC4.sys [2007-02-21 10096]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS.0\system32\drivers\MODEMCSA.sys [2006-01-06 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS.0\system32\DRIVERS\mouhid.sys [2006-01-12 12160]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS.0\system32\DRIVERS\SLDRV\Mtlmnt5.sys [2005-05-10 237616]
R3 npusbio;npusbio; C:\WINDOWS.0\System32\Drivers\npusbio.sys [2008-01-11 36384]
R3 nv;nv; C:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys [2008-08-15 6121504]
R3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS.0\nvoclock.sys []
R3 ossrv;Creative OS Services Driver; C:\WINDOWS.0\system32\DRIVERS\ctoss2k.sys [2005-12-08 114688]
R3 P17;Sound Blaster Audigy; C:\WINDOWS.0\system32\drivers\P17.sys [2006-03-17 1163264]
R3 p17filt;p17filt; C:\WINDOWS.0\system32\drivers\p17filt.sys [2006-03-20 1452032]
R3 RTL8023;corega PCI-GT NT Driver; C:\WINDOWS.0\system32\DRIVERS\corega5.sys [2003-10-08 65280]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS.0\system32\DRIVERS\SLDRV\slntamr.sys [2005-05-10 698848]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS.0\system32\DRIVERS\SLDRV\SlWdmSup.sys [2005-05-10 13248]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS.0\system32\DRIVERS\usbccgp.sys [2006-01-06 31744]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbehci.sys [2006-01-12 27008]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS.0\system32\DRIVERS\usbhub.sys [2006-01-12 57856]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS.0\system32\DRIVERS\usbprint.sys [2006-01-06 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbuhci.sys [2006-01-12 20480]
S1 5ea275fb;5ea275fb; C:\WINDOWS.0\System32\drivers\5ea275fb.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS.0\system32\DRIVERS\CCDECODE.sys [2006-01-06 17024]
S3 gmer;gmer; C:\WINDOWS.0\System32\DRIVERS\gmer.sys [2007-07-23 83889]
S3 ICAM3NT5;Intel® PC Camera CS331; C:\WINDOWS.0\System32\Drivers\ICAM3D2.SYS [2001-07-18 145184]
S3 MagicTune;MagicTune; C:\WINDOWS.0\system32\drivers\MTiCtwl.sys []
S3 MPE;BDA MPE Filter; C:\WINDOWS.0\system32\DRIVERS\MPE.sys [2006-01-06 15360]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS.0\system32\drivers\MSTEE.sys [2006-01-06 5504]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS.0\system32\DRIVERS\SLDRV\Mtlstrm.sys [2005-05-10 1464848]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS.0\system32\DRIVERS\NABTSFEC.sys [2006-01-06 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS.0\system32\DRIVERS\NdisIP.sys [2006-01-06 10880]
S3 NPF;Netgroup Packet Filter; C:\WINDOWS.0\system32\drivers\npf.sys [2007-12-17 42512]
S3 NPUSB;NPUSB; C:\WINDOWS.0\system32\DRIVERS\npusb.sys [2007-03-23 22816]
S3 PAC207;Webcam Basic; C:\WINDOWS.0\system32\DRIVERS\pfc027.sys [2005-04-08 162176]
S3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.08\RivaTuner32.sys []
S3 SaiClass;SaiClass; C:\WINDOWS.0\system32\drivers\SaiNtBus.sys [2003-04-10 26368]
S3 SaiH0109;SaiH0109; C:\WINDOWS.0\system32\DRIVERS\SaiH0109.sys [2007-05-01 132232]
S3 SaiMini;SaiMini; C:\WINDOWS.0\system32\drivers\SaiMini.sys [2007-10-05 14080]
S3 SaiNtBus;SaiNtBus; C:\WINDOWS.0\system32\drivers\SaiBus.sys [2007-10-05 35200]
S3 SaiNtHid;SaiNtHid; C:\WINDOWS.0\system32\DRIVERS\SaiNtHid.sys [2003-04-10 48384]
S3 SaiNtSub;SaiNtSub; C:\WINDOWS.0\system32\DRIVERS\SaiNtSub.sys [2003-04-10 19200]
S3 SaiU0109;SaiU0109; C:\WINDOWS.0\system32\DRIVERS\SaiU0109.sys [2007-05-01 28416]
S3 SIVDRIVER;SIV Kernel Driver; \??\C:\WINDOWS.0\system32\Drivers\SIVX32.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS.0\system32\DRIVERS\SLIP.sys [2006-01-06 11136]
S3 SlNtHal;SlNtHal; C:\WINDOWS.0\system32\DRIVERS\SLDRV\Slnthal.sys [2005-05-10 101328]
S3 streamip;BDA IPSink; C:\WINDOWS.0\system32\DRIVERS\StreamIP.sys [2006-01-06 15360]
S3 USB28xxBGA;PCTV 330e/8x0e Device; C:\WINDOWS.0\system32\DRIVERS\emBDA.sys [2007-08-07 476288]
S3 USB28xxOEM;USB 28xx OEM Filter; C:\WINDOWS.0\system32\DRIVERS\emOEM.sys [2007-08-07 38656]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2006-01-06 26368]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS.0\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS.0\system32\DRIVERS\WSTCODEC.SYS [2006-01-06 19328]
S4 IntelIde;IntelIde; C:\WINDOWS.0\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS.0\system32\DRIVERS\sr.sys [2006-01-12 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS.0\System32\drivers\ws2ifsl.sys [2006-01-12 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2007-10-30 427288]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-11-18 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-18 231704]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-18 152984]
R2 nHancer;nHancer Support; C:\Program Files\nHancer\nHancerService.exe [2007-10-31 20480]
R2 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-09-04 131072]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS.0\system32\nvsvc32.exe [2008-08-15 163908]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2008-08-22 570880]
R2 STI Simulator;STI Simulator; C:\WINDOWS.0\System32\PAStiSvc.exe [2005-01-14 53248]
R2 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 492720]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
S3 aawservice;Ad-Aware 2007 Service; C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [2007-10-29 587096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2007-10-16 1094936]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-21 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS.0\system32\wdfmgr.exe [2006-01-12 38912]

-----------------EOF-----------------

Also, I don't know if this will help, but after running those programs I opened up Firefox and did a Google search on Trojans. I clicked on some of the sites and went directly to them. However, the Wikilink took me to advertisement sites. I went to a different place with each click. Two of the URLs I could see flashing by at the bottom of the browser were "125search.com" and "vfsearch.com". The third one flashed by too quickly to catch. So I guess I still have a problem, although not as serious as before.

Another curious thing is if I did the web search in AVG's toolbar in the browser and clicked on the links AVG provided I went to the selected site with no misdirections.

Edited by nonaste, 11 November 2008 - 06:07 PM.
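The service and driver lines in the RSIT log above follow one fixed layout (`S3 name;description; path [yyyy-mm-dd size]`), and ComboFix prints its own driver listing the same way without the space after the `;`. That makes them easy to triage mechanically before a helper reads them by eye. The following Python is an added example, not part of this thread, of RSIT or of ComboFix: it parses that layout and flags entries worth a second look. The sample log is constructed to mirror the thread (three legitimate drivers whose `[]` metadata is empty because the tool could not stat them, plus a zero-byte driver with an eight-hex-digit name). The scoring weights and the "hex name" heuristic are my own assumptions, not anything either tool defines.

```python
"""Triage the service/driver listing that RSIT and ComboFix produce.

Added example (not from the thread, RSIT or ComboFix). Listing lines look like
    <R|S><0-4> <name>;<description>; <path> [<yyyy-mm-dd> <size>]
R/S = running/stopped, 0-4 = boot/system/auto/demand/disabled; an empty []
means the tool could not read the file's timestamp and size.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
META_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+)$")
# Eight or more hex digits and nothing else: the shape of auto-generated
# names such as 5ea275fb, which legitimate vendors rarely use.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
DRIVER_DIR = "\\system32\\drivers\\"

# Assumed weights: a zero-byte driver or a hex name is a strong signal;
# missing metadata or an unusual path on its own is only a prompt to look.
WEIGHTS = {
    "zero-byte image file": 3,
    "auto-generated-looking hex name": 3,
    "no file metadata (missing or unreadable when the log was made)": 1,
    "kernel driver (.sys) outside system32\\drivers": 1,
}


@dataclass
class Entry:
    state: str
    start: int
    name: str
    desc: str
    path: str
    date: Optional[str]
    size: Optional[int]


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str]
    score: int


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, size = None, None
    mm = META_RE.match(m.group("meta").strip())
    if mm:
        date, size = mm.group(1), int(mm.group(2))
    path = m.group("path").strip()
    if path.startswith("\\??\\"):        # NT object-manager prefix; drop it
        path = path[4:]
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("desc").strip(), path, date, size)


def check_entry(e: Entry) -> List[str]:
    """Reasons an entry deserves a second look (empty list = nothing seen)."""
    reasons = []
    if e.size is None:
        reasons.append("no file metadata (missing or unreadable when the log was made)")
    elif e.size == 0:
        reasons.append("zero-byte image file")
    if HEX_NAME_RE.match(e.name):
        reasons.append("auto-generated-looking hex name")
    low = e.path.lower()
    if low.endswith(".sys") and DRIVER_DIR not in low:
        reasons.append("kernel driver (.sys) outside system32\\drivers")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every listing line and return the findings, strongest first."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = check_entry(e)
        if reasons:
            findings.append(Finding(e.name, e.path, reasons,
                                    sum(WEIGHTS[r] for r in reasons)))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample modelled on this thread: RSIT style (space after ';')
# and ComboFix style (no space) side by side.
SAMPLE_LOG = r"""
S3 NPF;Netgroup Packet Filter; C:\WINDOWS.0\system32\drivers\npf.sys [2007-12-17 42512]
S3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.08\RivaTuner32.sys []
S3 SIVDRIVER;SIV Kernel Driver; \??\C:\WINDOWS.0\system32\Drivers\SIVX32.sys []
S4 IntelIde;IntelIde; C:\WINDOWS.0\system32\drivers\IntelIde.sys []
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-18 231704]
S1 5ea275fb;5ea275fb;c:\windows.0\system32\drivers\5ea275fb.sys [2008-11-17 0]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the sample, the zero-byte `5ea275fb` entry comes out on top with a score of 6, while RivaTuner32, SIVDRIVER and IntelIde score 1 or 2 purely because their metadata is empty; that is the caveat the weights encode, since an empty `[]` by itself is common for tools that register drivers from their own install directory and proves nothing.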


#4 Buckeye_Sam (Malware Expert)

Posted 11 November 2008 - 06:19 PM

Please visit the online Jotti Virus Scanner
  • Click on Posted Image button.
  • Copy and paste the following filepath in the box:


    C:\WINDOWS.0\server.exe


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 nonaste (Topic Starter)

Posted 11 November 2008 - 07:09 PM


Here is what you requested:

Scan taken on 12 Nov 2008 00:07:37 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Backdoor:W32/Agent.DJF
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

#6 Buckeye_Sam (Malware Expert)

Posted 11 November 2008 - 07:27 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this.


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#7 nonaste (Topic Starter)

Posted 11 November 2008 - 08:20 PM


Here's what you requested:

ComboFix 08-11-10.01 - Ray 2008-11-19 18:11:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1090 [GMT -7:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows.0\server.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-19 15:48 . 2008-11-19 15:48 <DIR> d-------- C:\rsit
2008-11-19 15:21 . 2008-11-19 15:21 577,024 --a------ c:\windows.0\system32\DllCache\user32.dll
2008-11-19 15:18 . 2008-11-19 15:18 <DIR> d-------- c:\windows.0\ERUNT
2008-11-19 15:13 . 2008-11-19 15:44 <DIR> d-------- C:\SDFix
2008-11-18 19:06 . 2008-11-19 18:11 1,435,680 --ahs---- c:\windows.0\system32\drivers\fidbox.dat
2008-11-18 19:06 . 2008-11-19 15:15 16,604 --ahs---- c:\windows.0\system32\drivers\fidbox.idx
2008-11-18 17:53 . 2008-11-18 17:53 410,976 --a------ c:\windows.0\system32\deploytk.dll
2008-11-18 17:53 . 2008-11-18 17:53 73,728 --a------ c:\windows.0\system32\javacpl.cpl
2008-11-18 09:46 . 2008-11-18 09:46 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 09:18 . 2008-11-18 09:18 <DIR> d-------- c:\program files\ZoneAlarmSB
2008-11-18 09:16 . 2008-11-18 09:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\MailFrontier
2008-11-18 09:16 . 2008-11-18 19:13 4,212 ---h----- c:\windows.0\system32\zllictbl.dat
2008-11-18 09:15 . 2008-11-18 09:15 <DIR> d-------- c:\program files\Zone Labs
2008-11-18 09:14 . 2008-11-19 16:21 <DIR> d-------- c:\windows.0\Internet Logs
2008-11-18 04:37 . 2008-11-19 11:27 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-18 04:20 . 2008-11-18 04:22 <DIR> d-------- c:\windows.0\system32\drivers\Avg
2008-11-18 04:20 . 2008-11-18 04:20 <DIR> d-------- c:\program files\AVG
2008-11-18 04:20 . 2008-11-18 07:16 <DIR> d-------- c:\documents and settings\Ray\Application Data\AVGTOOLBAR
2008-11-18 04:20 . 2008-11-18 04:20 97,928 --a------ c:\windows.0\system32\drivers\avgldx86.sys
2008-11-18 04:20 . 2008-11-18 04:20 76,040 --a------ c:\windows.0\system32\drivers\avgtdix.sys
2008-11-18 04:20 . 2008-11-18 04:20 10,520 --a------ c:\windows.0\system32\avgrsstx.dll
2008-11-17 12:26 . 2008-11-18 06:49 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-11-17 11:04 . 2008-11-17 11:04 <DIR> d-------- c:\documents and settings\Ray\Application Data\Malwarebytes
2008-11-17 11:03 . 2008-11-17 11:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-17 11:03 . 2008-11-17 11:03 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-11-17 11:03 . 2008-10-22 16:27 38,496 --a------ c:\windows.0\system32\drivers\mbamswissarmy.sys
2008-11-17 11:03 . 2008-10-22 16:27 15,504 --a------ c:\windows.0\system32\drivers\mbam.sys
2008-11-17 06:41 . 2008-03-03 14:25 5,702 --ah----- c:\windows.0\nod32restoretemdono.reg
2008-11-17 06:21 . 2008-11-17 06:21 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\ESET
2008-11-17 06:02 . 2008-11-17 06:02 19,980 --a------ c:\windows.0\dary.lib
2008-11-17 06:02 . 2008-11-17 06:02 19,681 --a------ c:\windows.0\leryxeh.sys
2008-11-17 06:02 . 2008-11-17 06:02 19,093 --a------ c:\windows.0\system32\ucur.sys
2008-11-17 06:02 . 2008-11-17 06:02 17,343 --a------ c:\documents and settings\All Users.WINDOWS.0\Application Data\yxodepyp.reg
2008-11-17 06:02 . 2008-11-17 06:02 17,113 --a------ c:\windows.0\sawajumo.reg
2008-11-17 06:02 . 2008-11-17 06:02 16,679 --a------ c:\windows.0\xofinu.inf
2008-11-17 06:02 . 2008-11-17 06:02 15,887 --a------ c:\windows.0\system32\vuwyrycex.sys
2008-11-17 06:02 . 2008-11-17 06:02 15,736 --a------ c:\documents and settings\Ray\Application Data\eneqox.dat
2008-11-17 06:02 . 2008-11-17 06:02 15,419 --a------ c:\windows.0\ixicytuwib.bat
2008-11-17 06:02 . 2008-11-17 06:02 15,069 --a------ c:\documents and settings\Ray\Application Data\jegi.dat
2008-11-17 06:02 . 2008-11-17 06:02 14,991 --a------ c:\windows.0\ofyqepujyf.ban
2008-11-17 06:02 . 2008-11-17 06:02 14,902 --a------ c:\windows.0\yloqi.reg
2008-11-17 06:02 . 2008-11-17 06:02 14,091 --a------ c:\windows.0\system32\adudatok.sys
2008-11-17 06:02 . 2008-11-17 06:02 13,100 --a------ c:\documents and settings\All Users.WINDOWS.0\Application Data\mutehuwi.sys
2008-11-17 06:02 . 2008-11-17 06:02 11,075 --a------ c:\windows.0\erol.bin
2008-11-17 06:02 . 2008-11-17 06:02 10,424 --a------ c:\windows.0\system32\ugaq.db
2008-11-17 05:53 . 2008-11-17 05:53 <DIR> d-------- C:\CloneDVDTemp
2008-11-17 05:51 . 2008-11-17 05:51 <DIR> d-------- c:\program files\IESurfBar
2008-11-17 05:50 . 2008-11-17 05:50 <DIR> d-------- c:\program files\Reify Software
2008-11-17 05:50 . 2008-11-17 05:50 166,515 --a------ C:\raeogcjp.exe
2008-11-17 05:50 . 2008-11-17 06:46 0 --a------ c:\windows.0\system32\drivers\5ea275fb.sys
2008-11-17 04:38 . 2008-11-18 04:20 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Avg8
2008-11-16 20:53 . 2008-11-16 20:53 <DIR> d--hs---- c:\windows.0\ftpcache
2008-11-16 17:18 . 2008-02-18 09:26 102,664 --a------ c:\windows.0\system32\drivers\tmcomm.sys
2008-11-11 13:49 . 2006-01-06 15:53 21,504 --a------ c:\windows.0\system32\hidserv.dll
2008-11-11 13:09 . 2003-03-27 16:01 184,320 --a------ c:\windows.0\system32\PrfAct.exe
2008-11-11 13:09 . 2003-04-10 11:45 106,496 --a------ c:\windows.0\system32\SaiCfg.dll
2008-11-11 13:09 . 2003-04-10 11:53 102,400 --a------ c:\windows.0\system32\NX.exe
2008-11-11 13:09 . 2003-04-10 11:42 48,384 --a------ c:\windows.0\system32\drivers\SaiNtHid.sys
2008-11-11 13:09 . 2003-04-10 11:41 26,368 --a------ c:\windows.0\system32\drivers\SaiNtBus.sys
2008-11-11 13:09 . 2003-04-10 11:42 19,200 --a------ c:\windows.0\system32\drivers\saintsub.sys
2008-11-11 13:09 . 2007-10-05 10:19 14,080 --a------ c:\windows.0\system32\drivers\SaiMini.sys
2008-11-11 13:09 . 2003-02-06 09:20 6,656 --a------ c:\windows.0\system32\REnum.exe
2008-11-11 07:51 . 2008-11-11 07:51 <DIR> d-------- c:\program files\KALiNKOsoft
2008-11-11 07:42 . 2008-11-11 07:42 <DIR> d-------- c:\program files\Innovative Solutions
2008-11-11 07:42 . 2008-11-11 07:42 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Innovative Solutions
2008-11-03 05:16 . 2008-11-03 05:16 57 -ra------ c:\windows.0\amunres.lsl
2008-11-03 05:15 . 2008-11-03 05:15 <DIR> d-------- c:\documents and settings\Ray\Application Data\KALiNKOsoft
2008-11-03 05:13 . 1998-06-24 02:00 164,144 --a------ c:\windows.0\system32\comct232.ocx
2008-11-03 05:13 . 2008-11-11 07:19 119,296 --a------ c:\windows.0\system32\zlib.dll
2008-11-03 05:13 . 1998-06-18 01:00 89,360 --a------ c:\windows.0\system32\VB5DB.DLL
2008-11-03 05:13 . 1999-05-17 14:55 57,344 --------- c:\windows.0\system32\ADsSecurity.dll
2008-11-03 05:13 . 2002-08-09 12:18 45,056 --------- c:\windows.0\system32\NTSVC.ocx
2008-11-03 05:13 . 2003-01-26 14:41 40,960 --a------ c:\windows.0\system32\SSubTmr6.dll
2008-11-03 05:13 . 2008-01-13 20:59 36,864 --a------ c:\windows.0\system32\dxinputdll.dll
2008-11-03 05:13 . 1999-03-12 02:20 18,728 --------- c:\windows.0\system32\ISHF_Ex.tlb
2008-11-03 05:13 . 1998-03-18 17:45 8,096 --------- c:\windows.0\system32\OLEGUIDS.TLB
2008-11-02 11:02 . 2007-05-01 15:45 3,488 -ra------ c:\windows.0\system32\SaiD0109.pr0
2008-10-29 15:59 . 2008-10-29 15:59 <DIR> d-------- c:\program files\KeyTweak
2008-10-29 09:52 . 2008-10-29 09:52 <DIR> d-------- c:\program files\THQ
2008-10-27 04:29 . 2008-10-27 04:29 <DIR> d-------- c:\program files\7-Zip
2008-10-24 09:49 . 2008-10-24 09:49 <DIR> d-------- c:\documents and settings\Ray\Application Data\Gearbox Software
2008-10-24 03:34 . 2008-10-24 03:34 <DIR> d-------- c:\program files\Common Files\EasyInfo
2008-10-24 03:12 . 2008-10-24 03:45 <DIR> d-------- c:\program files\EA GAMES
2008-10-21 08:51 . 2006-01-06 15:52 8,704 --a------ c:\windows.0\system32\kbdjpn.dll
2008-10-21 08:51 . 2006-01-06 15:52 8,192 --a------ c:\windows.0\system32\kbdkor.dll
2008-10-21 08:51 . 2006-01-06 15:52 6,144 --a------ c:\windows.0\system32\kbd106.dll
2008-10-21 08:51 . 2006-01-06 15:52 6,144 --a------ c:\windows.0\system32\kbd101c.dll
2008-10-21 08:51 . 2006-01-06 15:52 6,144 --a------ c:\windows.0\system32\kbd101b.dll
2008-10-21 08:51 . 2006-01-06 15:52 5,632 --a------ c:\windows.0\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 01:06 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-20 00:13 --------- d-----w c:\documents and settings\Ray\Application Data\SiteAdvisor
2008-11-19 23:18 --------- d-----w c:\program files\Steam
2008-11-19 11:21 --------- d-----w c:\documents and settings\Ray\Application Data\Azureus
2008-11-19 10:15 --------- d-----w c:\documents and settings\Ray\Application Data\MailWasherPro
2008-11-19 00:53 --------- d-----w c:\program files\Java
2008-11-18 14:36 --------- d-----w c:\documents and settings\Ray\Application Data\Spyware Terminator
2008-11-18 10:56 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
2008-11-18 10:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 23:02 --------- d-----w c:\program files\PeerGuardian2
2008-11-17 17:51 --------- d-----w c:\program files\Spyware Terminator
2008-11-17 17:10 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Spyware Terminator
2008-11-17 16:49 90,112 ----a-w c:\windows.0\DUMP2b46.tmp
2008-11-17 16:26 90,112 ----a-w c:\windows.0\DUMP2c5f.tmp
2008-11-17 14:25 90,112 ----a-w c:\windows.0\DUMP2f8b.tmp
2008-11-17 13:21 --------- d-----w c:\program files\ESET
2008-11-17 12:47 --------- d-----w c:\program files\Elaborate Bytes
2008-11-17 11:48 --------- d-----w c:\program files\TrojanHunter 4.7
2008-11-17 03:29 --------- d---a-w c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2008-11-17 03:28 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Kaspersky Lab
2008-11-16 02:49 --------- d-----w c:\program files\HyperLobbyPro3
2008-11-12 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 20:47 --------- d-----w c:\program files\Saitek
2008-11-11 20:43 90,112 ----a-w c:\windows.0\DUMP34db.tmp
2008-11-11 20:33 90,112 ----a-w c:\windows.0\DUMP2a3c.tmp
2008-11-11 20:28 90,112 -c--a-w c:\windows.0\DUMP2896.tmp
2008-10-27 16:52 --------- d-----w c:\program files\Ubisoft
2008-10-27 10:07 --------- d-----w c:\program files\InterActual
2008-10-13 16:37 --------- d-----w c:\program files\FireTrust
2008-10-12 16:33 1,882,904 ----a-w c:\windows.0\system32\AutoPartNt.exe
2008-10-10 12:32 91,632 ----a-w c:\windows.0\system32\dsofile.dll
2008-09-23 12:56 --------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Acronis
2008-09-20 12:27 --------- d-----w c:\program files\CCleaner
2008-09-20 11:24 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\nView_Profiles
2008-09-20 11:23 --------- d-----w c:\program files\AGEIA Technologies
2008-09-20 11:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-04-19 16:30 282 -c--a-w c:\program files\Error.txt
2007-05-01 12:19 1,216,512 -c--a-w c:\program files\MissionTuner V2.exe
2007-03-21 13:02 11,675 -c--a-w c:\program files\QMT_Aircraft.txt
2007-01-24 14:21 38,120 -c--a-w c:\program files\QMT V2.HLP
2007-01-24 09:51 2,400 -c--a-w c:\program files\QMT_Maps.txt
2007-01-24 07:24 9,030 -c--a-w c:\program files\QMT_DF.txt
2007-01-23 21:28 37,124 -c--a-w c:\program files\QMT_Weapons.txt
2006-07-12 12:51 54,312 -c--a-w c:\program files\tor-bundle-uninstall.exe
2006-02-11 00:41 26,657 -c--a-w c:\program files\BUNDLE_LICENSE
2006-01-13 13:18 52 -c--a-w c:\program files\Save Windows and Programs (No Data or Documents).BDF
2006-01-13 13:18 52 -c--a-w c:\program files\Save Data and Documents Only.BDF
2005-10-18 12:13 306 -c--a-w c:\program files\QMT_Countries.txt
2005-10-18 12:12 83,107 -c--a-w c:\program files\QMT_Squadron.txt
2003-03-21 21:37 16,056 -c--a-w c:\program files\owcstp16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-11-18 3962184]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-11-18 08:48 3962184 --a------ c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"= "c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll" [2008-06-07 2404352]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-11-18 3962184]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"= "c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll" [2008-06-07 2404352]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-11-18 3962184]

[HKEY_CLASSES_ROOT\clsid\{6226ba26-c017-4007-928c-de9715c6fa68}]
[HKEY_CLASSES_ROOT\TBSB01419.TBSB01419.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB01419.TBSB01419]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-08-15 13570048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows.0\system32\tscupgrd.exe" [2006-01-12 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\WINDOWS.0\\system32\\userinit.exe,\"c:\\WINDOWS.0\\server.exe\","

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsp_lmwl]
2007-06-12 19:56 44400 c:\windows.0\system32\fsp_lmwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat?,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap c:\windows.0\system32\awtrOiJB

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
backup=c:\windows.0\pss\MightyFAX Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Privoxy.lnk]
backup=c:\windows.0\pss\Privoxy.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44cd49b8
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IconixOEAddOn

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows.0\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a--c--- 2007-10-30 13:07 140568 c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a--c--- 2007-10-30 13:11 909208 c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
--a--c--- 2001-05-22 18:13 55296 c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Atari Icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
--a--c--- 2001-05-22 18:17 49152 c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-18 04:20 1234712 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2006-01-12 18:13 15360 c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
-----c--- 2005-10-31 03:51 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a--c--- 2007-04-19 14:24 1169744 c:\program files\Maxtor\MaxBlast\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-03-20 09:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
--a--c--- 2007-04-19 23:59 1169720 c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2008-08-15 23:22 13570048 c:\windows.0\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a--c--- 2007-09-04 11:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2008-08-15 23:22 86016 c:\windows.0\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
--a--c--- 2008-07-03 05:45 1684480 c:\program files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 07:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a--c--- 2007-07-23 21:24 144448 c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahsc--- 2008-08-18 18:41 1832272 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-18 17:53 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2007-10-10 14:40 1046688 c:\program files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a--c--- 2007-10-30 13:06 2595616 c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-10 18:00 90112 c:\windows.0\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-07-09 09:05 919016 c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2008-08-15 23:22 1657376 c:\windows.0\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a--c--- 2006-03-17 08:11 81408 c:\windows.0\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Emule\\emule.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\rowan\\mig\\Mig.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Steam\\steamapps\\nonaste\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nonaste\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Steam\\steamapps\\nonaste\\day of defeat source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emule
"4672:UDP"= 4672:UDP:emule

R0 videX32;videX32;c:\windows.0\system32\DRIVERS\videX32.sys [2006-02-22 9728]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows.0\system32\DRIVERS\xfilt.sys [2006-02-22 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows.0\system32\Drivers\avgldx86.sys [2008-11-18 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-18 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-18 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows.0\system32\Drivers\avgtdix.sys [2008-11-18 76040]
R3 LMPC4;LMPC4;c:\windows.0\system32\drivers\LMPC4.sys [2007-02-21 10096]
R3 npusbio;npusbio;c:\windows.0\system32\Drivers\npusbio.sys [2008-01-11 36384]
R3 p17filt;p17filt;c:\windows.0\system32\drivers\p17filt.sys [2006-03-20 1452032]
S0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [2006-01-12 77312]
S1 5ea275fb;5ea275fb;c:\windows.0\system32\drivers\5ea275fb.sys [2008-11-17 0]
S3 ICAM3NT5;Intel® PC Camera CS331;c:\windows.0\system32\Drivers\ICAM3D2.SYS [2001-07-18 145184]
S3 NPF;Netgroup Packet Filter;c:\windows.0\system32\drivers\npf.sys [2007-12-17 42512]
S3 NPUSB;NPUSB;c:\windows.0\system32\DRIVERS\npusb.sys [2007-03-23 22816]
S3 PAC207;Webcam Basic;c:\windows.0\system32\DRIVERS\pfc027.sys [2005-04-08 162176]
S3 SaiClass;SaiClass;c:\windows.0\system32\drivers\SaiNtBus.sys [2003-04-10 26368]
S3 SaiH0109;SaiH0109;c:\windows.0\system32\DRIVERS\SaiH0109.sys [2007-05-01 132232]
S3 SaiNtHid;SaiNtHid;c:\windows.0\system32\DRIVERS\SaiNtHid.sys [2003-04-10 48384]
S3 SaiNtSub;SaiNtSub;c:\windows.0\system32\DRIVERS\SaiNtSub.sys [2003-04-10 19200]
S3 SaiU0109;SaiU0109;c:\windows.0\system32\DRIVERS\SaiU0109.sys [2007-05-01 28416]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows.0\system32\Drivers\SIVX32.sys [2008-04-28 48608]
S3 USB28xxBGA;PCTV 330e/8x0e Device;c:\windows.0\system32\DRIVERS\emBDA.sys [2007-08-07 476288]
S3 USB28xxOEM;USB 28xx OEM Filter;c:\windows.0\system32\DRIVERS\emOEM.sys [2007-08-07 38656]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adee6e49-fbe5-11dc-aaec-00508dcb517d}]
\Shell\AutoRun\command - F:\TVCenterPro.exe -autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adee6e4a-fbe5-11dc-aaec-00508dcb517d}]
\Shell\AutoRun\command - G:\TVCenterPro.exe -autorun
\Shell\Shell01\Command - G:\TVCenterPro.exe
\Shell\Shell02\Command - G:\TVCenterProSettings.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{05i41m56-qw07-u20f-yx8t-vb4u6tp4ux63}]
"c:\windows.0\server.exe"
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTXFIREG - CTxfiReg.exe
MSConfigStartUp-Keyboard Driver - skfhost.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\j5qdo124.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npfoxitpdf.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 18:11:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-19 18:12:59
ComboFix-quarantined-files.txt 2008-11-20 01:12:53

Pre-Run: 144,331,636,736 bytes free
Post-Run: 144,375,136,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\wubildr.mbr="Ubuntu"


#8 Buckeye_Sam (Malware Expert)

Posted 12 November 2008 - 08:59 AM

You've got some suspicious files in your log that I'd like to get a better look at.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

http://www.bleepingcomputer.com/forums/t/179028/when-i-click-on-a-link-after-a-google-search-i-dont-go-to-the-desired-location-but-to-some-web-site-selling-something/

Suspect::[52]
c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll
c:\windows.0\dary.lib
c:\windows.0\leryxeh.sys
c:\windows.0\system32\ucur.sys
c:\documents and settings\All Users.WINDOWS.0\Application Data\yxodepyp.reg
c:\windows.0\sawajumo.reg
c:\windows.0\xofinu.inf
c:\windows.0\system32\vuwyrycex.sys
c:\documents and settings\Ray\Application Data\eneqox.dat
c:\windows.0\ixicytuwib.bat
c:\documents and settings\Ray\Application Data\jegi.dat
c:\windows.0\ofyqepujyf.ban
c:\windows.0\yloqi.reg
c:\windows.0\system32\adudatok.sys
c:\documents and settings\All Users.WINDOWS.0\Application Data\mutehuwi.sys
c:\windows.0\erol.bin
c:\windows.0\system32\ugaq.db
2C:\raeogcjp.exe
c:\windows.0\system32\drivers\5ea275fb.sys

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Are you still having the same issues?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 nonaste (Topic Starter)

Posted 12 November 2008 - 09:56 AM

Here is the text file result:

ComboFix 08-11-10.01 - Ray 2008-11-20 7:33:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1472 [GMT -7:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFscript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-19 15:48 . 2008-11-19 15:48 d-------- C:\rsit
2008-11-19 15:21 . 2008-11-19 15:21 577,024 --a------ c:\windows.0\system32\DllCache\user32.dll
2008-11-19 15:18 . 2008-11-19 15:18 d-------- c:\windows.0\ERUNT
2008-11-19 15:13 . 2008-11-19 15:44 d-------- C:\SDFix
2008-11-18 19:06 . 2008-11-20 07:34 1,673,248 --ahs---- c:\windows.0\system32\drivers\fidbox.dat
2008-11-18 19:06 . 2008-11-19 19:38 18,644 --ahs---- c:\windows.0\system32\drivers\fidbox.idx
2008-11-18 17:53 . 2008-11-18 17:53 410,976 --a------ c:\windows.0\system32\deploytk.dll
2008-11-18 17:53 . 2008-11-18 17:53 73,728 --a------ c:\windows.0\system32\javacpl.cpl
2008-11-18 09:46 . 2008-11-18 09:46 d-------- c:\program files\Trend Micro
2008-11-18 09:18 . 2008-11-18 09:18 d-------- c:\program files\ZoneAlarmSB
2008-11-18 09:16 . 2008-11-18 09:16 d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\MailFrontier
2008-11-18 09:16 . 2008-11-18 19:13 4,212 ---h----- c:\windows.0\system32\zllictbl.dat
2008-11-18 09:15 . 2008-11-18 09:15 d-------- c:\program files\Zone Labs
2008-11-18 09:14 . 2008-11-20 07:28 d-------- c:\windows.0\Internet Logs
2008-11-18 04:37 . 2008-11-19 11:27 d--h----- C:\$AVG8.VAULT$
2008-11-18 04:20 . 2008-11-20 03:06 d-------- c:\windows.0\system32\drivers\Avg
2008-11-18 04:20 . 2008-11-18 04:20 d-------- c:\program files\AVG
2008-11-18 04:20 . 2008-11-18 07:16 d-------- c:\documents and settings\Ray\Application Data\AVGTOOLBAR
2008-11-18 04:20 . 2008-11-18 04:20 97,928 --a------ c:\windows.0\system32\drivers\avgldx86.sys
2008-11-18 04:20 . 2008-11-18 04:20 76,040 --a------ c:\windows.0\system32\drivers\avgtdix.sys
2008-11-18 04:20 . 2008-11-18 04:20 10,520 --a------ c:\windows.0\system32\avgrsstx.dll
2008-11-17 12:26 . 2008-11-18 06:49 d-------- c:\program files\TrojanHunter 5.0
2008-11-17 11:04 . 2008-11-17 11:04 d-------- c:\documents and settings\Ray\Application Data\Malwarebytes
2008-11-17 11:03 . 2008-11-17 11:04 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-17 11:03 . 2008-11-17 11:03 d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-11-17 11:03 . 2008-10-22 16:27 38,496 --a------ c:\windows.0\system32\drivers\mbamswissarmy.sys
2008-11-17 11:03 . 2008-10-22 16:27 15,504 --a------ c:\windows.0\system32\drivers\mbam.sys
2008-11-17 06:41 . 2008-03-03 14:25 5,702 --ah----- c:\windows.0\nod32restoretemdono.reg
2008-11-17 06:21 . 2008-11-17 06:21 d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\ESET
2008-11-17 06:02 . 2008-11-17 06:02 19,980 --a------ c:\windows.0\dary.lib
2008-11-17 06:02 . 2008-11-17 06:02 19,681 --a------ c:\windows.0\leryxeh.sys
2008-11-17 06:02 . 2008-11-17 06:02 19,093 --a------ c:\windows.0\system32\ucur.sys
2008-11-17 06:02 . 2008-11-17 06:02 17,343 --a------ c:\documents and settings\All Users.WINDOWS.0\Application Data\yxodepyp.reg
2008-11-17 06:02 . 2008-11-17 06:02 17,113 --a------ c:\windows.0\sawajumo.reg
2008-11-17 06:02 . 2008-11-17 06:02 16,679 --a------ c:\windows.0\xofinu.inf
2008-11-17 06:02 . 2008-11-17 06:02 15,887 --a------ c:\windows.0\system32\vuwyrycex.sys
2008-11-17 06:02 . 2008-11-17 06:02 15,736 --a------ c:\documents and settings\Ray\Application Data\eneqox.dat
2008-11-17 06:02 . 2008-11-17 06:02 15,419 --a------ c:\windows.0\ixicytuwib.bat
2008-11-17 06:02 . 2008-11-17 06:02 15,069 --a------ c:\documents and settings\Ray\Application Data\jegi.dat
2008-11-17 06:02 . 2008-11-17 06:02 14,991 --a------ c:\windows.0\ofyqepujyf.ban
2008-11-17 06:02 . 2008-11-17 06:02 14,902 --a------ c:\windows.0\yloqi.reg
2008-11-17 06:02 . 2008-11-17 06:02 14,091 --a------ c:\windows.0\system32\adudatok.sys
2008-11-17 06:02 . 2008-11-17 06:02 13,100 --a------ c:\documents and settings\All Users.WINDOWS.0\Application Data\mutehuwi.sys
2008-11-17 06:02 . 2008-11-17 06:02 11,075 --a------ c:\windows.0\erol.bin
2008-11-17 06:02 . 2008-11-17 06:02 10,424 --a------ c:\windows.0\system32\ugaq.db
2008-11-17 05:53 . 2008-11-17 05:53 d-------- C:\CloneDVDTemp
2008-11-17 05:51 . 2008-11-17 05:51 d-------- c:\program files\IESurfBar
2008-11-17 05:50 . 2008-11-17 05:50 d-------- c:\program files\Reify Software
2008-11-17 05:50 . 2008-11-17 05:50 166,515 --a------ C:\raeogcjp.exe
2008-11-17 05:50 . 2008-11-17 06:46 0 --a------ c:\windows.0\system32\drivers\5ea275fb.sys
2008-11-17 04:38 . 2008-11-18 04:20 d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Avg8
2008-11-16 20:53 . 2008-11-16 20:53 d--hs---- c:\windows.0\ftpcache
2008-11-16 17:18 . 2008-02-18 09:26 102,664 --a------ c:\windows.0\system32\drivers\tmcomm.sys
2008-11-11 13:49 . 2006-01-06 15:53 21,504 --a------ c:\windows.0\system32\hidserv.dll
2008-11-11 13:09 . 2003-03-27 16:01 184,320 --a------ c:\windows.0\system32\PrfAct.exe
2008-11-11 13:09 . 2003-04-10 11:45 106,496 --a------ c:\windows.0\system32\SaiCfg.dll
2008-11-11 13:09 . 2003-04-10 11:53 102,400 --a------ c:\windows.0\system32\NX.exe
2008-11-11 13:09 . 2003-04-10 11:42 48,384 --a------ c:\windows.0\system32\drivers\SaiNtHid.sys
2008-11-11 13:09 . 2003-04-10 11:41 26,368 --a------ c:\windows.0\system32\drivers\SaiNtBus.sys
2008-11-11 13:09 . 2003-04-10 11:42 19,200 --a------ c:\windows.0\system32\drivers\saintsub.sys
2008-11-11 13:09 . 2007-10-05 10:19 14,080 --a------ c:\windows.0\system32\drivers\SaiMini.sys
2008-11-11 13:09 . 2003-02-06 09:20 6,656 --a------ c:\windows.0\system32\REnum.exe
2008-11-11 07:51 . 2008-11-11 07:51 d-------- c:\program files\KALiNKOsoft
2008-11-11 07:42 . 2008-11-11 07:42 d-------- c:\program files\Innovative Solutions
2008-11-11 07:42 . 2008-11-11 07:42 d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Innovative Solutions
2008-11-03 05:16 . 2008-11-03 05:16 57 -ra------ c:\windows.0\amunres.lsl
2008-11-03 05:15 . 2008-11-03 05:15 d-------- c:\documents and settings\Ray\Application Data\KALiNKOsoft
2008-11-03 05:13 . 1998-06-24 02:00 164,144 --a------ c:\windows.0\system32\comct232.ocx
2008-11-03 05:13 . 2008-11-11 07:19 119,296 --a------ c:\windows.0\system32\zlib.dll
2008-11-03 05:13 . 1998-06-18 01:00 89,360 --a------ c:\windows.0\system32\VB5DB.DLL
2008-11-03 05:13 . 1999-05-17 14:55 57,344 --------- c:\windows.0\system32\ADsSecurity.dll
2008-11-03 05:13 . 2002-08-09 12:18 45,056 --------- c:\windows.0\system32\NTSVC.ocx
2008-11-03 05:13 . 2003-01-26 14:41 40,960 --a------ c:\windows.0\system32\SSubTmr6.dll
2008-11-03 05:13 . 2008-01-13 20:59 36,864 --a------ c:\windows.0\system32\dxinputdll.dll
2008-11-03 05:13 . 1999-03-12 02:20 18,728 --------- c:\windows.0\system32\ISHF_Ex.tlb
2008-11-03 05:13 . 1998-03-18 17:45 8,096 --------- c:\windows.0\system32\OLEGUIDS.TLB
2008-11-02 11:02 . 2007-05-01 15:45 3,488 -ra------ c:\windows.0\system32\SaiD0109.pr0
2008-10-29 15:59 . 2008-10-29 15:59 d-------- c:\program files\KeyTweak
2008-10-29 09:52 . 2008-10-29 09:52 d-------- c:\program files\THQ
2008-10-27 04:29 . 2008-10-27 04:29 d-------- c:\program files\7-Zip
2008-10-24 09:49 . 2008-10-24 09:49 d-------- c:\documents and settings\Ray\Application Data\Gearbox Software
2008-10-24 03:34 . 2008-10-24 03:34 d-------- c:\program files\Common Files\EasyInfo
2008-10-24 03:12 . 2008-10-24 03:45 d-------- c:\program files\EA GAMES
2008-10-21 08:51 . 2006-01-06 15:52 8,704 --a------ c:\windows.0\system32\kbdjpn.dll
2008-10-21 08:51 . 2006-01-06 15:52 8,192 --a------ c:\windows.0\system32\kbdkor.dll
2008-10-21 08:51 . 2006-01-06 15:52 6,144 --a------ c:\windows.0\system32\kbd106.dll
2008-10-21 08:51 . 2006-01-06 15:52 6,144 --a------ c:\windows.0\system32\kbd101c.dll
2008-10-21 08:51 . 2006-01-06 15:52 6,144 --a------ c:\windows.0\system32\kbd101b.dll
2008-10-21 08:51 . 2006-01-06 15:52 5,632 --a------ c:\windows.0\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 14:27 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-20 14:25 --------- d-----w c:\documents and settings\Ray\Application Data\SiteAdvisor
2008-11-20 12:36 --------- d-----w c:\program files\Steam
2008-11-20 09:59 --------- d-----w c:\documents and settings\Ray\Application Data\MailWasherPro
2008-11-19 11:21 --------- d-----w c:\documents and settings\Ray\Application Data\Azureus
2008-11-19 00:53 --------- d-----w c:\program files\Java
2008-11-18 14:36 --------- d-----w c:\documents and settings\Ray\Application Data\Spyware Terminator
2008-11-18 10:56 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
2008-11-18 10:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 23:02 --------- d-----w c:\program files\PeerGuardian2
2008-11-17 17:51 --------- d-----w c:\program files\Spyware Terminator
2008-11-17 17:10 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Spyware Terminator
2008-11-17 16:49 90,112 ----a-w c:\windows.0\DUMP2b46.tmp
2008-11-17 16:26 90,112 ----a-w c:\windows.0\DUMP2c5f.tmp
2008-11-17 14:25 90,112 ----a-w c:\windows.0\DUMP2f8b.tmp
2008-11-17 13:21 --------- d-----w c:\program files\ESET
2008-11-17 12:47 --------- d-----w c:\program files\Elaborate Bytes
2008-11-17 11:48 --------- d-----w c:\program files\TrojanHunter 4.7
2008-11-17 03:29 --------- d---a-w c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2008-11-17 03:28 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Kaspersky Lab
2008-11-16 02:49 --------- d-----w c:\program files\HyperLobbyPro3
2008-11-12 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 20:47 --------- d-----w c:\program files\Saitek
2008-11-11 20:43 90,112 ----a-w c:\windows.0\DUMP34db.tmp
2008-11-11 20:33 90,112 ----a-w c:\windows.0\DUMP2a3c.tmp
2008-11-11 20:28 90,112 -c--a-w c:\windows.0\DUMP2896.tmp
2008-10-27 16:52 --------- d-----w c:\program files\Ubisoft
2008-10-27 10:07 --------- d-----w c:\program files\InterActual
2008-10-13 16:37 --------- d-----w c:\program files\FireTrust
2008-10-12 16:33 1,882,904 ----a-w c:\windows.0\system32\AutoPartNt.exe
2008-10-10 12:32 91,632 ----a-w c:\windows.0\system32\dsofile.dll
2008-09-23 12:56 --------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Acronis
2008-09-20 12:27 --------- d-----w c:\program files\CCleaner
2008-09-20 11:24 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\nView_Profiles
2008-09-20 11:23 --------- d-----w c:\program files\AGEIA Technologies
2008-09-20 11:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-04-19 16:30 282 -c--a-w c:\program files\Error.txt
2007-05-01 12:19 1,216,512 -c--a-w c:\program files\MissionTuner V2.exe
2007-03-21 13:02 11,675 -c--a-w c:\program files\QMT_Aircraft.txt
2007-01-24 14:21 38,120 -c--a-w c:\program files\QMT V2.HLP
2007-01-24 09:51 2,400 -c--a-w c:\program files\QMT_Maps.txt
2007-01-24 07:24 9,030 -c--a-w c:\program files\QMT_DF.txt
2007-01-23 21:28 37,124 -c--a-w c:\program files\QMT_Weapons.txt
2006-07-12 12:51 54,312 -c--a-w c:\program files\tor-bundle-uninstall.exe
2006-02-11 00:41 26,657 -c--a-w c:\program files\BUNDLE_LICENSE
2006-01-13 13:18 52 -c--a-w c:\program files\Save Windows and Programs (No Data or Documents).BDF
2006-01-13 13:18 52 -c--a-w c:\program files\Save Data and Documents Only.BDF
2005-10-18 12:13 306 -c--a-w c:\program files\QMT_Countries.txt
2005-10-18 12:12 83,107 -c--a-w c:\program files\QMT_Squadron.txt
2003-03-21 21:37 16,056 -c--a-w c:\program files\owcstp16.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-19_18.12.27.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-20 09:47:29 16,384 ----atw c:\windows.0\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-11-18 3962184]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-11-18 08:48 3962184 --a------ c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"= "c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll" [2008-06-07 2404352]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-11-18 3962184]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"= "c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll" [2008-06-07 2404352]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ray\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-11-18 3962184]

[HKEY_CLASSES_ROOT\clsid\{6226ba26-c017-4007-928c-de9715c6fa68}]
[HKEY_CLASSES_ROOT\TBSB01419.TBSB01419.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB01419.TBSB01419]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-08-15 13570048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows.0\system32\tscupgrd.exe" [2006-01-12 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\WINDOWS.0\\system32\\userinit.exe,\"c:\\WINDOWS.0\\server.exe\","

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsp_lmwl]
2007-06-12 19:56 44400 c:\windows.0\system32\fsp_lmwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat?,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap c:\windows.0\system32\awtrOiJB

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
backup=c:\windows.0\pss\MightyFAX Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Privoxy.lnk]
backup=c:\windows.0\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows.0\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a--c--- 2007-10-30 13:07 140568 c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a--c--- 2007-10-30 13:11 909208 c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
--a--c--- 2001-05-22 18:13 55296 c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Atari Icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
--a--c--- 2001-05-22 18:17 49152 c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-18 04:20 1234712 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2006-01-12 18:13 15360 c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
-----c--- 2005-10-31 03:51 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a--c--- 2007-04-19 14:24 1169744 c:\program files\Maxtor\MaxBlast\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-03-20 09:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
--a--c--- 2007-04-19 23:59 1169720 c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2008-08-15 23:22 13570048 c:\windows.0\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a--c--- 2007-09-04 11:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2008-08-15 23:22 86016 c:\windows.0\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
--a--c--- 2008-07-03 05:45 1684480 c:\program files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 07:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a--c--- 2007-07-23 21:24 144448 c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahsc--- 2008-08-18 18:41 1832272 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-18 17:53 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2007-10-10 14:40 1046688 c:\program files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a--c--- 2007-10-30 13:06 2595616 c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-10 18:00 90112 c:\windows.0\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-07-09 09:05 919016 c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2008-08-15 23:22 1657376 c:\windows.0\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a--c--- 2006-03-17 08:11 81408 c:\windows.0\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Emule\\emule.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\rowan\\mig\\Mig.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Steam\\steamapps\\nonaste\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nonaste\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Steam\\steamapps\\nonaste\\day of defeat source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emule
"4672:UDP"= 4672:UDP:emule

R0 videX32;videX32;c:\windows.0\system32\DRIVERS\videX32.sys [2006-02-22 9728]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows.0\system32\DRIVERS\xfilt.sys [2006-02-22 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows.0\system32\Drivers\avgldx86.sys [2008-11-18 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-18 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-18 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows.0\system32\Drivers\avgtdix.sys [2008-11-18 76040]
R3 LMPC4;LMPC4;c:\windows.0\system32\drivers\LMPC4.sys [2007-02-21 10096]
R3 npusbio;npusbio;c:\windows.0\system32\Drivers\npusbio.sys [2008-01-11 36384]
R3 p17filt;p17filt;c:\windows.0\system32\drivers\p17filt.sys [2006-03-20 1452032]
S0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [2006-01-12 77312]
S1 5ea275fb;5ea275fb;c:\windows.0\system32\drivers\5ea275fb.sys [2008-11-17 0]
S3 ICAM3NT5;Intel® PC Camera CS331;c:\windows.0\system32\Drivers\ICAM3D2.SYS [2001-07-18 145184]
S3 NPF;Netgroup Packet Filter;c:\windows.0\system32\drivers\npf.sys [2007-12-17 42512]
S3 NPUSB;NPUSB;c:\windows.0\system32\DRIVERS\npusb.sys [2007-03-23 22816]
S3 PAC207;Webcam Basic;c:\windows.0\system32\DRIVERS\pfc027.sys [2005-04-08 162176]
S3 SaiClass;SaiClass;c:\windows.0\system32\drivers\SaiNtBus.sys [2003-04-10 26368]
S3 SaiH0109;SaiH0109;c:\windows.0\system32\DRIVERS\SaiH0109.sys [2007-05-01 132232]
S3 SaiNtHid;SaiNtHid;c:\windows.0\system32\DRIVERS\SaiNtHid.sys [2003-04-10 48384]
S3 SaiNtSub;SaiNtSub;c:\windows.0\system32\DRIVERS\SaiNtSub.sys [2003-04-10 19200]
S3 SaiU0109;SaiU0109;c:\windows.0\system32\DRIVERS\SaiU0109.sys [2007-05-01 28416]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows.0\system32\Drivers\SIVX32.sys [2008-04-28 48608]
S3 USB28xxBGA;PCTV 330e/8x0e Device;c:\windows.0\system32\DRIVERS\emBDA.sys [2007-08-07 476288]
S3 USB28xxOEM;USB 28xx OEM Filter;c:\windows.0\system32\DRIVERS\emOEM.sys [2007-08-07 38656]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adee6e49-fbe5-11dc-aaec-00508dcb517d}]
\Shell\AutoRun\command - F:\TVCenterPro.exe -autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adee6e4a-fbe5-11dc-aaec-00508dcb517d}]
\Shell\AutoRun\command - G:\TVCenterPro.exe -autorun
\Shell\Shell01\Command - G:\TVCenterPro.exe
\Shell\Shell02\Command - G:\TVCenterProSettings.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{05i41m56-qw07-u20f-yx8t-vb4u6tp4ux63}]
"c:\windows.0\server.exe"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 07:34:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-20 7:37:53
ComboFix-quarantined-files.txt 2008-11-20 14:37:49
ComboFix2.txt 2008-11-20 01:13:00

Pre-Run: 143,951,118,336 bytes free
Post-Run: 143,939,964,928 bytes free



In addition ComboFix instructed me to send the following to you:


C:\Qoobox\Quarantine\[52][email protected]

To answer your question, I still get the problem described below:

When I use Google for a search and I receive all the links in response to the query, if I click on a link I am misdirected to some commercial site or some search site. This doesn't happen all the time. Often I go to where the link says I'm going to go. Now, if I happen to go to some unwanted site, if I return to the link in Google and, instead of clicking on that link, I "copy and paste" the URL at the bottom of the link and text into the navigation tool bar, I will be directed to the proper site. So, I guess something is still not quite right.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:09 PM

Posted 12 November 2008 - 10:06 AM

What do you know about this program:

IESurfBar
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 nonaste

nonaste
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 12 November 2008 - 10:25 AM

As Sergeant Schultz used to say, "I knoww nuthink!"

I did a Google search on "IESurfBar" and a link came up to YOUR site referencing our postings on this topic. For grins I clicked on the link and went to a commercial site pushing perfume. Beyond that absolutely nothing came up about "IESurfBar," which, of course, you know already. Weird, just weird. Evidently this thing has nothing to do with Internet Explorer, which I haven't used for years.

Edited by nonaste, 12 November 2008 - 10:30 AM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:09 PM

Posted 12 November 2008 - 12:45 PM

I can't confirm that there's anything malicious about that program, but any program that is installed onto your computer without your knowledge is suspicious. So if you don't know what it is, let's get rid of it.


Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

IESurfBar


Reboot your computer and post a new hijackthis log.
Let me know if you're still having the same issues with your searches.

#13 nonaste

nonaste
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 12 November 2008 - 01:34 PM

I can't confirm that there's anything malicious about that program, but any program that is installed onto your computer without your knowledge is suspicious. So if you don't know what it is, let's get rid of it.


Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

IESurfBar


Reboot your computer and post a new hijackthis log.
Let me know if you're still having the same issues with your searches.


There is nothing in Add Remove Programs referencing this program. There is an uninstall icon in the program's file in C/Programs. The icon has no picture associated with it, as I've seen with just about every other program that has its own uninstall feature, just a system file type of picture. I've become a little paranoid. Should I click on this uninstall file and see if the program is removed?

#14 nonaste

nonaste
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 12 November 2008 - 05:30 PM

The program won't uninstall. The uninstaller does nothing when clicked on.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:09 PM

Posted 12 November 2008 - 05:39 PM

No problem. We'll take it out with combofix.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Folder::
c:\program files\IESurfBar

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"=-
[-HKEY_CLASSES_ROOT\clsid\{6226ba26-c017-4007-928c-de9715c6fa68}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


While we're reviewing your programs, how about CyberDefender?
What do you know about it?
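The CFScript in the post above is small enough to read by eye, but it helps to know exactly what each line asks ComboFix to do before dropping it on the tool. The Python below is an added example written for this thread, not code from the forum or from ComboFix's author. It parses the Folder:: and Registry:: sections of the script text (a copy of the script from the post is embedded as the sample input) and lists the resulting actions. It assumes the Registry:: section follows regedit .reg conventions, which is what the script's own lines show: a `[key]` line selects a key, a `"name"=-` line under it removes that value, and a `[-key]` line removes the whole key. It also checks that every GUID the script touches is well formed, because a CLSID is hexadecimal; the Active Setup entry `{05i41m56-qw07-u20f-yx8t-vb4u6tp4ux63}` from the ComboFix log earlier in this thread, which launches c:\windows.0\server.exe, fails that check, and that is one cheap way to spot a made-up key name in a log.

```python
"""Parse a ComboFix CFScript and report what it would remove.

Added example for this thread; not part of ComboFix. Registry lines are
read with .reg file conventions (assumption): "name"=- deletes a value,
[-key] deletes a key.
"""
import re

# Constructed sample: the CFScript text from the post above, verbatim.
CFSCRIPT = r"""Folder::
c:\program files\IESurfBar

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"=-
[-HKEY_CLASSES_ROOT\clsid\{6226ba26-c017-4007-928c-de9715c6fa68}]
"""

# A real GUID/CLSID is 8-4-4-4-12 hexadecimal digits in braces.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Anything brace-delimited that is *trying* to look like a GUID.
GUID_LIKE_RE = re.compile(r"\{[^{}]+\}")
SECTION_RE = re.compile(r"^(\w+)::$")
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')


def is_well_formed_guid(text):
    """True only for a syntactically valid hex GUID such as a CLSID."""
    return bool(GUID_RE.match(text))


def parse_cfscript(text):
    """Return a list of {'action', 'target'[, 'value']} dicts, in script order."""
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:                       # e.g. "Folder::" or "Registry::"
            section = header.group(1)
            current_key = None
            continue
        if section == "Folder":
            actions.append({"action": "delete_folder", "target": line})
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                if key.startswith("-"):  # [-key] removes the whole key
                    actions.append({"action": "delete_key", "target": key[1:]})
                    current_key = None
                else:                    # [key] selects the key for value lines
                    current_key = key
            else:
                m = VALUE_DELETE_RE.match(line)
                if m and current_key:    # "name"=- removes one value
                    actions.append({"action": "delete_value",
                                    "target": current_key, "value": m.group(1)})
                else:
                    actions.append({"action": "unrecognized", "target": line})
        else:
            actions.append({"action": "unrecognized", "target": line})
    return actions


def referenced_guids(actions):
    """Set of GUID-looking tokens the script touches, upper-cased to merge casings."""
    found = set()
    for a in actions:
        for field in ("target", "value"):
            for g in GUID_LIKE_RE.findall(a.get(field, "")):
                found.add(g.upper())
    return found


def summarize(actions):
    """Human-readable lines describing each action and any malformed GUIDs."""
    lines = []
    for a in actions:
        if a["action"] == "delete_value":
            lines.append(f'delete value "{a["value"]}" under {a["target"]}')
        else:
            lines.append(f'{a["action"].replace("_", " ")} {a["target"]}')
    for g in sorted(referenced_guids(actions)):
        status = "ok" if is_well_formed_guid(g) else "MALFORMED (not hex)"
        lines.append(f"GUID {g}: {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_cfscript(CFSCRIPT))))
```

Run against the script from the post, it reports one folder deletion, two toolbar value deletions (HKLM and HKCU) and one CLSID key deletion, all naming the same well-formed GUID; feeding it the `{05i41m56-...}` name from the log returns a malformed-GUID verdict. Lines the parser does not understand are reported as `unrecognized` rather than silently dropped, so a typo in a script shows up before it runs.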



