Post #1, Jul 5 2008, 10:40 AM. kaido (Member; Group: Members; Posts: 46; Joined: 23-December 07; Member No.: 178,487)
My bro wanted to download a trainer for a game... Unfortunately it screwed up my PC. Every time I opened any file it popped up that my Windows files are deleted and stuff... and it also said to download a freeware scan or something like this.... Of course I didn't do it (you cannot go on the internet, but it can open a fcking scan download site, suspicious :D). A few days later NOD32 detected psarox.dll. I deleted it, but I'm not sure it's clean now... I'm adding the DSS log.

VundoFix couldn't find anything (newest version from the official website)
NOD32 - going to scan
Spybot - going to scan
RogueRemover couldn't find anything

Deckard's System Scanner v20071014.68
Run by Kaidoo on 2008-07-05 18:32:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Kaidoo.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:32:31, on 5.07.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Kaidoo\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kaidoo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.raadiojaam.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D0386B3-FD72-488E-9740-90355AE21735} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [EstEID AIP switch] "C:\Program Files\IT Arendus\ID-kaart\aipswitch.exe" 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200917299984
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198815555703
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1,194.126.115.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7071 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 18:03:24          0 dr-h----- C:\Documents and Settings\Kaidoo\Recent
2008-07-05 18:01:20          0 d-------- C:\Program Files\RogueRemover FREE
2008-07-05 17:39:03          0 d-------- C:\VundoFix Backups
2008-07-05 17:31:26          0 d-------- C:\Program Files\Trend Micro
2008-06-29 19:35:55          0 d-------- C:\Program Files\FlatOut
2008-06-28 16:45:21          0 d-------- C:\WINDOWS\Caps
2008-06-28 05:59:04          0 d-------- C:\WINDOWS\nvidia icons
2008-06-28 05:58:50          0 d-------- C:\WINDOWS\nview
2008-06-26 16:02:36          0 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-06-26 15:58:14          0 d-------- C:\Program Files\TmNationsForever
2008-06-25 13:51:47          0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-18 23:33:56          0 d-------- C:\Program Files\Java
2008-06-18 23:32:11          0 d-------- C:\Program Files\Common Files\Java
2008-06-11 11:07:14          0 d-------- C:\Program Files\Winamp
2008-06-11 11:07:14          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Winamp
2008-06-10 21:01:50          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\MSN6
2008-06-10 21:01:50          0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6

-- Find3M Report ---------------------------------------------------------------

2008-06-22 00:02:57          0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-22 00:02:20          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\GetRightToGo
2008-06-18 23:32:11          0 d-------- C:\Program Files\Common Files
2008-06-04 14:05:40          0 d-------- C:\Program Files\DivX
2008-05-28 21:45:19          0 dr-h----- C:\Documents and Settings\Kaidoo\Application Data\SecuROM
2008-05-27 17:26:54          0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-24 23:27:11          0 d-------- C:\Program Files\SweetIM
2008-05-23 01:32:26          0 d-------- C:\Program Files\Omnikey
2008-05-23 01:26:07          0 d-------- C:\Program Files\Ideelabor
2008-05-23 01:25:31          0 d-------- C:\Program Files\DigiDoc
2008-05-23 01:25:18          0 d-------- C:\Program Files\IT Arendus
2008-05-23 01:25:17          0 d-------- C:\Program Files\DIFX
2008-05-13 04:53:16    3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 04:50:16     196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-13 04:50:16      81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-13 04:50:08     802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-13 04:50:08     823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 04:50:08     831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-05-13 04:50:08     823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 04:50:06     682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 04:49:02      12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-02 22:46:00    1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00    1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00     466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00    1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00    1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00    1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00     442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00     425984 --a------ C:\WINDOWS\system32\keystone.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D0386B3-FD72-488E-9740-90355AE21735}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
27.03.2008 14:12 1164600 --a------ C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [27.03.2008 14:12 1164600]

[-HKEY_CLASSES_ROOT\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [21.01.2008 15:58]
"EstEID AIP switch"="C:\Program Files\IT Arendus\ID-kaart\aipswitch.exe" [22.02.2007 15:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25.03.2008 04:28]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02.05.2008 22:46]
"nwiz"="nwiz.exe" [02.05.2008 22:46 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02.05.2008 22:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18.10.2007 12:34]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kaidoo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
Post #2, Jul 5 2008, 03:56 PM. kaido (Member; Group: Members; Posts: 46; Joined: 23-December 07; Member No.: 178,487)
NOD32 - nothing found
VundoFix - nothing
Spybot - nothing
Dr.Web - nothing....
RogueRemover - nothing
I'm also adding the ComboFix log:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://launcher.patcher.ncsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-05 18:32 . 2008-07-05 18:32 <DIR> d-------- C:\Deckard
2008-07-05 18:01 . 2008-07-05 18:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-05 17:39 . 2008-07-05 17:39 <DIR> d-------- C:\VundoFix Backups
2008-07-05 17:31 . 2008-07-05 17:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 19:35 . 2008-06-30 02:06 <DIR> d-------- C:\Program Files\FlatOut
2008-06-28 16:45 . 2008-06-28 16:45 <DIR> d-------- C:\WINDOWS\Caps
2008-06-28 05:59 . 2008-06-28 05:59 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-28 05:58 . 2008-06-28 05:58 <DIR> d-------- C:\WINDOWS\nview
2008-06-28 05:58 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-28 05:58 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-28 05:58 . 2008-07-05 19:57 182,765 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-28 05:58 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-28 05:58 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-28 05:58 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-28 05:58 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-28 05:58 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-26 16:02 . 2008-07-04 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-06-26 15:58 . 2008-06-26 16:01 <DIR> d-------- C:\Program Files\TmNationsForever
2008-06-25 23:13 . 2008-06-25 23:13 268 --ah----- C:\sqmdata10.sqm
2008-06-25 23:13 . 2008-06-25 23:13 244 --ah----- C:\sqmnoopt10.sqm
2008-06-25 13:51 . 2008-06-25 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-24 23:49 . 2008-06-24 23:49 268 --ah----- C:\sqmdata09.sqm
2008-06-24 23:49 . 2008-06-24 23:49 244 --ah----- C:\sqmnoopt09.sqm
2008-06-24 00:28 . 2008-06-24 00:28 268 --ah----- C:\sqmdata08.sqm
2008-06-24 00:28 . 2008-06-24 00:28 244 --ah----- C:\sqmnoopt08.sqm
2008-06-23 22:06 . 2008-06-23 22:06 268 --ah----- C:\sqmdata07.sqm
2008-06-23 22:06 . 2008-06-23 22:06 244 --ah----- C:\sqmnoopt07.sqm
2008-06-18 23:34 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-18 23:33 . 2008-06-18 23:34 <DIR> d-------- C:\Program Files\Java
2008-06-18 23:32 . 2008-06-18 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-11 11:07 . 2008-06-11 11:07 <DIR> d-------- C:\Program Files\Winamp
2008-06-11 11:07 . 2008-06-11 11:08 <DIR> d-------- C:\Documents and Settings\Kaidoo\Application Data\Winamp
2008-06-10 21:01 . 2008-06-10 21:01 <DIR> d-------- C:\Documents and Settings\Kaidoo\Application Data\MSN6
2008-06-10 21:01 . 2008-06-10 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 21:02 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\GetRightToGo
2008-06-09 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2008-06-04 11:05 --------- d-----w C:\Program Files\DivX
2008-06-03 12:53 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-05-28 18:45 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-28 18:45 --------- d--h--r C:\Documents and Settings\Kaidoo\Application Data\SecuROM
2008-05-28 17:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 14:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-24 20:27 --------- d-----w C:\Program Files\SweetIM
2008-05-22 22:32 --------- d-----w C:\Program Files\Omnikey
2008-05-22 22:26 --------- d-----w C:\Program Files\Ideelabor
2008-05-22 22:25 --------- d-----w C:\Program Files\IT Arendus
2008-05-22 22:25 --------- d-----w C:\Program Files\DigiDoc
2008-05-22 22:25 --------- d-----w C:\Program Files\DIFX
2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 01:51 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-13 01:51 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-03-27 14:12 1164600 --a------ C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-03-27 14:12 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-03-27 14:12 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-21 15:58 949376]
"EstEID AIP switch"="C:\Program Files\IT Arendus\ID-kaart\aipswitch.exe" [2007-02-22 15:36 45984]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"Cmaudio"="cmicnfg.cpl" [N/A]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Kaidoo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Kaidoo\\Desktop\\lfs2\\LFS.exe"=
"C:\\Program Files\\TmNationsForever\\TmForever.exe"=
"C:\\Program Files\\FlatOut\\flatout.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13156:TCP"= 13156:TCP:*:Disabled:SolidNetworkManager
"13156:UDP"= 13156:UDP:*:Disabled:SolidNetworkManager

S3 cxbu0wdm;CardMan 1021;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2006-07-11 10:03]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-13 18:55]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Kaidoo\LOCALS~1\Temp\gUSBSTOi.sys []
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 16:11]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 16:11]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 16:11]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 16:11]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 16:11]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 16:11]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 16:11]
S3 SoRa01;SoRa01;C:\Documents and Settings\Kaidoo\Desktop\hack\100% Working Hack Pack\SoRa.sys [2007-09-16 09:38]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 21:34:35 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-05 22:17:53 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-05 22:41:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D0386B3-FD72-488E-9740-90355AE21735} - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 00:19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

This post has been edited by kaido: Jul 5 2008, 04:32 PM
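The DSS/HijackThis log in post #1 and the ComboFix log in post #2 together carry the items a log helper checks first: a hosts-file line that is repeated seven times and points a hostname at a public address, BHO entries with no file behind them, both Security Center "DisableNotify" values set to 1, and two S3 kernel drivers registered from a Temp folder and from a Desktop "hack pack" folder. The following is an added example, not code from this thread or from HijackThis/ComboFix: a small Python triage pass that runs those checks over a constructed excerpt modelled on the posted lines. The rule names, the severities and the list of profile-folder hints are my own assumptions.

```python
"""Triage a HijackThis / ComboFix-style log for the indicators a log helper
looks at first.  Added example for this thread; not code from the thread or
from HijackThis/ComboFix.  Rule names, severities and PROFILE_HINTS are
assumptions; SAMPLE_LOG is a constructed excerpt modelled on the posted logs.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the thread's logs (not the full posts).
SAMPLE_LOG = r"""
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O2 - BHO: (no name) - {6D0386B3-FD72-488E-9740-90355AE21735} - (no file)
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1,194.126.115.18
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
S3 cxbu0wdm;CardMan 1021;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2006-07-11 10:03]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Kaidoo\LOCALS~1\Temp\gUSBSTOi.sys []
S3 SoRa01;SoRa01;C:\Documents and Settings\Kaidoo\Desktop\hack\100% Working Hack Pack\SoRa.sys [2007-09-16 09:38]
"""

HOSTS_RE  = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NOFILE_RE = re.compile(r"^O(?:2|3|9) - .*\(no file\)$")
# ComboFix service line: "<start> <name>;<description>;<path> [<date>]"
DRIVER_RE = re.compile(r"^S[0-4] (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>[^\[]*?\.sys)\s*\[")
NOTIFY_RE = re.compile(r'^"(\w+DisableNotify)"=dword:([0-9a-fA-F]+)$')
DNS_RE    = re.compile(r"^O17 - .*NameServer = (.+)$")

# A legitimate hosts file normally maps names to loopback or the null address.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# A kernel driver (.sys) under a user profile or temp folder is the strongest
# indicator in the thread's logs.  The hint list is an assumption.
PROFILE_HINTS = ("\\temp\\", "\\desktop\\", "\\docume~1\\", "\\documents and settings\\")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def _finding(severity, rule, detail):
    return {"severity": severity, "rule": rule, "detail": detail}


def triage(log_text):
    """Return findings (dicts with severity/rule/detail), highest severity first."""
    findings = []
    hosts = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:                                   # collect, judge after the loop
            hosts[(m.group(1), m.group(2))] += 1
            continue
        if NOFILE_RE.match(line):               # registered object, file gone
            findings.append(_finding("low", "orphan-entry", line))
            continue
        m = DRIVER_RE.match(line)
        if m:
            path = m.group("path").strip()
            if any(h in path.lower() for h in PROFILE_HINTS):
                findings.append(_finding("high", "driver-outside-system",
                                         f"{m.group('name')}: {path}"))
            continue
        m = NOTIFY_RE.match(line)
        if m and int(m.group(2), 16) == 1:      # REG_DWORD values are hex
            findings.append(_finding("medium", "notify-suppressed", m.group(1)))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in (s.strip() for s in m.group(1).split(",")):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    continue
                if not (addr.is_private or addr.is_loopback):
                    findings.append(_finding("info", "dns-public", server))
    for (ip, host), n in hosts.items():
        if n > 1:
            findings.append(_finding("medium", "hosts-duplicate",
                                     f"{host} -> {ip} repeated {n}x"))
        if ip not in SINKHOLE_IPS:
            findings.append(_finding("medium", "hosts-redirect", f"{host} -> {ip}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:22} {f['detail']}")
```

The "dns-public" rule only marks the entry for review: a public resolver next to a 192.168.0.1 gateway is usually the ISP's own server, so the output says to confirm it rather than calling it malicious. The driver rule is the one that matters here, since both hits in the thread (a .sys in the user's Temp folder and one under Desktop\hack) are paths no vendor driver installer uses.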
Post #3, Jul 26 2008, 11:28 PM. HJT Team member, W.A.M. (Women Against Malware) (Group: HJT Team; Posts: 1,717; Joined: 3-January 05; From: South Carolina, USA; Member No.: 8,530)
Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.
If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. -------------------- You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Join The Fight Against Malware
Post #4, Aug 1 2008, 08:47 AM. kaido (Member; Group: Members; Posts: 46; Joined: 23-December 07; Member No.: 178,487)
-- HijackThis (run as Kaidoo.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:44:36, on 1.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Kaidoo\Desktop\stuff\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kaidoo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.raadiojaam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D0386B3-FD72-488E-9740-90355AE21735} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [EstEID AIP switch] "C:\Program Files\IT Arendus\ID-kaart\aipswitch.exe" 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200917299984
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198815555703
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1,194.126.115.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7290 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 16:15:47          0 dr-h----- C:\Documents and Settings\Kaidoo\Recent
2008-07-30 02:49:27          0 d-------- C:\Program Files\Counter-Strike 1.6
2008-07-29 17:20:27          0 d-------- C:\Program Files\MSXML 4.0
2008-07-26 02:47:12          0 d-------- C:\My Music
2008-07-26 02:46:54          0 d-------- C:\Program Files\Common Files\Real
2008-07-26 02:44:10          0 d-------- C:\Program Files\Common Files\Logitech
2008-07-26 02:39:56          0 d-------- C:\Program Files\Labtec
2008-07-25 03:30:30          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Hamachi
2008-07-19 00:10:56          0 d--h----- C:\Documents and Settings\All Users\Application Data\{26CA9988-350F-475B-AC03-7EDFC283C222}
2008-07-19 00:10:48          0 d-------- C:\Program Files\Uniblue DriverScanner
2008-07-06 20:38:01          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Mount&Blade
2008-07-06 00:17:07      68096 --a------ C:\WINDOWS\zip.exe
2008-07-06 00:17:07     161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-06 00:17:07      80412 --a------ C:\WINDOWS\grep.exe
2008-07-06 00:17:06      49152 --a------ C:\WINDOWS\VFind.exe
2008-07-06 00:17:06      98816 --a------ C:\WINDOWS\sed.exe
2008-07-06 00:17:06      89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-06 00:17:05     212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-06 00:17:05     136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-05 18:01:20          0 d-------- C:\Program Files\RogueRemover FREE
2008-07-05 17:39:03          0 d-------- C:\VundoFix Backups
2008-07-05 17:31:26          0 d-------- C:\Program Files\Trend Micro

-- Find3M Report ---------------------------------------------------------------

2008-07-26 02:46:54          0 d-------- C:\Program Files\Common Files
2008-07-19 00:09:37          0 d-------- C:\Program Files\Uniblue
2008-07-19 00:03:16          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Uniblue
2008-07-10 14:00:49          0 d-------- C:\Program Files\Java
2008-06-30 02:06:19          0 d-------- C:\Program Files\FlatOut
2008-06-22 00:02:57          0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-18 23:32:11          0 d-------- C:\Program Files\Common Files\Java
2008-06-11 11:08:51          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Winamp
2008-06-11 11:07:37          0 d-------- C:\Program Files\Winamp
2008-06-10 21:01:50          0 d-------- C:\Documents and Settings\Kaidoo\Application Data\MSN6
2008-06-04 14:05:40          0 d-------- C:\Program Files\DivX
2008-05-13 04:53:16    3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 04:50:16     196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc.
dtu100> 2008-05-13 04:50:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100> 2008-05-13 04:50:08 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2008-05-13 04:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-13 04:50:08 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll 2008-05-13 04:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-13 04:50:06 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-13 04:49:02 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2008-05-02 22:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll 2008-05-02 22:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll 2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll 2008-05-02 22:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe 2008-05-02 22:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll 2008-05-02 22:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe 2008-05-02 22:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe 2008-05-02 22:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D0386B3-FD72-488E-9740-90355AE21735}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}] 27.03.2008 14:12 1164600 --a------ C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{EEE6C35B-6118-11DC-9C72-001320C79847}"= C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [27.03.2008 14:12 1164600] [-HKEY_CLASSES_ROOT\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}] [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3] 
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}] [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"="cmicnfg.cpl" [] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [21.01.2008 15:58] "EstEID AIP switch"="C:\Program Files\IT Arendus\ID-kaart\aipswitch.exe" [22.02.2007 15:36] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10.06.2008 04:27] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02.05.2008 22:46] "nwiz"="nwiz.exe" [02.05.2008 22:46 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02.05.2008 22:46] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18.10.2007 12:34] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kaidoo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "helpsvc"=2 (0x2) 
"ERSvc"=2 (0x2) |
Aug 1 2008, 02:37 PM, Post #5
W.A.M. (Women Against Malware), Group: HJT Team, Posts: 1,717, Joined: 3-January 05, From: South Carolina, USA, Member No.: 8,530
A few things you may do prior to cleaning:
-------------------- You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators) Malware Removal University Masters Graduate. Join The Fight Against Malware.
Aug 1 2008, 02:52 PM, Post #6
W.A.M. (Women Against Malware), HJT Team
You may want to print this page. Make sure to work through the fixes in the order in which they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
Step 1
I noticed that you have some programs that need to be updated.
Your "Adobe Reader" is out of date. You may want to download the latest version, Adobe® Reader® 9.
You may want to update to Windows Service Pack 3 and Internet Explorer 7. I have both on my computer and have had no problems.
Update to Windows XP Service Pack 3 and Internet Explorer 7
You need to install Windows Internet Explorer 7 or Internet Explorer 8 Beta 1 after you install Windows XP SP3. After you install Windows XP Service Pack 3 (SP3), you may not be able to uninstall Windows Internet Explorer 7 or Internet Explorer 8 Beta 1.
How to obtain the latest Windows XP service pack.
How to obtain Windows XP Service Pack 3 on a CD
To order Windows XP SP3 on a CD, visit one of the following Microsoft Web sites, as appropriate for your region: Asia; Europe and Africa; North America; South America.
Step 2
In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require ActiveX to run.
Step 3
Please download Ad-Aware 2008. Please check this link, Ad-Aware 2007/2008, for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.
Step 4
I recommend using SpywareBlaster. Please download SpywareBlaster. SpywareBlaster helps to:
Step 5
Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected, minimizes interruptions and helps you stay productive. Please download and install Windows Defender.
Step 6
ATF-Cleaner features include:
Instructions:
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.
Step 7
Please disconnect from the Internet. Please close ALL browser windows (including this one).
Step 8
Is this your Internet Service Provider (ISP)? If this is not your ISP, you need to use HijackThis to fix item(s).
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1,194.126.115.18
Step 9
Now we will address the HijackThis fixes. Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.raadiojaam.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D0386B3-FD72-488E-9740-90355AE21735} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.
Step 10
Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically, as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.
Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time. Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.
Read the articles below to see if they apply to your computer's problem with being slow to respond.
Slow Computer: Check here first, it may not be malware
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues
If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.
Step 11
If you did not add the listed domain to the Trusted Zones yourself, have HijackThis fix it.
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
Step 12
Let's run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.
Step 13
Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.
Please post the list of file names and locations for any files that can't be cleaned / deleted that were reported after you completed the online scans.
Please advise me of any problems you still have.
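The checks the reply above walks through by hand (BHO and button entries registered with "(no file)", O16 ActiveX downloads, O1 hosts-file redirects, and the O17 question "Is this your ISP?") can be scripted so that the same log is triaged consistently. The script below is an added example written for this page; it is not code from the HJT Team, from BleepingComputer or from HijackThis itself. The sample lines are copied from the log posted in this thread, while the heuristics, the allow-list of update domains for O16 and the treatment of private addresses in O17 are this example's own assumptions. A flagged line is a prompt for the human judgement the reply applies, not a verdict: a public resolver in O17 is only a problem if it is not the ISP's.

```python
"""Triage a HijackThis 2.0 log the way the reply above does by hand.

Added example for this thread; not part of HijackThis or of the HJT Team's
procedure. The heuristics and the O16 allow-list are assumptions of this script.
"""
import ipaddress
import re
from dataclasses import dataclass

# Lines copied from the log posted in this thread (HijackThis writes one entry per line).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.raadiojaam.com/
O1 - Hosts: 209.234.247.4 2moons.acclaimdownloads.com
O2 - BHO: (no name) - {6D0386B3-FD72-488E-9740-90355AE21735} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200917299984
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1,194.126.115.18
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFOS]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[0-9A-Fa-f.:,]+)")
# Assumption: ActiveX controls fetched from these domains are Windows/Microsoft Update.
O16_ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    kind: str    # HijackThis section prefix, e.g. "O17"
    reason: str  # why a human should look at this line
    line: str    # the entry exactly as logged


def triage(log_text: str) -> list:
    """Return the entries a log reviewer should check, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R0" and "Start Page" in body:
            findings.append(Finding(kind, "browser start page; reset it if you did not choose it", line))
        elif kind == "O1":
            # A hosts entry that is not loopback silently redirects that name.
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOOPBACK:
                findings.append(Finding(kind, f"hosts file pins {h.group('host')} to {h.group('ip')}", line))
        elif kind in ("O2", "O3", "O9") and body.endswith("(no file)"):
            # A CLSID registered in the browser whose DLL no longer exists.
            findings.append(Finding(kind, "COM registration whose DLL is gone; safe to remove", line))
        elif kind == "O16":
            # Downloaded Program Files: the last " - " separated field is the download URL.
            url = body.rsplit(" - ", 1)[-1]
            host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
            if not host.endswith(O16_ALLOWED_SUFFIXES):
                findings.append(Finding(kind, f"ActiveX control downloaded from {host}", line))
        elif kind == "O17":
            # DNS servers: a LAN address (the router) is expected; anything else must be the ISP's.
            n = NAMESERVER_RE.search(body)
            for server in (n.group("servers").split(",") if n else []):
                try:
                    public = not ipaddress.ip_address(server).is_private
                except ValueError:
                    public = True  # an unparsable value deserves a look as well
                if public:
                    findings.append(Finding(kind, f"DNS resolver {server} is not on your LAN; confirm it is your ISP's", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports the R0 start page, the 2moons hosts entry, the orphaned BHO, the acclaimdownloads cab and the public resolver 194.126.115.18; the Java BHO, the Windows Update control, the router at 192.168.0.1 and the NOD32 service pass without comment, which matches what the reply asks the poster to fix and what it leaves alone.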
Aug 12 2008, 06:08 AM, Post #7
W.A.M. (Women Against Malware), HJT Team
This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.