My Hijackthis Log, Check up?
Nakahira, Aug 28 2008, 11:34 PM (Post #16)





Sigh.. I'm sorry, but I think I just infected myself with something else. I think it's that fake Antivirus XP 2008 I've been seeing around the forums. I quickly opened Task Manager and deleted anything I did not see before; not sure if that would affect the HijackThis log, so I thought I would inform you of that. Currently running an Avira scan; it found a couple of things already and moved them to quarantine. I can give you the Avira log in my next post. I can't get on this site on my current computer, so I'm on my laptop. Here's a new HijackThis log. I'm sorry about this.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:28 PM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Winamp\winamp.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Charles Tseng\Desktop\New Folder (2)\HiJackThis(2).exe
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [inrhcgh0j0ej7e] C:\Documents and Settings\Charles Tseng\Local Settings\temp\.tt5B.tmp.exe /CR=7A58C7C65B49562366289DC37768C62B59F34B0C57F457DC43A04652A442C8275022AF0DBA2BC51D456AF30CC4DEA941F1EF46E27BC999861A52D795127665A817DDCDB007F86E734EA6E8C8948C0514E91BA1
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5922 bytes

This post has been edited by Nakahira: Aug 28 2008, 11:42 PM
farbar (HJT Team), Aug 29 2008, 05:35 AM (Post #17)





QUOTE
So only the drives with the drive letter F is infected? My externals are all letter E and appear under the "Hard Disk Drives" section instead of the "Devices with Removable Storage".


As I told you, any removable storage device might be infected, but I suspected the infection was transferred via drive F. Drive E might have been infected later on. So tell me if you did as instructed and connected the memory stick and your externals when Flash-disinfector asked. If not, please repeat step 3, this time connecting all externals after applying MBAM as given below. It would not take that long.

QUOTE
Sigh.. I'm sorry, but I think I just infected myself with something else. I think it's that fake Antivirus XP 2008 I've been seeing around the forums. I quickly opened Task Manager and deleted anything I did not see before; not sure if that would affect the HijackThis log, so I thought I would inform you of that. Currently running an Avira scan; it found a couple of things already and moved them to quarantine. I can give you the Avira log in my next post. I can't get on this site on my current computer, so I'm on my laptop. Here's a new HijackThis log. I'm sorry about this.


No need to apologize and thanks for letting me know, I see it on your log too.
  1. The rogue antivirus might even interfere with Avira. Please update MBAM and select "Perform full scan". If you can't connect to update, just run it anyway without updating. Let it remove what it finds and copy/paste the log.

  2. If you did not connect your externals, please repeat step 3 from the previous post to make sure your externals are clean.

  3. Please run ComboFix by double-clicking it and post the logs, as we have to proceed from the current situation.

  4. Tell me if you recognize the folder and file located on your desktop:

    C:\Documents and Settings\Charles Tseng\Desktop\ak47_jesus\BitBlt Cy@.exe

    One of the files sent to VirusTotal, named jesus.exe, was flagged by some scanners as a Trojan, and it is possibly related to this one.

  5. Please post the Avira log and a fresh HijackThis log. And tell me whether you can get connected with your computer.

In your next reply:
  • The log of MBAM.
  • The Combofix log.
  • The Avira log.
  • A fresh Hijackthis log.
  • Tell me what you did about the externals and whether you can get connected.




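The triage the replies in this thread do by hand can be automated for the two log formats involved. The following Python script is an added example, not part of this thread and not code from HijackThis, ComboFix or MBAM: it parses HijackThis O4 (Run-key) lines and the MountPoints2 AutoRun entries that ComboFix prints (the log posted later in this thread shows `\Shell\AutoRun\command - F:\key.bat` for drive F), and flags the two patterns that matter here: a Run value with a random-looking name launching an executable out of the user's temp directory, and a removable volume whose AutoRun command runs a script instead of an installer. The heuristics are the example's own, and the sample lines are constructed from the logs above with the profile name replaced by "user" and the long /CR= argument shortened.

```python
"""Triage of HijackThis O4 (Run-key) lines and of the MountPoints2 AutoRun
entries that ComboFix prints. Added example for this thread; the heuristics
are the example's own, not those of HijackThis, ComboFix or MBAM."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the logs posted in this thread: the user
# profile name is replaced by "user" and the long /CR= argument is shortened.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [inrhcgh0j0ej7e] C:\Documents and Settings\user\Local Settings\temp\.tt5B.tmp.exe /CR=7A58C7C65B49
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
"""

SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\key.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102486e0-c09d-11dc-8ecc-001d6072b173}]
\Shell\AutoRun\command - Autorun.exe /run
\Shell\Shell00\Command - Autorun.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86aedd5f-ecd9-11dc-9820-001d6072b173}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

O4_LINE = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
MOUNTPOINT_KEY = re.compile(r'^\[.*\\mountpoints2\\(?P<volume>[^\]]+)\]$', re.I)
AUTORUN_CMD = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$', re.I)
FILE_PATH = re.compile(r'^[a-z]:\\.*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js)\b', re.I)
TEMP_DIR = re.compile(r'\\(?:local settings\\)?temp\\', re.I)
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js', '.pif', '.scr', '.com')


@dataclass
class Finding:
    source: str        # "hjt-o4" or "mountpoints2"
    name: str          # Run value name, or the volume key under MountPoints2
    target: str        # file the entry launches
    reasons: list = field(default_factory=list)


def launched_file(cmd: str) -> str:
    """Return the file a command line actually starts (handles quoting and rundll32 hosting)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, tail = cmd.partition(' ')
    if head.lower() in ('rundll32.exe', 'rundll32'):
        cmd = tail.strip()  # the hosted DLL is what matters, not rundll32 itself
    m = FILE_PATH.match(cmd)
    return m.group(0) if m else (cmd.split() or [''])[0]


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as inrhcgh0j0ej7e:
    10+ characters, all lower-case alphanumerics, letters and digits mixed."""
    return (len(name) >= 10 and name.isalnum() and name.islower()
            and any(c.isdigit() for c in name))


def triage_hjt(text: str) -> list:
    """Flag O4 entries launching from a temp dir, with temp-style file names or random value names."""
    findings = []
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        name, target = m.group('name'), launched_file(m.group('cmd'))
        base = target.rsplit('\\', 1)[-1]
        reasons = []
        if TEMP_DIR.search(target):
            reasons.append('launches from a temp directory')
        if base.startswith('.') or base.lower().endswith('.tmp.exe'):
            reasons.append('temp-style file name')
        if looks_random(name):
            reasons.append('random-looking value name')
        if reasons:
            findings.append(Finding('hjt-o4', name, target, reasons))
    return findings


def triage_mountpoints(text: str) -> list:
    """Flag MountPoints2 AutoRun commands that run a script or a random-looking file from a volume."""
    findings, volume = [], None
    for line in text.splitlines():
        line = line.strip()
        k = MOUNTPOINT_KEY.match(line)
        if k:
            volume = k.group('volume')
            continue
        if line.startswith('['):
            volume = None  # some unrelated registry key follows
            continue
        c = AUTORUN_CMD.match(line)
        if not (c and volume):
            continue
        target = launched_file(c.group('cmd'))
        base = target.rsplit('\\', 1)[-1]
        reasons = []
        if base.lower().endswith(SCRIPT_EXT):
            reasons.append('AutoRun runs a script rather than an installer')
        if looks_random(base.rsplit('.', 1)[0]):
            reasons.append('random-looking file name')
        if reasons:
            findings.append(Finding('mountpoints2', volume, target, reasons))
    return findings


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT) + triage_mountpoints(SAMPLE_COMBOFIX):
        print(f'{f.source}: [{f.name}] {f.target}: {"; ".join(f.reasons)}')
```

On the sample, only the `inrhcgh0j0ej7e` Run value and the `F:\key.bat` AutoRun command are reported; the driver, vendor and game entries pass, as do the generic `Autorun.exe /run` (a CD/DVD) and the U3 launcher on drive E. The heuristics are deliberately narrow: a hit means "look at this entry", not "this is malware", and a clean pass says nothing about entries the tools did not list.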
Nakahira, Aug 29 2008, 03:19 PM (Post #18)





I'm now able to view the website, thanks. Yes, I did perform step 3 from the previous post. As for the folder and file, yes, I recognize it; I tried to remove it before but it did not delete, so I went into safe mode and deleted it from there. Is it still there? My Avira log says I aborted the scan; I don't remember aborting it.




Malwarebytes' Anti-Malware 1.25
Database version: 1096
Windows 5.1.2600 Service Pack 2

12:59:04 PM 8/29/2008
mbam-log-08-29-2008 (12-59-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 108160
Time elapsed: 24 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcgh0j0ej7e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\PIF (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphclh0j0ej7e.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\phclh0j0ej7e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.








ComboFix 08-08-28.04 - Charles Tseng 2008-08-29 13:06:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1637 [GMT -7:00]
Running from: C:\Documents and Settings\Charles Tseng\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\a.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-27 23:12 . 2008-08-27 23:12 <DIR> d-------- C:\rsit
2008-08-26 21:13 . 2008-08-26 21:13 <DIR> d-------- C:\Program Files\Sun
2008-08-26 21:13 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-26 21:12 . 2008-08-26 21:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-25 20:16 . 2008-08-25 20:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 20:16 . 2008-08-25 20:16 <DIR> d-------- C:\Documents and Settings\Charles Tseng\Application Data\Malwarebytes
2008-08-25 20:16 . 2008-08-25 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 20:16 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 20:16 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 17:20 . 2008-08-25 17:20 <DIR> d-------- C:\Program Files\Avira
2008-08-25 17:20 . 2008-08-25 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-25 13:06 . 2008-08-25 13:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-25 13:06 . 2008-08-25 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-17 18:11 . 2008-08-17 18:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-17 18:11 . 2008-08-17 18:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-14 02:25 . 2008-08-14 02:26 144 --a------ C:\WINDOWS\INpact_CSS_Hud_tweaker_1.19.INI
2008-08-13 19:25 . 2008-08-13 19:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 18:41 . 2008-08-27 23:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-13 16:57 . 2008-08-13 18:32 <DIR> d-------- C:\Documents and Settings\Charles Tseng\.housecall6.6
2008-08-13 16:50 . 2008-08-13 16:50 135,168 --a------ C:\WINDOWS\jesus.exe
2008-08-13 16:50 . 2008-08-13 16:50 24,576 --a------ C:\WINDOWS\jesus.dll
2008-08-13 03:11 . 2008-08-14 01:58 <DIR> d-------- C:\Fraps
2008-08-13 03:11 . 2008-08-14 01:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 02:25 . 2008-08-11 02:25 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-08-08 13:35 . 2008-08-08 13:35 <DIR> d-------- C:\j
2008-08-08 13:07 . 2008-08-08 13:07 <DIR> d-------- C:\Program Files\AMX Mod X
2008-08-05 15:03 . 2008-08-06 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-08-02 03:43 . 2008-08-02 03:44 <DIR> d-------- C:\Program Files\SmartFTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:10 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\Skype
2008-08-29 20:09 --------- d-----w C:\Program Files\Steam
2008-08-29 04:17 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\uTorrent
2008-08-27 04:13 --------- d-----w C:\Program Files\Java
2008-08-27 04:06 --------- d-----w C:\Program Files\Viewpoint
2008-08-27 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-26 21:55 --------- d-----w C:\Program Files\Warcraft III
2008-08-26 08:30 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\HLSW
2008-08-25 23:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-25 20:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-25 07:27 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\skypePM
2008-08-14 20:38 --------- d-----w C:\Program Files\DivX
2008-08-11 10:01 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\mIRC
2008-08-11 01:36 --------- d-----w C:\Program Files\mIRC
2008-08-08 21:17 --------- d-s---w C:\Program Files\HLSW
2008-08-05 19:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-05 19:04 --------- d-----w C:\Program Files\Custom-Strike
2008-08-05 19:03 --------- d-----w C:\Program Files\id Software
2008-08-03 18:26 --------- d-----w C:\Program Files\PowerISO
2008-07-29 03:13 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\vlc
2008-07-29 03:12 --------- d-----w C:\Program Files\VideoLAN
2008-07-19 11:00 --------- d-----w C:\Program Files\Lightside - Legend Ragnarok
2008-07-19 07:33 --------- d-----w C:\Program Files\VS Revo Group
2008-07-18 18:45 --------- d-----w C:\Program Files\Legacy Online
2008-07-18 09:54 --------- d-----w C:\Program Files\AIM
2008-07-08 08:03 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\XnView
2008-07-08 08:02 --------- d-----w C:\Program Files\XnView
2008-07-08 07:59 --------- d-----w C:\Program Files\IrfanView
2008-07-08 07:58 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\ESTSoft
2008-07-08 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESTsoft
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-07-04 02:41 --------- d-----w C:\Program Files\Diablo II
2008-07-03 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-03 22:57 --------- d-----w C:\Program Files\GALA-NET
2008-07-03 22:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-02 18:11 --------- d-----w C:\Program Files\Audacity
2008-07-01 21:31 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-07-01 21:31 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\SystemRequirementsLab
2008-06-30 17:34 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-06-30 17:34 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-12-27 05:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-28_19.40.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-08-25 20:33:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-29 19:51:58 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-25 20:33:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-29 19:51:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-25 20:33:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-29 19:51:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-29 02:32:41 71,154 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-29 20:04:45 71,154 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-29 02:32:41 423,718 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-29 20:04:45 423,718 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-27 21:14 1271032]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 22:34 868352]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-09 22:28 36352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-06 09:04 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
--a------ 2007-03-21 15:41 145496 C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
--a------ 2007-12-14 19:04 38128 C:\Program Files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 00:34 167936 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-06-23 22:12 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-06-25 01:18 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"PCLEPCI"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\steamapps\\nakahira3\\counter-strike\\hl.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Steam\\steamapps\\nakahira3\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\qwever_2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

S3 cpuz129;cpuz129;C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\cpuz_x32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\key.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102486e0-c09d-11dc-8ecc-001d6072b173}]
\Shell\AutoRun\command - Autorun.exe /run
\Shell\Shell00\Command - Autorun.exe /run
\Shell\Shell01\Command - Autorun.exe /action
\Shell\Shell02\Command - Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86aedd5f-ecd9-11dc-9820-001d6072b173}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0406CF5F-120F-CDF8-2220-4CF1CB2E62C3}]
C:\Documents and Settings\Charles Tseng\Desktop\ak47_jesus\BitBlt Cy@.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Charles Tseng\Application Data\Mozilla\Firefox\Profiles\gdbk4v80.default\
FF -: plugin - C:\Documents and Settings\Charles Tseng\Application Data\Mozilla\Firefox\Profiles\gdbk4v80.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-29 13:11:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 20:11:52
ComboFix2.txt 2008-08-29 02:40:15

Pre-Run: 179,539,091,456 bytes free
Post-Run: 179,476,705,280 bytes free

231 --- E O F --- 2008-08-14 02:22:37










Avira AntiVir Personal
Report file date: Thursday, August 28, 2008 21:18

Scanning for 1581048 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: NAKAHIRA

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 17:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 22:54:15
ANTIVIR2.VDF : 7.0.6.60 2802176 Bytes 8/24/2008 00:21:02
ANTIVIR3.VDF : 7.0.6.88 171520 Bytes 8/28/2008 00:20:37
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 17:46:50
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 8/26/2008 00:21:11
AESCN.DLL : 8.1.0.23 119156 Bytes 8/26/2008 00:21:10
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 17:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 8/26/2008 00:21:09
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 8/26/2008 00:21:08
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 8/26/2008 00:21:08
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 17:46:50
AEGEN.DLL : 8.1.0.36 315764 Bytes 8/26/2008 00:21:06
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/26/2008 00:21:05
AECORE.DLL : 8.1.1.8 172406 Bytes 8/26/2008 00:21:04
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 17:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 8/26/2008 00:21:03
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, August 28, 2008 21:18

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'winamp.exe' - '1' Module(s) have been scanned
Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'aim.exe' - '1' Module(s) have been scanned
Scan process 'nSvcIp.exe' - '1' Module(s) have been scanned
Scan process 'nSvcAppFlt.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'SMax4.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\lphclh0j0ej7e.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Frauder.AT back-door program
[NOTE] The file was moved to '491f793b.qua'!

The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Charles Tseng\Local Settings\temp\.tt58.tmp.vbs
[DETECTION] Contains recognition pattern of the VBS/Agent.1002 VBS script virus
[NOTE] The file was moved to '492b7ae7.qua'!
C:\Documents and Settings\Charles Tseng\Local Settings\temp\nsg5F.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was moved to '49237aeb.qua'!


End of the scan: Thursday, August 28, 2008 21:42
Used time: 24:03 Minute(s)

The scan has been canceled!

5472 Scanning directories
249370 Files were scanned
3 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
249366 Files not concerned
1493 Archives were scanned
1 Warnings
3 Notes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:19 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Charles Tseng\Desktop\New Folder (2)\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5345 bytes
farbar
post Aug 29 2008, 05:25 PM
Post #19


Bleeping Curious

Group: HJT Team
Posts: 1,539
Joined: 8-December 07
From: The Netherlands
Member No.: 175,240



QUOTE
My Avira log says I aborted the scan, I don't remember aborting it.


As I said, the rogue program interferes with the working of the antivirus.

  1. Close any open browsers.

    Open notepad and copy/paste the text in the quote box below into it:

    CODE
    Driver::
    TDSSserv

    File::
    C:\WINDOWS\jesus.exe
    C:\WINDOWS\jesus.dll
    C:\WINDOWS\system32\tdssadw.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssservers.dat
    C:\WINDOWS\system32\drivers\tdssserv.sys
    C:\systemroot\system32\drivers\TDSSserv.sys

    Folder::
    C:\Documents and Settings\Charles Tseng\Desktop\ak47_jesus
    C:\Program Files\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint

    DirLook::
    C:\j

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0406CF5F-120F-CDF8-2220-4CF1CB2E62C3}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102486e0-c09d-11dc-8ecc-001d6072b173}]


    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


  2. Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    CODE
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg was successfully added to the registry.

    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  3. Please copy/paste a fresh HijackThis log to your reply.

In your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.


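A check for the SecurityProviders value that the regfix.reg in step 2 restores, added here as an example (it is not farbar's, ComboFix's or Avira's code): it parses the REGEDIT4 text posted above for the known-good baseline and reports any DLL added to or missing from the current value, so the value can be verified before and after the fix. The live registry read only works on Windows; the infected-looking sample value used elsewhere is constructed.

```python
"""
SecurityProviders baseline check (added example; not part of the thread's tools).

The regfix.reg in step 2 resets HKLM\SYSTEM\CurrentControlSet\Control\
SecurityProviders to the stock Windows XP list. This script parses that .reg
text for the baseline and diffs it against a current value, so an unexpected
SSP DLL can be spotted before (and confirmed gone after) the fix is applied.
"""
import re

KEY_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
VALUE_NAME = "SecurityProviders"

# The .reg text exactly as posted in step 2 of the reply above.
BASELINE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
'''


def parse_reg_value(reg_text, key_path, value_name):
    """Return the REG_SZ string for value_name under key_path in REGEDIT4
    text, or None if the key or value is not present."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new [key] header; remember whether it is the one we want.
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and m.group(1).lower() == value_name.lower():
            return m.group(2)
    return None


def split_providers(value):
    """Split 'a.dll, b.dll' into lowercase names, tolerating missing spaces."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_security_providers(current, baseline):
    """Diff current SecurityProviders against baseline.
    Returns (extra, missing): DLLs present but not in the baseline, and
    baseline DLLs that are absent. Order follows the input lists."""
    cur = split_providers(current)
    base = split_providers(baseline)
    extra = [p for p in cur if p not in base]
    missing = [p for p in base if p not in cur]
    return extra, missing


BASELINE_VALUE = parse_reg_value(BASELINE_REG, KEY_PATH, VALUE_NAME)


def read_live_value():
    """Read the current value from the registry (Windows only)."""
    import winreg  # not available on other platforms
    sub = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        value, _type = winreg.QueryValueEx(key, VALUE_NAME)
    return value


def report(current, baseline=BASELINE_VALUE):
    """Human-readable verdict. An extra DLL is a finding to verify, not proof
    of infection: some legitimate software registers its own SSP."""
    extra, missing = check_security_providers(current, baseline)
    if not extra and not missing:
        return "OK: SecurityProviders matches the baseline"
    parts = []
    if extra:
        parts.append("unexpected: " + ", ".join(extra))
    if missing:
        parts.append("missing: " + ", ".join(missing))
    return "CHECK: " + "; ".join(parts)


if __name__ == "__main__":
    try:
        current = read_live_value()
    except (ImportError, OSError):
        # Constructed sample for non-Windows runs: baseline plus one extra DLL
        # (placeholder name, not a real indicator from this thread).
        current = BASELINE_VALUE + ", example_unknown.dll"
    print(report(current))
```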
Nakahira
post Aug 29 2008, 08:09 PM
Post #20


Member

Group: Members
Posts: 25
Joined: 12-June 06
Member No.: 71,802



ComboFix 08-08-29.02 - Charles Tseng 2008-08-29 18:04:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1622 [GMT -7:00]
Running from: C:\Documents and Settings\Charles Tseng\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charles Tseng\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\systemroot\system32\drivers\TDSSserv.sys
C:\WINDOWS\jesus.dll
C:\WINDOWS\jesus.exe
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\WINDOWS\jesus.dll
C:\WINDOWS\jesus.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-27 23:12 . 2008-08-27 23:12 <DIR> d-------- C:\rsit
2008-08-26 21:13 . 2008-08-26 21:13 <DIR> d-------- C:\Program Files\Sun
2008-08-26 21:13 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-26 21:12 . 2008-08-26 21:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-25 20:16 . 2008-08-25 20:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 20:16 . 2008-08-25 20:16 <DIR> d-------- C:\Documents and Settings\Charles Tseng\Application Data\Malwarebytes
2008-08-25 20:16 . 2008-08-25 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 20:16 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 20:16 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 17:20 . 2008-08-25 17:20 <DIR> d-------- C:\Program Files\Avira
2008-08-25 17:20 . 2008-08-25 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-25 13:06 . 2008-08-25 13:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-25 13:06 . 2008-08-25 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-17 18:11 . 2008-08-17 18:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-17 18:11 . 2008-08-17 18:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-14 02:25 . 2008-08-14 02:26 144 --a------ C:\WINDOWS\INpact_CSS_Hud_tweaker_1.19.INI
2008-08-13 19:25 . 2008-08-13 19:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 18:41 . 2008-08-27 23:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-13 16:57 . 2008-08-13 18:32 <DIR> d-------- C:\Documents and Settings\Charles Tseng\.housecall6.6
2008-08-13 03:11 . 2008-08-14 01:58 <DIR> d-------- C:\Fraps
2008-08-13 03:11 . 2008-08-14 01:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 02:25 . 2008-08-11 02:25 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-08-08 13:35 . 2008-08-08 13:35 <DIR> d-------- C:\j
2008-08-08 13:07 . 2008-08-08 13:07 <DIR> d-------- C:\Program Files\AMX Mod X
2008-08-05 15:03 . 2008-08-06 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-08-02 03:43 . 2008-08-02 03:44 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-28 20:13 . 2008-07-28 20:13 <DIR> d-------- C:\Documents and Settings\Charles Tseng\Application Data\vlc
2008-07-28 20:12 . 2008-07-28 20:12 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-25 16:08 . 2008-08-05 12:04 <DIR> d-------- C:\Program Files\Custom-Strike
2008-07-25 16:08 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-07-23 09:48 . 2008-07-23 09:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 09:48 . 2008-07-23 09:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-19 00:35 . 2008-08-10 18:36 <DIR> d-------- C:\Program Files\mIRC
2008-07-19 00:33 . 2008-07-19 00:33 <DIR> d-------- C:\Program Files\VS Revo Group
2008-07-16 22:04 . 2008-07-18 11:45 <DIR> d-------- C:\Program Files\Legacy Online
2008-07-08 01:02 . 2008-07-08 01:02 <DIR> d-------- C:\Program Files\XnView
2008-07-08 01:02 . 2008-07-08 01:03 <DIR> d-------- C:\Documents and Settings\Charles Tseng\Application Data\XnView
2008-07-08 00:59 . 2008-07-08 00:59 <DIR> d-------- C:\Program Files\IrfanView
2008-07-08 00:56 . 2008-07-08 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESTsoft
2008-07-08 00:55 . 2008-07-08 00:58 <DIR> d-------- C:\Documents and Settings\Charles Tseng\Application Data\ESTSoft
2008-07-07 00:40 . 2008-07-07 00:40 56,108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2008-07-05 18:23 . 2004-08-04 00:56 1,689,088 ---h---t- C:\WINDOWS\system32\6dbf144.dll
2008-07-05 18:23 . 2004-08-04 00:56 1,689,088 ---h---t- C:\WINDOWS\system32\1490f139.dll
2008-07-05 18:23 . 2004-08-04 00:56 82,944 ---h---t- C:\WINDOWS\system32\ad1eb3a.dll
2008-07-05 18:23 . 2004-08-04 00:56 82,944 ---h---t- C:\WINDOWS\system32\17482b4a.dll
2008-07-05 16:43 . 2004-08-04 00:56 1,689,088 ---h---t- C:\WINDOWS\system32\2e62d0c0.dll
2008-07-05 16:43 . 2004-08-04 00:56 1,689,088 ---h---t- C:\WINDOWS\system32\13641f74.dll
2008-07-05 16:43 . 2004-08-04 00:56 82,944 ---h---t- C:\WINDOWS\system32\44c508c.dll
2008-07-05 16:43 . 2004-08-04 00:56 82,944 ---h---t- C:\WINDOWS\system32\12731fba.dll
2008-07-03 16:00 . 2008-07-03 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-03 15:57 . 2008-07-03 15:57 <DIR> d-------- C:\Program Files\GALA-NET
2008-07-03 15:57 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-07-02 11:11 . 2008-07-02 11:11 <DIR> d-------- C:\Program Files\Audacity
2008-07-01 14:31 . 2008-07-01 14:31 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-01 14:31 . 2008-07-01 14:31 <DIR> d-------- C:\Documents and Settings\Charles Tseng\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:10 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\Skype
2008-08-29 20:09 --------- d-----w C:\Program Files\Steam
2008-08-29 04:17 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\uTorrent
2008-08-27 04:13 --------- d-----w C:\Program Files\Java
2008-08-26 21:55 --------- d-----w C:\Program Files\Warcraft III
2008-08-26 08:30 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\HLSW
2008-08-25 23:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-25 20:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-25 07:27 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\skypePM
2008-08-14 20:38 --------- d-----w C:\Program Files\DivX
2008-08-11 10:01 --------- d-----w C:\Documents and Settings\Charles Tseng\Application Data\mIRC
2008-08-08 21:17 --------- d-s---w C:\Program Files\HLSW
2008-08-05 19:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-05 19:03 --------- d-----w C:\Program Files\id Software
2008-08-03 18:26 --------- d-----w C:\Program Files\PowerISO
2008-07-19 11:00 --------- d-----w C:\Program Files\Lightside - Legend Ragnarok
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 09:54 --------- d-----w C:\Program Files\AIM
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 02:41 --------- d-----w C:\Program Files\Diablo II
2008-07-03 22:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-30 17:43 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-06-30 17:43 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-06-30 17:43 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-06-30 17:34 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-06-30 17:34 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-12 22:08 58,800 ----a-w C:\WINDOWS\system32\ijjiPlugin2.dll
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-12-27 05:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\j ----

2003-05-04 22:18 201048 --a------ C:\j\cb_iceworld.bsp
2003-05-01 22:46 256 --a------ C:\j\cb_iceworld.txt


((((((((((((((((((((((((((((( snapshot@2008-08-28_19.40.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-08-25 20:33:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-29 19:51:58 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-25 20:33:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-29 19:51:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-25 20:33:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-29 19:51:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-29 02:32:41 71,154 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-29 20:13:45 71,154 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-29 02:32:41 423,718 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-29 20:13:45 423,718 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-27 21:14 1271032]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 22:34 868352]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-09 22:28 36352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-06 09:04 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
--a------ 2007-03-21 15:41 145496 C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
--a------ 2007-12-14 19:04 38128 C:\Program Files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 00:34 167936 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-06-23 22:12 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-06-25 01:18 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"PCLEPCI"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\steamapps\\nakahira3\\counter-strike\\hl.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Steam\\steamapps\\nakahira3\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\qwever_2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

S3 cpuz129;cpuz129;C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\cpuz_x32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86aedd5f-ecd9-11dc-9820-001d6072b173}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-08-29 18:06:01
ComboFix-quarantined-files.txt 2008-08-30 01:05:59
ComboFix2.txt 2008-08-29 20:11:55
ComboFix3.txt 2008-08-29 02:40:15

Pre-Run: 179,412,652,032 bytes free
Post-Run: 179,399,434,240 bytes free

241 --- E O F --- 2008-08-14 02:22:37

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:14 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\Charles Tseng\Desktop\New Folder (2)\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5437 bytes
Nakahira