Win32/trojandownloader.ani.gen


This topic is locked.
21 replies to this topic

#1 BabyMilo

Posted 22 August 2007 - 10:01 AM

First, NOD detected that I have a Win32/TrojanDownloader.Ani.Gen from the site:
---->http://vip.yx456.com.cn/sg/ah.c
Then it goes to C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 and detects the same thing, Win32/TrojanDownloader.Ani.Gen.
I am not sure if the above info helps.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:08, on 22/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\wbem\svchost.exe
C:\Program Files\Microsoft SQL Server\Mssql$MA3\Binn\MSSQL$MA3\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Marcus\桌面\Download07\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Marcus\桌面\Download07\DSLite2\DSLite.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169820912312
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 8222 bytes

Thank you for your great help!


#2 rookie147

Posted 22 August 2007 - 10:26 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please download HostsXpert from here.
Unzip HostsXpert.zip
Open HostsXpert.exe
Then click on "Restore Microsoft's Host File", followed by OK at the prompt.
Close the program when complete.

Then scan once more with HijackThis and post back the new log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
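A small triage script, added here as an example and not part of this thread or of HijackThis or HostsXpert, that parses the O1 (Hosts) and O2 (BHO) lines of a HijackThis log like the one posted above and flags hosts-file mappings other than the default localhost entry, plus BHOs whose DLL is missing. The sample log text is copied from the lines posted in this thread; the function and class names are my own.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
forum's or HijackThis's own code). A default Windows hosts file maps only
localhost, so every O1 line HijackThis reports is an override; this script
separates entries that block a domain from entries that redirect it, and
lists BHO registrations whose DLL is absent from disk."""
import re
from dataclasses import dataclass

# O1 lines look like: "O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com"
_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# O2 lines look like: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
_O2 = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")

# The only mapping a stock Windows XP hosts file contains.
DEFAULT_HOSTS = {("127.0.0.1", "localhost")}

# Addresses that make a hostname unreachable rather than sending it elsewhere.
def _is_blackhole(addr):
    return addr.startswith("127.") or addr == "0.0.0.0"


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O1" or "O2"
    detail: str    # the entry that triggered the finding
    reason: str    # why it was flagged


def parse_hosts_entries(lines):
    """Return (address, hostname) tuples for every O1 line."""
    entries = []
    for line in lines:
        m = _O1.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_bho_entries(lines):
    """Return (name, clsid, path) tuples for every O2 line."""
    entries = []
    for line in lines:
        m = _O2.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def triage(log_text):
    """Flag non-default hosts mappings and BHOs with a missing DLL."""
    lines = log_text.splitlines()
    findings = []
    for addr, host in parse_hosts_entries(lines):
        if (addr, host) in DEFAULT_HOSTS:
            continue
        reason = ("hosts entry blocks domain" if _is_blackhole(addr)
                  else "hosts entry redirects domain")
        findings.append(Finding("O1", f"{addr} {host}", reason))
    for name, clsid, path in parse_bho_entries(lines):
        if "(no file)" in path or "(file missing)" in path:
            findings.append(Finding("O2", f"{name} {clsid}",
                                    "BHO registered but DLL missing"))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.detail} -> {f.reason}")
```

The three alcohol-soft.com lines are reported as blocked rather than redirected because 127.255.255.255 is a loopback address; a real redirect would show a routable address instead.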


#3 BabyMilo

Posted 22 August 2007 - 12:00 PM

I am sorry, but the link you have provided says "Unfortunately we can't process your request because it simply doesn't exist."
Should I just download it anyway? -->http://www.funkytoad.com/content/view/13/31/

#4 rookie147

Posted 22 August 2007 - 12:01 PM

Oh sorry, I didn't realise the link did not work. Please use the other link you found :thumbsup:



#5 BabyMilo

Posted 22 August 2007 - 12:03 PM

Thanks Charles.

Here is the log after I've restored Microsoft's Host File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:27, on 23/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\wbem\svchost.exe
C:\Program Files\Microsoft SQL Server\Mssql$MA3\Binn\MSSQL$MA3\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Marcus\桌面\Download07\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Marcus\桌面\Download07\DSLite2\DSLite.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169820912312
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5979 bytes

#6 rookie147

Posted 22 August 2007 - 03:08 PM

Before we continue, I would like to see a Combofix log from you.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply.
Thanks,
Charles



#7 BabyMilo

Posted 22 August 2007 - 04:05 PM

ComboFix 07-08-17.2 - "Adam" 2007-08-23 5:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.109 [GMT 8:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\a.exe


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-23 04:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-22 23:46 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-22 23:46 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-22 23:46 40,264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-22 23:46 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-22 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-22 23:46 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\PC Tools
2007-08-22 22:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-22 22:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-22 22:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-20 13:20 <DIR> d-------- C:\Program Files\RivaTuner v2.02
2007-08-19 19:53 <DIR> d-------- C:\Program Files\ATITool
2007-08-17 11:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-17 11:23 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-13 19:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-12 17:49 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-08-11 16:08 <DIR> d-------- C:\Program Files\Attack on Pearl Harbor
2007-08-10 13:37 <DIR> d-------- C:\Program Files\RegScrubXP
2007-08-09 03:00 <DIR> d-------- C:\Program Files\Opera
2007-08-09 03:00 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\Opera
2007-08-09 02:18 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-08 17:58 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-08-08 17:58 <DIR> d-------- C:\Program Files\MagicDisc
2007-08-08 13:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-07 13:55 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-06 17:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Real
2007-08-06 00:28 <DIR> d-------- C:\DOCUME~1\Marcus\APPLIC~1\Talkback
2007-08-05 19:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Bluetooth
2007-08-05 19:13 <DIR> d-------- C:\Program Files\IVT Corporation
2007-08-05 19:07 51,712 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-08-05 19:06 82,148 --a------ C:\WINDOWS\system32\drivers\VcommMgr.sys
2007-08-05 19:06 77,824 -ra------ C:\WINDOWS\system32\drivers\SioUi2k.dll
2007-08-05 19:06 7,680 --a------ C:\WINDOWS\system32\btinstall.dll
2007-08-05 19:06 63,488 -ra------ C:\WINDOWS\system32\drivers\wssbtr1f.sys
2007-08-05 19:06 61,312 --a------ C:\WINDOWS\system32\drivers\VComm.sys
2007-08-05 19:06 51,169 -ra------ C:\WINDOWS\system32\drivers\OXSER.SYS
2007-08-05 19:06 49,152 --a------ C:\WINDOWS\system32\btfunc.dll
2007-08-05 19:06 48,556 -ra------ C:\WINDOWS\system32\drivers\SktBt2k.sys
2007-08-05 19:06 48,076 -ra------ C:\WINDOWS\system32\drivers\Sio9502k.sys
2007-08-05 19:06 40,960 -ra------ C:\WINDOWS\system32\drivers\SCTray.exe
2007-08-05 19:06 28,271 --a------ C:\WINDOWS\system32\drivers\BTHidMgr.sys
2007-08-05 19:06 23,000 --a------ C:\WINDOWS\system32\drivers\btcusb.sys
2007-08-05 19:06 20,480 --a------ C:\WINDOWS\system32\drivers\blueletaudio.sys
2007-08-05 19:06 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
2007-08-05 19:06 13,304 --a------ C:\WINDOWS\system32\drivers\BTNetFilter.sys
2007-08-05 19:06 116,021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys
2007-08-05 19:06 11,860 --a------ C:\WINDOWS\system32\drivers\vbtenum.sys
2007-08-05 19:06 11,736 --a------ C:\WINDOWS\system32\drivers\VHIDMini.sys
2007-08-05 19:06 10,804 --a------ C:\WINDOWS\system32\drivers\BtNetDrv.sys
2007-08-05 18:38 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\foobar2000
2007-08-03 01:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-02 21:53 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\VMware
2007-08-02 21:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware
2007-08-02 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware
2007-08-02 14:57 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\Nero
2007-08-02 02:28 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-07-31 17:21 <DIR> d-------- C:\Program Files\FMA 2
2007-07-31 17:21 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\FMA
2007-07-31 17:12 <DIR> d-------- C:\Program Files\Fma
2007-07-31 16:05 40,448 --a------ C:\WINDOWS\system32\drivers\SUSCOM.SYS
2007-07-31 16:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-07-31 16:02 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-07-31 03:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI
2007-07-31 02:29 1,324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-31 00:03 996,648 --a------ C:\WINDOWS\system32\ShellManager10E2D762.dll
2007-07-30 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-30 23:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-30 19:40 3,328 --a------ C:\WINDOWS\system32\drivers\qv2kux.sys
2007-07-28 11:37 8,237,056 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-07-28 11:31 344,064 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-07-28 11:06 176,128 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-07-28 11:01 972,072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-07-28 11:01 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-07-28 11:01 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-07-27 20:23 <DIR> d-------- C:\DOCUME~1\Adam\Luna QQ + Wall + Icons
2007-07-26 20:20 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-07-26 20:20 <DIR> d-------- C:\Program Files\ffdshow
2007-07-26 03:06 <DIR> d-------- C:\DOCUME~1\Adam\「開始」
2007-07-26 02:52 <DIR> d-------- C:\Program Files\Electronic Arts
2007-07-24 01:17 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2007-07-23 03:34 <DIR> d-------- C:\DOCUME~1\Adam\.unlimitedftp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 23:48 --------- d-------- C:\Program Files\FlashGet
2007-08-21 00:30 --------- d-------- C:\Program Files\SpeedFan
2007-08-06 14:10 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
2007-08-05 19:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-31 18:58 --------- d-------- C:\Program Files\PPStream
2007-07-31 18:58 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\ppstream
2007-07-31 03:15 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\ATI
2007-07-31 03:13 --------- d-------- C:\Program Files\ATI Technologies
2007-07-30 23:51 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-28 13:44 45296 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-28 11:30 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-28 11:30 2371584 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-28 11:24 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-07-28 11:23 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-07-28 11:23 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-07-28 11:22 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-07-28 11:22 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-07-28 11:22 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-07-28 11:21 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-07-28 11:20 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-07-28 11:12 3067712 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-28 11:01 1550208 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-28 10:50 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-07-28 10:47 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-07-28 10:46 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-07-28 10:45 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-07-28 10:40 450560 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-24 23:57 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\DivX
2007-07-22 11:32 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-20 23:13 --------- d-------- C:\Program Files\Ingenuware
2007-07-19 01:19 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Ahead
2007-07-18 23:19 --------- d-------- C:\Program Files\Windows Live
2007-07-18 23:19 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 23:19 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-16 23:45 --------- d-------- C:\Program Files\Foolish Entertainment
2007-07-15 23:41 --------- d-------- C:\Program Files\Winamp
2007-07-15 07:09 --------- d-------- C:\Program Files\Aspyr
2007-07-14 02:40 --------- d-------- C:\Program Files\AWC
2007-07-14 00:47 --------- d-------- C:\Program Files\MSBuild
2007-07-14 00:40 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-12 15:17 --------- d-------- C:\Program Files\OO Software
2007-07-11 18:09 --------- d-------- C:\Program Files\eMule
2007-07-10 21:38 --------- d-------- C:\Program Files\Theorica Divx ;-) Codecs
2007-07-10 16:55 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-10 04:01 --------- d-------- C:\Program Files\HD Tune
2007-07-10 00:31 --------- d-------- C:\Program Files\PPLive
2007-07-10 00:30 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\PPLive
2007-07-09 19:37 --------- d-------- C:\Program Files\BitComet
2007-07-09 12:21 --------- d-------- C:\Program Files\DivX
2007-07-08 21:59 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2007-07-08 21:59 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-07-08 21:58 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-07-08 21:50 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-08 15:53 --------- d-------- C:\Program Files\iTunes
2007-07-08 15:52 --------- d-------- C:\Program Files\QuickTime
2007-07-08 15:52 --------- d-------- C:\Program Files\iPod
2007-07-08 15:49 --------- d-------- C:\Program Files\Apple Software Update
2007-07-08 15:48 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-03 19:10 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-03 19:10 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-03 03:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-03 03:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-03 03:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-03 03:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-03 03:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-03 03:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-03 03:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-03 03:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-03 03:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-03 03:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-03 03:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-03 03:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-03 03:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-03 03:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-03 03:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-03 03:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-03 03:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-03 03:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-26 14:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 21:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:22 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-19 09:22 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-19 09:22 118056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-13 21:22 977920 --a------ C:\WINDOWS\explorer.exe
2001-11-23 12:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-01-26 01:28]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [2007-07-02 03:20]
"ATIModeChange"="Ati2mdxx.exe" [2007-07-28 11:22 C:\WINDOWS\system32\Ati2mdxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 18:16]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Adam^「開始」功能表^程式集^啟動^MagicDisc.lnk.disabled]
path=C:\Documents and Settings\Adam\「開始」功能表\程式集\啟動\MagicDisc.lnk.disabled
backup=C:\WINDOWS\pss\MagicDisc.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CJIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\PROGRA~1\FlashGet\FlashGet.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NTService1"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NBService"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"StarWindService"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"NMIndexingService"=3 (0x3)
"idsvc"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R2 MivsNT;Microsoft Application Suppost NT;C:\WINDOWS\system32\wbem\svchost.exe
R2 MSSQL$MA3;MSSQL$MA3;C:\Program Files\Microsoft SQL Server\Mssql$MA3\Binn\MSSQL$MA3\Binn\sqlservr.exe -sMA3
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.02\RivaTuner32.sys
S3 38ac6c6d.sys;38ac6c6d.sys;\??\C:\WINDOWS\system32\drivers\38ac6c6d.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
S3 NOWMEMDF;NOWMEMDF;\??\C:\WINDOWS\system32\NOWMEMDF.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys
S3 QV2KUX;Casio Digital Camera;C:\WINDOWS\system32\DRIVERS\qv2kux.sys
S3 SQLAgent$MA3;SQLAgent$MA3;C:\Program Files\Microsoft SQL Server\Mssql$MA3\Binn\MSSQL$MA3\Binn\sqlagent.EXE -i MA3
S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS


Contents of the 'Scheduled Tasks' folder
2007-08-18 00:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-23 05:03:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-23 5:04:24
C:\ComboFix-quarantined-files.txt ... 2007-08-23 05:04

--- E O F ---

#8 BabyMilo (Topic Starter)

Posted 23 August 2007 - 01:24 PM

Currently, I am also suffering from a Trojan-PWS.Tanspy:

Reg: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

#9 rookie147

Posted 24 August 2007 - 09:48 AM

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]

Save this as fix.reg. Choose to save as *all files* and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Reboot your computer, then post a new Combofix log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
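The procedure above backs up the whole registry with `regedit /e` and then merges a `[-key]` deletion. Restoring from a full-hive export is a blunt rollback, so a practitioner usually carves the target subtree out of the backup first and keeps that as a small restore file. The Python below does that; it is an added example, not code from the thread, from regedit or from any tool named here. The export text is constructed in REGEDIT4 syntax with invented values (XP's `regedit /e` really writes a UTF-16 file headed "Windows Registry Editor Version 5.00", which you would decode first; the section layout is identical), and the `TARGET` key is the one named in the post.

```python
"""Carve one key's subtree out of a regedit export, so a "[-key]" deletion can
be rolled back by merging a small file rather than the whole backup.

Added example for this thread; it is not the forum's or regedit's own code.
"""
from typing import List, Tuple

# Constructed export in REGEDIT4 syntax with invented values. (regedit /e on XP
# writes UTF-16 headed "Windows Registry Editor Version 5.00"; decode it first,
# the section layout is the same.)
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\\Program Files\\Eset\\nod32kui.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
"load"="C:\\WINDOWS\\system32\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\sub]
"x"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\loader]
"y"="a sibling key whose name merely shares a prefix"
"""

# The key the post deletes with [-...].
TARGET = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load"


def split_sections(export: str) -> List[Tuple[str, List[str]]]:
    """Return (key, body lines) for each [key] block; the file header is dropped.
    Continuation lines of long hex values stay with their section unchanged."""
    sections: List[Tuple[str, List[str]]] = []
    key, body = None, []
    for line in export.splitlines():
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, body))
            key, body = line[1:-1], []
        elif key is not None and line.strip():
            body.append(line)
    if key is not None:
        sections.append((key, body))
    return sections


def in_subtree(key: str, target: str) -> bool:
    """True for the target key itself and anything beneath it. The match is on
    a path segment boundary, so "...\\load" does not capture "...\\loader"."""
    k, t = key.lower(), target.lower()
    return k == t or k.startswith(t + "\\")


def carve(export: str, target: str) -> Tuple[str, str]:
    """Return (delete_reg, restore_reg): the deletion file to merge now, and a
    rollback file holding exactly the subtree that deletion removes."""
    delete_reg = f"REGEDIT4\n\n[-{target}]\n"
    parts = ["REGEDIT4", ""]
    for key, body in split_sections(export):
        if in_subtree(key, target):
            parts.append(f"[{key}]")
            parts.extend(body)
            parts.append("")
    return delete_reg, "\n".join(parts) + "\n"


if __name__ == "__main__":
    delete_reg, restore_reg = carve(SAMPLE_EXPORT, TARGET)
    print("--- fix.reg ---\n" + delete_reg)
    print("--- rollback.reg ---\n" + restore_reg)
```

Merge the first file to delete the key; if the machine misbehaves afterwards, merging the second recreates only that subtree (XP's regedit accepts the REGEDIT4 header). The `loader` section in the sample is there to show why the prefix test must stop at a backslash: a naive `startswith` would drag an unrelated sibling key into the rollback.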


#10 BabyMilo (Topic Starter)

Posted 24 August 2007 - 11:53 AM

ComboFix 07-08-17.2 - "Adam" 2007-08-25 0:49:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.105 [GMT 8:00]


((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


2007-08-24 17:49 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-24 00:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-23 04:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-22 23:46 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-22 23:46 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-22 23:46 40,264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-22 23:46 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-22 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-22 23:46 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\PC Tools
2007-08-22 22:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-22 22:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-22 22:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-20 13:20 <DIR> d-------- C:\Program Files\RivaTuner v2.02
2007-08-19 19:53 <DIR> d-------- C:\Program Files\ATITool
2007-08-17 11:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-17 11:23 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-13 19:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-12 17:49 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-08-11 16:08 <DIR> d-------- C:\Program Files\Attack on Pearl Harbor
2007-08-10 13:37 <DIR> d-------- C:\Program Files\RegScrubXP
2007-08-09 03:00 <DIR> d-------- C:\Program Files\Opera
2007-08-09 03:00 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\Opera
2007-08-09 02:18 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-08 17:58 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-08-08 17:58 <DIR> d-------- C:\Program Files\MagicDisc
2007-08-08 13:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-07 13:55 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-06 17:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Real
2007-08-06 00:28 <DIR> d-------- C:\DOCUME~1\Marcus\APPLIC~1\Talkback
2007-08-05 19:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Bluetooth
2007-08-05 19:13 <DIR> d-------- C:\Program Files\IVT Corporation
2007-08-05 19:07 51,712 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-08-05 19:06 82,148 --a------ C:\WINDOWS\system32\drivers\VcommMgr.sys
2007-08-05 19:06 77,824 -ra------ C:\WINDOWS\system32\drivers\SioUi2k.dll
2007-08-05 19:06 7,680 --a------ C:\WINDOWS\system32\btinstall.dll
2007-08-05 19:06 63,488 -ra------ C:\WINDOWS\system32\drivers\wssbtr1f.sys
2007-08-05 19:06 61,312 --a------ C:\WINDOWS\system32\drivers\VComm.sys
2007-08-05 19:06 51,169 -ra------ C:\WINDOWS\system32\drivers\OXSER.SYS
2007-08-05 19:06 49,152 --a------ C:\WINDOWS\system32\btfunc.dll
2007-08-05 19:06 48,556 -ra------ C:\WINDOWS\system32\drivers\SktBt2k.sys
2007-08-05 19:06 48,076 -ra------ C:\WINDOWS\system32\drivers\Sio9502k.sys
2007-08-05 19:06 40,960 -ra------ C:\WINDOWS\system32\drivers\SCTray.exe
2007-08-05 19:06 28,271 --a------ C:\WINDOWS\system32\drivers\BTHidMgr.sys
2007-08-05 19:06 23,000 --a------ C:\WINDOWS\system32\drivers\btcusb.sys
2007-08-05 19:06 20,480 --a------ C:\WINDOWS\system32\drivers\blueletaudio.sys
2007-08-05 19:06 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
2007-08-05 19:06 13,304 --a------ C:\WINDOWS\system32\drivers\BTNetFilter.sys
2007-08-05 19:06 116,021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys
2007-08-05 19:06 11,860 --a------ C:\WINDOWS\system32\drivers\vbtenum.sys
2007-08-05 19:06 11,736 --a------ C:\WINDOWS\system32\drivers\VHIDMini.sys
2007-08-05 19:06 10,804 --a------ C:\WINDOWS\system32\drivers\BtNetDrv.sys
2007-08-05 18:38 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\foobar2000
2007-08-03 01:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-02 21:53 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\VMware
2007-08-02 21:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware
2007-08-02 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware
2007-08-02 14:57 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\Nero
2007-08-02 02:28 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-07-31 17:21 <DIR> d-------- C:\Program Files\FMA 2
2007-07-31 17:21 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\FMA
2007-07-31 17:12 <DIR> d-------- C:\Program Files\Fma
2007-07-31 16:05 40,448 --a------ C:\WINDOWS\system32\drivers\SUSCOM.SYS
2007-07-31 16:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-07-31 16:02 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-07-31 03:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI
2007-07-31 02:29 1,324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-31 00:03 996,648 --a------ C:\WINDOWS\system32\ShellManager10E2D762.dll
2007-07-30 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-30 23:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-30 19:40 3,328 --a------ C:\WINDOWS\system32\drivers\qv2kux.sys
2007-07-28 11:37 8,237,056 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-07-28 11:31 344,064 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-07-28 11:06 176,128 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-07-28 11:01 972,072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-07-28 11:01 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-07-28 11:01 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-07-26 20:20 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-07-26 20:20 <DIR> d-------- C:\Program Files\ffdshow
2007-07-26 03:06 <DIR> d-------- C:\DOCUME~1\Adam\「開始」
2007-07-26 02:52 <DIR> d-------- C:\Program Files\Electronic Arts


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 02:24 --------- d-------- C:\Program Files\FlashGet
2007-08-21 00:30 --------- d-------- C:\Program Files\SpeedFan
2007-08-06 14:10 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
2007-08-05 19:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-31 18:58 --------- d-------- C:\Program Files\PPStream
2007-07-31 18:58 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\ppstream
2007-07-31 03:15 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\ATI
2007-07-31 03:13 --------- d-------- C:\Program Files\ATI Technologies
2007-07-30 23:51 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-28 13:44 45296 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-28 11:30 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-28 11:30 2371584 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-28 11:24 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-07-28 11:23 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-07-28 11:23 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-07-28 11:22 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-07-28 11:22 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-07-28 11:22 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-07-28 11:21 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-07-28 11:20 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-07-28 11:12 3067712 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-28 11:01 1550208 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-28 10:50 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-07-28 10:47 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-07-28 10:46 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-07-28 10:45 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-07-28 10:40 450560 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-24 23:57 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\DivX
2007-07-24 01:17 --------- d-------- C:\Program Files\Common Files\eSellerate
2007-07-22 11:32 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-19 01:19 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Ahead
2007-07-18 23:19 --------- d-------- C:\Program Files\Windows Live
2007-07-18 23:19 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 23:19 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-16 23:45 --------- d-------- C:\Program Files\Foolish Entertainment
2007-07-15 23:41 --------- d-------- C:\Program Files\Winamp
2007-07-15 07:09 --------- d-------- C:\Program Files\Aspyr
2007-07-14 02:40 --------- d-------- C:\Program Files\AWC
2007-07-14 00:47 --------- d-------- C:\Program Files\MSBuild
2007-07-14 00:40 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-12 15:17 --------- d-------- C:\Program Files\OO Software
2007-07-11 18:09 --------- d-------- C:\Program Files\eMule
2007-07-10 21:38 --------- d-------- C:\Program Files\Theorica Divx ;-) Codecs
2007-07-10 16:55 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-10 04:01 --------- d-------- C:\Program Files\HD Tune
2007-07-10 00:31 --------- d-------- C:\Program Files\PPLive
2007-07-10 00:30 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\PPLive
2007-07-09 19:37 --------- d-------- C:\Program Files\BitComet
2007-07-09 12:21 --------- d-------- C:\Program Files\DivX
2007-07-08 21:59 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2007-07-08 21:59 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-07-08 21:58 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-07-08 21:50 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-08 15:53 --------- d-------- C:\Program Files\iTunes
2007-07-08 15:52 --------- d-------- C:\Program Files\QuickTime
2007-07-08 15:52 --------- d-------- C:\Program Files\iPod
2007-07-08 15:49 --------- d-------- C:\Program Files\Apple Software Update
2007-07-08 15:48 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-03 19:10 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-03 19:10 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-03 03:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-03 03:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-03 03:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-03 03:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-03 03:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-03 03:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-03 03:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-03 03:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-03 03:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-03 03:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-03 03:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-03 03:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-03 03:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-03 03:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-03 03:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-03 03:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-03 03:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-03 03:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-26 14:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 21:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:22 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-19 09:22 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-19 09:22 118056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-13 21:22 977920 --a------ C:\WINDOWS\explorer.exe
2001-11-23 12:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-01-26 01:28]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [2007-07-02 03:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Adam^「開始」功能表^程式集^啟動^MagicDisc.lnk.disabled]
path=C:\Documents and Settings\Adam\「開始」功能表\程式集\啟動\MagicDisc.lnk.disabled
backup=C:\WINDOWS\pss\MagicDisc.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CJIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\PROGRA~1\FlashGet\FlashGet.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NTService1"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NBService"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"StarWindService"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"NMIndexingService"=3 (0x3)
"idsvc"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R2 MivsNT;Microsoft Application Suppost NT;C:\WINDOWS\system32\wbem\svchost.exe
R2 MSSQL$MA3;MSSQL$MA3;C:\Program Files\Microsoft SQL Server\Mssql$MA3\Binn\MSSQL$MA3\Binn\sqlservr.exe -sMA3
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.02\RivaTuner32.sys
S3 38ac6c6d.sys;38ac6c6d.sys;\??\C:\WINDOWS\system32\drivers\38ac6c6d.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
S3 NOWMEMDF;NOWMEMDF;\??\C:\WINDOWS\system32\NOWMEMDF.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys
S3 QV2KUX;Casio Digital Camera;C:\WINDOWS\system32\DRIVERS\qv2kux.sys
S3 SQLAgent$MA3;SQLAgent$MA3;C:\Program Files\Microsoft SQL Server\Mssql$MA3\Binn\MSSQL$MA3\Binn\sqlagent.EXE -i MA3
S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS


Contents of the 'Scheduled Tasks' folder
2007-08-18 00:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 00:52:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-25 0:53:16
C:\ComboFix-quarantined-files.txt ... 2007-08-25 00:53

--- E O F ---
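Reading a ComboFix log by eye means scanning the "Reg Loading Points" and the R/S service lines for the few entries that matter. The Python below does that pass mechanically; it is an added example, not code from the thread, from ComboFix, from Gmer's catchme or from any tool named here. Its heuristics are this example's own choice (a populated AppInit_DLLs value, any value under the Control Panel\load key raised in the posts above, a driver named with eight hex characters, and an svchost.exe started from anywhere other than system32) and they produce candidates for a person to review, not verdicts. The sample text is constructed to mirror the log format quoted above; the Control Panel\load value in it is invented.

```python
"""Triage a ComboFix-style log for persistence entries that merit a closer look.

Added example for this thread; it is not ComboFix's, Gmer's or the forum's own
code. The heuristics are this example's own choice and yield candidates for a
human to review, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt mirroring the log format quoted in the thread. The
# Control Panel\load value is invented for the example; the other lines are
# modelled on entries the thread's logs show.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-01-26 01:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 18:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
"load"=C:\WINDOWS\system32\example.exe

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R2 MivsNT;Microsoft Application Suppost NT;C:\WINDOWS\system32\wbem\svchost.exe
S3 38ac6c6d.sys;38ac6c6d.sys;\??\C:\WINDOWS\system32\drivers\38ac6c6d.sys
S3 QV2KUX;Casio Digital Camera;C:\WINDOWS\system32\DRIVERS\qv2kux.sys
"""

# ComboFix prints "[key]" headers; its SafeBoot entries end in a stray quote
# instead of "]", so accept either terminator.
SECTION = re.compile(r'^\[(?P<key>[^\]"]+)[\]"]?\s*$')
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Service/driver lines: "<R|S><start type> name;display name;image path".
SERVICE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)

# Registry keys where every entry deserves manual review. Hypothetical watchlist
# for this example; Control Panel\load is the key named in the thread.
WATCHED_KEYS = ("\\control panel\\load",)


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def _image_path(image: str) -> str:
    """Normalise a service image: drop the \\??\\ prefix and trailing arguments."""
    path = image.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    # Arguments such as "-sMA3" follow the executable; cut at the first " -".
    return path.split(" -")[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Scan the log line by line and return the entries the heuristics flag."""
    findings: List[Finding] = []
    current_key = ""
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue

        m = SECTION.match(line)
        if m:
            current_key = m.group("key").lower()
            continue

        m = VALUE.match(line)
        if m:
            name, data = m.group("name").lower(), m.group("data").strip()
            if name == "appinit_dlls" and data.strip('"'):
                findings.append(Finding(line_no, line,
                    f"AppInit_DLLs is populated ({data}): every process that loads "
                    "user32.dll will also load this DLL, a long-standing injection hook"))
            elif any(w in current_key for w in WATCHED_KEYS):
                findings.append(Finding(line_no, line, f"value under watched key {current_key}"))
            continue

        m = SERVICE.match(line)
        if m:
            directory, _, base = _image_path(m.group("image")).rpartition("\\")
            if RANDOM_HEX_NAME.match(base):
                findings.append(Finding(line_no, line,
                    f"driver name {base} looks machine-generated (8 hex characters)"))
            elif base == "svchost.exe" and not directory.endswith("\\system32"):
                findings.append(Finding(line_no, line,
                    f"svchost.exe started from {directory}; the genuine host lives only in "
                    "%SystemRoot%\\system32 (and SysWOW64 on 64-bit Windows)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.line}")
```

To use it on a real log, pass the saved file's contents to `triage()` and read the reasons; a hit only says the entry deserves a look (the file's signature, its vendor, when it appeared), which is exactly the judgement the helpers in this thread make by hand.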

#11 BabyMilo (Topic Starter)

Posted 25 August 2007 - 07:09 AM

I found a similar post in the BC forum:
--->http://www.bleepingcomputer.com/forums/index.php?showtopic=98418&hl=Tanspy&st=15

Should I copy what he is doing?
And also I understand this Trojan-PWS.Tanspy keeps coming back!

#12 rookie147

Posted 25 August 2007 - 11:32 AM

No, that's not necessary; we should be able to remove it ourselves.

Go to the Control Panel.
If you are using Windows XP's "Category View", select the Network and Internet Connections category. If you are in "Classic View", go to the next step.
Double click the Network Connections icon
Right click the Local Area Connection icon and select 'Properties'.
Highlight 'Internet Protocol (TCP/IP)' and click the 'Properties' button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

Go to Start | Run and type in cmd
Click OK.
This will open a command prompt window.
Copy and paste the following line into the window:

ipconfig /flushdns

Hit 'Enter'.
Exit the command window.

Please download Fixwareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
Save it to your Desktop and run it by double clicking.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer, please do so.
Your system may take longer than usual to load; this is normal.
Once the Desktop loads save the text that will open (report.txt) and post it in your next reply.

Run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please include the report.txt along with the Panda report in your next reply.
Thanks,
Charles



#13 BabyMilo (Topic Starter)

Posted 26 August 2007 - 02:04 AM

Panda's ActiveScan:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\7ods0qea.default\cookies.txt[ad.yieldmanager.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Adam\My Documents\ComboFix.exe[nircmd.exe]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Doris\Cookies\doris@overture[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Fixwareout:

"遙遙?End report 遙遙?"

Edited by BabyMilo, 26 August 2007 - 02:04 AM.


#14 rookie147

Posted 26 August 2007 - 02:39 AM

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Post this in your next reply, along with a new Fixwareout log.
Thanks,
Charles



#15 BabyMilo (Topic Starter)

Posted 26 August 2007 - 03:23 AM

It didn't prompt me to press any key to reboot. The thing just disappeared, leaving nothing there. I just pressed Ctrl+Alt+Del to reboot.
During the cleanup process, it said something like "integer overflow".
Also, when I restarted, the fixtool did not run again.
Moreover, I did not find the Report.txt in the SDFix folder.

Do I need to run this program as Administrator? But isn't the normal user an admin?


For the new Fixwareout log, it stays the same:

"™™?End report ™™?"

Edited by BabyMilo, 26 August 2007 - 03:28 AM.




