
Can't Remove Smitfraud.c, Aconti, Accoona And Some Annoying Messages


This topic is locked
31 replies to this topic

#1 Smitfraud.C

Smitfraud.C

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 08:39 AM

I keep getting messages like 'You have to do a full system scan' and 'Somebody's is trying to infect your computer with spyware ... blablabla ... click here' - in their dreams, 'Someone is hacking your computer and activating spyware' ... I also have an annoying desktop background named 'default' and located in C:\WINDOWS\.

I also got such as Aconti, 7FaSSt... in the same folder. I'm also infected with Deskwizz, SWAgent, Smitfraud-C, Accoona..., AdBreak
I got Spybot + a million other apps for removal and all of them delete the files but they come back in about 2 minutes.

I GOT SmitFraudFix, HijackThis, Spybot S & D, AVG Anti-Spyware, Xoftspy SE, Norton...


If I don't fix this I'm gonna go :thumbsup:



#2 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 08:41 AM

I have to go off the computer at about 3:20 GMT and I'll be back on at about 6:00 GMT

#3 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 08:47 AM

Just finished scanning and I got Norton always warning me about C:\WINDOWS\winh32.exe being a trojan, quarantining it and getting it again in a few minutes. Spybot gets 7FaSSt, Accoona, Aconti, AdBreak, CnsMin, Deskwizz, INetSpeak, Smitfraud-C., SWAgent, Virtumonde and Microsoft.WindowsSecurityCenter.TaskManager (Smitfraud deactivated Task Manager)

#4 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 08:48 AM

I'm currently on my other computer, the infected 1 is hibernating

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 03 September 2007 - 09:01 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Smitfraud.C :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please read and follow the information in the link below.
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Once you've completed all the steps in the above link, post a HijackThis log into this topic if you still require help.

#6 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 09:07 AM

In a sec...

Logfile of HijackThis v1.99.1
Scan saved at 3:55:53 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\alen\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\alen\DAEMON Tools\daemon.exe
D:\alen\PowerIso\PWRISOVM.EXE
D:\alen\Microsoft\Enterprise\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ALEN\Desktop\tip\VisualToolTip.exe
D:\alen\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\alen\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ALEN\Desktop\yod'm\Yodm3D.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\alen\WinZip\WZQKPICK.EXE
D:\Program Files\MagicDisc\MagicDisc.exe
D:\alen\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
D:\alen\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\wuauclt.exe
D:\alen\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] D:\alen\Spynomore\SNM.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools] "D:\alen\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\alen\PowerIso\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "D:\alen\Microsoft\Enterprise\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [jirotexk] rundll32.exe "C:\Program Files\jirotexk\hcfypojo.dll",Init
O4 - HKLM\..\Run: [VisualTooltip] C:\Documents and Settings\ALEN\Desktop\tip\VisualToolTip.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\alen\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [sxwlibob] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxwlibob.dll"
O4 - HKLM\..\Run: [tojmncbc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tojmncbc.dll"
O4 - HKLM\..\Run: [fchivehq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fchivehq.dll"
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\System Files Updater.exe /S
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [longjump] C:\DOCUME~1\ALEN\APPLIC~1\SLOWDO~1\refeggsbone.exe
O4 - HKCU\..\Run: [RocketDock] "D:\alen\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TransBar] D:\alen\Vista Inspirat 2\TransBar\TransBar.exe /s
O4 - HKCU\..\Run: [Yodm3D] C:\Documents and Settings\ALEN\Desktop\yod'm\Yodm3D.exe
O4 - HKCU\..\Run: [ObjectDock] C:\Program Files\ObjectDock\ObjectDock.exe
O4 - HKCU\..\Run: [Taskbar Hide] D:\alen\TAKBAR~1\TaskBar.exe -Start
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = Microsoft\Enterprise\Office12\ONENOTEM.EXE
O4 - Startup: RocketDock.lnk = Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\alen\MICROS~1\ENTERP~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\alen\MICROS~1\ENTERP~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\alen\MICROS~1\ENTERP~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\alen\MICROS~1\ENTERP~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000005-0000-0000-0000-100011000004} - http://c.imputati.com/l/8ee0eec63cbc34e7d2...b97235ff_35.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\alen\MICROS~1\ENTERP~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WBSrv - D:\alen\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\alen\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Edited by Smitfraud.C, 03 September 2007 - 12:15 PM.
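A triage pass over a log like the one above, as an added example that is not part of this thread and not HijackThis or BleepingComputer code: a small Python script that parses HijackThis entry lines and flags the patterns a helper looks at first. The rules and the "suspicious"/"review" severities are this example's own heuristics (a BHO registered with no file on disk, rundll32/regsvr32 loading a DLL from a user-writable folder, a bare startup name one letter off a Windows process such as svehost.exe, a browser proxy on 127.0.0.1, a DPF entry that fetches an .exe, and any Winlogon Notify DLL); the sample lines are copied from the log in this post, with vptray kept as a clean control. It is a reading aid for the log, not a cleaner.

```python
import re
from collections import namedtuple

# Sample input: entry lines copied from the HijackThis log posted above, plus the log
# header and one clean entry (vptray) as a control. In practice read a saved log file.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [jirotexk] rundll32.exe "C:\Program Files\jirotexk\hcfypojo.dll",Init
O4 - HKLM\..\Run: [sxwlibob] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxwlibob.dll"
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [longjump] C:\DOCUME~1\ALEN\APPLIC~1\SLOWDO~1\refeggsbone.exe
O16 - DPF: {00000005-0000-0000-0000-100011000004} - http://c.imputati.com/l/8ee0eec63cbc34e7d2...b97235ff_35.exe
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")           # "O4 - <body>"
O4_RE = re.compile(r"^[^:]+: \[[^\]]*\] (?P<cmd>.*)$")        # "HKLM\..\Run: [name] <cmd>"
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd))"?(?=\s|$)', re.I)
USER_WRITABLE_RE = re.compile(r"Application Data|APPLIC~1|Documents and Settings|DOCUME~1", re.I)
WINDIR_RE = re.compile(r"\\(WINDOWS|WINNT)\\(system32\\)?[^\\]+$", re.I)
LOADERS = ("rundll32", "regsvr32")
# Core Windows process names that malware imitates with one-letter changes (heuristic list).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe")
Finding = namedtuple("Finding", "section severity reason line")

def parse_entries(text):
    """Yield (section, body, line) for each HijackThis entry; headers and the process list are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()

def one_char_off(a, b):
    """True if a and b have the same length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def first_program(cmd):
    """Program path from a startup command: quoted, unquoted with spaces, or a bare name."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def check_o4(body):
    m = O4_RE.match(body)
    cmd = m.group("cmd") if m else body        # "O4 - Startup:" lines carry no [name]
    exe = first_program(cmd)
    base = exe.rsplit("\\", 1)[-1].lower()
    if base.startswith(LOADERS):
        if USER_WRITABLE_RE.search(cmd):
            return "suspicious", "rundll32/regsvr32 loads a DLL from a user-writable folder at startup"
        return "review", "rundll32/regsvr32 loads a DLL at startup; verify the DLL's publisher"
    if "\\" not in exe:
        for known in SYSTEM_BINARIES:
            if one_char_off(base, known):
                return "suspicious", f"bare program name {base!r} is one character off {known}"
        return "review", f"startup program {base!r} given without a path"
    if USER_WRITABLE_RE.search(exe):
        return "review", "startup program runs from a user-writable folder"
    return None

def check_entry(section, body):
    """Return (severity, reason) for an entry worth a look, else None."""
    if section == "O4":
        return check_o4(body)
    if section == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
        return "review", "IE proxy points at loopback; expected only if a local filtering proxy is installed"
    if section == "O2":
        if body.endswith("(no file)"):
            return "review", "BHO registered but its DLL is gone (orphaned entry, cleanup candidate)"
        if WINDIR_RE.search(body.rsplit(" - ", 1)[-1]):
            return "review", "BHO DLL sits in the Windows directory instead of a vendor folder"
    if section == "O16" and body.rsplit(" - ", 1)[-1].lower().endswith(".exe"):
        return "suspicious", "ActiveX download entry (DPF) points at a bare .exe rather than a .cab package"
    if section == "O20" and "Winlogon Notify" in body:
        return "review", "Winlogon Notify DLL runs inside winlogon; verify its publisher"
    return None

def triage(log_text):
    findings = []
    for section, body, line in parse_entries(log_text):
        result = check_entry(section, body)
        if result:
            findings.append(Finding(section, result[0], result[1], line))
    return findings

def summarize(findings):
    return {s: sum(f.severity == s for f in findings) for s in ("suspicious", "review")}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))   # {'suspicious': 3, 'review': 6}
```

To run it over a real log, replace SAMPLE_LOG with the contents of the saved hijackthis.log. "review" only means the entry deserves a look; the vptray line shows a normal vendor path producing no finding, while a loader such as regsvr32 /u pointed at All Users\Application Data is the kind of entry that comes back minutes after deletion because another component re-creates it.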


#7 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 09:14 AM

I will have to go after 10 minutes or so, so could we continue this at about 18:00 GMT?

Edited by Smitfraud.C, 03 September 2007 - 09:16 AM.


#8 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 09:21 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Smitfraud.C :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please read and follow the information in the link below.
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Once you've completed all the steps in the above link, post a HijackThis log into this topic if you still require help.


Now what? i got 2 go in 5 minutes so i'll be off for the next 2 and a half hours, plz help me when i return

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 03 September 2007 - 09:37 AM

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#10 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 12:16 PM

Rebooted OK, gonna fetch log when it finishes

#11 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 12:19 PM

Running hijackthis

#12 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 12:24 PM

Combofix

ComboFix 07-09-03 - "ALEN" 2007-09-03 19:05:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.274 [GMT 2:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\LEON\Desktop\internet.lnk
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))


2007-09-03 19:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-03 14:38 32,512 --a------ C:\WINDOWS\settn.dll
2007-09-03 14:38 29,696 --a------ C:\WINDOWS\kvnab.exe
2007-09-03 14:38 27,904 --a------ C:\WINDOWS\kvnab$.exe
2007-09-03 14:38 23,808 --a------ C:\WINDOWS\wbeInst$.exe
2007-09-03 14:38 23,040 --a------ C:\WINDOWS\wbeCheck.exe
2007-09-03 14:38 22,272 --a------ C:\WINDOWS\iexplorr23.dll
2007-09-03 14:38 22,016 --a------ C:\WINDOWS\kvnab.dll
2007-09-03 14:38 16,384 --a------ C:\WINDOWS\hcwprn.exe
2007-09-03 14:38 12,800 --a------ C:\WINDOWS\pbsysie.dll
2007-09-03 14:38 <DIR> d-------- C:\Program Files\Accoona
2007-09-03 14:27 8,704 --a------ C:\WINDOWS\aconti.exe
2007-09-03 14:16 <DIR> d-------- C:\Program Files\amsys
2007-09-03 13:23 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-03 13:22 8,448 --a------ C:\WINDOWS\system32\msole32.exe
2007-09-03 13:22 32,768 --a------ C:\WINDOWS\xadbrk.dll
2007-09-03 13:22 32,000 --a------ C:\WINDOWS\liqad.dll
2007-09-03 13:22 31,744 --a------ C:\WINDOWS\kkcomp.dll
2007-09-03 13:22 31,232 --a------ C:\WINDOWS\hotporn.exe
2007-09-03 13:22 24,064 --a------ C:\WINDOWS\liqui.dll
2007-09-03 13:22 20,224 --a------ C:\WINDOWS\xxxvideo.exe
2007-09-03 13:22 17,408 --a------ C:\WINDOWS\fhfmm.exe
2007-09-03 13:22 12,288 --a------ C:\WINDOWS\system32\ESHOPEE.exe
2007-09-03 13:22 <DIR> d-------- C:\Program Files\akl
2007-09-03 13:20 21,504 --a------ C:\WINDOWS\system32\oembios32.dll
2007-09-02 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 18:58 28,416 --a------ C:\WINDOWS\system32\ace16win.dll
2007-09-02 18:42 <DIR> d-------- C:\Program Files\e-zshopper
2007-09-02 18:20 0 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-09-02 16:15 <DIR> d-------- C:\Program Files\ObjectDock
2007-09-02 16:14 <DIR> d--h----- C:\WINDOWS\FlyakiteOSX
2007-09-02 15:21 <DIR> d-------- C:\DOCUME~1\MASTER~1\APPLIC~1\SLOW DOG
2007-09-02 15:16 <DIR> d-------- C:\DOCUME~1\MASTER~1\APPLIC~1\DivX
2007-09-02 15:15 98,304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\fchivehq.dll
2007-09-02 15:15 <DIR> d-------- C:\Program Files\Pmctvaxe
2007-09-02 15:14 98,304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\tojmncbc.dll
2007-09-02 15:14 <DIR> d-------- C:\Program Files\Ijpwbhid
2007-09-01 15:51 98,304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\sxwlibob.dll
2007-09-01 15:51 <DIR> d-------- C:\WINDOWS\system32\wowrlegl
2007-08-28 12:54 <DIR> d-------- C:\DOCUME~1\OCI\APPLIC~1\SLOW DOG
2007-08-27 13:29 4,329 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-08-26 15:38 <DIR> d-------- C:\DOCUME~1\RUNESC~1\APPLIC~1\Yahoo!
2007-08-26 14:59 <DIR> d-------- C:\DOCUME~1\RUNESC~1\APPLIC~1\SLOW DOG
2007-08-26 14:54 <DIR> d-------- C:\DOCUME~1\RUNESC~1\APPLIC~1\Teleca
2007-08-26 14:54 <DIR> d-------- C:\DOCUME~1\RUNESC~1\APPLIC~1\Sony Ericsson
2007-08-26 14:54 <DIR> d-------- C:\DOCUME~1\RUNESC~1\APPLIC~1\ATI
2007-08-26 14:53 <DIR> d-------- C:\DOCUME~1\RUNESC~1\APPLIC~1\Real
2007-08-26 08:24 19,656 --a------ C:\DOCUME~1\ALEN\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Yahoo!
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\WinRAR
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\uTorrent
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Teleca
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Sony Ericsson
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\SmartFTP
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\SLOW DOG
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Skype
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Real
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Petroglyph
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Oxin's Style!
2007-08-26 08:23 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\NetPumper
2007-08-25 23:03 <DIR> d-------- C:\DOCUME~1\MASTER~1\APPLIC~1\Teleca
2007-08-25 23:02 <DIR> d-------- C:\DOCUME~1\MASTER~1\APPLIC~1\Sony Ericsson
2007-08-25 23:02 <DIR> d-------- C:\DOCUME~1\MASTER~1\APPLIC~1\Real
2007-08-25 23:02 <DIR> d-------- C:\DOCUME~1\MASTER~1\APPLIC~1\ATI
2007-08-25 15:01 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Teleca
2007-08-25 15:01 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Sony Ericsson
2007-08-25 15:00 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Moveax
2007-08-25 14:03 <DIR> d-------- C:\DOCUME~1\LEON\APPLIC~1\Moveax
2007-08-24 09:19 <DIR> d-------- C:\DOCUME~1\MAMI\APPLIC~1\Moveax
2007-08-22 22:20 110,592 --a------ C:\WINDOWS\system32\ccrpbds6.dll
2007-08-22 16:04 77,824 --a------ C:\WINDOWS\system32\FLKill.exe
2007-08-22 16:04 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2007-08-22 16:04 110,592 --a------ C:\WINDOWS\system32\suppdll.dll
2007-08-22 15:50 <DIR> d-------- C:\DOCUME~1\ALEN\APPLIC~1\Moveax
2007-08-17 20:04 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2007-08-17 16:20 <DIR> d-------- C:\DOCUME~1\MAMI\APPLIC~1\Yahoo!
2007-08-17 12:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-08-17 12:42 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-08-17 12:42 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-08-17 12:42 <DIR> d-------- C:\Program Files\OpenAL
2007-08-16 00:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-15 23:42 <DIR> d-------- C:\WINDOWS\Performance
2007-08-15 23:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Corporation
2007-08-15 13:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-12 11:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-12 11:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-12 11:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 15:25 170 --a------ C:\Delme.bat
2007-08-11 15:24 <DIR> d-------- C:\Program Files\QuickScape 1.03
2007-08-10 18:41 <DIR> d-------- C:\Program Files\jirotexk
2007-08-10 13:55 22,016 --a------ C:\WINDOWS\system32\winghy32.dll
2007-08-09 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-09 23:39 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-09 23:39 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-09 23:24 <DIR> d--hs---- C:\DOCUME~1\ALEN\UserData
2007-08-09 14:30 <DIR> d-------- C:\DOCUME~1\ALEN\.unlimitedftp
2007-08-06 19:45 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-08-06 19:45 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-08-06 19:42 <DIR> d-------- C:\Program Files\MSBuild
2007-08-06 19:16 <DIR> d-------- C:\Program Files\Microsoft Works


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-03 19:09 18688 --a------ C:\WINDOWS\764.exe
2007-09-03 15:57 4206 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-03 09:51 --------- d-------- C:\DOCUME~1\ALEN\APPLIC~1\Corel
2007-09-03 09:49 3454 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-02 18:42 9728 --a------ C:\WINDOWS\liqad.exe
2007-09-02 18:42 8192 --a------ C:\WINDOWS\xadbrk_.exe
2007-09-02 18:42 31488 --a------ C:\WINDOWS\liqui.exe
2007-09-02 18:42 31488 --a------ C:\WINDOWS\daxtime.dll
2007-09-02 18:42 30720 --a------ C:\WINDOWS\kkcomp.exe
2007-09-02 18:42 29696 --a------ C:\WINDOWS\liqad$.exe
2007-09-02 18:42 28928 --a------ C:\WINDOWS\adbar.dll
2007-09-02 18:42 27904 --a------ C:\WINDOWS\jd2002.dll
2007-09-02 18:42 27904 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2007-09-02 18:42 25344 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2007-09-02 18:42 24064 --a------ C:\WINDOWS\spredirect.dll
2007-09-02 18:42 19200 --a------ C:\WINDOWS\ngd.dll
2007-09-02 18:42 16384 --a------ C:\WINDOWS\kkcomp$.exe
2007-09-02 18:42 16128 --a------ C:\WINDOWS\ie_32.exe
2007-09-02 18:42 14592 --a------ C:\WINDOWS\xadbrk.exe
2007-09-02 18:42 12800 --a------ C:\WINDOWS\eventlowg.dll
2007-09-02 18:42 12544 --a------ C:\WINDOWS\dp0.dll
2007-09-02 18:42 12032 --a------ C:\WINDOWS\cbinst$.exe
2007-08-28 16:48 --------- d-------- C:\DOCUME~1\OCI\APPLIC~1\Skype
2007-08-27 13:33 61713 --a------ C:\WINDOWS\BricoPackUninst.cmd
2007-08-24 10:23 --------- d-------- C:\DOCUME~1\MAMI\APPLIC~1\Skype
2007-08-22 22:21 737280 --a------ C:\WINDOWS\iun6002.exe
2007-08-21 17:22 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-08-21 17:22 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-21 10:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-18 01:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-08-17 11:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Five dash heck does
2007-08-16 17:18 --------- d-------- C:\DOCUME~1\ALEN\APPLIC~1\AdobeUM
2007-08-11 14:00 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-10 18:07 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-08 12:34 --------- d-------- C:\DOCUME~1\LEON\APPLIC~1\Corel
2007-08-04 17:56 --------- d-------- C:\DOCUME~1\OCI\APPLIC~1\Corel
2007-08-02 09:44 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\does dog two city
2007-08-02 09:43 --------- d-------- C:\Program Files\SLOW DOG
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 68440 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 12:26 248839 --a------ C:\WINDOWS\CoffeeCup Visual Site Designer Uninstaller.exe
2007-07-30 12:11 --------- d-------- C:\Program Files\TrendyFlash Site Builder
2007-07-30 12:07 --------- d-------- C:\DOCUME~1\ALEN\APPLIC~1\Ahead
2007-07-28 19:01 --------- d-------- C:\DOCUME~1\LEON\APPLIC~1\NetPumper
2007-07-28 18:54 --------- d-------- C:\DOCUME~1\MAMI\APPLIC~1\Corel
2007-07-28 17:31 --------- d-------- C:\DOCUME~1\MAMI\APPLIC~1\NetPumper
2007-07-28 12:21 765952 --a------ C:\WINDOWS\system32\svdhost.exe
2007-07-27 19:57 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-07-27 16:12 --------- d-------- C:\DOCUME~1\MAMI\APPLIC~1\DivX
2007-07-21 20:50 --------- d-------- C:\DOCUME~1\OCI\APPLIC~1\Teleca
2007-07-21 20:50 --------- d-------- C:\DOCUME~1\OCI\APPLIC~1\Sony Ericsson
2007-07-20 14:26 --------- d-------- C:\Program Files\Orca
2007-07-19 18:29 --------- d-------- C:\DOCUME~1\MAMI\APPLIC~1\Teleca
2007-07-19 18:29 --------- d-------- C:\DOCUME~1\MAMI\APPLIC~1\Sony Ericsson
2007-07-19 13:02 --------- d-------- C:\DOCUME~1\LEON\APPLIC~1\Teleca
2007-07-19 13:01 --------- d-------- C:\DOCUME~1\LEON\APPLIC~1\Sony Ericsson
2007-07-19 12:39 --------- d-------- C:\Program Files\Sony Ericsson
2007-07-19 12:38 --------- d-------- C:\Program Files\Intuwave
2007-07-19 12:38 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-07-19 12:38 --------- d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-07-19 12:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
2007-07-19 12:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-07-17 11:16 --------- d-------- C:\DOCUME~1\LEON\APPLIC~1\Skype
2007-07-05 23:22 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-05 23:21 --------- d-------- C:\Program Files\Nero
2007-07-05 23:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 15:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 12:23 975360 --a------ C:\WINDOWS\explorer.exe
2004-08-03 23:56:54 60,416 --sha-w C:\WINDOWS\BricoPacks\SysFiles\80_msimn.exe
2007-03-31 09:30:54 88 --sh--r C:\WINDOWS\system32\7B62BB14AA.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236}]
2007-09-03 13:20 21504 --a------ C:\WINDOWS\system32\oembios32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 20:54 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 11:37]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-10-31 12:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-21 23:33]
"SNM"="D:\alen\Spynomore\SNM.exe" []
"DAEMON Tools"="D:\alen\DAEMON Tools\daemon.exe" [2007-04-15 08:20]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"PWRISOVM.EXE"="D:\alen\PowerIso\PWRISOVM.EXE" [2007-04-09 14:23]
"GrooveMonitor"="D:\alen\Microsoft\Enterprise\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"jirotexk"="C:\Program Files\jirotexk\hcfypojo.dll" [2007-08-10 18:41]
"VisualTooltip"="C:\Documents and Settings\ALEN\Desktop\tip\VisualToolTip.exe" [2007-04-25 09:45]
"!AVG Anti-Spyware"="D:\alen\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-15 15:04]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-10-31 11:10]
"sxwlibob"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\sxwlibob.dll" []
"tojmncbc"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\tojmncbc.dll" []
"fchivehq"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\fchivehq.dll" []
"System Files Updater"="C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" [2006-01-15 08:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-23 00:31]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 11:54]
"longjump"="C:\DOCUME~1\ALEN\APPLIC~1\SLOWDO~1\refeggsbone.exe" [2007-08-02 09:43]
"RocketDock"="D:\alen\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-19 00:05]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-08-03 11:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"TransBar"="D:\alen\Vista Inspirat 2\TransBar\TransBar.exe" [2005-06-01 21:41]
"Yodm3D"="C:\Documents and Settings\ALEN\Desktop\yod'm\Yodm3D.exe" [2007-06-26 19:26]
"ObjectDock"="C:\Program Files\ObjectDock\ObjectDock.exe" [2005-07-15 00:13]
"Taskbar Hide"="D:\alen\TAKBAR~1\TaskBar.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Updates"=svehost.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-09-29 11:37:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
WinZip Quick Pick.lnk - D:\alen\WinZip\WZQKPICK.EXE [2007-04-15 07:42:53]

C:\DOCUME~1\ALEN\STARTM~1\Programs\Startup\
MagicDisc.lnk - D:\Program Files\MagicDisc\MagicDisc.exe [2007-06-03 07:23:31]
OneNote 2007 Screen Clipper and Launcher.lnk - D:\alen\Microsoft\Enterprise\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
RocketDock.lnk - D:\alen\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-08-26 15:09:15]
TransBar.lnk - D:\alen\Vista Inspirat 2\TransBar\TransBar.exe [2007-08-26 15:09:14]
UberIcon.lnk - D:\alen\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2007-08-26 15:09:11]
Y'z Shadow.lnk - D:\alen\Vista Inspirat 2\YzShadow\YzShadow.exe [2007-08-26 15:09:10]

C:\DOCUME~1\LEON\STARTM~1\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - D:\alen\Microsoft\Enterprise\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
D:\alen\WINDOW~1\wbsrv.dll 2007-02-07 17:31 226992 D:\alen\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]
winghy32.dll 2007-08-10 13:55 22016 C:\WINDOWS\system32\winghy32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
R0 SiSRaid;SiSRaid;C:\WINDOWS\system32\DRIVERS\SiSRaid.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
S3 FXDRV;FXDRV;\??\F:\Fxdrv.sys
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
AutoRun\command- N:\autorun.exe
directx\command- N:\DirectX9\dxsetup.exe
setup\command- N:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
AutoRun\command- O:\CDCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
AutoRun\command- P:\CDCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
AutoRun\command- Q:\setup\3DHADSD80_setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad74d808-d955-11db-9bf8-00e04c40284d}]
AutoRun\command- QuickTel.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
C:\WINDOWS\system32\nusrmgr.exe

Contents of the 'Scheduled Tasks' folder
2007-09-03 17:00:01 C:\WINDOWS\Tasks\AE39671D914EE31D.job - c:\docume~1\alen\applic~1\slowdo~1\realdashjoy.exe
2007-09-03 17:12:46 C:\WINDOWS\Tasks\XoftSpySE 2.job - D:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-10 12:46:23 C:\WINDOWS\Tasks\XoftSpySE.job - D:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 19:13:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-03 19:18:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-03 19:18

--- E O F ---
HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 7:21:17 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\alen\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\alen\DAEMON Tools\daemon.exe
D:\alen\PowerIso\PWRISOVM.EXE
D:\alen\Microsoft\Enterprise\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ALEN\Desktop\tip\VisualToolTip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\alen\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\alen\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ALEN\Desktop\yod'm\Yodm3D.exe
C:\Program Files\ObjectDock\ObjectDock.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\alen\WinZip\WZQKPICK.EXE
D:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\alen\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
D:\alen\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\nusrmgr.exe
D:\alen\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] D:\alen\Spynomore\SNM.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools] "D:\alen\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\alen\PowerIso\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "D:\alen\Microsoft\Enterprise\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [jirotexk] rundll32.exe "C:\Program Files\jirotexk\hcfypojo.dll",Init
O4 - HKLM\..\Run: [VisualTooltip] C:\Documents and Settings\ALEN\Desktop\tip\VisualToolTip.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\alen\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [sxwlibob] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxwlibob.dll"
O4 - HKLM\..\Run: [tojmncbc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tojmncbc.dll"
O4 - HKLM\..\Run: [fchivehq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fchivehq.dll"
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\System Files Updater.exe /S
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [longjump] C:\DOCUME~1\ALEN\APPLIC~1\SLOWDO~1\refeggsbone.exe
O4 - HKCU\..\Run: [RocketDock] "D:\alen\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TransBar] D:\alen\Vista Inspirat 2\TransBar\TransBar.exe /s
O4 - HKCU\..\Run: [Yodm3D] C:\Documents and Settings\ALEN\Desktop\yod'm\Yodm3D.exe
O4 - HKCU\..\Run: [ObjectDock] C:\Program Files\ObjectDock\ObjectDock.exe
O4 - HKCU\..\Run: [Taskbar Hide] D:\alen\TAKBAR~1\TaskBar.exe -Start
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = Microsoft\Enterprise\Office12\ONENOTEM.EXE
O4 - Startup: RocketDock.lnk = Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\alen\MICROS~1\ENTERP~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\alen\MICROS~1\ENTERP~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\alen\MICROS~1\ENTERP~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\alen\MICROS~1\ENTERP~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000005-0000-0000-0000-100011000004} - http://c.imputati.com/l/8ee0eec63cbc34e7d2...b97235ff_35.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\alen\MICROS~1\ENTERP~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WBSrv - D:\alen\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\alen\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



Seems to have done at least something :thumbsup:

#13 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 12:29 PM

It's good to see someone working it all out.

#14 Smitfraud.C

Smitfraud.C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 03 September 2007 - 12:56 PM

Hello......?

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 03 September 2007 - 01:23 PM

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall NetPumper, then restart your PC.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\Tasks\AE39671D914EE31D.job
C:\WINDOWS\settn.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\764.exe
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\DOCUME~1\ALLUSE~1\APPLIC~1\fchivehq.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\tojmncbc.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\sxwlibob.dll
C:\WINDOWS\system32\winghy32.dll
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\spredirect.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\cbinst$.exe

Folder::
C:\WINDOWS\system32\wowrlegl
C:\Program Files\Ijpwbhid
C:\Program Files\Pmctvaxe
C:\Program Files\Accoona
C:\Program Files\akl
C:\Program Files\e-zshopper
C:\Program Files\jirotexk
C:\DOCUME~1\ALEN\APPLIC~1\NetPumper
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Five dash heck does
C:\DOCUME~1\ALLUSE~1\APPLIC~1\does dog two city
C:\DOCUME~1\LEON\APPLIC~1\NetPumper
C:\DOCUME~1\MAMI\APPLIC~1\NetPumper

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jirotexk"=-
"sxwlibob"=-
"tojmncbc"=-
"fchivehq"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"longjump"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Updates"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
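Triage rules of the kind a helper applies to a HijackThis log like the one posted above, as an added example rather than any tool from this thread; the rules, the constructed sample log (entries copied from the log above) and the 8-letter random-name test are my own heuristics, not HijackThis or ComboFix behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format; entries copied from the log
# posted in this thread so the rules can be checked against real lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [jirotexk] rundll32.exe "C:\Program Files\jirotexk\hcfypojo.dll",Init
O4 - HKLM\..\Run: [sxwlibob] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxwlibob.dll"
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [longjump] C:\DOCUME~1\ALEN\APPLIC~1\SLOWDO~1\refeggsbone.exe
O16 - DPF: {00000005-0000-0000-0000-100011000004} - http://c.imputati.com/l/8ee0eec63cbc34e7d2...b97235ff_35.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

@dataclass
class Finding:
    severity: str  # "high" or "low"
    reason: str
    line: str

# Core Windows XP process names; an autostart one character off one of these (svehost vs svchost) is a classic masquerade.
SYSTEM_EXE = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe")
RANDOM_NAME = re.compile(r"^[a-z]{8}$")  # heuristic: 8 lowercase letters, as in jirotexk / hcfypojo
R1_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[^}]+\} - (.*)$")
O4_RE = re.compile(r"^O4 - [^:]+: \[[^\]]*\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (\S+)$")

def edit_distance(a, b):
    """Plain Levenshtein distance, enough for lookalike checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(path):
    """True if any path component (extension dropped) is 8 random-looking letters."""
    parts = re.split(r"[\\/]", path.strip('"'))
    return any(RANDOM_NAME.match(p.split(".")[0]) for p in parts)

def check_o4(cmd):
    """Reasons an O4 autostart command deserves a second look (all heuristics)."""
    reasons = []
    if cmd.startswith('"'):
        first = cmd[1:cmd.find('"', 1)]  # quoted executable path
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)  # unquoted path may contain spaces
        first = m.group(1) if m else cmd.split()[0]
    exe = re.split(r"[\\/]", first)[-1].lower()
    for sysname in SYSTEM_EXE:
        if 0 < edit_distance(exe, sysname) <= 1:
            reasons.append(f"{exe} is one character off {sysname}")
    if exe.startswith("regsvr32") and "/u" in cmd.lower().split():
        reasons.append("regsvr32 /u at logon runs the DLL's DllUnregisterServer")
    if "APPLICATION DATA" in cmd.upper() or "APPLIC~1" in cmd.upper():
        reasons.append("runs from a user-profile Application Data path")
    if looks_random(cmd):
        reasons.append("random-looking 8-letter file or folder name")
    return reasons

def triage(log_text):
    """Run every rule over a HijackThis log; findings come back in log order."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := R1_RE.match(line):
            if m.group(1).split(":")[0] in ("127.0.0.1", "localhost"):
                findings.append(Finding("high", "browser proxy forced through a local listener", line))
        elif m := O2_RE.match(line):
            if m.group(1) == "(no file)":
                findings.append(Finding("low", "orphaned BHO registration, DLL missing", line))
        elif m := O4_RE.match(line):
            if reasons := check_o4(m.group(1)):
                findings.append(Finding("high", "; ".join(reasons), line))
        elif m := O16_RE.match(line):
            url = m.group(1)
            if url.lower().endswith(".exe"):
                findings.append(Finding("high", f"ActiveX download point fetches a raw .exe: {url}", line))
    return findings
```

The oembios32 BHO on the third sample line passes every rule here; in this thread it stands out only in the ComboFix output, where the DLL carries a timestamp from the day of the scan, which is why file dates get checked alongside names.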



