Request For Spyware.cyberlog-x Removal Assistance


7 replies to this topic

#1 Jupiter23


  • Members
  • 4 posts

Posted 29 September 2007 - 05:31 PM

The yellow flashing triangle appears and declares that there is a "Trojan-Spy.Win32@mx." Various pop-ups ask me to buy their anti-spyware. This is the "Antivirgear" version of the virus, and I've tried both the manual and automatic processes listed by Grinler on September 14. No luck. I'm not very computer-savvy, so I may have made mistakes during those attempts. Here is the HijackThis log; thanks for your time:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:09 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Online Video Add-on\icthis.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Online Video Add-on\icmntr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: cacomixls - {5feba593-3e6d-4606-ae6e-0680501cd29e} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8261 bytes
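Threads like this one turn on reading a HijackThis log line by line and then comparing it with the log posted after cleanup. The script below is an added example, not part of this thread or of HijackThis itself: it parses the "Oxx - ..." entry lines, flags two patterns that this log happens to show (an O22 SharedTaskScheduler entry whose DLL is "(no file)", and O4 autostarts under the Policies\Explorer\Run key), and diffs two logs so the entries that vanished after cleanup stand out. The sample input is a constructed excerpt of the lines from the log above and from the log Jupiter23 posts later in the thread; the flagging rules are the author's assumptions about what deserves a closer look, not a verdict on any particular entry.

```python
"""Triage helper for HijackThis-style logs (added example, not from this thread)."""
import re

# Constructed excerpt of the first HijackThis log in this thread (before cleanup).
LOG_BEFORE = "\n".join([
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe",
    r"O22 - SharedTaskScheduler: cacomixls - {5feba593-3e6d-4606-ae6e-0680501cd29e} - (no file)",
    r"O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS",
])

# Constructed excerpt of the second log posted after SmitfraudFix/ComboFix ran.
LOG_AFTER = "\n".join([
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe",
    r"O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS",
])

# HijackThis entry lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Return (kind, body) tuples for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entry(kind, body):
    """Return a reason string when the entry deserves a closer look, else None.

    Both rules are assumptions made for this example: they point at entries
    worth checking, not at entries known to be malicious.
    """
    if kind == "O22" and body.endswith("(no file)"):
        return "SharedTaskScheduler CLSID whose DLL is missing (leftover of a removed component)"
    if kind == "O4" and r"Policies\Explorer\Run" in body:
        return "autostart under Policies\\Explorer\\Run, a key legitimate software rarely uses"
    return None


def triage(text):
    """List (kind, body, reason) for every flagged entry in a log."""
    flagged = []
    for kind, body in parse_entries(text):
        reason = flag_entry(kind, body)
        if reason:
            flagged.append((kind, body, reason))
    return flagged


def diff_logs(before, after):
    """Entries present in the earlier log but absent from the later one."""
    after_set = set(parse_entries(after))
    return [entry for entry in parse_entries(before) if entry not in after_set]


if __name__ == "__main__":
    for kind, body, reason in triage(LOG_BEFORE):
        print(f"[{kind}] {body}\n      -> {reason}")
    print("\nEntries gone after cleanup:")
    for kind, body in diff_logs(LOG_BEFORE, LOG_AFTER):
        print(f"  [{kind}] {body}")
```

Run against the two excerpts, the triage flags the three unusual autostarts in the first log, and the diff shows that the "[start] isfmntr.exe" entry and the orphaned cacomixls O22 entry are the ones that disappeared, while the "[some] icthis.exe" entry is still present in the later log and so still warrants the helper's attention.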


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 30 September 2007 - 04:34 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Jupiter23 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SmitfraudFix (by S!Ri) to your desktop.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.

================================================

Note:
If you have previously downloaded ComboFix, please delete that version and download it again from below.
Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 Jupiter23

  • Topic Starter

  • Members
  • 4 posts

Posted 30 September 2007 - 02:37 PM

Hi, Richie. Thanks for helping me out. Here is the Smitfraudfix log:


Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5feba593-3e6d-4606-ae6e-0680501cd29e}"="cacomixls"


Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3E35C756-4B94-441F-A3BC-330BE20C75D5}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3E35C756-4B94-441F-A3BC-330BE20C75D5}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3E35C756-4B94-441F-A3BC-330BE20C75D5}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5feba593-3e6d-4606-ae6e-0680501cd29e}"="cacomixls"



End



The Combofix log:

ComboFix 07-09-30.10 - Owner 2007-09-30 15:26:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1715 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-30 15:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-29 15:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-29 15:26 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-09-28 15:23 3,538 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-28 15:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-28 15:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-28 15:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-28 15:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-28 15:22 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-09-28 15:22 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-09-28 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-28 09:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-28 09:58 <DIR> d-------- C:\Program Files\Online Video Add-on
2007-09-26 09:17 1,073,152 -ra------ C:\WINDOWS\system32\cdintf210.dll
2007-09-26 09:17 <DIR> d-------- C:\Program Files\Final Draft Tagger
2007-09-26 09:17 <DIR> d-------- C:\Program Files\Final Draft 7
2007-09-26 09:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-12 14:46 <DIR> d-------- C:\Program Files\Antares Audio Technologies
2007-09-12 14:35 153,088 --a------ C:\UNWISE.EXE
2007-09-12 14:35 <DIR> d-------- C:\Program Files\FXpansion
2007-09-12 08:14 <DIR> d-------- C:\Program Files\Native Instruments
2007-09-11 22:51 40,960 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-09-11 22:50 577,536 --a------ C:\WINDOWS\soundman.exe
2007-09-11 22:50 307,200 --a------ C:\WINDOWS\alcupd.exe
2007-09-11 22:50 3,842,560 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-09-11 22:50 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2007-09-11 22:50 135,168 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-09-11 22:50 10,476,032 --a------ C:\WINDOWS\system32\RTLCPL.exe
2007-09-11 22:50 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-09-11 22:50 <DIR> d-------- C:\Program Files\Realtek AC97
2007-09-11 22:50 <DIR> d-------- C:\Program Files\AvRack
2007-09-11 22:49 <DIR> d-------- C:\cabs
2007-09-11 19:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Steinberg
2007-09-11 19:51 <DIR> d-------- C:\Program Files\Steinberg
2007-09-11 19:48 708,608 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-09-11 19:48 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-09-11 19:48 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-09-11 19:48 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-09-11 19:48 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-09-11 19:48 <DIR> d-------- C:\Program Files\Syncrosoft
2007-09-11 17:57 <DIR> d-------- C:\Digidesign Databases
2007-09-11 16:32 <DIR> d-------- C:\Program Files\Common Files\iZotope
2007-09-10 22:24 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-10 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-10 21:19 <DIR> d-------- C:\Program Files\InterLok
2007-09-10 21:19 <DIR> d-------- C:\Program Files\Common Files\PACE Anti-Piracy
2007-09-10 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PACE Anti-Piracy
2007-09-10 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2007-09-10 21:17 <DIR> d-------- C:\Program Files\Digidesign
2007-09-10 21:17 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2007-08-22 16:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Final Draft
2007-08-22 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Final Draft
2007-08-22 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-10 20:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-08-10 08:39 <DIR> d-------- C:\Program Files\Winamp
2007-08-10 08:37 <DIR> d-------- C:\Program Files\i-Sound Pro
2007-08-10 08:35 <DIR> d-------- C:\Temp
2007-08-10 08:32 <DIR> d-------- C:\Program Files\ImTOO
2007-08-08 09:59 94,208 --a------ C:\WINDOWS\system32\eSellerateControl365.dll
2007-08-08 09:59 75,264 --a------ C:\WINDOWS\system32\ztvunacev2.dll
2007-08-08 09:59 65,536 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-08-08 09:59 58,904 --a------ C:\WINDOWS\system32\sysfolderazipcnt.dll
2007-08-08 09:59 58,904 --a------ C:\WINDOWS\system32\azipcontmn.dll
2007-08-08 09:59 360,580 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-08-08 09:59 178,176 --a------ C:\WINDOWS\system32\7-zip32.dll
2007-08-08 09:59 156,160 --a------ C:\WINDOWS\system32\ztvunrar3.dll
2007-08-08 09:59 <DIR> d-------- C:\Program Files\AlphaZIP
2007-08-05 09:53 <DIR> d-------- C:\Program Files\UnRar for Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 18:05 --------- d-------- C:\Program Files\Trend Micro
2007-09-29 10:51 --------- d--hs---- C:\Program Files\outlook
2007-09-28 09:12 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-28 07:14 --------- d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-09-12 14:35 --------- d-------- C:\Program Files\VstPlugins
2007-09-11 22:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-10 22:24 --------- d-------- C:\Program Files\QuickTime
2007-09-10 22:24 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-10 21:36 --------- d-------- C:\Program Files\Spyware Doctor
2007-09-10 21:36 --------- d-------- C:\Program Files\BigFix
2007-09-10 21:35 --------- d-------- C:\Program Files\Real
2007-09-10 21:34 --------- d-------- C:\Program Files\Common Files\Real
2007-09-10 21:34 --------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-09-10 21:31 --------- d-------- C:\Program Files\LochJournal
2007-09-10 21:27 --------- d-------- C:\Program Files\Image-Line
2007-08-10 08:42 --------- d-------- C:\Program Files\Napster
2007-08-10 08:42 --------- d-------- C:\Documents and Settings\All Users\Application Data\Napster
2007-07-31 17:36 --------- d-------- C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-07-31 17:36 --------- d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-02 15:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 15:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 15:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 15:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 15:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 15:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 15:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 15:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 15:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 15:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 15:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 15:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 15:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 15:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
1993-11-24 15:18 93835 -ra------ C:\Documents and Settings\Owner\CC.DLL
1993-11-24 15:18 932864 -ra------ C:\Documents and Settings\Owner\EM.DLL
1993-11-24 15:18 92688 -ra------ C:\Documents and Settings\Owner\CHESSAPP.EXE
1993-11-24 15:18 8704 -ra------ C:\Documents and Settings\Owner\INSTALL.EXE
1993-11-24 15:18 744960 -ra------ C:\Documents and Settings\Owner\DV.DLL
1993-11-24 15:18 701440 -ra------ C:\Documents and Settings\Owner\LS.DLL
1993-11-24 15:18 6512 -ra------ C:\Documents and Settings\Owner\TRYAPI.DLL
1993-11-24 15:18 64512 -ra------ C:\Documents and Settings\Owner\CW256.DLL
1993-11-24 15:18 611328 -ra------ C:\Documents and Settings\Owner\LO.DLL
1993-11-24 15:18 600400 -ra------ C:\Documents and Settings\Owner\XCHESS.EXE
1993-11-24 15:18 589824 -ra------ C:\Documents and Settings\Owner\YO.DLL
1993-11-24 15:18 572928 -ra------ C:\Documents and Settings\Owner\AT.DLL
1993-11-24 15:18 537088 -ra------ C:\Documents and Settings\Owner\ST.DLL
1993-11-24 15:18 503296 -ra------ C:\Documents and Settings\Owner\SP.DLL
1993-11-24 15:18 481792 -ra------ C:\Documents and Settings\Owner\CB.DLL
1993-11-24 15:18 47632 -ra------ C:\Documents and Settings\Owner\SCHESS.EXE
1993-11-24 15:18 40644 -ra------ C:\Documents and Settings\Owner\CW.DLL
1993-11-24 15:18 389120 -ra------ C:\Documents and Settings\Owner\R2.DLL
1993-11-24 15:18 381952 -ra------ C:\Documents and Settings\Owner\C3.DLL
1993-11-24 15:18 33640 -ra------ C:\Documents and Settings\Owner\CWDIB.DLL
1993-11-24 15:18 330240 -ra------ C:\Documents and Settings\Owner\BF.DLL
1993-11-24 15:18 3000832 -ra------ C:\Documents and Settings\Owner\SWCAUDIO.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESSPN.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESGER.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESFRN.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESENG.DLL
1993-11-24 15:18 19590 -ra------ C:\Documents and Settings\Owner\TWRXDDE.DLL
1993-11-24 15:18 12068 -ra------ C:\Documents and Settings\Owner\DSP.DLL
1993-11-24 15:18 1092096 -ra------ C:\Documents and Settings\Owner\TITLERES.DLL
1993-11-24 15:18 100352 -ra------ C:\Documents and Settings\Owner\CC256.DLL
1993-11-24 15:18 100352 -ra------ C:\Documents and Settings\Owner\CC16.DLL
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}"= C:\Program Files\Online Video Add-on\ictmdl.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 09:09]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 00:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-10 16:30]
"nwiz"="nwiz.exe" [2006-03-10 16:30 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-10 16:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 21:06 C:\WINDOWS\soundman.exe]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 04:59]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 15:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 18:37]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 13:12]
"areslite"="C:\Program Files\Ares Lite Edition\AresLite.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
S3 USB_RNDIS_XP;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bc2b7eb-80af-11da-8ba9-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 15:29:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-30 15:30:25
C:\ComboFix-quarantined-files.txt ... 2007-09-30 15:30
.
--- E O F ---




And the Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:15 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Online Video Add-on\icthis.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Online Video Add-on\icmntr.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: cacomixls - {5feba593-3e6d-4606-ae6e-0680501cd29e} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8140 bytes

#4 RichieUK - Malware Assassin - Malware Response Team - 13,614 posts

Posted 30 September 2007 - 02:55 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\ChCfg.exe

Folder::
C:\Program Files\outlook
C:\Program Files\Online Video Add-on
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5feba593-3e6d-4606-ae6e-0680501cd29e}"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#5 Jupiter23 - Topic Starter - Members - 4 posts

Posted 30 September 2007 - 03:29 PM

ComboFix 07-09-30.10 - Owner 2007-09-30 16:22:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1683 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ChCfg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1382086689.mtj&p2=0&p3=10089183405782194196901312657184&p4=0
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1578130517_1.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1861885435_1.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-527851720.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-750579253.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\937336961.mtj&p2=1&p3=10089183405782194196901312657184&p4=50463258
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1543515199.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-511941585.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-738647349.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-80508940.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1054459834.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1825696196_1.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1991437604.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\266788760_1.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1850579979.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\2042980089.mtj&p2=0&p3=10089183405782194196901312657184&p4=0
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\670487064.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\882268789.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9\FLFBootStrap.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus\FLFBootStrap.mtx
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1241215004.mtx
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1233786184.mtx
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1355542221.mts
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1556976103.mtj&p2=1&p3=01049518395655575101373402943605&p4=50528303
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\418914864.mtj&p2=1&p3=01049518395655575101373402943605&p4=50463258
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Program Files\Online Video Add-on
C:\Program Files\Online Video Add-on\icmntr.exe
C:\Program Files\Online Video Add-on\icthis.exe
C:\Program Files\Online Video Add-on\ictun.exe
C:\Program Files\Online Video Add-on\isfmm.exe
C:\Program Files\Online Video Add-on\isfun.exe
C:\Program Files\Online Video Add-on\ot.ico
C:\Program Files\Online Video Add-on\ts.ico
C:\Program Files\outlook
C:\WINDOWS\system32\ChCfg.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-30 15:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-29 15:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-29 15:26 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-09-28 15:23 3,538 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-28 15:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-28 15:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-28 15:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-28 15:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-28 15:22 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-09-28 15:22 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-09-28 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-28 09:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-26 09:17 1,073,152 -ra------ C:\WINDOWS\system32\cdintf210.dll
2007-09-26 09:17 <DIR> d-------- C:\Program Files\Final Draft Tagger
2007-09-26 09:17 <DIR> d-------- C:\Program Files\Final Draft 7
2007-09-26 09:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-12 14:46 <DIR> d-------- C:\Program Files\Antares Audio Technologies
2007-09-12 14:35 153,088 --a------ C:\UNWISE.EXE
2007-09-12 14:35 <DIR> d-------- C:\Program Files\FXpansion
2007-09-12 08:14 <DIR> d-------- C:\Program Files\Native Instruments
2007-09-11 22:50 577,536 --a------ C:\WINDOWS\soundman.exe
2007-09-11 22:50 307,200 --a------ C:\WINDOWS\alcupd.exe
2007-09-11 22:50 3,842,560 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-09-11 22:50 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2007-09-11 22:50 135,168 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-09-11 22:50 10,476,032 --a------ C:\WINDOWS\system32\RTLCPL.exe
2007-09-11 22:50 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-09-11 22:50 <DIR> d-------- C:\Program Files\Realtek AC97
2007-09-11 22:50 <DIR> d-------- C:\Program Files\AvRack
2007-09-11 22:49 <DIR> d-------- C:\cabs
2007-09-11 19:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Steinberg
2007-09-11 19:51 <DIR> d-------- C:\Program Files\Steinberg
2007-09-11 19:48 708,608 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-09-11 19:48 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-09-11 19:48 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-09-11 19:48 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-09-11 19:48 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-09-11 19:48 <DIR> d-------- C:\Program Files\Syncrosoft
2007-09-11 17:57 <DIR> d-------- C:\Digidesign Databases
2007-09-11 16:32 <DIR> d-------- C:\Program Files\Common Files\iZotope
2007-09-10 22:24 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-10 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-10 21:19 <DIR> d-------- C:\Program Files\InterLok
2007-09-10 21:19 <DIR> d-------- C:\Program Files\Common Files\PACE Anti-Piracy
2007-09-10 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PACE Anti-Piracy
2007-09-10 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2007-09-10 21:17 <DIR> d-------- C:\Program Files\Digidesign
2007-09-10 21:17 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2007-08-22 16:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Final Draft
2007-08-22 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Final Draft
2007-08-22 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-10 20:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-08-10 08:39 <DIR> d-------- C:\Program Files\Winamp
2007-08-10 08:37 <DIR> d-------- C:\Program Files\i-Sound Pro
2007-08-10 08:35 <DIR> d-------- C:\Temp
2007-08-10 08:32 <DIR> d-------- C:\Program Files\ImTOO
2007-08-08 09:59 94,208 --a------ C:\WINDOWS\system32\eSellerateControl365.dll
2007-08-08 09:59 75,264 --a------ C:\WINDOWS\system32\ztvunacev2.dll
2007-08-08 09:59 65,536 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-08-08 09:59 58,904 --a------ C:\WINDOWS\system32\sysfolderazipcnt.dll
2007-08-08 09:59 58,904 --a------ C:\WINDOWS\system32\azipcontmn.dll
2007-08-08 09:59 360,580 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-08-08 09:59 178,176 --a------ C:\WINDOWS\system32\7-zip32.dll
2007-08-08 09:59 156,160 --a------ C:\WINDOWS\system32\ztvunrar3.dll
2007-08-08 09:59 <DIR> d-------- C:\Program Files\AlphaZIP
2007-08-05 09:53 <DIR> d-------- C:\Program Files\UnRar for Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 18:05 --------- d-------- C:\Program Files\Trend Micro
2007-09-28 09:12 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-28 07:14 --------- d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-09-12 14:35 --------- d-------- C:\Program Files\VstPlugins
2007-09-11 22:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-10 22:24 --------- d-------- C:\Program Files\QuickTime
2007-09-10 22:24 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-10 21:36 --------- d-------- C:\Program Files\Spyware Doctor
2007-09-10 21:36 --------- d-------- C:\Program Files\BigFix
2007-09-10 21:35 --------- d-------- C:\Program Files\Real
2007-09-10 21:34 --------- d-------- C:\Program Files\Common Files\Real
2007-09-10 21:34 --------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-09-10 21:31 --------- d-------- C:\Program Files\LochJournal
2007-09-10 21:27 --------- d-------- C:\Program Files\Image-Line
2007-08-10 08:42 --------- d-------- C:\Program Files\Napster
2007-08-10 08:42 --------- d-------- C:\Documents and Settings\All Users\Application Data\Napster
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-02 15:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 15:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 15:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 15:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 15:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 15:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 15:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 15:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 15:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 15:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 15:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 15:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 15:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 15:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
1993-11-24 15:18 93835 -ra------ C:\Documents and Settings\Owner\CC.DLL
1993-11-24 15:18 932864 -ra------ C:\Documents and Settings\Owner\EM.DLL
1993-11-24 15:18 92688 -ra------ C:\Documents and Settings\Owner\CHESSAPP.EXE
1993-11-24 15:18 8704 -ra------ C:\Documents and Settings\Owner\INSTALL.EXE
1993-11-24 15:18 744960 -ra------ C:\Documents and Settings\Owner\DV.DLL
1993-11-24 15:18 701440 -ra------ C:\Documents and Settings\Owner\LS.DLL
1993-11-24 15:18 6512 -ra------ C:\Documents and Settings\Owner\TRYAPI.DLL
1993-11-24 15:18 64512 -ra------ C:\Documents and Settings\Owner\CW256.DLL
1993-11-24 15:18 611328 -ra------ C:\Documents and Settings\Owner\LO.DLL
1993-11-24 15:18 600400 -ra------ C:\Documents and Settings\Owner\XCHESS.EXE
1993-11-24 15:18 589824 -ra------ C:\Documents and Settings\Owner\YO.DLL
1993-11-24 15:18 572928 -ra------ C:\Documents and Settings\Owner\AT.DLL
1993-11-24 15:18 537088 -ra------ C:\Documents and Settings\Owner\ST.DLL
1993-11-24 15:18 503296 -ra------ C:\Documents and Settings\Owner\SP.DLL
1993-11-24 15:18 481792 -ra------ C:\Documents and Settings\Owner\CB.DLL
1993-11-24 15:18 47632 -ra------ C:\Documents and Settings\Owner\SCHESS.EXE
1993-11-24 15:18 40644 -ra------ C:\Documents and Settings\Owner\CW.DLL
1993-11-24 15:18 389120 -ra------ C:\Documents and Settings\Owner\R2.DLL
1993-11-24 15:18 381952 -ra------ C:\Documents and Settings\Owner\C3.DLL
1993-11-24 15:18 33640 -ra------ C:\Documents and Settings\Owner\CWDIB.DLL
1993-11-24 15:18 330240 -ra------ C:\Documents and Settings\Owner\BF.DLL
1993-11-24 15:18 3000832 -ra------ C:\Documents and Settings\Owner\SWCAUDIO.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESSPN.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESGER.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESFRN.DLL
1993-11-24 15:18 19968 -ra------ C:\Documents and Settings\Owner\RESENG.DLL
1993-11-24 15:18 19590 -ra------ C:\Documents and Settings\Owner\TWRXDDE.DLL
1993-11-24 15:18 12068 -ra------ C:\Documents and Settings\Owner\DSP.DLL
1993-11-24 15:18 1092096 -ra------ C:\Documents and Settings\Owner\TITLERES.DLL
1993-11-24 15:18 100352 -ra------ C:\Documents and Settings\Owner\CC256.DLL
1993-11-24 15:18 100352 -ra------ C:\Documents and Settings\Owner\CC16.DLL
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}"= C:\Program Files\Online Video Add-on\ictmdl.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 09:09]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 00:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-10 16:30]
"nwiz"="nwiz.exe" [2006-03-10 16:30 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-10 16:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 21:06 C:\WINDOWS\soundman.exe]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 04:59]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 15:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 18:37]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 13:12]
"areslite"="C:\Program Files\Ares Lite Edition\AresLite.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
S3 USB_RNDIS_XP;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bc2b7eb-80af-11da-8ba9-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 16:25:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-30 16:26:09
C:\ComboFix ... 2007-09-30 16:26
C:\ComboFix-quarantined-files.txt ... 2007-09-30 16:25
C:\ComboFix2.txt ... 2007-09-30 15:30
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:50 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8078 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 30 September 2007 - 03:40 PM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}"=-
[-HKEY_CLASSES_ROOT\CLSID\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}]


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Also post a new Hijackthis log, and let me know how your pc is running now.
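An added verification script, not part of RichieUK's instructions (written here in PowerShell): after fix.reg has been merged and the O4 line fixed in HijackThis, it checks that the registry entries named in this thread are actually gone. It assumes it is run from the same user account whose hive SUPERAntiSpyware scanned, so HKCU stands in for the HKU\S-1-5-21-... path in that log.

```powershell
# Added example, not from the original post: confirm the leftovers named in
# this thread no longer exist after the fix.reg / HijackThis / SAS cleanup.
$Clsid = '{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}'   # CLSID deleted by fix.reg

# Each check: a registry key, an optional value name, and what the thread called it.
$Checks = @(
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"; Name = $null
       What = 'toolbar CLSID key (removed by fix.reg)' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'; Name = $Clsid
       What = 'WebBrowser toolbar value (removed by fix.reg)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'some'
       What = 'O4 Policies\Explorer\Run entry for icthis.exe (HijackThis fix)' },
    # Assumption: HKCU is the same hive as HKU\S-1-5-21-...-1006 in the SAS log.
    @{ Path = 'HKCU:\Software\Online Add-on'; Name = $null
       What = 'Trojan.Media-Codec/V4 key (SUPERAntiSpyware detection)' }
)

function Test-LeftoverEntry {
    param([hashtable]$Check)
    # Key absent: nothing left to worry about.
    if (-not (Test-Path -LiteralPath $Check.Path)) { return $false }
    # No value name given: the key itself is the leftover.
    if ($null -eq $Check.Name) { return $true }
    # Otherwise the leftover is a named value under an otherwise legitimate key.
    $v = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    return ($null -ne $v)
}

$leftovers = @($Checks | Where-Object { Test-LeftoverEntry $_ })
if ($leftovers.Count -gt 0) {
    foreach ($l in $leftovers) { Write-Warning "Still present: $($l.What) [$($l.Path)]" }
} else {
    Write-Output 'All registry entries from this thread are gone.'
}
```

The WebBrowser check only reports a named value, so the legitimate key it lives under is left alone even when the fix has worked.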

#7 Jupiter23

Jupiter23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 30 September 2007 - 09:18 PM

Everything seems to be running smoothly. The flashing triangle is gone, as are the pop-ups. Thanks for the great assistance. Here is the Superantispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/30/2007 at 09:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3316
Trace Rules Database Version: 1317

Scan type : Quick Scan
Total Scan Time : 00:11:40

Memory items scanned : 413
Memory threats detected : 0
Registry items scanned : 870
Registry threats detected : 1
File items scanned : 16106
File threats detected : 5

Trojan.Media-Codec/V4
HKU\S-1-5-21-309932524-355699941-1175186562-1006\Software\Online Add-on

Dialer.DialerPlatformLimited
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\GDNUS2218.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GDNUS2218.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\GDNUS2218.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.4\GDNUS2218.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDNUS2218.EXE


And the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:55 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8073 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 01 October 2007 - 10:24 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
fix.reg

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.


Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
How to prevent Malware by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html