
Infected With Lots Of Malware.


7 replies to this topic

#1 Furst

  • Members
  • 4 posts

Posted 17 October 2007 - 09:28 PM

All right. To start off, the problems started a while ago when my friend wasn't paying attention and downloaded a song he wanted to show me. Unfortunately, it was a huge "package" of viruses. I ran every spyware/malware/virus scanner that I could, but none of them seemed to remove anything permanently.

McAfee also started acting up after these things got installed, and I also began to get a strange error. Anytime that I open a program now, I get an error that says, "DB not found" and I have to hit "OK" 3 times to get the error message to go away. Internet Explorer will randomly pop-up with ads, and Firefox will randomly go to a random ad page which I have to click out of. Clicking on the start button and going to "Explore" takes forever, and usually results in a computer crash. Last problem that began happening after I was infected: Trillian and other instant messaging programs have EXACTLY a 30 second lag time between when I press enter and when the message is actually sent. It might just be my router, which also seems to be acting up since I was infected.

Anyways, here is the HijackThis log. It's huge, so I apologize. (If I wasn't specific enough, please tell me. I'll help you out as best I can. I'm a bit computer illiterate, so I apologize in advance!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:45 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Downloads\BitTorrents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gunbound.ijji.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CTDrive] "rundll32.exe" C:\WINDOWS\system32\drvbur.dll,startup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\kmwyuadp.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Etdt] "C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" -vt ndrv
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZCxdm473YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3340E934-5D1F-4BF6-A152-FE1552E0EA0C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3340E934-5D1F-4BF6-A152-FE1552E0EA0C}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 9330 bytes
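Added example (mine, not part of Furst's post and not HijackThis code): a Python triage pass that applies the checks a helper makes by eye to entries like the ones in the log above. It correlates lines instead of reading them one at a time: an O23 service whose binary is "(file missing)" is paired with any O4 autorun that runs a file of the same name from another directory, rundll32 Run entries and binaries under the user profile are flagged, O10 unknown-LSP entries and O8 items with an opaque target are listed, and an eight-letter random-name heuristic adds weight. The embedded sample is a constructed subset of the log above; the heuristic thresholds, reason strings and function names are my assumptions.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: a subset of the HijackThis entries from the log above,
# embedded so the script runs offline.
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CTDrive] "rundll32.exe" C:\WINDOWS\system32\drvbur.dll,startup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\kmwyuadp.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Etdt] "C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" -vt ndrv
O8 - Extra context menu item: &Search - ?p=ZCxdm473YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# A quoted drive path, or an unquoted one that ends in a binary extension.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^",]*?\.(?:exe|dll|sys|cpl|ocx))(?=[\s,"]|$)', re.I)
USER_PROFILE_RE = re.compile(r"\\(docume~1|documents and settings|users)\\", re.I)
VOWELS = set("aeiou")


def extract_paths(text: str) -> List[str]:
    return [m.group(1) or m.group(2) for m in PATH_RE.finditer(text)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption) for generator-style names such as kmwyuadp:
    eight lowercase letters with at most two vowels or a consonant run of
    four or more. It false-positives on some real names, so it only adds
    weight to a finding rather than deciding it."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest_run = max(len(run) for run in re.split(r"[aeiou]+", stem))
    return vowels <= 2 or longest_run >= 4


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for the entries a helper would look at first."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), line.strip()))

    # Pass 1: service binaries HijackThis could not find on disk. A file with
    # the same name turning up in another directory is worth treating as a
    # masquerade rather than a coincidence.
    missing: Set[str] = {
        basename(p)
        for sec, body, _ in entries
        if sec == "O23" and "(file missing)" in body
        for p in extract_paths(body)
    }

    findings: List[Tuple[str, str]] = []
    for sec, body, line in entries:
        paths = extract_paths(body)
        names = [basename(p) for p in paths]
        if sec == "O4":
            if "rundll32" in body.lower():
                findings.append(("rundll32 loads a DLL at logon; check the DLL's origin", line))
            if any(USER_PROFILE_RE.search(p) for p in paths):
                findings.append(("autorun binary lives under a user profile", line))
            for name in names:
                if name in missing:
                    findings.append((f"{name} reuses the name of a missing service binary", line))
                if looks_random(name.rsplit(".", 1)[0]):
                    findings.append(("random-looking filename", line))
        elif sec == "O8" and not re.search(r"(res|https?)://", body, re.I):
            findings.append(("context-menu item with an opaque target", line))
        elif sec == "O10":
            findings.append(("unknown Winsock LSP DLL sits in every socket's path", line))
        elif sec == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(("service with missing binary or unknown owner", line))
        elif sec == "R3":
            findings.append(("URLSearchHook is a browser search hijack point", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_HJT):
        print(f"[{reason}]\n    {entry}")
```

Run as-is it prints one block per flagged entry; the GrooveMonitor, ctfmon and McShield lines come through clean. The cross-reference is the part worth keeping: the Etdt entry is flagged twice, once for living under My Documents and once because its filename matches the Ati HotKey Poller binary that HijackThis reports missing from system32.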


#2 Guest_Cretemonster_*

  • Guests

Posted 19 October 2007 - 04:32 AM

Hi Furst and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

#3 Furst
  • Topic Starter

  • Members
  • 4 posts

Posted 20 October 2007 - 02:59 AM

ComboFix 07-10-17.8@ - Nathan Watson 2007-10-20 2:29:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.377 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nathan Watson\Application Data\install.dat
C:\Documents and Settings\Nathan Watson\Application Data\install.dat
C:\Documents and Settings\Nathan Watson\My Documents\APPATC~1
C:\Documents and Settings\Nathan Watson\My Documents\APPATC~1\A?pPatch\
C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~1\scanregw.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\setup.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aekjpewn.dll
C:\WINDOWS\system32\agihjrjg.dll
C:\WINDOWS\system32\ahmqeicc.dll
C:\WINDOWS\system32\ajnidsds.dll
C:\WINDOWS\system32\amhqpbvv.dll
C:\WINDOWS\system32\anvaojdc.dll
C:\WINDOWS\system32\aruotmgx.dll
C:\WINDOWS\system32\attmyykh.dll
C:\WINDOWS\system32\bihvudoe.dll
C:\WINDOWS\system32\bpa.dll
C:\WINDOWS\system32\bpsxvbxa.dll
C:\WINDOWS\system32\bykhyptr.dll
C:\WINDOWS\system32\cdjoavna.ini
C:\WINDOWS\system32\ceyxfwqo.dll
C:\WINDOWS\system32\cigpyimg.dll
C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\cmdhnwdp.dll
C:\WINDOWS\system32\cmgsikov.dll
C:\WINDOWS\system32\cwcyskah.dll
C:\WINDOWS\system32\dfsxsjyl.dll
C:\WINDOWS\system32\dihvkabp.dll
C:\WINDOWS\system32\dktqptug.dll
C:\WINDOWS\system32\dljqciqb.dll
C:\WINDOWS\system32\dwxorfop.dll
C:\WINDOWS\system32\eacqcqav.dll
C:\WINDOWS\system32\edlfdsew.dll
C:\WINDOWS\system32\edypslss.dll
C:\WINDOWS\system32\egagepqw.dll
C:\WINDOWS\system32\eieplsge.dll
C:\WINDOWS\system32\enidsycf.dll
C:\WINDOWS\system32\ettrxlcf.dll
C:\WINDOWS\system32\eyykdrdi.dll
C:\WINDOWS\system32\fehurums.dll
C:\WINDOWS\system32\fepeymru.dll
C:\WINDOWS\system32\fhivhipu.dll
C:\WINDOWS\system32\fqmjvcnd.dll
C:\WINDOWS\system32\frlelttr.ini
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\ggrcftgh.dll
C:\WINDOWS\system32\gkadfhhr.dll
C:\WINDOWS\system32\glnabmhg.dll
C:\WINDOWS\system32\gsypdccs.dll
C:\WINDOWS\system32\hbnxhswf.dll
C:\WINDOWS\system32\hgmuuvox.dll
C:\WINDOWS\system32\hkyymtta.ini
C:\WINDOWS\system32\hneotstx.dll
C:\WINDOWS\system32\huttrpsu.dll
C:\WINDOWS\system32\ielfsoiv.dll
C:\WINDOWS\system32\ignpcxhk.dll
C:\WINDOWS\system32\ijtjqifk.ini
C:\WINDOWS\system32\imamgspb.dll
C:\WINDOWS\system32\ivakryip.dll
C:\WINDOWS\system32\jfemtxlt.dll
C:\WINDOWS\system32\jmnqkmjf.dll
C:\WINDOWS\system32\jvfmudvi.dll
C:\WINDOWS\system32\jxpjcwbl.dll
C:\WINDOWS\system32\kfiqjtji.dll
C:\WINDOWS\system32\kicxkgct.dll
C:\WINDOWS\system32\kliiuhqa.dll
C:\WINDOWS\system32\kmwyuadp.dll
C:\WINDOWS\system32\lfhckjnl.dll
C:\WINDOWS\system32\lhydkofc.dll
C:\WINDOWS\system32\ltfwdmeu.dll
C:\WINDOWS\system32\lwcydsrs.dll
C:\WINDOWS\system32\mhuauhfn.dll
C:\WINDOWS\system32\mkexmwnd.dll
C:\WINDOWS\system32\mtbvxarp.dll
C:\WINDOWS\system32\nbsxtqim.dll
C:\WINDOWS\system32\ncbbxqgs.dll
C:\WINDOWS\system32\nifsgclo.dll
C:\WINDOWS\system32\npdkytkc.dll
C:\WINDOWS\system32\npljqjft.dll
C:\WINDOWS\system32\nrsqvucg.dll
C:\WINDOWS\system32\nvouysxq.dll
C:\WINDOWS\system32\ocbrhgpd.dll
C:\WINDOWS\system32\ofwbyxgn.dll
C:\WINDOWS\system32\oqwfxyec.ini
C:\WINDOWS\system32\ostansfk.dll
C:\WINDOWS\system32\pdauywmk.ini
C:\WINDOWS\system32\pgudutcp.dll
C:\WINDOWS\system32\pgwsisfr.dll
C:\WINDOWS\system32\piyrkavi.ini
C:\WINDOWS\system32\pmnmnlk.dll
C:\WINDOWS\system32\pmnmnlk.dll
C:\WINDOWS\system32\pmnmnlk.dll
C:\WINDOWS\system32\pnxcjibm.dll
C:\WINDOWS\system32\povpodao.dll
C:\WINDOWS\system32\pwolonau.dll
C:\WINDOWS\system32\qaockvlk.dll
C:\WINDOWS\system32\qdbqqsml.dll
C:\WINDOWS\system32\qlkwnuqt.dll
C:\WINDOWS\system32\qnfixinu.dll
C:\WINDOWS\system32\qptrgyfe.dll
C:\WINDOWS\system32\qtcdsotl.dll
C:\WINDOWS\system32\qtojsoca.dll
C:\WINDOWS\system32\qwfhkjad.dll
C:\WINDOWS\system32\qxemoqrc.dll
C:\WINDOWS\system32\qxrighwp.dll
C:\WINDOWS\system32\qyioxuad.dll
C:\WINDOWS\system32\rgnhfxox.dll
C:\WINDOWS\system32\rhobktyl.dll
C:\WINDOWS\system32\rnnjddha.dll
C:\WINDOWS\system32\rtpyhkyb.ini
C:\WINDOWS\system32\rttlelrf.dll
C:\WINDOWS\system32\saschykr.dll
C:\WINDOWS\system32\slxbvquy.dll
C:\WINDOWS\system32\svddijno.dll
C:\WINDOWS\system32\tapwakek.dll
C:\WINDOWS\system32\tlwnnlpb.dll
C:\WINDOWS\system32\tqfcljxx.dll
C:\WINDOWS\system32\tuvthief.dll
C:\WINDOWS\system32\txylswgd.dll
C:\WINDOWS\system32\tyuagpfj.dll
C:\WINDOWS\system32\ubodjlxi.dll
C:\WINDOWS\system32\udsxlhhf.dll
C:\WINDOWS\system32\uefpjadu.dll
C:\WINDOWS\system32\uhgbhala.dll
C:\WINDOWS\system32\umqtgyua.dll
C:\WINDOWS\system32\unlqfdtn.dll
C:\WINDOWS\system32\vqkrbutu.dll
C:\WINDOWS\system32\wduowdtt.dll
C:\WINDOWS\system32\weqbrwep.dll
C:\WINDOWS\system32\wkvfomra.dll
C:\WINDOWS\system32\wmitjgwg.dll
C:\WINDOWS\system32\xewhydud.dll
C:\WINDOWS\system32\xfkfnhpg.dll
C:\WINDOWS\system32\xhhuleby.dll
C:\WINDOWS\system32\xjgydvfj.dll
C:\WINDOWS\system32\xlvuscqu.dll
C:\WINDOWS\system32\xvgsxcdg.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\yxrkvkru.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-15 16:38 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-15 16:37 <DIR> d-------- C:\Program Files\Gabest
2007-10-15 16:37 <DIR> d-------- C:\Program Files\AutoGK
2007-10-14 22:18 <DIR> d-------- C:\SONY_DVD_RECORDER_VOLUME
2007-10-14 21:58 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-10-13 23:19 <DIR> d-------- C:\Program Files\MediaCoder
2007-10-13 20:34 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-09-23 15:22 <DIR> d-------- C:\Documents and Settings\Nathan Watson\Application Data\.purple
2007-09-23 15:21 <DIR> d-------- C:\Program Files\Aspell
2007-09-23 15:19 <DIR> d-------- C:\Program Files\Pidgin
2007-09-20 22:54 <DIR> d-------- C:\Program Files\AskPBar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 04:04 --------- d-----w C:\Program Files\Trillian
2007-10-14 04:00 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\uTorrent
2007-10-13 12:30 --------- d-----w C:\Program Files\uTorrent
2007-10-11 10:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-07 21:45 --------- d-----w C:\Program Files\dogproxy2
2007-10-02 18:40 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\.purple
2007-09-10 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-08 21:35 --------- d-----w C:\Program Files\Creative
2007-09-08 05:36 164 ----a-w C:\install.dat
2007-09-08 05:35 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\GetRightToGo
2007-08-20 20:23 --------- d-----w C:\Program Files\Xilisoft
2007-08-20 03:20 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Publish Providers
2007-08-20 03:19 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Sony
2007-08-20 03:14 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-08-20 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2007-08-20 03:12 --------- d-----w C:\Program Files\Vstplugins
2007-08-20 03:12 --------- d-----w C:\Program Files\Sony
2007-08-20 03:03 --------- d-----w C:\Program Files\Sony Setup
2007-08-20 03:03 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Sony Setup
2005-08-20 21:22 411,670 -c--a-w C:\Program Files\Cave Story Translation Installer.exe
2005-08-19 19:31 4,901 -c--a-w C:\Program Files\Cave Story Readme.txt
2005-01-31 03:00 201,576 -c--a-w C:\Program Files\OrgView Translation Installer.exe
2002-09-09 22:55 4,222,976 -c--a-w C:\Program Files\FinaleNotePad.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-26 04:12]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Etdt"="C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 16:54]

C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-06-12 09:16:33]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=C:\WINDOWS\pss\PKZIP Attachments Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMSETTINGS]
"C:\WINDOWS\system32\ctbeg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dxlock]
C:\Program Files\Fox Magic\ScreenVirtuoso Pro 1.91\dxlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LFAgent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
"C:\Program Files\Magicantispy\Magicantispy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
C:\Program Files\Creative\News\NewsUpd.EXE /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\program files\quick time\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqlpm]
"C:\Program Files\Common Files\?dobe\scanregw.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R2 LF30FS;LF30FS;\??\C:\Program Files\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
S0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 NMUSB;NMUSB;C:\WINDOWS\system32\drivers\nmusb.sys
S3 npkycryp;npkycryp;\??\C:\AAPrivateServerRO\Gravity\RO\npkycryp.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dea6b45-120f-11da-a09c-806d6172696f}]
AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b78270-12f6-11da-a41e-806d6172696f}]
AutoRun\command - D:\Setupx.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 06:14:55 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-01 06:00:40 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 02:53:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-20 2:56:13
.
--- E O F ---

#4 Guest_Cretemonster_*

  • Guests

Posted 20 October 2007 - 04:21 AM

Looking much better already! :thumbsup:


Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\system32\ctbeg.exe
D:\Autorun.exe
Folder::
C:\Program Files\Magicantispy
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Etdt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqlpm]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dea6b45-120f-11da-a09c-806d6172696f}]

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log and a fresh HijackThis log.
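Added example (mine, not part of Cretemonster's reply and not ComboFix code): a Python script that parses the CFScript above into explicit actions and checks every target against the ComboFix log from post #3, so that a cleanup script only ever removes things the log actually showed. The Registry:: section is read with .reg-file conventions ([KEY] selects a key, [-KEY] deletes the key, "name"=- deletes a value under the selected key), which is how the helper's script is written; that ComboFix interprets it the same way is my assumption. The function names are mine and the embedded log excerpt is constructed from the "Reg Loading Points" lines in post #3.

```python
import re
from typing import Dict, List, Set, Tuple

Action = Tuple[str, str]  # (kind, target)

# The helper's CFScript from the reply above, embedded verbatim.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\ctbeg.exe
D:\Autorun.exe
Folder::
C:\Program Files\Magicantispy
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Etdt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqlpm]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dea6b45-120f-11da-a09c-806d6172696f}]
"""

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log in post #3.
COMBOFIX_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Etdt"="C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMSETTINGS]
"C:\WINDOWS\system32\ctbeg.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
"C:\Program Files\Magicantispy\Magicantispy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqlpm]
"C:\Program Files\Common Files\?dobe\scanregw.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dea6b45-120f-11da-a09c-806d6172696f}]
AutoRun\command - D:\Autorun.exe
"""


def parse_cfscript(text: str) -> List[Action]:
    """Turn a CFScript into explicit actions. Section headers end in '::'.
    Registry:: is read with .reg-file notation (assumption, see lead-in):
    [KEY] selects a key, [-KEY] deletes it, "name"=- deletes a value."""
    actions: List[Action] = []
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            actions.append(("delete_file", line))
        elif section == "folder":
            actions.append(("delete_folder", line))
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete_key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                m = re.match(r'"([^"]+)"=(.*)$', line)
                if not (m and current_key):
                    raise ValueError(f"unparsed Registry:: line: {line}")
                kind = "delete_value" if m.group(2) == "-" else "set_value"
                actions.append((kind, current_key + "\\" + m.group(1)))
        else:
            actions.append((f"unsupported_{section}", line))
    return actions


def _log_keys(log: str) -> Dict[str, Set[str]]:
    """Map each [KEY] header in a ComboFix log to the value names under it."""
    keys: Dict[str, Set[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, set())
        elif current is not None:
            m = re.match(r'"([^"]+)"=', line)
            if m:
                keys[current].add(m.group(1).lower())
    return keys


def corroborate(actions: List[Action], log: str) -> List[Tuple[str, str, bool]]:
    """Mark each action with whether the log actually shows its target."""
    low, keys = log.lower(), _log_keys(log)
    out = []
    for kind, target in actions:
        t = target.lower()
        if kind in ("delete_file", "delete_folder"):
            seen = t in low                      # path or prefix quoted in the log
        elif kind == "delete_key":
            seen = t in keys                     # key listed as a loading point
        elif kind in ("delete_value", "set_value"):
            key, _, name = t.rpartition("\\")
            seen = name in keys.get(key, set())  # value listed under that key
        else:
            seen = False
        out.append((kind, target, seen))
    return out


def unverified(actions: List[Action], log: str) -> List[str]:
    """Targets the log gives no evidence for: review these before running."""
    return [target for _, target, seen in corroborate(actions, log) if not seen]


if __name__ == "__main__":
    for kind, target, seen in corroborate(parse_cfscript(CFSCRIPT), COMBOFIX_LOG):
        print(f"{'ok' if seen else '??'} {kind:13} {target}")
```

For the script above every target comes back corroborated: the two files and the folder appear as paths in the log, the three deleted keys appear as loading-point headers, and the Etdt value is listed under the HKCU Run key. A target that is not in the log shows up under unverified(), which is the signal to re-check the path before the script runs.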

#5 Furst
  • Topic Starter

  • Members
  • 4 posts

Posted 20 October 2007 - 11:29 AM

ComboFix log

ComboFix 07-10-17.8@ - Nathan Watson 2007-10-20 11:18:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.391 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nathan Watson\Desktop\CFScript.txt.lnk
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 02:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 16:38 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-15 16:38 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-10-15 16:37 <DIR> d-------- C:\Program Files\Gabest
2007-10-15 16:37 <DIR> d-------- C:\Program Files\AutoGK
2007-10-14 22:18 <DIR> d-------- C:\SONY_DVD_RECORDER_VOLUME
2007-10-14 21:58 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-10-13 23:19 <DIR> d-------- C:\Program Files\MediaCoder
2007-10-13 20:34 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-09-23 15:22 <DIR> d-------- C:\Documents and Settings\Nathan Watson\Application Data\.purple
2007-09-23 15:21 <DIR> d-------- C:\Program Files\Aspell
2007-09-23 15:19 <DIR> d-------- C:\Program Files\Pidgin
2007-09-20 22:54 <DIR> d-------- C:\Program Files\AskPBar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 08:03 --------- d-----w C:\Program Files\Furcadia
2007-10-17 04:04 --------- d-----w C:\Program Files\Trillian
2007-10-14 04:00 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\uTorrent
2007-10-13 12:30 --------- d-----w C:\Program Files\uTorrent
2007-10-11 10:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-07 21:45 --------- d-----w C:\Program Files\dogproxy2
2007-10-02 18:40 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\.purple
2007-09-10 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-08 21:35 --------- d-----w C:\Program Files\Creative
2007-09-08 05:36 164 ----a-w C:\install.dat
2007-09-08 05:35 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\GetRightToGo
2007-08-22 00:14 93,696 ----a-w C:\WINDOWS\system32\drvbur.dll
2007-08-22 00:14 15,360 ----a-w C:\WINDOWS\system32\drvburr.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 20:23 --------- d-----w C:\Program Files\Xilisoft
2007-08-20 03:20 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Publish Providers
2007-08-20 03:19 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Sony
2007-08-20 03:14 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-08-20 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2007-08-20 03:12 --------- d-----w C:\Program Files\Vstplugins
2007-08-20 03:12 --------- d-----w C:\Program Files\Sony
2007-08-20 03:03 --------- d-----w C:\Program Files\Sony Setup
2007-08-20 03:03 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Sony Setup
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-25 13:24 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll
2005-08-20 21:22 411,670 -c--a-w C:\Program Files\Cave Story Translation Installer.exe
2005-08-19 19:31 4,901 -c--a-w C:\Program Files\Cave Story Readme.txt
2005-01-31 03:00 201,576 -c--a-w C:\Program Files\OrgView Translation Installer.exe
2002-09-09 22:55 4,222,976 -c--a-w C:\Program Files\FinaleNotePad.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_ 2.54.49.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 02:58:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-20 12:43:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-20 02:58:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-20 12:43:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-20 02:58:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-20 12:43:25 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-26 04:12]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Etdt"="C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 16:54]

C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-06-12 09:16:33]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=C:\WINDOWS\pss\PKZIP Attachments Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMSETTINGS]
"C:\WINDOWS\system32\ctbeg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dxlock]
C:\Program Files\Fox Magic\ScreenVirtuoso Pro 1.91\dxlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LFAgent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
"C:\Program Files\Magicantispy\Magicantispy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
C:\Program Files\Creative\News\NewsUpd.EXE /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\program files\quick time\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqlpm]
"C:\Program Files\Common Files\?dobe\scanregw.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R2 LF30FS;LF30FS;\??\C:\Program Files\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
S0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 NMUSB;NMUSB;C:\WINDOWS\system32\drivers\nmusb.sys
S3 npkycryp;npkycryp;\??\C:\AAPrivateServerRO\Gravity\RO\npkycryp.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dea6b45-120f-11da-a09c-806d6172696f}]
AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b78270-12f6-11da-a41e-806d6172696f}]
AutoRun\command - D:\Setupx.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 06:14:55 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-01 06:00:40 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 11:22:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-10-20 11:23:53
C:\ComboFix2.txt ... 2007-10-20 02:56
.
--- E O F ---


Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:53 AM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\dogproxy2\DogProxy2.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcsync.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWUpdChk.exe
C:\WINDOWS\explorer.exe
C:\Downloads\BitTorrents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gunbound.ijji.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Etdt] "C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" -vt ndrv
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZCxdm473YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3340E934-5D1F-4BF6-A152-FE1552E0EA0C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3340E934-5D1F-4BF6-A152-FE1552E0EA0C}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 9557 bytes

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 20 October 2007 - 12:27 PM

Right Click and Select Rename and Rename CFScript.txt and remove this part please

CFScript.txt.lnk

You should see it on the desktop as CFScript.txt

Once you get that changed, repeat the previous instructions please.

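A triage script for the logs posted above, added here as an example; it is not part of the thread and not code from ComboFix or HijackThis. It runs over a constructed snippet whose lines are copied from the two logs in this thread and applies four heuristics that are this example's own assumptions rather than rules from the thread: an O4 autostart running a file name that elsewhere in the same log lives under system32 but here sits under the user's profile (the Etdt entry), a path containing '?' or non-ASCII characters (the ?dobe entry; these tools typically print a character they cannot render in the current code page as '?'), an O10 Winsock LSP DLL repeated many times, and a ComboFix "Command switches used" line naming a .lnk shortcut instead of the CFScript.txt itself, which is exactly the mistake corrected in post #6. All function and variable names are the example's own.

```python
import re
from collections import Counter

# A Windows path ending in exe/dll/sys, as HijackThis and ComboFix print them.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# The ComboFix header line that records which script file it was handed.
SWITCH_RE = re.compile(r'^Command switches used\s*::\s*(.+?)\s*$', re.MULTILINE)

# Constructed sample: lines copied from the ComboFix and HijackThis logs in
# this thread, not a complete log.
SAMPLE_LOG = (
    'ComboFix 07-10-17.8@ - Nathan Watson 2007-10-20 11:18:46.2 - NTFSx86\n'
    'Command switches used :: C:\\Documents and Settings\\Nathan Watson\\Desktop\\CFScript.txt.lnk\n'
    '[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Tqlpm]\n'
    '"C:\\Program Files\\Common Files\\?dobe\\scanregw.exe"\n'
    'O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot\n'
    'O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe\n'
    'O4 - HKCU\\..\\Run: [Etdt] "C:\\DOCUME~1\\NATHAN~1\\MYDOCU~1\\APPATC~1\\ati2evxx.exe" -vt ndrv\n'
    'O10 - Unknown file in Winsock LSP: c:\\program files\\common files\\bns shared\\eng\\ossysprv.dll\n'
    'O10 - Unknown file in Winsock LSP: c:\\program files\\common files\\bns shared\\eng\\ossysprv.dll\n'
    'O10 - Unknown file in Winsock LSP: c:\\program files\\common files\\bns shared\\eng\\ossysprv.dll\n'
    'O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe (file missing)\n'
)


def paths_in(line):
    """All exe/dll/sys paths that appear in one log line."""
    return PATH_RE.findall(line)


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def system32_basenames(lines):
    """File names the log itself places under \\WINDOWS\\system32."""
    names = set()
    for line in lines:
        for p in paths_in(line):
            if '\\windows\\system32\\' in p.lower():
                names.add(basename(p))
    return names


def is_profile_path(path):
    p = path.lower()
    return p.startswith('c:\\docume~1\\') or p.startswith('c:\\documents and settings\\')


def find_impostors(lines):
    """O4 autostarts that run a system32 file name from a user profile folder."""
    known = system32_basenames(lines)
    hits = []
    for line in lines:
        if not line.startswith('O4 '):
            continue
        for p in paths_in(line):
            if is_profile_path(p) and basename(p) in known:
                hits.append(p)
    return hits


def find_lookalike_paths(lines):
    """Paths with '?' or non-ASCII characters (heuristic: a folder named to
    resemble a vendor folder, printed with a character the tool cannot render)."""
    hits = []
    for line in lines:
        for p in paths_in(line):
            if '?' in p or any(ord(c) > 126 for c in p):
                hits.append(p)
    return hits


def find_repeated_lsp(lines, threshold=3):
    """O10 Winsock LSP DLLs that occur at least `threshold` times."""
    counts = Counter()
    for line in lines:
        if line.startswith('O10 '):
            for p in paths_in(line):
                counts[p.lower()] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


def script_argument_is_shortcut(log_text):
    """True when ComboFix was handed a .lnk shortcut rather than CFScript.txt."""
    m = SWITCH_RE.search(log_text)
    return bool(m) and m.group(1).lower().endswith('.lnk')


def triage(log_text):
    lines = log_text.splitlines()
    return {
        'impostors': find_impostors(lines),
        'lookalike_paths': find_lookalike_paths(lines),
        'repeated_lsp': find_repeated_lsp(lines),
        'script_is_shortcut': script_argument_is_shortcut(log_text),
    }


if __name__ == '__main__':
    for key, val in triage(SAMPLE_LOG).items():
        print(f'{key}: {val}')
```

Feed it a whole log (for instance `triage(open('hijackthis.log').read())`) and review each finding by hand: the heuristics point at entries worth a second look, they do not by themselves prove an entry is malicious.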
#7 Furst

Furst
  • Topic Starter

  • Members
  • 4 posts

Posted 20 October 2007 - 01:27 PM

Oops, sorry!

ComboFix 07-10-17.8@ - Nathan Watson 2007-10-20 13:13:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.386 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nathan Watson\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ctbeg.exe
D:\Autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctbeg.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 02:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 16:38 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-15 16:38 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-10-15 16:37 <DIR> d-------- C:\Program Files\Gabest
2007-10-15 16:37 <DIR> d-------- C:\Program Files\AutoGK
2007-10-14 22:18 <DIR> d-------- C:\SONY_DVD_RECORDER_VOLUME
2007-10-14 21:58 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-10-13 23:19 <DIR> d-------- C:\Program Files\MediaCoder
2007-10-13 20:34 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-09-23 15:22 <DIR> d-------- C:\Documents and Settings\Nathan Watson\Application Data\.purple
2007-09-23 15:21 <DIR> d-------- C:\Program Files\Aspell
2007-09-23 15:19 <DIR> d-------- C:\Program Files\Pidgin
2007-09-20 22:54 <DIR> d-------- C:\Program Files\AskPBar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 04:04 --------- d-----w C:\Program Files\Trillian
2007-10-14 04:00 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\uTorrent
2007-10-13 12:30 --------- d-----w C:\Program Files\uTorrent
2007-10-11 10:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-07 21:45 --------- d-----w C:\Program Files\dogproxy2
2007-10-02 18:40 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\.purple
2007-09-10 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-08 21:35 --------- d-----w C:\Program Files\Creative
2007-09-08 05:36 164 ----a-w C:\install.dat
2007-09-08 05:35 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\GetRightToGo
2007-08-22 00:14 93,696 ----a-w C:\WINDOWS\system32\drvbur.dll
2007-08-22 00:14 15,360 ----a-w C:\WINDOWS\system32\drvburr.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 20:23 --------- d-----w C:\Program Files\Xilisoft
2007-08-20 03:20 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Publish Providers
2007-08-20 03:19 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Sony
2007-08-20 03:14 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-08-20 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2007-08-20 03:12 --------- d-----w C:\Program Files\Vstplugins
2007-08-20 03:12 --------- d-----w C:\Program Files\Sony
2007-08-20 03:03 --------- d-----w C:\Program Files\Sony Setup
2007-08-20 03:03 --------- d-----w C:\Documents and Settings\Nathan Watson\Application Data\Sony Setup
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-25 13:24 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll
2005-08-20 21:22 411,670 -c--a-w C:\Program Files\Cave Story Translation Installer.exe
2005-08-19 19:31 4,901 -c--a-w C:\Program Files\Cave Story Readme.txt
2005-01-31 03:00 201,576 -c--a-w C:\Program Files\OrgView Translation Installer.exe
2002-09-09 22:55 4,222,976 -c--a-w C:\Program Files\FinaleNotePad.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_ 2.54.49.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 02:58:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-20 12:43:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-20 02:58:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-20 12:43:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-20 02:58:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-20 12:43:25 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-26 04:12]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Etdt"="C:\DOCUME~1\NATHAN~1\MYDOCU~1\APPATC~1\ati2evxx.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 16:54]

C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-06-12 09:16:33]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=C:\WINDOWS\pss\PKZIP Attachments Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nathan Watson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Nathan Watson\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMSETTINGS]
"C:\WINDOWS\system32\ctbeg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dxlock]
C:\Program Files\Fox Magic\ScreenVirtuoso Pro 1.91\dxlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LFAgent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
C:\Program Files\Creative\News\NewsUpd.EXE /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\program files\quick time\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R2 LF30FS;LF30FS;\??\C:\Program Files\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
S0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 NMUSB;NMUSB;C:\WINDOWS\system32\drivers\nmusb.sys
S3 npkycryp;npkycryp;\??\C:\AAPrivateServerRO\Gravity\RO\npkycryp.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b78270-12f6-11da-a41e-806d6172696f}]
AutoRun\command - D:\Setupx.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 06:14:55 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-01 06:00:40 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 13:23:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-10-20 13:24:57
C:\ComboFix2.txt ... 2007-10-20 11:23
C:\ComboFix3.txt ... 2007-10-20 02:56
.
--- E O F ---


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:28 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\dogproxy2\DogProxy2.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcsync.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWUpdChk.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWUpdChk.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\BitTorrents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gunbound.ijji.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZCxdm473YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3340E934-5D1F-4BF6-A152-FE1552E0EA0C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3340E934-5D1F-4BF6-A152-FE1552E0EA0C}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 9527 bytes

#8 Guest_Cretemonster_*


Posted 20 October 2007 - 01:46 PM

See if you can locate and delete these 2 files please.

C:\WINDOWS\system32\drvbur.dll

C:\WINDOWS\system32\drvburr.dll

Let me know if you have any issues with either and I'll fix ya another little script to get 'em.


Open HijackThis -> click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

O4 - Startup: PowerReg Scheduler.exe

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please make sure any Internet Browsers are Closed before running the ATF Cleaner.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
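As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script for logs in the HijackThis v2 format posted above. It pulls out what a helper reads first: O4 autostart entries (such as the PowerReg Scheduler.exe item marked for fixing), entries whose target file is missing, and repeated O10 Winsock LSP references to one DLL. The sample lines are constructed, modelled on the posted log.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 log format, modelled on entry types in the thread above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\bns shared\eng\ossysprv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_REG = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O4_FOLDER = re.compile(r"^(?P<folder>(?:Global )?Startup): (?P<name>.*)$")
LSP = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (code, body) entries; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Summarise autostarts, dead file references and Winsock LSP hooks from a log."""
    startups, missing, lsp = [], [], Counter()
    for code, body in parse_hjt(text):
        if "(file missing)" in body:
            missing.append((code, body))  # entry still points at a file that is gone
        if code == "O4":
            m = O4_REG.match(body) or O4_FOLDER.match(body)
            if m:
                d = m.groupdict()
                startups.append((d.get("hive") or d.get("folder"), d["name"], d.get("cmd", "")))
        elif code == "O10":
            m = LSP.match(body)
            if m:
                lsp[m.group("path").lower()] += 1  # one LSP DLL shows once per chain entry
    return {"startups": startups, "file_missing": missing, "lsp": lsp}


if __name__ == "__main__":
    print(triage(SAMPLE_HJT_LOG))
```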




