

Several Malware Problems: Xpantivirus/adware Remover2007/newmediacodec Virus


9 replies to this topic

#1 cdemikols

cdemikols

  • Members
  • 11 posts

Posted 26 January 2008 - 01:33 AM

I believe my computer is infected with the NewMediaCodec Trojan.

Yesterday I downloaded a bogus codec (I know, stupid huh!). Afterward I began getting tons of spyware pop-ups: XP Antivirus, SYSCleaner, SysErrorFixer, etc. My system tray has a fake red shield with an X through it, and continuously prompts me to download spyware. In addition I get pop-ups supposedly from Windows that require immediate action.

I also had one other spyware infection. I used the removal instructions on it and ran SmitFraudFix and I thought everything was fixed, but it wasn't. I tried several other tactics, and none of them worked.

Then I installed CA Anti-Spyware 2008, the newest and supposedly best! It found some spyware I couldn't; however, its quarantines only solve the problem for about 30 minutes. During one check, however, I saw a High risk item labeled NewMediaCodec.

I searched online to see what NewMediaCodec does. CA has a section about it on their website with Registry cues and everything. The URL is: http://www.ca.com/securityadvisor/pest/pes...px?id=453111498.

In addition to the pop-ups, I also cannot remove programs from my Add/Remove Programs GUI in my control panel. After looking at CA's description, I am almost positive that NewMediaCodec is responsible for this.

Does anyone know how I can fix this?

Edit: Below is my HiJackThis log that I was directed to post. If anyone could help, I already tried SUPERAntiSpyware. Link to last topic below:

http://www.bleepingcomputer.com/forums/t/127497/how-to-remove-newmediacodec/





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:28 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Config\lsass.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\Indt2.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O1 - Hosts: 82.98.86.173 bilincli.com
O2 - BHO: SXG Advisor - {69390657-F46E-457B-A84F-D5551C10C68A} - C:\WINDOWS\dpvtportnw.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chance DeMikols\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.umn.edu/adcs
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O21 - SSODL: aswmklt - {4D6292A3-ED6F-42B4-9015-C38C5A317023} - C:\WINDOWS\aswmklt.dll
O21 - SSODL: bqxomdo - {3BC4FAC9-171F-4CB3-83F4-6CA1ED82A063} - C:\WINDOWS\bqxomdo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9830 bytes
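As an added example that is not part of this thread and is not HijackThis's own code, here is a small Python script that applies, mechanically, the checks a log helper applies by eye to a log like the one above: a core Windows process name (lsass.exe, csrss.exe, ...) running from a directory other than System32, a .sys name listed as a running process, an extra program chained onto the system.ini Shell= line, a hosts-file entry, a Winlogon Notify DLL that is registered but missing from disk, an SSODL DLL dropped straight into C:\WINDOWS, a service with no publisher string, and an Active Desktop component pointing at a local HTML page. The sample input is a constructed subset of lines copied from the posted log (plus one clean CA service line for contrast); the function names and the rule list are my own, not something HijackThis or SDFix ships.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted above,
# with one clean O23 service entry kept in so the rules have something to skip.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Config\lsass.exe
C:\WINDOWS\system32\ndt2.sys
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O1 - Hosts: 82.98.86.173 bilincli.com
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O21 - SSODL: aswmklt - {4D6292A3-ED6F-42B4-9015-C38C5A317023} - C:\WINDOWS\aswmklt.dll
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Core Windows processes that legitimately run only from System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Sections this triage looks at (hypothetical rule set, chosen for this log).
ENTRY_RE = re.compile(r"^(F2|O1|O20|O21|O23|O24) - (.*)$")


def split_path(path):
    """Return (parent_dir, file_name), both lower-cased, for a Windows path."""
    parent, _, name = path.strip().lower().rpartition("\\")
    return parent, name


def triage_process(path):
    """Return a reason string if a 'Running processes' entry warrants review, else None."""
    parent, name = split_path(path)
    if name in CORE_PROCESSES and parent != SYSTEM32:
        return "core Windows process name running outside System32"
    if name.endswith(".sys"):
        return "driver-style .sys file listed as a running process"
    return None


def triage_entry(line):
    """Return a reason string if a HijackThis O/F/R entry warrants review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "F2" and "Shell=" in rest:
        shell = rest.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":          # anything beyond Explorer.exe is a hijack
            return "system.ini Shell= starts an extra program with Explorer: " + shell
    elif section == "O1":
        return "hosts-file entry redirecting a name: " + rest.split(":", 1)[1].strip()
    elif section == "O20" and "(file missing)" in rest:
        return "Winlogon Notify DLL registered but not on disk (dangling load point)"
    elif section == "O21":
        parent, name = split_path(rest.rsplit(" - ", 1)[1])
        if parent == r"c:\windows":                  # legitimate SSODL DLLs live in System32
            return "SSODL shell-load DLL placed directly in C:\\WINDOWS: " + name
    elif section == "O23" and "Unknown owner" in rest:
        return "service with no publisher string: " + rest
    elif section == "O24":
        return "Active Desktop component loading a local HTML page: " + rest
    return None


def triage_log(text):
    """Walk a HijackThis log; return [(line, reason)] for every line worth a look."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        reason = triage_process(line) if in_processes else triage_entry(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, the script flags eight lines and skips the CA service, the browser, the normal Run entry and the start-page line. Every flagged file path matches something the SDFix report in the next post lists under "Trojan Files Found" (aswmklt.dll, Config\lsass.exe, the privacy_danger folder), which is the cross-check a helper wants before deciding a tool run actually cleaned what the log showed. The rules are deliberately narrow; a missing Winlogon Notify DLL, for instance, is a leftover to clean up, not proof of an active infection.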


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 January 2008 - 04:00 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, cdemikols.
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 cdemikols

cdemikols
  • Topic Starter

  • Members
  • 11 posts

Posted 29 January 2008 - 06:57 PM

Thank you Richie. Below are the files you asked for. I appreciate your help!




SDFix Log:


SDFix: Version 1.133

Run by Chance DeMikols on Tue 01/29/2008 at 05:26 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\CHANCE~1\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Chance DeMikols\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Chance DeMikols\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Chance DeMikols\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Chance DeMikols\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Chance DeMikols\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\aswmklt.dll - Deleted
C:\WINDOWS\bqxomdo.dll - Deleted
C:\WINDOWS\Config\csrss.exe - Deleted
C:\WINDOWS\Config\lsass.exe - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\dpvtportnw.dll - Deleted
C:\WINDOWS\fvqkfsp.exe - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 17:33:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:a7,ff,07,20,8c,55,11,2e,30,62,fc,e4,34,10,67,20,a2,f9,a5,55,3b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:a7,ff,07,20,8c,55,11,2e,30,62,fc,e4,34,10,67,20,a2,f9,a5,55,3b,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A8847287-19C2-27E6-E543-77B0F1F7FBA6}]
"jaopjbgemalneiceieoa"=hex:69,61,66,6c,66,6f,63,6b,6d,6e,67,6d,6d,63,65,63,6e,61,00,00
"iaijpmhdfgcpddkjio"=hex:69,61,66,6c,66,6f,63,6b,6d,6e,67,6d,6d,63,65,63,6e,61,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\CHANCE~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 24 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 5 May 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 4 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT14.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT12.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT16.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT15.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT17.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT13.tmp"
Sat 29 Mar 2003 29,696 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL0320.tmp"
Mon 29 Dec 2003 29,184 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL0934.tmp"
Mon 31 Mar 2003 33,280 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL1085.tmp"
Tue 20 May 2003 19,456 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL2301.tmp"
Mon 31 Mar 2003 30,208 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL2713.tmp"
Mon 31 Mar 2003 33,280 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL3788.tmp"
Sat 27 Dec 2003 22,016 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Dizzy Yerez\~WRL4053.tmp"
Mon 13 Jan 2003 1,293,824 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Harry Potter and the Crystal of Kryptonite\~WRL3595.tmp"
Mon 28 Feb 2005 30,208 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL0086.tmp"
Fri 18 Nov 2005 41,472 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL0488.tmp"
Fri 18 Nov 2005 48,128 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL0584.tmp"
Wed 16 Nov 2005 33,280 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL0646.tmp"
Fri 18 Nov 2005 50,176 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL1195.tmp"
Sun 11 Jan 2004 29,184 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL1488.tmp"
Fri 18 Nov 2005 40,960 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL1761.tmp"
Wed 14 Jan 2004 29,696 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL2044.tmp"
Mon 28 Feb 2005 30,208 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL2078.tmp"
Fri 18 Nov 2005 45,056 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL2934.tmp"
Mon 28 Feb 2005 34,816 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL3315.tmp"
Mon 28 Feb 2005 34,816 A..H. --- "C:\Documents and Settings\Chance DeMikols\Desktop\The New Writing Briefcase\Teen Issues\~WRL3970.tmp"
Sun 27 Nov 2005 4,348 A..H. --- "C:\Documents and Settings\Chance DeMikols\My Documents\My Music\License Backup\drmv1key.bak"
Mon 4 Sep 2006 401 A..H. --- "C:\Documents and Settings\Chance DeMikols\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 3 Jul 2006 400 A.SH. --- "C:\Documents and Settings\Chance DeMikols\My Documents\My Music\License Backup\drmv2key.bak"

Finished!








The ComboFix Log:

ComboFix 08-01-30.1 - Chance DeMikols 2008-01-29 17:44:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1464 [GMT -6:00]
Running from: C:\Documents and Settings\Chance DeMikols\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Chance DeMikols\Application Data\inst.exe
C:\Program Files\Common Files\{34192~1

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 17:24 . 2008-01-29 17:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-28 15:51 . 2008-01-28 15:53 <DIR> d-------- C:\Program Files\LimeWire
2008-01-26 00:31 . 2008-01-26 00:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 22:39 . 2008-01-25 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-25 22:39 . 2008-01-25 22:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-25 22:37 . 2008-01-25 23:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-25 22:37 . 2008-01-25 22:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-25 15:56 . 2008-01-25 15:56 250,368 --a------ C:\WINDOWS\system32\andt.sys
2008-01-25 04:33 . 2008-01-25 04:33 <DIR> d-------- C:\Program Files\DivX
2008-01-24 23:32 . 2008-01-25 21:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 23:32 . 2008-01-24 23:32 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\SUPERAntiSpyware.com
2008-01-24 23:32 . 2008-01-24 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-24 23:29 . 2008-01-24 23:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 02:21 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-01-24 02:20 . 2008-01-24 03:33 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-24 02:20 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-01-24 02:20 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-01-24 02:20 . 2008-01-24 02:54 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-01-24 02:20 . 2008-01-24 02:54 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-01-24 02:20 . 2008-01-24 02:54 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-01-24 02:20 . 2008-01-24 02:54 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-01-23 01:20 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-23 01:20 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-23 01:20 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-23 01:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-23 01:20 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-23 01:20 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-23 01:20 . 2008-01-24 23:49 3,126 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 04:49 . 2008-01-26 01:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 04:49 . 2008-01-22 04:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 04:22 . 2008-01-22 04:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-22 04:21 . 2008-01-22 04:21 <DIR> d-------- C:\Program Files\Veoh Networks
2008-01-17 17:30 . 2008-01-17 17:31 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-01-17 17:30 . 2008-01-17 17:31 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-01-07 19:16 . 2008-01-07 19:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 15:59 . 2008-01-04 15:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 15:59 . 2008-01-04 15:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 15:58 . 2008-01-04 15:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 15:58 . 2008-01-04 15:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 15:58 . 2008-01-04 15:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 15:56 . 2008-01-04 15:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 15:56 . 2008-01-04 15:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-03 14:43 . 2008-01-03 14:43 <DIR> d-------- C:\Program Files\SanDisk
2008-01-03 14:43 . 2008-01-03 14:43 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-01-03 14:43 . 2008-01-03 14:43 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\ArcSoft
2008-01-03 14:43 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-03 14:19 . 2008-01-03 14:19 <DIR> d-------- C:\Program Files\River Past
2008-01-03 14:19 . 2008-01-03 14:19 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-01-03 14:19 . 2008-01-03 14:43 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\River Past G5
2008-01-03 14:19 . 2008-01-03 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-01-03 14:19 . 2008-01-03 14:19 164,359 --a------ C:\WINDOWS\Crazi Video for Sansa Uninstaller.exe
2008-01-03 13:44 . 2008-01-15 22:04 <DIR> d-------- C:\Program Files\mp3Tag 5
2008-01-02 12:31 . 2008-01-02 12:31 0 --a------ C:\WINDOWS\iPlayer.INI
2007-12-25 17:56 . 2007-12-25 17:56 <DIR> d-------- C:\Program Files\RocketDock
2007-12-19 13:04 . 2008-01-28 19:42 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-19 12:55 . 2007-12-19 12:55 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\Nero
2007-12-19 12:52 . 2007-12-19 12:52 <DIR> d-------- C:\Program Files\Nero
2007-12-19 12:52 . 2007-12-19 12:54 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-12-19 12:52 . 2007-12-19 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-14 00:55 . 2007-12-14 00:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-14 00:54 . 2007-12-14 00:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-14 00:54 . 2008-01-06 19:42 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\Roxio
2007-12-14 00:53 . 2007-12-14 00:53 <DIR> d-------- C:\Program Files\InterActual
2007-12-14 00:36 . 2007-12-14 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-14 00:32 . 2007-12-14 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-14 00:29 . 2007-12-14 00:29 <DIR> d-------- C:\Program Files\SmartSound Software
2007-12-14 00:29 . 2007-12-14 00:37 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-14 00:29 . 2007-12-14 00:36 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-14 00:29 . 2007-12-14 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2007-12-14 00:28 . 2007-12-14 00:38 <DIR> d-------- C:\Program Files\Roxio
2007-12-14 00:28 . 2007-12-14 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-14 00:02 . 2007-12-14 00:02 32,768 --a------ C:\WINDOWS\system32\routing.exe
2007-12-13 00:25 . 2007-12-13 00:25 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-12-13 00:23 . 2007-12-13 00:23 <DIR> d-------- C:\Program Files\LG Software Innovations
2007-12-11 12:03 . 2007-12-11 12:03 40 --a------ C:\WINDOWS\system32\drmgs.sys
2007-12-11 12:00 . 2007-12-11 12:00 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 23:17 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\Azureus
2008-01-29 22:48 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\LimeWire
2008-01-24 10:01 --------- d-----w C:\Program Files\%systemtool%
2008-01-24 08:54 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-01-24 08:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-01-24 08:22 --------- d-----w C:\Program Files\CA
2008-01-24 08:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-22 10:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 04:03 --------- d-----w C:\Program Files\Creative
2008-01-11 19:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-03 20:53 --------- d-----w C:\Program Files\QuickTime
2007-12-27 09:04 --------- d-----w C:\Program Files\FinePixViewer
2007-12-26 00:15 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-26 00:13 47,360 ----a-w C:\Documents and Settings\Chance DeMikols\Application Data\pcouffin.sys
2007-12-26 00:13 --------- d-----w C:\Program Files\VSO
2007-12-26 00:13 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\Vso
2007-12-23 15:23 --------- d-----w C:\Program Files\Azureus
2007-12-19 13:23 --------- d-----w C:\Program Files\Ahead
2007-12-14 06:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-12 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 08:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 20:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 20:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-02 14:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
2007-09-17 23:41 719,174,560 ----a-w C:\Program Files\ADBEPPROCS3_ALP.exe
2007-01-24 22:36 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-01-24 22:36 198,275 ----a-w C:\Program Files\FEB2007_XACT_x64.cab
2007-01-24 22:36 151,583 ----a-w C:\Program Files\FEB2007_XACT_x86.cab
2007-01-24 22:21 976,020 ------w C:\Program Files\BDAXP.cab
2007-01-24 22:21 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab
2007-01-24 22:21 91,265 ------w C:\Program Files\OCT2006_xinput_x64.cab
2007-01-24 22:21 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab
2007-01-24 22:21 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab
2007-01-24 22:21 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2007-01-24 22:21 85,235 ----a-w C:\Program Files\dxupdate.cab
2007-01-24 22:21 77,160 ----a-w C:\Program Files\DSETUP.dll
2007-01-24 22:21 503,144 ----a-w C:\Program Files\DXSETUP.exe
2007-01-24 22:21 49,149 ------w C:\Program Files\OCT2006_xinput_x86.cab
2007-01-24 22:21 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab
2007-01-24 22:21 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab
2007-01-24 22:21 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2007-01-24 22:21 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab
2007-01-24 22:21 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab
2007-01-24 22:21 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab
2007-01-24 22:21 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab
2007-01-24 22:21 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab
2007-01-24 22:21 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab
2007-01-24 22:21 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab
2007-01-24 22:21 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab
2007-01-24 22:21 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab
2007-01-24 22:21 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab
2007-01-24 22:21 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab
2007-01-24 22:21 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab
2007-01-24 22:21 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab
2007-01-24 22:21 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab
2007-01-24 22:21 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab
2007-01-24 22:21 13,265,040 ------w C:\Program Files\dxnt.cab
2007-01-24 22:21 1,673,576 ----a-w C:\Program Files\dsetup32.dll
2007-01-24 22:21 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab
2007-01-24 22:21 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab
2007-01-24 22:21 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab
2007-01-24 22:21 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab
2007-01-24 22:21 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2007-01-24 22:21 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2007-01-24 22:21 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2007-01-24 22:21 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2007-01-24 22:21 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2007-01-24 22:21 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2007-01-24 22:21 1,156,363 ------w C:\Program Files\BDANT.cab
2007-01-24 22:21 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab
2007-01-24 22:21 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab
2007-01-24 22:21 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2007-01-24 22:21 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab
2007-01-24 22:21 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab
2007-01-24 22:21 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab
2007-01-24 22:21 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab
2007-01-24 22:21 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Google Update"="C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe" [2008-01-12 20:12 21488]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 04:29 220544]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2003-08-20 12:56 45056 C:\WINDOWS\system32\VTTimer.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-24 02:54 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-01-24 02:54 234760]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-01 14:28 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 15:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 03:44 113136]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyayx]
byxyayx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-03 14:53 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-28 22:29 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

R2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe [2007-12-14 00:02]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-01-24 02:54]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe" [2007-08-24 15:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [2007-08-24 15:52]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [2007-08-24 15:52]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe []
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [2007-08-24 15:53]
S3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [2007-08-24 15:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{261fe6de-f235-11db-904d-0040caa99e12}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78e7774c-14a2-11dc-906a-0040caa99e12}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 09:31:36 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Chance DeMikols at 2 23 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 17:50:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
.
**************************************************************************
.
Completion time: 2008-01-30 17:54:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 23:54:19
.
2008-01-09 09:03:09 --- E O F ---


New HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:26 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chance DeMikols\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.umn.edu/adcs
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9092 bytes

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 30 January 2008 - 06:18 AM

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
Read this article:
http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\routing.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyayx]
Service::
Routing

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
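As an added example (not code from the thread, ComboFix or HijackThis), a small Python triage script that reads HijackThis O20/O23 lines like the ones in the log above, flags the orphaned Winlogon Notify hook and the services with no publisher, and renders a CFScript in the File:: / Registry:: / Service:: layout RichieUK's post uses. The sample lines are constructed from this thread's log; the regexes and the "Unknown owner" rule are this example's own assumptions, and the output is a starting point for a human reviewer, not a verdict.

```python
"""Triage helper for HijackThis O20/O23 lines: flag Winlogon Notify hooks whose
DLL has no path or is reported missing, and services listed with 'Unknown owner',
then render a CFScript in the File:: / Registry:: / Service:: layout shown in
this thread. Added example, not ComboFix's or HijackThis's own code."""
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyayx - byxyayx.dll (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
"""

# Assumed line shapes, derived from the log lines above (not an official grammar).
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def parse_findings(log_text):
    """Return a list of dicts describing entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            # A Notify DLL named without any path, or reported missing, is an orphaned
            # loading point of the kind 'byxyayx' shows; legitimate hooks give a full path.
            if m.group("missing") or "\\" not in m.group("dll"):
                findings.append({"kind": "winlogon_notify", "name": m.group("name"),
                                 "path": m.group("dll"), "missing": bool(m.group("missing"))})
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            # HijackThis prints the short service name in parentheses when it differs
            # from the display name; the CFScript Service:: section wants the short name.
            findings.append({"kind": "service", "name": m.group("short") or m.group("display"),
                             "path": m.group("path"), "missing": bool(m.group("missing"))})
    return findings


def build_cfscript(findings):
    """Render findings as CFScript text; only files that still exist go under File::."""
    files = [f["path"] for f in findings if f["kind"] == "service" and not f["missing"]]
    keys = [f"[-{WINLOGON_NOTIFY}\\{f['name']}]" for f in findings if f["kind"] == "winlogon_notify"]
    services = [f["name"] for f in findings if f["kind"] == "service"]
    lines = []
    for header, entries in (("File::", files), ("Registry::", keys), ("Service::", services)):
        if entries:
            lines.append(header)
            lines.extend(entries)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_findings(SAMPLE_LOG)))
```

Run against the sample it reproduces RichieUK's script and additionally lists the SessionLauncher service, whose binary is already gone, under Service:: only.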

#5 cdemikols (Topic Starter, Members, 11 posts)

Posted 30 January 2008 - 08:16 PM

Thank you, Richie. Here are the additional files you requested.

New ComboFix Log:

ComboFix 08-01-30.1 - Chance DeMikols 2008-01-31 17:53:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1170 [GMT -6:00]
Running from: C:\Documents and Settings\Chance DeMikols\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chance DeMikols\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\routing.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\routing.exe
E:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-29 17:24 . 2008-01-29 17:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-28 15:51 . 2008-01-28 15:53 <DIR> d-------- C:\Program Files\LimeWire
2008-01-26 00:31 . 2008-01-26 00:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 22:39 . 2008-01-25 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-25 22:39 . 2008-01-25 22:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-25 22:37 . 2008-01-25 23:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-25 22:37 . 2008-01-25 22:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-25 15:56 . 2008-01-25 15:56 250,368 --a------ C:\WINDOWS\system32\andt.sys
2008-01-25 04:33 . 2008-01-25 04:33 <DIR> d-------- C:\Program Files\DivX
2008-01-24 23:32 . 2008-01-25 21:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 23:32 . 2008-01-24 23:32 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\SUPERAntiSpyware.com
2008-01-24 23:32 . 2008-01-24 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-24 23:29 . 2008-01-24 23:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 02:21 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-01-24 02:20 . 2008-01-24 03:33 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-24 02:20 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-01-24 02:20 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-01-24 02:20 . 2008-01-24 02:54 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-01-24 02:20 . 2008-01-24 02:54 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-01-24 02:20 . 2008-01-24 02:54 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-01-24 02:20 . 2008-01-24 02:54 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-01-23 01:20 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-23 01:20 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-23 01:20 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-23 01:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-23 01:20 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-23 01:20 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-23 01:20 . 2008-01-24 23:49 3,126 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 04:22 . 2008-01-22 04:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-22 04:21 . 2008-01-22 04:21 <DIR> d-------- C:\Program Files\Veoh Networks
2008-01-17 17:30 . 2008-01-17 17:31 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-01-17 17:30 . 2008-01-17 17:31 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-01-07 19:16 . 2008-01-07 19:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 15:59 . 2008-01-04 15:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 15:59 . 2008-01-04 15:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 15:58 . 2008-01-04 15:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 15:58 . 2008-01-04 15:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 15:58 . 2008-01-04 15:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 15:56 . 2008-01-04 15:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 15:56 . 2008-01-04 15:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-03 14:43 . 2008-01-03 14:43 <DIR> d-------- C:\Program Files\SanDisk
2008-01-03 14:43 . 2008-01-03 14:43 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-01-03 14:43 . 2008-01-03 14:43 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\ArcSoft
2008-01-03 14:43 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-03 14:19 . 2008-01-03 14:19 <DIR> d-------- C:\Program Files\River Past
2008-01-03 14:19 . 2008-01-03 14:19 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-01-03 14:19 . 2008-01-03 14:43 <DIR> d-------- C:\Documents and Settings\Chance DeMikols\Application Data\River Past G5
2008-01-03 14:19 . 2008-01-03 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-01-03 14:19 . 2008-01-03 14:19 164,359 --a------ C:\WINDOWS\Crazi Video for Sansa Uninstaller.exe
2008-01-03 13:44 . 2008-01-15 22:04 <DIR> d-------- C:\Program Files\mp3Tag 5
2008-01-02 12:31 . 2008-01-02 12:31 0 --a------ C:\WINDOWS\iPlayer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 23:58 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\Azureus
2008-01-31 22:24 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\LimeWire
2008-01-24 10:01 --------- d-----w C:\Program Files\%systemtool%
2008-01-24 08:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-01-24 08:22 --------- d-----w C:\Program Files\CA
2008-01-24 08:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-22 10:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 04:03 --------- d-----w C:\Program Files\Creative
2008-01-11 19:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-07 01:42 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\Roxio
2008-01-03 20:53 --------- d-----w C:\Program Files\QuickTime
2007-12-27 09:04 --------- d-----w C:\Program Files\FinePixViewer
2007-12-26 00:15 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-26 00:13 47,360 ----a-w C:\Documents and Settings\Chance DeMikols\Application Data\pcouffin.sys
2007-12-26 00:13 --------- d-----w C:\Program Files\VSO
2007-12-26 00:13 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\Vso
2007-12-25 23:56 --------- d-----w C:\Program Files\RocketDock
2007-12-23 15:23 --------- d-----w C:\Program Files\Azureus
2007-12-19 18:55 --------- d-----w C:\Documents and Settings\Chance DeMikols\Application Data\Nero
2007-12-19 18:54 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-19 18:52 --------- d-----w C:\Program Files\Nero
2007-12-19 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-19 13:23 --------- d-----w C:\Program Files\Ahead
2007-12-14 06:55 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-14 06:55 --------- d-----w C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-14 06:53 --------- d-----w C:\Program Files\InterActual
2007-12-14 06:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-14 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2007-12-14 06:38 --------- d-----w C:\Program Files\Roxio
2007-12-14 06:37 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-14 06:36 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-14 06:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-14 06:29 --------- d-----w C:\Program Files\SmartSound Software
2007-12-14 06:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-14 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-13 06:25 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-13 06:23 --------- d-----w C:\Program Files\LG Software Innovations
2007-12-12 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 18:00 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-17 23:41 719,174,560 ----a-w C:\Program Files\ADBEPPROCS3_ALP.exe
2007-01-24 22:36 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-01-24 22:36 198,275 ----a-w C:\Program Files\FEB2007_XACT_x64.cab
2007-01-24 22:36 151,583 ----a-w C:\Program Files\FEB2007_XACT_x86.cab
2007-01-24 22:21 976,020 ------w C:\Program Files\BDAXP.cab
2007-01-24 22:21 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab
2007-01-24 22:21 91,265 ------w C:\Program Files\OCT2006_xinput_x64.cab
2007-01-24 22:21 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab
2007-01-24 22:21 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab
2007-01-24 22:21 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2007-01-24 22:21 85,235 ----a-w C:\Program Files\dxupdate.cab
2007-01-24 22:21 77,160 ----a-w C:\Program Files\DSETUP.dll
2007-01-24 22:21 503,144 ----a-w C:\Program Files\DXSETUP.exe
2007-01-24 22:21 49,149 ------w C:\Program Files\OCT2006_xinput_x86.cab
2007-01-24 22:21 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab
2007-01-24 22:21 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab
2007-01-24 22:21 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2007-01-24 22:21 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab
2007-01-24 22:21 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab
2007-01-24 22:21 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab
2007-01-24 22:21 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab
2007-01-24 22:21 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab
2007-01-24 22:21 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab
2007-01-24 22:21 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab
2007-01-24 22:21 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab
2007-01-24 22:21 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab
2007-01-24 22:21 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab
2007-01-24 22:21 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab
2007-01-24 22:21 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab
2007-01-24 22:21 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab
2007-01-24 22:21 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab
2007-01-24 22:21 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab
2007-01-24 22:21 13,265,040 ------w C:\Program Files\dxnt.cab
2007-01-24 22:21 1,673,576 ----a-w C:\Program Files\dsetup32.dll
2007-01-24 22:21 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab
2007-01-24 22:21 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab
2007-01-24 22:21 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab
2007-01-24 22:21 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab
2007-01-24 22:21 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2007-01-24 22:21 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2007-01-24 22:21 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2007-01-24 22:21 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2007-01-24 22:21 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2007-01-24 22:21 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2007-01-24 22:21 1,156,363 ------w C:\Program Files\BDANT.cab
2007-01-24 22:21 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab
2007-01-24 22:21 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab
2007-01-24 22:21 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2007-01-24 22:21 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab
2007-01-24 22:21 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab
2007-01-24 22:21 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab
2007-01-24 22:21 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab
2007-01-24 22:21 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Google Update"="C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe" [2008-01-12 20:12 21488]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 04:29 220544]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2003-08-20 12:56 45056 C:\WINDOWS\system32\VTTimer.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-24 02:54 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-01-24 02:54 234760]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-01 14:28 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 15:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 03:44 113136]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-03 14:53 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-28 22:29 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-01-24 02:54]
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe []
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe" [2007-08-24 15:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [2007-08-24 15:52]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [2007-08-24 15:52]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [2007-08-24 15:53]
S3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [2007-08-24 15:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{261fe6de-f235-11db-904d-0040caa99e12}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78e7774c-14a2-11dc-906a-0040caa99e12}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 09:31:36 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Chance DeMikols at 2 23 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 18:01:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
.
**************************************************************************
.
Completion time: 2008-01-31 18:05:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 00:05:26
ComboFix2.txt 2008-01-30 23:54:27
.
2008-01-09 09:03:09 --- E O F ---



New HiJackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:50 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chance DeMikols\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.umn.edu/adcs
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 9029 bytes

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 30 January 2008 - 08:24 PM

Copy and paste the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.
@echo off
rem Stop the "Routing" service and remove its registration. Its binary,
rem C:\WINDOWS\system32\routing.exe, is reported "(file missing)" in the
rem HijackThis log, so only the orphaned service entry is left to clean up.
rem "sc stop" prints an error if the service is not running; that is expected.
sc stop Routing
sc delete Routing
rem The batch file removes itself when finished.
del fix.bat
Restart your PC.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. It does not provide an option to clean/disinfect, I need to see the scan results.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work,try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new Hijackthis log please.
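
Added example, not code from this thread, from HijackThis or from the Malware Response Team: a small Python triage of the O23 (service) lines in the HijackThis log posted above, showing how an entry like Routing gets picked out, and emitting the same sc stop / sc delete pair that RichieUK's fix.bat uses. The sample lines are copied from the log in this thread; the flagging rules (binary reported missing, "Unknown owner", path under a Temp folder) are my own heuristics and are assumptions, not anything the tools themselves apply. RichieUK's fix removed only Routing; the example lists candidate commands for every orphaned entry, and which ones to act on stays the analyst's call.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: five O23 lines copied from the HijackThis log posted
# in this thread, embedded so the example runs offline. Backslashes are doubled
# for Python.
SAMPLE_HJT_LOG = """
O23 - Service: Adobe LM Service - Adobe Systems - C:\\Program Files\\Common Files\\Adobe Systems Shared\\Service\\Adobelmsvc.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\\WINDOWS\\system32\\routing.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\\DOCUME~1\\CHANCE~1\\LOCALS~1\\Temp\\DX9\\SessionLauncher.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\VetMsg.exe
"""

# HijackThis O23 layout, as seen in the log above:
#   O23 - Service: <display name> [(<service name>)] - <owner> - <path> [(file missing)]
# When display name and service name are identical the parenthesised part is omitted.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name") or m.group("display"),  # what sc.exe needs
        "display": m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def triage(log_text: str) -> List[Dict[str, object]]:
    """Flag O23 services worth a second look; each hit carries the reasons it was flagged.
    The three rules are this example's own heuristics (assumption), not HijackThis logic."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["missing"]:
            reasons.append("binary missing: orphaned service registration")
        if svc["owner"] == "Unknown owner":
            reasons.append("no company/owner information")
        if "\\temp\\" in str(svc["path"]).lower():
            reasons.append("runs from a Temp directory")
        if reasons:
            hits.append({**svc, "reasons": reasons})
    return hits


def removal_commands(hits: List[Dict[str, object]]) -> List[str]:
    """Emit the sc.exe pair used in fix.bat, but only for orphaned (binary missing)
    services: with nothing left on disk to run, deleting the registration is all that
    remains. The other flags are leads for the analyst, not grounds for automatic removal."""
    cmds: List[str] = []
    for svc in hits:
        if not svc["missing"]:
            continue
        name = str(svc["name"])
        quoted = f'"{name}"' if " " in name else name  # sc needs quotes around spaces
        cmds.append(f"sc stop {quoted}")
        cmds.append(f"sc delete {quoted}")
    return cmds


if __name__ == "__main__":
    flagged = triage(SAMPLE_HJT_LOG)
    for svc in flagged:
        print(f'{svc["name"]}: {svc["path"]}')
        for reason in svc["reasons"]:
            print(f"    - {reason}")
    print("\n".join(removal_commands(flagged)))
```

Run against the sample it flags Routing, SessionLauncher and Viewpoint Manager Service (all three "(file missing)", all three "Unknown owner", SessionLauncher additionally living under a Temp folder) and prints six sc commands; the CA and Adobe services pass untouched. Service names containing spaces are quoted, which sc.exe requires.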

#7 cdemikols
  • Topic Starter
  • Members
  • 11 posts

Posted 02 February 2008 - 03:34 PM

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:09 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\GRETECH\GomPlayer\GOM.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chance DeMikols\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chance DeMikols\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.umn.edu/adcs
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CHANCE~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 02 February 2008 - 07:26 PM

Post the Kaspersky Online Scanner report please.

#9 cdemikols

cdemikols
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 04 February 2008 - 09:00 PM

The online scanner won't give me access, even though I have ActiveX and an Admin account. I downloaded the program, but I can't copy and paste that log, and the upload function on the site won't upload the saved log. Is there another way to access the online scanner?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 05 February 2008 - 05:21 AM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Viewpoint Manager Service
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chance DeMikols\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.

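The Services.msc steps above (stop the service, set its Startup Type to Disabled), done from the command line instead, as an added example that is not part of RichieUK's post or of this thread. It is a PowerShell script, assumed to run as Administrator on the affected machine; it looks the service up by the display name shown in the O23 line, reads the registered ImagePath from the service's registry key, reports whether that binary actually exists and who signed it (the "(file missing)" and "Unknown owner" fields HijackThis prints), and only then stops and disables it. The display name is the only value taken from the log; the registry layout is standard Windows, and everything else is the example's own assumption.

```powershell
# Added example, not code from the thread: audit, stop and disable a Windows service
# by display name. Run in an elevated (Administrator) PowerShell session.
param(
    # Taken from the HijackThis O23 line; any other display name works the same way.
    [string]$DisplayName = 'Viewpoint Manager Service'
)

$svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "No service with display name '$DisplayName' is registered."
    return
}

# The executable a service runs is recorded in its registry key as ImagePath.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
$imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

# Reduce the ImagePath to the bare executable path: drop surrounding quotes, or
# cut at the first " -" / " /" switch when the path is unquoted.
$exe = [string]$imagePath
if ($exe -match '^"([^"]+)"') {
    $exe = $Matches[1]
} else {
    $exe = ($exe -split ' -| /')[0]
}
$exe = [Environment]::ExpandEnvironmentVariables($exe)

$startMode = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
$present   = Test-Path -LiteralPath $exe

Write-Host "Service name : $($svc.Name)"
Write-Host "Status       : $($svc.Status)"
Write-Host "Start mode   : $startMode"
Write-Host "ImagePath    : $imagePath"
Write-Host "File present : $present"

# A present binary can still be checked for a valid Authenticode signature; a missing
# one is what HijackThis reports as '(file missing)' and leaves nothing to run.
if ($present) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    Write-Host "Signature    : $($sig.Status) $($sig.SignerCertificate.Subject)"
}

# Same effect as pressing 'Stop' and choosing Startup Type 'Disabled' in Services.msc.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force
}
Set-Service -Name $svc.Name -StartupType Disabled
Write-Host "Service '$($svc.Name)' stopped and set to Disabled."
```

Run it as `.\Disable-Service.ps1` (any file name will do) or pass `-DisplayName` to audit a different entry from the O23 list; the audit output comes first so the ImagePath, file presence and signer can be read before the service is actually disabled. Disabling rather than deleting keeps the registry key in place for later review, which matches the approach taken in the post.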



