Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Heres My Hijackthis


  • This topic is locked This topic is locked
10 replies to this topic

#1 xplicit

xplicit

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 02 March 2008 - 09:25 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:16 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\QdrPack\QdrPack13.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: BndAero6 IE Helper - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} - C:\Program Files\QdrDrive\QdrDrive11.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: UrlHelper Class - {A1123C1A-5D52-4df7-B639-6346165FCD58} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BearFlix MediaBar - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12236 bytes


any help would be appreicated thanks

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:14 AM

Posted 03 March 2008 - 11:28 AM

Hello xplicit,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 xplicit

xplicit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 04 March 2008 - 08:11 PM

thanks for replying i did what you ask and heres the rapport info you askd for

SmitFraudFix v2.300

Scan done at 17:03:13.25, Tue 03/04/2008
Run from C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\764.exe Deleted
C:\WINDOWS\7search.dll Deleted
C:\WINDOWS\absolute key logger.lnk Deleted
C:\WINDOWS\aconti.exe Deleted
C:\WINDOWS\aconti.ini Deleted
C:\WINDOWS\aconti.log Deleted
C:\WINDOWS\aconti.sdb Deleted
C:\WINDOWS\acontidialer.txt Deleted
C:\WINDOWS\adbar.dll Deleted
C:\WINDOWS\cbinst$.exe Deleted
C:\WINDOWS\daxtime.dll Deleted
C:\WINDOWS\default.htm Deleted
C:\WINDOWS\dp0.dll Deleted
C:\WINDOWS\eventlowg.dll Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe Deleted
C:\WINDOWS\fhfmm.exe Deleted
C:\WINDOWS\flt.dll Deleted
C:\WINDOWS\hcwprn.exe Deleted
C:\WINDOWS\hotporn.exe Deleted
C:\WINDOWS\iexplorr23.dll Deleted
C:\WINDOWS\ie_32.exe Deleted
C:\WINDOWS\jd2002.dll Deleted
C:\WINDOWS\kkcomp$.exe Deleted
C:\WINDOWS\kkcomp.dll Deleted
C:\WINDOWS\kkcomp.exe Deleted
C:\WINDOWS\kvnab$.exe Deleted
C:\WINDOWS\kvnab.dll Deleted
C:\WINDOWS\kvnab.exe Deleted
C:\WINDOWS\liqad$.exe Deleted
C:\WINDOWS\liqad.dll Deleted
C:\WINDOWS\liqad.exe Deleted
C:\WINDOWS\liqui-Uninstaller.exe Deleted
C:\WINDOWS\liqui.dll Deleted
C:\WINDOWS\liqui.exe Deleted
C:\WINDOWS\ngd.dll Deleted
C:\WINDOWS\pbar.dll Deleted
C:\WINDOWS\pbsysie.dll Deleted
C:\WINDOWS\settn.dll Deleted
C:\WINDOWS\spredirect.dll Deleted
C:\WINDOWS\vxddsk.exe Deleted
C:\WINDOWS\wbeCheck.exe Deleted
C:\WINDOWS\wbeInst$.exe Deleted
C:\WINDOWS\wml.exe Deleted
C:\WINDOWS\xadbrk.dll Deleted
C:\WINDOWS\xadbrk.exe Deleted
C:\WINDOWS\xadbrk_.exe Deleted
C:\WINDOWS\xxxvideo.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\ESHOPEE.exe Deleted
C:\WINDOWS\system32\msole32.exe Deleted
C:\WINDOWS\system32\vxddsk.exe Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted
C:\WINDOWS\system32\wml.exe Deleted
C:\WINDOWS\system32\acespy\ Deleted
C:\Program Files\3721\ Deleted
C:\Program Files\Accoona\ Deleted
C:\Program Files\akl\ Deleted
C:\Program Files\amsys\ Deleted
C:\Program Files\e-zshopper\ Deleted
C:\Program Files\p2pnetworks\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{17CCC774-41C8-40DF-BCCA-6A5AED381EF0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{17CCC774-41C8-40DF-BCCA-6A5AED381EF0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{17CCC774-41C8-40DF-BCCA-6A5AED381EF0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:14 AM

Posted 04 March 2008 - 09:51 PM

Hi xplicit,

You forgot to post a fresh Hijackthis log. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 xplicit

xplicit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 05 March 2008 - 06:30 PM

Oh sorry heres the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:20 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: UrlHelper Class - {A1123C1A-5D52-4df7-B639-6346165FCD58} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BearFlix MediaBar - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9436 bytes

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:14 AM

Posted 05 March 2008 - 07:10 PM

Hi xplicit,

You have some nasty infections on this computer, so we will run ComboFix.

You need to disable your Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You succesfully disabled the Norton Antivirus Guard.


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT
You do not need Windows CDs to install Recovery Console.

We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read  here   what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 xplicit

xplicit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 05 March 2008 - 08:35 PM

heres the combofix log

ComboFix 08-03-05.1 - Vanouen 2008-03-05 17:17:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.333 [GMT -8:00]
Running from: C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\inetget2
C:\Program Files\inetget2\Installeur.exe
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\system32\000070.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 17:14 . 2004-08-09 20:00 388,608 --a------ C:\CF1911.exe
2008-03-05 15:36 . 2008-03-05 17:29 <DIR> d-------- C:\Program Files\Steam
2008-03-04 17:03 . 2008-03-04 17:03 1,416 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 16:58 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 16:58 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 16:58 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 16:58 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 16:58 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 16:58 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 16:58 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 16:56 . 2008-03-04 16:56 <DIR> d-------- C:\Documents and Settings\vannyz\Application Data\Yahoo!
2008-03-04 16:55 . 2006-10-27 14:19 <DIR> d-------- C:\Documents and Settings\vannyz\WINDOWS
2008-03-04 16:55 . 2006-10-27 14:43 <DIR> d-------- C:\Documents and Settings\vannyz\Application Data\Symantec
2008-03-04 16:55 . 2006-10-27 14:21 <DIR> d-------- C:\Documents and Settings\vannyz\Application Data\Intuit
2008-03-04 07:13 . 2008-03-04 07:13 <DIR> d-------- C:\Program Files\RcvSystem
2008-03-03 23:49 . 2008-03-03 23:49 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-03 13:31 . 2006-06-01 10:47 163,840 --------- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-03-03 13:31 . 2006-06-01 10:47 27,648 --------- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-03-03 13:30 . 2006-03-16 16:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-03-03 13:29 . 2006-05-05 01:41 453,120 --------- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-03-03 12:52 . 2008-03-03 12:52 <DIR> d--h----- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\ijjigame
2008-03-02 17:56 . 2008-03-02 17:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 11:25 . 2008-03-02 11:25 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\MSNInstaller
2008-03-02 11:21 . 2008-03-02 11:21 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Netscape
2008-03-02 10:20 . 2008-03-02 10:22 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-02 10:20 . 2008-03-02 10:22 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-27 14:42 . 2008-02-27 14:42 <DIR> d-------- C:\Program Files\Gamevance
2008-02-26 12:20 . 2008-02-26 12:20 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Template
2008-02-26 12:20 . 2008-03-02 12:17 162 --a------ C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\wklnhst.dat
2008-02-25 23:23 . 2008-02-25 23:23 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Sonic
2008-02-25 23:22 . 2008-02-25 23:22 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Leadertech
2008-02-25 18:02 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-25 18:02 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-25 18:00 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-25 18:00 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-25 18:00 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-25 18:00 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-24 14:31 . 2008-02-24 14:31 5,120 --a------ C:\WINDOWS\ons.dll
2008-02-22 13:55 . 2008-02-22 13:55 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Yahoo!
2008-02-22 13:55 . 2008-02-22 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-22 10:35 . 2008-02-22 10:35 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\HPQ
2008-02-20 18:05 . 2008-02-20 18:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-20 14:20 . 2008-02-20 14:20 <DIR> d-------- C:\Program Files\Chessmaster Challenge
2008-02-20 14:20 . 2008-03-02 16:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 22:59 . 2008-02-18 22:59 <DIR> d---s---- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\UserData
2008-02-18 16:20 . 2008-02-18 16:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-18 12:55 . 2008-03-05 17:29 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\LimeWire
2008-02-18 12:49 . 2008-02-18 12:49 <DIR> d-------- C:\Program Files\BearFlix Applications
2008-02-18 12:49 . 2008-02-18 12:52 <DIR> d-------- C:\Program Files\BearFlix
2008-02-18 10:39 . 2008-02-18 10:39 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\ArcSoft
2008-02-18 10:25 . 2008-02-18 10:25 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\acccore
2008-02-18 10:23 . 2006-10-27 14:19 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\WINDOWS
2008-02-18 10:23 . 2006-10-27 14:43 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Symantec
2008-02-18 10:23 . 2006-10-27 14:21 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Intuit
2008-02-17 21:18 . 2008-02-17 21:18 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-02-17 21:17 . 2003-07-17 01:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-02-17 21:17 . 2004-12-31 16:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-02-17 21:12 . 2008-02-17 21:12 <DIR> d-------- C:\Program Files\NHN USA
2008-02-17 21:12 . 2008-02-17 21:12 <DIR> d-------- C:\ijji
2008-02-17 21:12 . 2008-01-16 18:25 679,936 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2008-02-17 21:12 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2008-02-17 21:07 . 2008-02-17 21:17 <DIR> d-------- C:\Program Files\softnyx
2008-02-17 20:48 . 2008-02-17 20:48 1,832 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RB103AA-ABA a1547c_YC_0Pavi_QCN5625_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64_92.4_#061229_N_Z14F12F20_G10DE0241_OTSSTcorp CD DVDW TS-H652L.MRK
2008-02-17 20:44 . 2006-10-27 14:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-02-17 18:13 . 2008-03-04 23:08 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-02-17 17:34 . 2008-02-17 18:23 <DIR> d-------- C:\Documents and Settings\The Twins\Application Data\AOL
2008-02-17 16:46 . 2008-02-17 16:46 <DIR> d-------- C:\Documents and Settings\Gayy Steven !\Application Data\Viewpoint
2008-02-17 16:26 . 2008-02-17 16:26 <DIR> d-------- C:\Documents and Settings\Gayy Steven !\Application Data\AOL
2008-02-17 14:11 . 2008-02-17 14:11 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\You've Got Pictures Screensaver
2008-02-17 14:10 . 2008-02-17 14:13 <DIR> d-------- C:\Program Files\America Online 9.0a
2008-02-17 14:00 . 2008-02-17 14:00 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\MSNInstaller
2008-02-17 13:14 . 2008-02-17 18:32 <DIR> d-------- C:\Program Files\Netscape Internet Service
2008-02-17 13:14 . 2008-02-17 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2008-02-17 13:10 . 2008-02-17 13:10 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\Viewpoint
2008-02-17 13:10 . 2008-02-17 14:12 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\AOL
2008-02-17 12:38 . 2008-02-17 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-17 08:53 . 2008-02-17 08:53 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\Netscape
2008-02-16 20:06 . 2008-02-16 20:06 5,120 --a------ C:\WINDOWS\estrictions.dll
2008-02-16 20:06 . 2008-02-16 20:06 5,120 --a------ C:\info.exe
2008-02-16 17:15 . 2008-02-16 21:08 <DIR> d-------- C:\NVIDIA Display Driver
2008-02-16 16:17 . 2008-02-16 21:07 <DIR> d-------- C:\Program Files\directx
2008-02-16 04:20 . 2008-02-16 04:20 16,384 --ahs---- C:\Thumbs.db
2008-02-14 21:00 . 2008-02-14 21:00 <DIR> d-------- C:\WINDOWS\.silabclient_store_32
2008-02-12 00:53 . 2008-02-12 00:53 <DIR> d-------- C:\Program Files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 00:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 18:46 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-02 18:22 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-02 18:22 --------- d-----w C:\Program Files\Symantec
2008-02-22 21:55 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 21:55 --------- d-----w C:\Program Files\DivX
2008-02-18 20:55 --------- d-----w C:\Program Files\LimeWire
2008-02-18 06:14 --------- d-----w C:\Program Files\Google
2008-02-18 05:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 04:48 1,832 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RB103AA-ABA a1547c_YC_0Pavi_QCN5625_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64_92.4_#061229_N_Z14F12F20_G10DE0241_OTSSTcorp CD DVDW TS-H652L.MRK
2008-02-18 02:28 --------- d-----w C:\Program Files\Apple Software Update
2008-02-18 02:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-18 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-18 02:23 --------- d-----w C:\Documents and Settings\vanOuen\Application Data\AOL
2008-02-18 02:23 --------- d-----w C:\Documents and Settings\Steven\Application Data\AOL
2008-02-18 02:18 --------- d-----w C:\Program Files\QuickTime
2008-02-18 02:17 --------- d-----w C:\Program Files\Acoustica Beatcraft
2008-02-17 22:26 --------- d-----w C:\Program Files\Trillian
2008-02-17 22:10 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-16 22:50 --------- d-----w C:\Documents and Settings\vanouenisawesome\Application Data\LimeWire
2008-02-16 11:44 --------- d-----w C:\Program Files\AIM6
2008-02-16 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 08:51 918 ----a-w C:\Documents and Settings\vanouenisawesome\Application Data\wklnhst.dat
2008-01-29 00:40 --------- d-----w C:\Documents and Settings\vanouenisawesome\Application Data\CyberLink
2008-01-23 03:44 --------- d-----w C:\Documents and Settings\The Twins\Application Data\Talkback
2008-01-18 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-18 21:02 --------- d-----w C:\Program Files\illiminable
2008-01-18 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo
2008-01-16 03:32 --------- d-----w C:\Documents and Settings\The Twins\Application Data\Netscape
2008-01-16 00:37 --------- d-----w C:\Documents and Settings\Gayy Steven !\Application Data\CyberLink
2008-01-12 03:42 --------- d-----w C:\Program Files\Zune
2008-01-12 03:20 --------- d-----w C:\Program Files\DIFX
2008-01-12 03:20 --------- d-----w C:\Program Files\Common Files\ComponentOne
2008-01-08 23:29 --------- d-----w C:\Documents and Settings\Gayy Steven !\Application Data\Apple Computer
2007-06-05 15:35 0 ----a-w C:\Documents and Settings\vanouen`s\Application Data\wklnhst.dat
2007-05-28 20:08 4,240 ----a-w C:\Documents and Settings\vanOuen\Application Data\wklnhst.dat
2007-03-26 23:58 0 ----a-w C:\Documents and Settings\Steven\Application Data\wklnhst.dat
2001-09-29 00:00 164,864 ------w C:\Program Files\UNWISE.EXE
.

------- Sigcheck -------

515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\ntkrnlpa.exe
----a-w 2,056,832 2005-03-02 00:36:40 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
----a-w 2,059,392 2006-12-19 16:12:16 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
-c----w 2,056,832 2005-03-02 00:34:40 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
-c----w 2,057,600 2006-12-19 12:55:39 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\ntkrnlpa.exe

582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\ntoskrnl.exe
----a-w 2,179,456 2005-03-02 01:04:22 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
----a-w 2,182,016 2006-12-19 16:51:12 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
-c----w 2,179,328 2005-03-02 00:59:53 C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
-c----w 2,180,352 2006-12-19 14:17:19 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}]
02/27/2008 02:42 PM 225280 --a------ C:\Program Files\Gamevance\gvtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1123C1A-5D52-4df7-B639-6346165FCD58}]
12/02/2007 06:14 AM 411064 --a------ C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C4069E3A-68F1-403E-B40E-20066696354B}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0388BA0C-C7F1-4E6A-BD7A-B59623F33363}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}

[HKEY_CLASSES_ROOT\clsid\{0388ba0c-c7f1-4e6a-bd7a-b59623f33363}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{FF3A7D74-C160-42c7-BA49-0B6AB56DEAC3}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0388BA0C-C7F1-4E6A-BD7A-B59623F33363}"= C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll [12/02/2007 06:14 AM 480696]

[HKEY_CLASSES_ROOT\clsid\{0388ba0c-c7f1-4e6a-bd7a-b59623f33363}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{FF3A7D74-C160-42c7-BA49-0B6AB56DEAC3}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 08:00 PM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 03:24 PM 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 01:17 PM 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/27/2007 07:35 AM 68856]
"QdrPack13"="C:\Program Files\QdrPack\QdrPack13.exe" [ ]
"Steam"="C:\Program Files\Steam\Steam.exe" [09/12/2007 05:15 PM 1258744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/24/2006 06:15 PM 7311360]
"nwiz"="nwiz.exe" [01/24/2006 06:15 PM 1519616 C:\WINDOWS\system32\nwiz.exe]
"Gamevance"="C:\Program Files\Gamevance\gamevance32.exe" [02/27/2008 02:42 PM 77824]

C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2/8/2008 1:32:57 PM 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 04/27/2007 01:17 PM 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--------- 08/02/2005 10:19 PM 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
C:\Program Files\BearFlix\BearFlix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 01/22/2007 10:19 PM 52840 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 08/09/2004 08:00 PM 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 03/16/2006 01:12 AM 1077248 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 03/16/2006 01:11 AM 61440 C:\Program Files\DISC\DiscUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 03/20/2006 08:05 AM 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 09/29/2005 08:01 PM 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 12/15/2005 05:18 PM 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 02/15/2006 09:34 PM 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 06/01/2005 10:35 PM 49152 c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 10/13/2004 03:24 PM 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 07/22/2005 09:14 PM 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 03/08/2006 03:54 AM 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 07/27/2007 07:35 AM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 10/27/2006 02:07 PM 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 04:47:51 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
"2008-03-01 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 17:29:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Gamevance\gvwslib.dll
-> C:\Program Files\Gamevance\gvcfglib.dll
-> C:\Program Files\Gamevance\gvhlp.dll
-> C:\Program Files\Gamevance\gvpop.dll
-> C:\Program Files\Gamevance\gvutil.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 03/05/2008 17:34:38 - machine was rebooted [Vanouen]
ComboFix-quarantined-files.txt 2008-03-06 01:34:35
.
2008-03-05 07:08:32 --- E O F ---

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:14 AM

Posted 05 March 2008 - 11:28 PM

Hi xplicit,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\ons.dll


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\estrictions.dll
C:\info.exe
C:\Program Files\Gamevance\gvtl.dll
C:\Program Files\Gamevance\gamevance32.exe



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.


*******************************

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\Program Files\QdrPack\QdrPack13.exe

Folder::
C:\Program Files\webHancer

Registry:: 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrPack13"=-	
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt, a new HijackThis log and results of the Virus Total scans.

Edited by SifuMike, 05 March 2008 - 11:29 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 xplicit

xplicit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 06 March 2008 - 05:58 PM

COMBOFIX

ComboFix 08-03-05.1 - Vanouen 2008-03-06 14:48:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512 [GMT -8:00]
Running from: C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\QdrPack\QdrPack13.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 17:14 . 2004-08-09 20:00 388,608 --a------ C:\CF1911.exe
2008-03-05 15:36 . 2008-03-06 14:20 <DIR> d-------- C:\Program Files\Steam
2008-03-04 17:03 . 2008-03-04 17:03 1,416 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 16:58 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 16:58 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 16:58 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 16:58 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 16:58 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 16:58 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 16:58 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 07:13 . 2008-03-04 07:13 <DIR> d-------- C:\Program Files\RcvSystem
2008-03-03 23:49 . 2008-03-03 23:49 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-03 13:31 . 2006-06-01 10:47 163,840 --------- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-03-03 13:31 . 2006-06-01 10:47 27,648 --------- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-03-03 13:30 . 2006-03-16 16:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-03-03 13:29 . 2006-05-05 01:41 453,120 --------- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-03-03 12:52 . 2008-03-03 12:52 <DIR> d--h----- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\ijjigame
2008-03-02 17:56 . 2008-03-02 17:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 11:25 . 2008-03-02 11:25 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\MSNInstaller
2008-03-02 11:21 . 2008-03-02 11:21 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Netscape
2008-03-02 10:20 . 2008-03-02 10:22 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-02 10:20 . 2008-03-02 10:22 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-27 14:42 . 2008-02-27 14:42 <DIR> d-------- C:\Program Files\Gamevance
2008-02-26 12:20 . 2008-02-26 12:20 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Template
2008-02-26 12:20 . 2008-03-02 12:17 162 --a------ C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\wklnhst.dat
2008-02-25 23:23 . 2008-02-25 23:23 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Sonic
2008-02-25 23:22 . 2008-02-25 23:22 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Leadertech
2008-02-25 18:02 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-25 18:02 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-25 18:00 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-25 18:00 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-25 18:00 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-25 18:00 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-24 14:31 . 2008-02-24 14:31 5,120 --a------ C:\WINDOWS\ons.dll
2008-02-22 13:55 . 2008-02-22 13:55 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Yahoo!
2008-02-22 13:55 . 2008-02-22 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-22 10:35 . 2008-02-22 10:35 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\HPQ
2008-02-20 18:05 . 2008-02-20 18:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-20 14:20 . 2008-02-20 14:20 <DIR> d-------- C:\Program Files\Chessmaster Challenge
2008-02-20 14:20 . 2008-03-02 16:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 22:59 . 2008-02-18 22:59 <DIR> d---s---- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\UserData
2008-02-18 16:20 . 2008-02-18 16:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-18 12:55 . 2008-03-06 14:21 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\LimeWire
2008-02-18 12:49 . 2008-02-18 12:49 <DIR> d-------- C:\Program Files\BearFlix Applications
2008-02-18 12:49 . 2008-02-18 12:52 <DIR> d-------- C:\Program Files\BearFlix
2008-02-18 10:39 . 2008-02-18 10:39 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\ArcSoft
2008-02-18 10:25 . 2008-02-18 10:25 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\acccore
2008-02-18 10:23 . 2006-10-27 14:19 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\WINDOWS
2008-02-18 10:23 . 2006-10-27 14:43 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Symantec
2008-02-18 10:23 . 2006-10-27 14:21 <DIR> d-------- C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Application Data\Intuit
2008-02-17 21:18 . 2008-02-17 21:18 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-02-17 21:17 . 2003-07-17 01:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-02-17 21:17 . 2004-12-31 16:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-02-17 21:12 . 2008-02-17 21:12 <DIR> d-------- C:\Program Files\NHN USA
2008-02-17 21:12 . 2008-02-17 21:12 <DIR> d-------- C:\ijji
2008-02-17 21:12 . 2008-01-16 18:25 679,936 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2008-02-17 21:12 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2008-02-17 21:07 . 2008-02-17 21:17 <DIR> d-------- C:\Program Files\softnyx
2008-02-17 20:48 . 2008-02-17 20:48 1,832 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RB103AA-ABA a1547c_YC_0Pavi_QCN5625_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64_92.4_#061229_N_Z14F12F20_G10DE0241_OTSSTcorp CD DVDW TS-H652L.MRK
2008-02-17 20:44 . 2006-10-27 14:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-02-17 18:13 . 2008-03-04 23:08 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-02-17 17:34 . 2008-02-17 18:23 <DIR> d-------- C:\Documents and Settings\The Twins\Application Data\AOL
2008-02-17 16:46 . 2008-02-17 16:46 <DIR> d-------- C:\Documents and Settings\Gayy Steven !\Application Data\Viewpoint
2008-02-17 16:26 . 2008-02-17 16:26 <DIR> d-------- C:\Documents and Settings\Gayy Steven !\Application Data\AOL
2008-02-17 14:11 . 2008-02-17 14:11 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\You've Got Pictures Screensaver
2008-02-17 14:10 . 2008-02-17 14:13 <DIR> d-------- C:\Program Files\America Online 9.0a
2008-02-17 14:00 . 2008-02-17 14:00 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\MSNInstaller
2008-02-17 13:14 . 2008-02-17 18:32 <DIR> d-------- C:\Program Files\Netscape Internet Service
2008-02-17 13:14 . 2008-02-17 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2008-02-17 13:10 . 2008-02-17 13:10 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\Viewpoint
2008-02-17 13:10 . 2008-02-17 14:12 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\AOL
2008-02-17 12:38 . 2008-02-17 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-17 08:53 . 2008-02-17 08:53 <DIR> d-------- C:\Documents and Settings\vanouenisawesome\Application Data\Netscape
2008-02-16 20:06 . 2008-02-16 20:06 5,120 --a------ C:\WINDOWS\estrictions.dll
2008-02-16 20:06 . 2008-02-16 20:06 5,120 --a------ C:\info.exe
2008-02-16 17:15 . 2008-02-16 21:08 <DIR> d-------- C:\NVIDIA Display Driver
2008-02-16 16:17 . 2008-02-16 21:07 <DIR> d-------- C:\Program Files\directx
2008-02-16 04:20 . 2008-02-16 04:20 16,384 --ahs---- C:\Thumbs.db
2008-02-14 21:00 . 2008-02-14 21:00 <DIR> d-------- C:\WINDOWS\.silabclient_store_32
2008-02-12 00:53 . 2008-02-12 00:53 <DIR> d-------- C:\Program Files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 00:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 18:46 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-02 18:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-02 18:22 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-02 18:22 --------- d-----w C:\Program Files\Symantec
2008-02-22 21:55 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 21:55 --------- d-----w C:\Program Files\DivX
2008-02-18 20:55 --------- d-----w C:\Program Files\LimeWire
2008-02-18 06:14 --------- d-----w C:\Program Files\Google
2008-02-18 05:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 04:48 1,832 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RB103AA-ABA a1547c_YC_0Pavi_QCN5625_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64_92.4_#061229_N_Z14F12F20_G10DE0241_OTSSTcorp CD DVDW TS-H652L.MRK
2008-02-18 02:28 --------- d-----w C:\Program Files\Apple Software Update
2008-02-18 02:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-18 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-18 02:23 --------- d-----w C:\Documents and Settings\vanOuen\Application Data\AOL
2008-02-18 02:23 --------- d-----w C:\Documents and Settings\Steven\Application Data\AOL
2008-02-18 02:18 --------- d-----w C:\Program Files\QuickTime
2008-02-18 02:17 --------- d-----w C:\Program Files\Acoustica Beatcraft
2008-02-17 22:26 --------- d-----w C:\Program Files\Trillian
2008-02-17 22:10 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-16 22:50 --------- d-----w C:\Documents and Settings\vanouenisawesome\Application Data\LimeWire
2008-02-16 11:44 --------- d-----w C:\Program Files\AIM6
2008-02-16 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 08:51 918 ----a-w C:\Documents and Settings\vanouenisawesome\Application Data\wklnhst.dat
2008-01-29 00:40 --------- d-----w C:\Documents and Settings\vanouenisawesome\Application Data\CyberLink
2008-01-23 03:44 --------- d-----w C:\Documents and Settings\The Twins\Application Data\Talkback
2008-01-18 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-18 21:02 --------- d-----w C:\Program Files\illiminable
2008-01-18 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo
2008-01-16 03:32 --------- d-----w C:\Documents and Settings\The Twins\Application Data\Netscape
2008-01-16 00:37 --------- d-----w C:\Documents and Settings\Gayy Steven !\Application Data\CyberLink
2008-01-12 03:42 --------- d-----w C:\Program Files\Zune
2008-01-12 03:20 --------- d-----w C:\Program Files\DIFX
2008-01-12 03:20 --------- d-----w C:\Program Files\Common Files\ComponentOne
2008-01-08 23:29 --------- d-----w C:\Documents and Settings\Gayy Steven !\Application Data\Apple Computer
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-06 10:05 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-05 15:35 0 ----a-w C:\Documents and Settings\vanouen`s\Application Data\wklnhst.dat
2007-05-28 20:08 4,240 ----a-w C:\Documents and Settings\vanOuen\Application Data\wklnhst.dat
2007-03-26 23:58 0 ----a-w C:\Documents and Settings\Steven\Application Data\wklnhst.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2001-09-29 00:00 164,864 ------w C:\Program Files\UNWISE.EXE
.

------- Sigcheck -------

515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\ntkrnlpa.exe
----a-w 2,056,832 2005-03-02 00:36:40 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
----a-w 2,059,392 2006-12-19 16:12:16 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
-c----w 2,056,832 2005-03-02 00:34:40 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
-c----w 2,057,600 2006-12-19 12:55:39 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\system32\ntkrnlpa.exe

582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\ntoskrnl.exe
----a-w 2,179,456 2005-03-02 01:04:22 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
----a-w 2,182,016 2006-12-19 16:51:12 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
-c----w 2,179,328 2005-03-02 00:59:53 C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
-c----w 2,180,352 2006-12-19 14:17:19 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}]
2008-02-27 14:42 225280 --a------ C:\Program Files\Gamevance\gvtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1123C1A-5D52-4df7-B639-6346165FCD58}]
2007-12-02 06:14 411064 --a------ C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C4069E3A-68F1-403E-B40E-20066696354B}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0388BA0C-C7F1-4E6A-BD7A-B59623F33363}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}

[HKEY_CLASSES_ROOT\clsid\{0388ba0c-c7f1-4e6a-bd7a-b59623f33363}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{FF3A7D74-C160-42c7-BA49-0B6AB56DEAC3}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0388BA0C-C7F1-4E6A-BD7A-B59623F33363}"= C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll [2007-12-02 06:14 480696]

[HKEY_CLASSES_ROOT\clsid\{0388ba0c-c7f1-4e6a-bd7a-b59623f33363}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{FF3A7D74-C160-42c7-BA49-0B6AB56DEAC3}]
[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 15:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 13:17 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 07:35 68856]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-09-12 17:15 1258744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 18:15 7311360]
"nwiz"="nwiz.exe" [2006-01-24 18:15 1519616 C:\WINDOWS\system32\nwiz.exe]
"Gamevance"="C:\Program Files\Gamevance\gamevance32.exe" [2008-02-27 14:42 77824]

C:\Documents and Settings\Vanouen.YOUR-4DACD0EA75\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 13:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 13:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--------- 2005-08-02 22:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
C:\Program Files\BearFlix\BearFlix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-22 22:19 52840 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-09 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2006-03-16 01:12 1077248 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2006-03-16 01:11 61440 C:\Program Files\DISC\DiscUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2006-03-20 08:05 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 20:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-12-15 17:18 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 21:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 22:35 49152 c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 15:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 21:14 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-08 03:54 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 07:35 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-27 14:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 04:47:51 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
"2008-03-01 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 14:49:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Gamevance\gvwslib.dll
-> C:\Program Files\Gamevance\gvcfglib.dll
-> C:\Program Files\Gamevance\gvhlp.dll
-> C:\Program Files\Gamevance\gvpop.dll
-> C:\Program Files\Gamevance\gvutil.dll
.
Completion time: 2008-03-06 14:50:09
ComboFix-quarantined-files.txt 2008-03-06 22:50:02
ComboFix2.txt 2008-03-06 22:38:10
ComboFix3.txt 2008-03-06 01:34:38
.
2008-03-05 07:08:32 --- E O F ---



HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:13 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: UrlHelper Class - {A1123C1A-5D52-4df7-B639-6346165FCD58} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BearFlix MediaBar - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx

--
End of file - 6277 bytes



VIRUS TOTAL

ONS.DLL


Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Trojan.Crypt.XPACK
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious Self Modifying File
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Virus.Win32.FileInfector.gen


INFO.

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - Suspicious:W32/Malware!Gemini
Ikarus - - Trojan.Crypt.XPACK
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious Self Modifying EXE
Rising - - -
Sophos - - Sus/UnkPacker
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen


ESTRICTIONS


Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 -
ClamAV None 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5593 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 -
Ikarus T3.1.1.20 2008.03.06 -
Kaspersky 7.0.0.125 2008.03.06 -
McAfee 5246 2008.03.06 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2928 2008.03.06 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 Trj/Agent.ICA
Prevx1 V2 2008.03.06 Heuristic: Suspicious Self Modifying File
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 Trojan.Crypt.XPACK.Gen


GAMEVANCE32

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 -
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 -
ClamAV 0.92.1 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5593 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 -
Ikarus T3.1.1.20 2008.03.06 -
Kaspersky 7.0.0.125 2008.03.06 -
McAfee 5246 2008.03.06 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2928 2008.03.06 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 -
Prevx1 V2 2008.03.06 -
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 -


GVTL

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 -
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 -
ClamAV 0.92.1 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eTrust-Vet 31.3.5593 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 -
Ikarus T3.1.1.20 2008.03.06 -
Kaspersky 7.0.0.125 2008.03.06 -
McAfee 5246 2008.03.06 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2928 2008.03.06 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 Suspicious file
Prevx1 V2 2008.03.06 -
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 -

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:14 AM

Posted 06 March 2008 - 06:31 PM

Hi xplicit,

I see you have P2P software (i.e. Limewire) installed on your machine.

We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. P2P file sharing is used as a major conduit to spread malware.

Warning: while P2P file sharing technology is completely legal, many of the files traded through P2P are copyrighted. Unless you live in Canada where citizens are shielded from P2P copyright lawsuits, downloading music, movie, and TV files will put you at risk for a civil lawsuit in any other country. These lawsuits usually take the form of class-action suits, filed against groups of users who are logged as blatantly copying and distributing copyrighted materials. Recently, the MPAA and RIAA, along with the governments of England and Australia, took several thousand users to court, demanding that they pay thousands of dollars in copyright infringement penalties. Please keep this lawsuit risk in mind when you install and use any limewire software in the USA, Europe, or Asia


**************************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Sun Java Runtime Environment 6 Update 5.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6u5-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
**************************

This item:

O15 - Trusted Zone: http://*.trymedia.com (HKLM)


which is: http://www.trymedia.com/index.shtml you have in your "Trusted Zone", I suggest you allow no one that much access to your computer and would remove it, but this is your call.

If you decide to get rid of it, then select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

Reboot your computer.

**************************

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\ons.dll
C:\info.exe
C:\WINDOWS\estrictions.dll


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log and results of the Virus Total scans.

Edited by SifuMike, 06 March 2008 - 06:32 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:14 AM

Posted 13 March 2008 - 04:58 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users