Infected With Wintems


#1 Eray

Posted 22 March 2008 - 10:34 AM

I seem to have picked up some virus that has wintems.exe in it. It won't let me kill it, and none of my anti-virus scanners or Spybot works: "Not a valid Win32 application" error. Anyway, I thought I'd start down this path by posting the HijackThis log. Thanks for your help.

Ethan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:48 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ray\Desktop\gmer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
d:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Ray Family
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] d:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - d:\Program Files\Poker.com\Poker.exe (HKCU)
O15 - Trusted Zone: http://*.nlrb.gov
O16 - DPF: Cab1 - http://host1.uviewit.com/cgi-bin/uViewIt-Web.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} (WSpell ActiveX Spelling Checker V5.15) - http://www.pd9soft.com/megabbs/registered/wspellam.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {32A155BD-68EC-404E-A14F-72A851C0811D} (WebNG-Uploader Control) - http://cp1.webng.com/client/fm/WebNG-Uploader.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/22.18/uploader2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134614281715
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134614434375
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - https://www.gircheckmgt.nationalcity.com/cr...tiveXViewer.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://meijer.lifepics.com/net/Uploader/ImageUploader3.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://comcast.oberon-media.com/online2/di...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/zuma/...aploader_v5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12071 bytes
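As an added example (not part of the thread), a small Python triage script that parses the O4 autostart lines from the log above and flags the entries worth a closer look using only what the log itself shows: a value name that does not match the file it launches, an .exe launched from system32\drivers, and the file the poster named. The sample lines are copied from the log; the heuristics, names and `REPORTED_BY_POSTER` list are my own.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the O4 (autostart) lines copied from the HijackThis log above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
"""

# The file the original poster reported; this is the thread's own report, not a
# signature set (assumption: anything else is flagged on structure alone).
REPORTED_BY_POSTER = {"wintems.exe"}

# An O4 line reads: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First token ending in .exe, quoted or not (HijackThis does not always quote paths
# containing spaces, e.g. the Spybot entry above).
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.exe)\b', re.IGNORECASE)


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str    # registry value name shown in [brackets]
    image: str   # executable the value launches
    raw: str


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Return the parsed autostart entry, or None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    img = IMAGE_RE.match(m.group("cmd"))
    if not img:
        return None
    return AutostartEntry(m.group("hive"), m.group("key"), m.group("name"),
                          img.group("image"), line.strip())


def review(entry: AutostartEntry) -> List[str]:
    """Structural checks; every reason is something visible in the log line itself."""
    reasons = []
    base = ntpath.basename(entry.image).lower()
    folder = ntpath.dirname(entry.image).lower()
    # 1. A value name that looks like a file name but is not the file actually
    #    launched ([german.exe] -> wintems.exe) is a disguise worth questioning.
    if entry.name.lower().endswith(".exe") and entry.name.lower() != base:
        reasons.append("value name does not match launched file")
    # 2. system32\drivers holds .sys kernel drivers; an .exe started from there
    #    at logon is out of place.
    if folder.endswith(r"\system32\drivers"):
        reasons.append("executable launched from the drivers directory")
    # 3. The file the poster could not kill.
    if base in REPORTED_BY_POSTER:
        reasons.append("named by the poster as the unkillable process")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every O4 line in a HijackThis log and keep the ones with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f.entry.name}] -> {f.entry.image}")
        for r in f.reasons:
            print("   -", r)
```

Run against the full log the script ignores every non-O4 line, so it can be pointed at the whole paste rather than a hand-picked excerpt.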


#2 Aaflac


Posted 22 March 2008 - 05:45 PM

Please read the following carefully before downloading the program indicated. If this procedure is not done as directed, it does not work!!
Also, in the event you already downloaded ComboFix, this is a new version, so please remove the version you have.


Download ComboFix
Save to the Desktop <<< Important!!
  • During the download, rename Combofix to Combo-Fix as follows:
  • Please do not rename ComboFix to any other name, but only to the one indicated: Combo-Fix
  • Close any open browsers, and close/disable your AntiVirus and any AntiSpyware programs so they do not interfere with the running of Combo-Fix.
  • Double click on Combo-Fix.exe and follow the prompts.

  • Combo-Fix disconnects the computer from the Internet as soon as it starts
  • Please do not attempt to re-connect to the Internet until Combo-Fix has completely finished.
  • If there is no Internet connection after running Combo-Fix, then restart the computer to restore the connection.

  • Do not click on the window while the program is running; it may cause the system to stall.
  • When finished, the program produces a report: C:\Combo-Fix.txt
~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the Combo-Fix.txt, and a new HijackThis log in your reply.

Edited by Aaflac, 22 March 2008 - 06:59 PM.

Old duck...


#3 Eray


Posted 22 March 2008 - 08:11 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:02 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] d:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] d:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - d:\Program Files\Poker.com\Poker.exe (HKCU)
O15 - Trusted Zone: http://*.nlrb.gov
O16 - DPF: Cab1 - http://host1.uviewit.com/cgi-bin/uViewIt-Web.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} (WSpell ActiveX Spelling Checker V5.15) - http://www.pd9soft.com/megabbs/registered/wspellam.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {32A155BD-68EC-404E-A14F-72A851C0811D} (WebNG-Uploader Control) - http://cp1.webng.com/client/fm/WebNG-Uploader.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/22.18/uploader2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134614281715
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134614434375
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - https://www.gircheckmgt.nationalcity.com/cr...tiveXViewer.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://meijer.lifepics.com/net/Uploader/ImageUploader3.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://comcast.oberon-media.com/online2/di...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/zuma/...aploader_v5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13146 bytes

ComboFix 08-03-22.1 - Ray 2008-03-22 20:49:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -4:00]
Running from: C:\Documents and Settings\Ray\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\Dvbpws.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-22 15:27 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-22 15:27 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-22 15:27 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-22 15:27 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-22 15:27 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-22 15:27 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-22 15:27 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-22 15:27 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-22 10:05 . 2008-03-22 10:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-22 10:05 . 2008-03-22 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-22 09:27 . 2008-03-22 09:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-22 09:20 . 2008-03-22 13:16 250 --a------ C:\WINDOWS\gmer.ini
2008-03-22 09:10 . 2008-03-22 12:41 <DIR> d-------- C:\SDFix
2008-03-22 07:58 . 2008-03-22 07:58 14,852 --------- C:\WINDOWS\system32\wi1.exe
2008-03-21 08:47 . 2008-03-21 08:47 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\LEGO Company
2008-03-19 18:14 . 2008-03-19 18:16 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\AVG7
2008-03-18 22:27 . 2008-03-21 21:58 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\AVG7
2008-03-18 22:27 . 2008-03-18 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-18 22:27 . 2008-03-19 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 20:16 . 2008-03-18 20:13 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-18 20:16 . 2008-03-18 20:16 2,539 --a------ C:\WINDOWS\unins000.dat
2008-03-14 13:50 . 2008-03-14 13:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ParentalControl
2008-03-14 11:51 . 1999-09-09 11:28 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-03-14 11:51 . 2008-03-14 12:01 119 --a------ C:\WINDOWS\NNS.INI
2008-03-10 18:42 . 2008-03-10 18:42 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\yoclient
2008-03-09 11:33 . 2008-03-09 11:33 <DIR> d-------- C:\Program Files\Disney
2008-03-09 10:24 . 2008-03-09 10:36 <DIR> d-------- C:\Program Files\Chocolate Castle Demo
2008-03-09 10:24 . 2008-03-09 10:24 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\Chocolate Castle
2008-03-03 21:56 . 2001-08-17 23:36 1,293,824 --a------ C:\WINDOWS\system32\dsound3d.dll
2008-03-02 21:47 . 2008-03-02 21:47 <DIR> d-------- C:\Program Files\Realtek AC97
2008-03-02 19:13 . 2007-10-12 16:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-02-29 19:04 . 2008-03-22 20:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 19:04 . 2008-02-29 19:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 15:09 . 2008-02-29 15:09 <DIR> d-------- C:\Program Files\Replay AV 8
2008-02-27 21:27 . 2008-02-28 20:26 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\PARENTALCONTROL
2008-02-27 19:26 . 2008-02-27 19:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-27 19:11 . 2008-02-27 19:11 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-02-26 22:52 . 2008-02-26 22:52 11,900 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-26 22:48 . 2008-02-26 22:48 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\ScanSoft
2008-02-26 22:01 . 2008-02-29 07:28 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\ParentalControl
2008-02-26 21:54 . 2008-02-26 21:54 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\CopyTransControlCenter
2008-02-26 20:08 . 2008-02-26 20:59 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-02-25 22:55 . 2008-02-25 22:55 <DIR> d-------- C:\Program Files\iPod
2008-02-24 21:27 . 2003-06-25 17:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-24 21:27 . 2002-06-21 16:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-24 16:50 . 2008-02-24 16:50 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\Apple Computer
2008-02-24 16:17 . 2008-02-24 16:17 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\Yahoo!
2008-02-24 16:14 . 2008-02-24 16:14 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 20:49 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-03-22 16:09 --------- d-----w C:\Program Files\GamesBar
2008-03-19 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-19 22:55 --------- d-----w C:\Program Files\McAfee.com
2008-03-19 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 01:23 --------- d-----w C:\Documents and Settings\Ray\Application Data\Azureus
2008-03-14 16:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-05 23:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-02-29 23:15 --------- d-----w C:\Documents and Settings\Ray\Application Data\Uniblue
2008-02-29 19:09 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-02-28 01:25 --------- d-----w C:\Program Files\Yahoo!
2008-02-27 23:25 --------- d-----w C:\Program Files\Common Files\Real
2008-02-24 19:14 --------- d-----w C:\Program Files\Shockwave.com
2008-02-18 19:10 --------- d-----w C:\Documents and Settings\Ray\Application Data\PlayFirst
2008-02-18 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-18 19:09 --------- d-----w C:\Program Files\Yahoo! Games
2008-02-17 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-02-17 19:10 --------- d-----w C:\Program Files\Chill
2008-02-17 18:41 --------- d-----w C:\Documents and Settings\Ray\Application Data\Yahoo!
2008-02-17 18:04 --------- d-----w C:\Program Files\Nick Arcade
2008-02-15 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-14 14:47 --------- d-----w C:\Documents and Settings\Ray\Application Data\ZoomBrowser EX
2008-02-14 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-02-14 14:30 --------- d-----w C:\Program Files\Canon
2008-02-14 13:37 --------- d-----w C:\Program Files\Common Files\Canon
2008-02-14 00:05 --------- d-----w C:\Program Files\QuickTime
2008-02-11 23:01 217,073 --sha-r C:\WINDOWS\meta4.exe
2008-02-11 22:12 92,064 ----a-w C:\Documents and Settings\Ray\mqdmmdm.sys
2008-02-11 22:12 9,232 ----a-w C:\Documents and Settings\Ray\mqdmmdfl.sys
2008-02-11 22:12 79,328 ----a-w C:\Documents and Settings\Ray\mqdmserd.sys
2008-02-11 22:12 66,656 ----a-w C:\Documents and Settings\Ray\mqdmbus.sys
2008-02-11 22:12 6,208 ----a-w C:\Documents and Settings\Ray\mqdmcmnt.sys
2008-02-11 22:12 5,936 ----a-w C:\Documents and Settings\Ray\mqdmwhnt.sys
2008-02-11 22:12 4,048 ----a-w C:\Documents and Settings\Ray\mqdmcr.sys
2008-02-11 22:12 25,600 ----a-w C:\Documents and Settings\Ray\usbsermptxp.sys
2008-02-11 22:12 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2008-02-11 22:12 22,768 ----a-w C:\Documents and Settings\Ray\usbsermpt.sys
2008-02-11 17:02 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-02-11 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-02-11 16:48 --------- d-----w C:\Program Files\LiveUpdate
2008-02-11 16:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-31 23:25 --------- d-----w C:\Documents and Settings\Ray\Application Data\Oberon Games
2008-01-31 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Oberon Games
2008-01-27 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 12:58 --------- d-----w C:\Documents and Settings\Ray\Application Data\Lavasoft
2008-01-27 12:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Aventail
2008-01-26 19:53 --------- d-----w C:\Documents and Settings\Ray\Application Data\Aventail
2008-01-24 21:36 4,127,488 ----a-r C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-01-24 00:22 --------- d-----w C:\Program Files\Unity
2007-09-29 01:00 8,159,232 ----a-w C:\Program Files\HTML Guardian 7.msi
2007-01-10 13:30 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-12-27 14:00 87,608 ----a-w C:\Documents and Settings\Ray\Application Data\ezpinst.exe
2006-12-27 14:00 47,360 ----a-w C:\Documents and Settings\Ray\Application Data\pcouffin.sys
2005-12-16 19:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2005-02-28 18:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_12.25.32.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-23 00:58:01 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-03-18 02:04 696320]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"AVG7_CC"="d:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-22 11:12 579072]
"avast!"="d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="d:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]
"AVG7_Run"="d:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-22 11:10 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aes.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-05-09 19:16 192512 D:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2006-10-24 11:07 368640 C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"PhotoShow Deluxe Media Manager"=D:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
"tunebite.exe"=D:\Program Files\tunebite\tunebite.exe -hidden
"<NO NAME>"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IndexSearch"="D:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"Opware15"="D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
"PaperPort PTD"="D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
"PDF3 Registry Controller"="D:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe"
"PPScheduler"="D:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
"OneTouch Monitor"=C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinFast Schedule"=C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
"<NO NAME>"=
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"tsnp2std"=C:\WINDOWS\tsnp2std.exe
"FixCamera"=C:\WINDOWS\FixCamera.exe
"snp2std"=C:\WINDOWS\vsnp2std.exe
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe"
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"D:\\Program Files\\eMule\\emule.exe"=

R2 HWiNFO32;HWiNFO32 Kernel Driver;d:\Program Files\HWiNFO32\HWiNFO32.SYS [2007-03-05 20:14]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 03:49]
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 04:06]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys []
S3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys []
S3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys []
S3 RioS35;RioS35S driver;C:\WINDOWS\system32\Drivers\RioS35.sys []
S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2004-02-16 17:51]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-05-13 14:57]
S3 usbser2k;Motorola USB Modem Driver from Win2K SP4;C:\WINDOWS\system32\DRIVERS\usbser2k.sys [2006-07-28 09:18]
S3 WFIOCTL;WFIOCTL;d:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 17:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05ee52a0-8469-11da-a046-00301b3d8134}]
\Shell\AutoRun\command - K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9017c330-5e25-11dc-a3bb-806d6172696f}]
\Shell\AutoRun\command - J:\Setup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bad5fc30-6dc1-11da-88ab-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e14cefa7-846f-11da-a048-00301b3d8134}]
\Shell\AutoRun\command - L:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 12:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-22 10:37:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-16 20:54:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-26 21:53:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 20:59:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
d:\Program Files\Alwil Software\Avast4\setup\avast.setup
.
**************************************************************************
.
Completion time: 2008-03-22 21:05:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 01:05:44
ComboFix2.txt 2008-03-22 16:52:39
ComboFix3.txt 2008-03-22 16:25:54
.
2008-03-20 21:24:49 --- E O F ---
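
A first triage pass over a log like the one above, added here as an example and not part of the original post or of ComboFix itself. It parses ComboFix's two file-listing layouts (the recent-files block with "created . modified" and the Find3M block), reads the attribute column as a set of flag letters (d directory, s system, h hidden, a archive, r read-only, w writable, t temporary) instead of by position, and applies a few review rules: a loose file under C:\WINDOWS carrying both the system and hidden attributes, an executable or driver sitting directly in a user profile root, a service or driver line whose bracketed date/size stamp is empty, an AutoRun command cached in MountPoints2 for a mounted volume, and more than one resident antivirus product in the Run keys. The sample input is an excerpt copied from the log above; the vendor path hints, the severities, and the reading of an empty bracket pair as "binary not found at scan time" are the example's own assumptions, and every finding is a "look at this" marker, not a malware verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: an excerpt of the ComboFix log above in its two
# file-listing layouts, plus Run-key, service and MountPoints2 lines.
SAMPLE_LOG = r"""
2008-02-29 19:04 . 2008-03-22 20:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 19:11 . 2008-02-27 19:11 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-22 20:49 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-02-11 23:01 217,073 --sha-r C:\WINDOWS\meta4.exe
2008-02-11 22:12 92,064 ----a-w C:\Documents and Settings\Ray\mqdmmdm.sys
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2008-01-24 21:36 4,127,488 ----a-r C:\WINDOWS\system32\drivers\alcxwdm.sys
"AVG7_CC"="d:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-22 11:12 579072]
"avast!"="d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 03:49]
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys []
\Shell\AutoRun\command - K:\autorun.exe
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"
"""

# Attribute column read as flag letters (d s h a r w t), so the 7-char Find3M
# layout and the 9-char recent-files layout are handled by the same code.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size><DIR>|-+|[\d,]+)"
    r" (?P<attrs>[-a-z]{7,9})"
    r" (?P<path>[A-Za-z]:\\.+)$"
)
RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.+?) \[(?P<stamp>[^\]]*)\]$')
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)
AUTORUN_LINE = re.compile(r"^\\shell\\autorun\\command - (?P<cmd>.+)$", re.IGNORECASE)
PROFILE_ROOT_BINARY = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+\.(exe|dll|sys)$", re.IGNORECASE
)
# Path fragments of the two resident shields seen in this log (assumed list).
AV_VENDOR_HINTS = {r"grisoft\avg": "AVG", "avast": "avast!"}


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int | None          # None for directories and for "---------"
    flags: frozenset[str]
    is_dir: bool


@dataclass(frozen=True)
class Finding:
    severity: str             # high / medium / low: review priority, not a verdict
    kind: str
    path: str


def parse_file_line(line: str) -> FileEntry | None:
    """Parse one ComboFix file-listing line; None for any other kind of line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    flags = frozenset(m["attrs"]) - {"-"}
    size = int(m["size"].replace(",", "")) if m["size"][0].isdigit() else None
    return FileEntry(m["path"], size, flags, "d" in flags or m["size"] == "<DIR>")


def triage(log_text: str) -> list[Finding]:
    """Apply the review rules to a ComboFix log and return what to look at first."""
    findings: list[Finding] = []
    resident_av: dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_file_line(line)
        if entry is not None:
            # +s +h on a loose file under C:\WINDOWS keeps it out of Explorer even
            # with "show hidden files" on; the helper's CFScript targets one such file.
            if not entry.is_dir and {"s", "h"} <= entry.flags and entry.path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("high", "hidden+system file under C:\\WINDOWS", entry.path))
            elif not entry.is_dir and PROFILE_ROOT_BINARY.match(entry.path):
                findings.append(Finding("low", "executable or driver in a user profile root", entry.path))
            continue
        m = RUN_LINE.match(line)
        if m:
            value = m["value"].strip('"').lower()
            for hint, vendor in AV_VENDOR_HINTS.items():
                if hint in value:
                    resident_av[vendor] = m["value"]
            continue
        m = SERVICE_LINE.match(line)
        if m:
            # Empty brackets: no date/size stamp for the binary, which in these
            # logs usually means it was not found on disk (assumption).
            if not m["stamp"]:
                findings.append(Finding("medium", "service/driver binary ComboFix could not stamp", m["path"]))
            continue
        m = AUTORUN_LINE.match(line)
        if m:
            findings.append(Finding("medium", "AutoRun command cached in MountPoints2 for a mounted volume", m["cmd"]))
    if len(resident_av) > 1:
        findings.append(Finding("medium", "more than one resident antivirus in the Run keys", ", ".join(sorted(resident_av))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.path}")
```

On the sample it flags C:\WINDOWS\meta4.exe, which the reply below also puts in its CFScript, and two system32 files carrying the same hidden+system attributes that deserve the same scrutiny; the hidden-only QTFont.qfn and the hidden+system DRM folder are left alone because hidden-only caches and hidden system directories are normal. The .sys file in the profile root comes out low because location alone is weak evidence, and the two resident shields are reported as a conflict rather than as an infection.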

#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 23 March 2008 - 09:41 PM

Since you stated that your AntiVirus program and Spybot Search and Destroy are not working, you need to re-install these programs. They may have a damaged executable, as a result of the Trojan (Bagle) present in the system. It is famous for disabling/damaging security applications.

…and, it looks as if you now have two AntiVirus programs installed:
Grisoft\AVG7
Avast4

Having more than one of these programs active in memory opens the door to potential conflicts between the programs, uses additional resources, and may result in diminished detection capabilities, or cause false virus alerts.

The best thing to do is uninstall one of the AV programs and let the one you choose to keep do its job.

To uninstall whichever program you do not want to keep:

Go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and uninstall the program you do not want to keep by selecting the entry and clicking on Remove:

Next, search for and delete the folder related to the program. It should be in:
C:\Program Files\

Then, restart the computer.

~~~~
Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the text inside the code box below to Notepad:

File:: 
C:\WINDOWS\system32\wi1.exe
C:\WINDOWS\meta4.exe

Folder::
C:\WINDOWS\.jagex_cache_32

Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop

Posted Image


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect; however, we need to analyze the information in the report.

Posted Image

Posted Image

To obtain the report:
Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the Kaspersky Online Scanner Report, the new ComboFix log, and the new HijackThis log in your reply.

Old duck...




