
What The Heck Is Happening?!?!?!


This topic is locked. 16 replies to this topic.

#1 dw4rfw0lf

Posted 29 March 2008 - 01:39 AM

Hey guys,
My comp's going mental with advertisements, auto-updates for Windows, etc. Have had that Virtumonde, Vundo, and MapEDC, but think they are gone. Have run Spybot Search and Destroy, Reg Mechanic, and Ad-Aware... nothing seems to come up major now... but I'm still getting the advertisements and the CA firewall going off as soon as the PC starts up. Any help would be perfect.
Attached, I hope, is my HijackThis file.
Thanx.


This might make it easier for you to read. Thanx.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:04 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\qoeapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C29C335-7E83-41CB-83DC-815CC3F7D5C2} - (no file)
O2 - BHO: (no name) - {1621FBE8-F70D-4548-9D95-9C3257241B6F} - (no file)
O2 - BHO: (no name) - {255063DA-C549-4892-BB8F-DA5C4AF47E4E} - (no file)
O2 - BHO: (no name) - {296CDE7B-CBA9-4A98-ACAD-E74F880FD0A7} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\ljjjkhi.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {36128b3a-97d6-4fe8-2a04-46b040ae3f65} - {56f3ea04-0b64-40a2-8ef4-6d79a3b82163} - C:\WINDOWS\system32\dkxigxfp.dll
O2 - BHO: (no name) - {5CD9C343-0BA9-4584-BC9B-B31E2127119E} - C:\WINDOWS\system32\jkkjh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {88442f2a-ecf0-44f7-86c2-515651d607b9} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF1266AA-BA2A-45A0-9BAF-89CD83617A7D} - (no file)
O2 - BHO: (no name) - {C565BC80-855F-4D06-8C32-42EA7F239F16} - (no file)
O2 - BHO: (no name) - {FAA62C60-FAF5-4728-B0EB-E58C2B309D00} - (no file)
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194426542953
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: ljjjkhi - C:\WINDOWS\SYSTEM32\ljjjkhi.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 11304 bytes
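As an added triage example (not code from this thread, from HijackThis or from BleepingComputer), the script below parses the O2, R3 and O20 lines of a HijackThis log like the one above and flags what a helper reads off it: orphaned registrations, unnamed BHOs loading random-looking DLLs from system32, and a Winlogon Notify hook that shares its DLL with a BHO. The sample lines are copied from the log above into a constructed input, and the allow-list of default Winlogon Notify DLLs is an assumption.

```python
"""Triage helper for HijackThis logs (added example, not HijackThis's or
BleepingComputer's own code). Parses O2 (BHO), R3 (URLSearchHook) and
O20 (Winlogon Notify) lines and flags the patterns a malware helper
looks for in a log like the one posted above."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1,
# plus benign entries, so the triage can run offline.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C29C335-7E83-41CB-83DC-815CC3F7D5C2} - (no file)
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\ljjjkhi.dll
O2 - BHO: {36128b3a-97d6-4fe8-2a04-46b040ae3f65} - {56f3ea04-0b64-40a2-8ef4-6d79a3b82163} - C:\WINDOWS\system32\dkxigxfp.dll
O2 - BHO: (no name) - {5CD9C343-0BA9-4584-BC9B-B31E2127119E} - C:\WINDOWS\system32\jkkjh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: ljjjkhi - C:\WINDOWS\SYSTEM32\ljjjkhi.dll
"""

# Assumption: DLLs that Windows XP itself registers under Winlogon\Notify;
# anything else registered there deserves a second look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}

# O2 and R3 entries share the "name - {CLSID} - path" shape.
NAMED_CLSID_RE = re.compile(
    r"^(?P<sec>O2|R3) - (?P<kind>BHO|URLSearchHook): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Finding:
    severity: str  # "low", "high" or "critical"
    section: str   # HijackThis section id, e.g. "O2"
    path: str
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(stem: str) -> bool:
    """Heuristic: 5-8 lowercase letters with few vowels (ljjjkhi, dkxigxfp)."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25


def triage(log_text: str) -> list[Finding]:
    lines = log_text.splitlines()
    named = [m for m in map(NAMED_CLSID_RE.match, lines) if m]
    notify = [m for m in map(NOTIFY_RE.match, lines) if m]
    # DLLs registered as BHOs, for cross-referencing against Winlogon hooks.
    bho_dlls = {basename(m["path"]) for m in named
                if m["sec"] == "O2" and m["path"] != "(no file)"}
    findings: list[Finding] = []
    for m in named:
        path, name = m["path"], m["name"]
        if path == "(no file)":
            findings.append(Finding("low", m["sec"], path,
                f"orphaned {m['kind']} {{{m['clsid']}}}: DLL no longer on disk"))
            continue
        # Legitimate BHOs carry a class name; Vundo-style ones show "(no name)"
        # or a bare GUID and live directly in system32.
        unnamed = name == "(no name)" or GUID_RE.match(name) is not None
        if unnamed and "\\system32\\" in path.lower():
            base = basename(path)
            tag = (" with a random-looking name"
                   if looks_random(base.rsplit(".", 1)[0]) else "")
            findings.append(Finding("high", m["sec"], path,
                f"unnamed {m['kind']} loads {base} from system32{tag}"))
    for m in notify:
        base = basename(m["path"])
        if base in KNOWN_NOTIFY_DLLS:
            continue
        if base in bho_dlls:
            findings.append(Finding("critical", "O20", m["path"],
                f"{base} is registered both as a BHO and as a Winlogon Notify hook"))
        else:
            findings.append(Finding("high", "O20", m["path"],
                f"non-default Winlogon Notify DLL {base}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.section:3} {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample it reports the three unnamed system32 BHOs as high, the two "(no file)" leftovers as low, and the ljjjkhi.dll BHO/Winlogon pair as critical, which is exactly the cluster the helper targets in the next post.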


#2 Buckeye_Sam (Malware Expert)

Posted 29 March 2008 - 03:45 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#3 dw4rfw0lf (Topic Starter)

Posted 29 March 2008 - 09:59 PM

Thanx Sam,
Ran ComboFix; it froze for about 10 minutes while rebooting (it was stuck on "Windows is now shutting down" and there was no activity), so I turned it off and on. Spybot Search and Destroy is going off with "value deleted" and such.
Here is the log.

ComboFix 08-03-29.1 - w0lfm4n 2008-03-30 13:29:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 11:00]
Running from: C:\Documents and Settings\w0lfm4n\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\MapEDC
C:\Program Files\MapEDC\IDE.stt
C:\Program Files\MapEDC\MapEDC.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Temp\sanR24
C:\WINDOWS\BM7fcc71fb.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\alyqbnpk.dll
C:\WINDOWS\system32\blflvnne.ini
C:\WINDOWS\system32\dkxigxfp.dll
C:\WINDOWS\system32\ennvlflb.dll
C:\WINDOWS\system32\fbcvnctb.dll
C:\WINDOWS\system32\fxsnpnjj.ini
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\ieosrsyf.dll
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\kdtbupjf.dll
C:\WINDOWS\system32\ljjjkhi.dll
C:\WINDOWS\system32\ljkujdyg.dll
C:\WINDOWS\system32\madklmjn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\onjawavn.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qrwcbjph.dll
C:\WINDOWS\system32\stpgtdhl.dll
C:\WINDOWS\system32\vpdfqegf.dll
C:\WINDOWS\system32\wcphbgoj.dll
C:\WINDOWS\system32\wmeghcam.dll
C:\WINDOWS\system32\wrrmpffx.ini
C:\WINDOWS\system32\ykxuchce.dll
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 17:53 . 2008-03-29 17:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 17:53 . 2008-03-29 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 16:26 . 2008-03-29 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 14:05 . 2008-03-23 14:53 40 --a------ C:\SYSTEM.VER
2008-03-23 14:04 . 2008-03-23 14:04 <DIR> d-------- C:\Program Files\Lame MP3 Codec
2008-03-23 14:04 . 2002-12-03 22:13 1,048,576 --a------ C:\WINDOWS\system32\lameACM.acm
2008-03-23 14:04 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-03-23 14:04 . 2008-03-23 14:04 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-03-23 14:04 . 2004-12-10 21:29 401 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-03-23 14:02 . 2008-03-23 14:02 <DIR> d-------- C:\Program Files\Samsung
2008-03-14 20:44 . 2008-03-14 20:44 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-14 10:54 . 2008-03-21 11:08 2,292,261 ---hs---- C:\WINDOWS\system32\qhrsjkov.ini
2008-03-14 09:48 . 2008-03-14 09:49 1,308,041 ---hs---- C:\WINDOWS\system32\dbjceloy.ini
2008-03-10 18:51 . 2008-03-14 09:50 1,346,930 ---hs---- C:\WINDOWS\system32\fcuygdis.ini
2008-03-09 18:49 . 2008-03-10 18:50 1,307,681 ---hs---- C:\WINDOWS\system32\rpsklvud.ini
2008-03-09 17:47 . 2008-03-09 17:49 1,307,561 ---hs---- C:\WINDOWS\system32\osiqunbg.ini
2008-03-09 00:21 . 2008-03-10 02:13 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-03-08 22:18 . 2008-03-08 22:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-08 22:18 . 2008-03-08 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-07 20:02 . 2008-03-07 20:02 82 --a------ C:\WINDOWS\wininit.ini
2008-03-07 18:19 . 2008-03-07 18:15 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-07 18:19 . 2008-03-07 18:19 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-07 17:41 . 2008-03-08 17:44 2,318,695 ---hs---- C:\WINDOWS\system32\kdjjfmhb.ini
2008-03-06 16:40 . 2008-03-06 17:23 1,302,741 ---hs---- C:\WINDOWS\system32\fwmdxpbm.ini
2008-03-04 22:20 . 2008-03-06 16:35 1,302,672 ---hs---- C:\WINDOWS\system32\vtecvbym.ini
2008-03-03 22:18 . 2008-03-04 22:20 1,302,192 ---hs---- C:\WINDOWS\system32\jtwjibji.ini
2008-03-01 05:22 . 2008-03-24 16:14 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-02-29 21:46 . 2008-02-29 21:47 <DIR> d-------- C:\Program Files\limewire
2008-02-29 15:28 . 2008-03-30 08:21 100,910 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-02-29 15:28 . 2008-03-30 08:21 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-02-29 15:23 . 2008-03-08 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 14:11 . 2008-03-30 13:14 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\CallingID
2008-02-29 14:07 . 2008-02-29 15:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-29 14:07 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-02-29 14:06 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-02-29 14:06 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-02-29 14:06 . 2008-02-29 15:17 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-02-29 14:06 . 2008-02-29 15:17 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-02-29 14:06 . 2008-02-29 15:17 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-02-29 14:06 . 2008-02-29 15:17 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-02-29 14:06 . 2008-02-29 15:17 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-02-29 14:06 . 2008-02-29 15:17 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-02-29 14:06 . 2008-02-29 15:17 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-02-29 14:02 . 2008-02-29 14:07 <DIR> d-------- C:\Program Files\CA
2008-02-29 14:02 . 2008-02-29 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-02-29 12:57 . 2008-02-29 21:22 954 ---hs---- C:\WINDOWS\system32\sapwckcp.ini
2008-02-28 07:35 . 2008-02-29 12:51 414 ---hs---- C:\WINDOWS\system32\wheouqjr.ini
2008-02-27 07:32 . 2008-02-28 07:32 294 ---hs---- C:\WINDOWS\system32\aqpahowl.ini
2008-02-26 19:18 . 2008-02-26 19:18 134 --a------ C:\n.bat
2008-02-26 19:17 . 2008-02-26 19:17 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-26 19:16 . 2008-02-26 19:16 <DIR> d-------- C:\WINDOWS\system32\iDlo18
2008-02-26 19:16 . 2008-03-30 13:29 <DIR> d-------- C:\Temp
2008-02-23 21:41 . 2008-02-23 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-22 19:30 . 2008-02-22 19:30 17 --a------ C:\WINDOWS\Ezoneturkey.prf
2008-02-22 19:26 . 2008-02-22 19:26 17 --a------ C:\WINDOWS\Ezonebugganut.prf
2008-02-19 05:43 . 2005-06-21 16:43 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-02-19 05:29 . 2008-02-19 05:29 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-18 16:29 . 2008-02-18 16:29 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\Lavasoft
2008-02-18 15:49 . 2008-02-18 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-18 14:04 . 2008-02-18 14:04 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\AVSMedia
2008-02-18 14:01 . 2008-02-18 14:01 <DIR> d-------- C:\Program Files\AVSMedia
2008-02-18 13:09 . 2008-02-18 13:09 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-18 10:37 . 2008-02-29 13:53 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-02-18 10:36 . 2008-02-18 10:41 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\Symantec
2008-02-18 10:36 . 2008-02-29 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-18 10:35 . 2008-02-18 10:35 6 --a------ C:\ISACER.ID
2008-02-17 22:29 . 2008-03-26 19:01 <DIR> d-------- C:\Converted
2008-02-17 22:20 . 2008-02-17 22:20 <DIR> d-------- C:\Program Files\VSO
2008-02-17 22:20 . 2008-03-26 23:02 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\Vso
2008-02-17 22:20 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-02-17 22:20 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-02-17 22:20 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-02-17 22:20 . 2008-02-17 22:20 87,608 --a------ C:\Documents and Settings\w0lfm4n\Application Data\inst.exe
2008-02-17 22:20 . 2008-02-17 22:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-17 22:20 . 2008-02-17 22:20 47,360 --a------ C:\Documents and Settings\w0lfm4n\Application Data\pcouffin.sys
2008-02-17 12:22 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-02-16 17:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-16 17:42 . 2008-02-16 17:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-16 17:24 . 2008-02-16 17:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2008-02-16 16:55 . 2008-02-16 16:55 <DIR> d-------- C:\Program Files\TeamViewer3
2008-02-16 16:55 . 2008-02-16 17:03 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\TeamViewer
2008-02-16 16:51 . 2008-02-16 16:51 <DIR> d-------- C:\Documents and Settings\w0lfm4n\temp
2008-02-16 15:03 . 2008-02-16 15:14 <DIR> d-------- C:\Program Files\RegCure
2008-02-10 18:27 . 2008-02-10 18:27 <DIR> d-------- C:\Program Files\Freeze.com
2008-02-10 18:27 . 2005-08-11 15:51 1,612,037 --a------ C:\WINDOWS\Pumpkin Patch.imx
2008-02-10 18:27 . 2005-08-11 15:51 438,272 --a------ C:\WINDOWS\Pumpkin Patch.scr
2008-02-10 18:27 . 2005-08-11 15:51 416 --a------ C:\WINDOWS\Pumpkin Patch.ini
2008-02-10 17:36 . 2008-02-10 17:36 <DIR> d-------- C:\Program Files\coolbuddy screensaver vin diesel
2008-02-10 17:22 . 2008-02-10 17:22 2,336,298 --a------ C:\WINDOWS\rihanna.scr
2008-02-10 17:15 . 2008-02-10 17:15 792,298 --a------ C:\WINDOWS\system32\catsplay.scr
2008-02-10 17:14 . 2008-02-10 17:14 1,311,335 --a------ C:\WINDOWS\system32\aquarium.scr
2008-02-01 11:11 . 2008-02-01 11:11 586,240 --a------ C:\WINDOWS\WLXPGSS.SCR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 02:45 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-03-30 02:25 --------- d-----w C:\Documents and Settings\w0lfm4n\Application Data\mIRC
2008-03-26 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-25 21:08 --------- d-----w C:\Documents and Settings\w0lfm4n\Application Data\LimeWire
2008-03-24 07:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 09:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-07 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-07 07:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 01:04 --------- d-----w C:\Program Files\Windows Live
2008-02-23 10:40 --------- d-----w C:\Program Files\Games
2008-02-19 14:48 --------- d-----w C:\Program Files\Multimedia Combo Set
2008-02-18 03:03 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-18 02:54 --------- d-----w C:\Program Files\AVS4YOU
2008-02-17 11:19 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-02-16 06:44 --------- d-----w C:\Program Files\Java
2008-02-16 06:27 634,628 ----a-w C:\WINDOWS\java\Packages\F3NDZ53H.ZIP
2008-02-16 06:14 155,995 ----a-w C:\WINDOWS\java\Packages\7F5FLZJ5.ZIP
2008-02-10 07:27 --------- d-----w C:\Program Files\Yahoo!
2008-02-08 07:22 --------- d-----w C:\Program Files\The Sims
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-14 00:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

------- Sigcheck -------

2006-04-20 23:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 03:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 23:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-31 22:01 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-09 20:43 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C29C335-7E83-41CB-83DC-815CC3F7D5C2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1621FBE8-F70D-4548-9D95-9C3257241B6F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{255063DA-C549-4892-BB8F-DA5C4AF47E4E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{296CDE7B-CBA9-4A98-ACAD-E74F880FD0A7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56f3ea04-0b64-40a2-8ef4-6d79a3b82163}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CD9C343-0BA9-4584-BC9B-B31E2127119E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88442f2a-ecf0-44f7-86c2-515651d607b9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF1266AA-BA2A-45A0-9BAF-89CD83617A7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C565BC80-855F-4D06-8C32-42EA7F239F16}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAA62C60-FAF5-4728-B0EB-E58C2B309D00}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25 1961984]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 22:51 409600]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-08-12 22:28 1465280]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-02-29 15:17 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-02-29 15:17 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-02-29 15:17 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-02-29 15:17 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-02-29 15:17 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-02-29 15:17 14088]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 11:58 2483496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkhi]
ljjjkhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 13:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 18:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard ]
--a------ 2005-08-02 22:43 217088 C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse ]
--a------ 2004-06-27 14:54 503808 C:\Program Files\Multimedia Combo Set\MouseDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\mIRC\\mirc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21433:TCP"= 21433:TCP:BitComet 21433 TCP
"21433:UDP"= 21433:UDP:BitComet 21433 UDP

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 09:46]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 13:28]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 09:46]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 03:54]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-04 08:23]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 08:39]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-12 11:02]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-02-29 15:17]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 17:49]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 17:50]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 17:50]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 17:50]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 17:50]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys [2006-02-17 22:26]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z530mdfl.sys [2006-02-17 22:26]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\z530mdm.sys [2006-02-17 22:26]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\z530mgmt.sys [2006-02-17 22:26]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys [2006-02-17 22:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 04:10:04 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as w0lfm4n at 2 10 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-03-30 02:43:56 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-26 17:53:37 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 13:46:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-30 13:52:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 02:51:43
Pre-Run: 8,807,325,696 bytes free
Post-Run: 8,720,965,632 bytes free
.
2008-03-29 21:21:12 --- E O F ---

#4 dw4rfw0lf

Posted 29 March 2008 - 11:16 PM

Hey Sam (or anyone), I just ran my anti-spyware program on my CA antivirus scanner, and I noticed that darksma is there... it says it is a downloader... is there a way to remove that, and not quarantine it? Thanx.

#5 Buckeye_Sam

    Malware Expert

Posted 30 March 2008 - 05:55 PM

Hey Sam (or anyone), I just ran my anti-spyware program on my CA antivirus scanner, and I noticed that darksma is there... it says it is a downloader... is there a way to remove that, and not quarantine it? Thanx.

I'm sure we can take care of it, but you'll have to give more specific info on exactly what it is finding.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\system32\iDlo18

File::
C:\WINDOWS\IFinst26.exe
C:\WINDOWS\system32\qhrsjkov.ini
C:\WINDOWS\system32\dbjceloy.ini
C:\WINDOWS\system32\fcuygdis.ini
C:\WINDOWS\system32\rpsklvud.ini
C:\WINDOWS\system32\osiqunbg.ini
C:\WINDOWS\system32\kdjjfmhb.ini
C:\WINDOWS\system32\fwmdxpbm.ini
C:\WINDOWS\system32\vtecvbym.ini
C:\WINDOWS\system32\jtwjibji.ini
C:\WINDOWS\system32\sapwckcp.ini
C:\WINDOWS\system32\wheouqjr.ini
C:\WINDOWS\system32\aqpahowl.ini
C:\n.bat
C:\WINDOWS\system32\vbzip10.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C29C335-7E83-41CB-83DC-815CC3F7D5C2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1621FBE8-F70D-4548-9D95-9C3257241B6F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{255063DA-C549-4892-BB8F-DA5C4AF47E4E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{296CDE7B-CBA9-4A98-ACAD-E74F880FD0A7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56f3ea04-0b64-40a2-8ef4-6d79a3b82163}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CD9C343-0BA9-4584-BC9B-B31E2127119E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88442f2a-ecf0-44f7-86c2-515651d607b9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF1266AA-BA2A-45A0-9BAF-89CD83617A7D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C565BC80-855F-4D06-8C32-42EA7F239F16}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAA62C60-FAF5-4728-B0EB-E58C2B309D00}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkhi]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
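A cross-check of a CFScript against the log ComboFix writes after the run, added here as an example; it is not ComboFix's own code and was not posted by either participant. It parses the three section types used in the script above (Folder::, File::, Registry::), treats "[-KEY]" lines as registry deletion requests, and reports targets the post-run log does not confirm as gone (paths absent from "Other Deletions", keys still listed under "Reg Loading Points"). The sample script and log excerpt are constructed and abbreviated from the format seen in this thread.

```python
"""Cross-check a ComboFix CFScript against the post-run ComboFix log.

Added example for this thread (not ComboFix's code). Sample inputs below are
constructed and abbreviated; they only follow the format seen in the thread.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^(Folder|File|Registry)::$", re.IGNORECASE)
BANNER_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")   # "(((( Other Deletions ))))"
KEY_RE = re.compile(r"^\[(.+)\]$")                    # "[HKEY_...]" in the log
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")            # "[-HKEY_...]" in a CFScript


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its sections; text before the first header is ignored."""
    sections: Dict[str, List[str]] = {"folder": [], "file": [], "registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
        elif current:
            sections[current].append(line)
    return sections


def log_section(log: str, title: str) -> List[str]:
    """Return the non-empty lines of one banner-delimited ComboFix log section.

    A section ends at the next "(((( ... ))))" banner or at a "---"/"***" rule.
    """
    out, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            inside = banner.group(1).lower() == title.lower()
            continue
        if line.startswith(("---", "***")):
            inside = False
        elif inside and line and line != ".":
            out.append(line)
    return out


def key_matches(target: str, log_key: str) -> bool:
    """Compare registry keys case-insensitively.

    ComboFix abbreviates a long key prefix as "\\~\\"; an abbreviated key matches a
    full key that has the same root hive and the same trailing components.
    """
    t, k = target.lower(), log_key.lower()
    if t == k:
        return True
    for short, full in ((t, k), (k, t)):
        if "\\~\\" in short and "\\~\\" not in full:
            root, _, tail = short.partition("\\~\\")
            return full.startswith(root + "\\") and full.endswith("\\" + tail)
    return False


def verify_cleanup(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Report CFScript targets the post-run log does not show as removed."""
    script = parse_cfscript(cfscript)
    deleted = {p.lower() for p in log_section(log, "Other Deletions")}
    remaining = [m.group(1) for m in map(KEY_RE.match, log_section(log, "Reg Loading Points")) if m]
    wanted = [m.group(1) for m in map(DELETE_KEY_RE.match, script["registry"]) if m]
    return {
        "paths_not_deleted": [p for p in script["folder"] + script["file"] if p.lower() not in deleted],
        "keys_still_present": [t for t in wanted if any(key_matches(t, k) for k in remaining)],
    }


# Constructed sample inputs (abbreviated), following the format seen in the thread.
SAMPLE_CFSCRIPT = r"""
Folder::
C:\WINDOWS\system32\iDlo18

File::
C:\n.bat
C:\WINDOWS\IFinst26.exe
C:\WINDOWS\system32\vbzip10.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C29C335-7E83-41CB-83DC-815CC3F7D5C2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1621FBE8-F70D-4548-9D95-9C3257241B6F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkhi]
"""

SAMPLE_LOG = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
C:\n.bat
C:\WINDOWS\IFinst26.exe
C:\WINDOWS\system32\iDlo18
.
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-02-29 15:17 181512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{1621FBE8-F70D-4548-9D95-9C3257241B6F}]
2008-03-31 16:30 12345 --a------ C:\WINDOWS\system32\constructed.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
.
Contents of the 'Scheduled Tasks' folder
**************************************************************************
"""

if __name__ == "__main__":
    for kind, items in verify_cleanup(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(kind, "->", items or "none")
```

On the constructed sample it flags vbzip10.dll (never listed under "Other Deletions") and the one BHO key that is still loading; anything it flags is what the helper would ask to see in the next log.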

#6 dw4rfw0lf

Posted 31 March 2008 - 12:50 AM

Hey Sam,
Here is the Combofix log,

ComboFix 08-03-29.1 - w0lfm4n 2008-03-31 16:35:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT 11:00]
Running from: C:\Documents and Settings\w0lfm4n\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\w0lfm4n\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\n.bat
C:\WINDOWS\IFinst26.exe
C:\WINDOWS\system32\aqpahowl.ini
C:\WINDOWS\system32\dbjceloy.ini
C:\WINDOWS\system32\fcuygdis.ini
C:\WINDOWS\system32\fwmdxpbm.ini
C:\WINDOWS\system32\jtwjibji.ini
C:\WINDOWS\system32\kdjjfmhb.ini
C:\WINDOWS\system32\osiqunbg.ini
C:\WINDOWS\system32\qhrsjkov.ini
C:\WINDOWS\system32\rpsklvud.ini
C:\WINDOWS\system32\sapwckcp.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vtecvbym.ini
C:\WINDOWS\system32\wheouqjr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\n.bat
C:\WINDOWS\IFinst26.exe
C:\WINDOWS\system32\aqpahowl.ini
C:\WINDOWS\system32\dbjceloy.ini
C:\WINDOWS\system32\fcuygdis.ini
C:\WINDOWS\system32\fwmdxpbm.ini
C:\WINDOWS\system32\iDlo18
C:\WINDOWS\system32\jtwjibji.ini
C:\WINDOWS\system32\kdjjfmhb.ini
C:\WINDOWS\system32\osiqunbg.ini
C:\WINDOWS\system32\qhrsjkov.ini
C:\WINDOWS\system32\rpsklvud.ini
C:\WINDOWS\system32\sapwckcp.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vtecvbym.ini
C:\WINDOWS\system32\wheouqjr.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-29 17:53 . 2008-03-29 17:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 17:53 . 2008-03-29 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 16:26 . 2008-03-29 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 14:05 . 2008-03-23 14:53 40 --a------ C:\SYSTEM.VER
2008-03-23 14:04 . 2008-03-23 14:04 <DIR> d-------- C:\Program Files\Lame MP3 Codec
2008-03-23 14:04 . 2002-12-03 22:13 1,048,576 --a------ C:\WINDOWS\system32\lameACM.acm
2008-03-23 14:04 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-03-23 14:04 . 2004-12-10 21:29 401 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-03-23 14:02 . 2008-03-23 14:02 <DIR> d-------- C:\Program Files\Samsung
2008-03-14 20:44 . 2008-03-14 20:44 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-09 00:21 . 2008-03-10 02:13 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-03-08 22:18 . 2008-03-08 22:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-08 22:18 . 2008-03-08 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-07 20:02 . 2008-03-07 20:02 82 --a------ C:\WINDOWS\wininit.ini
2008-03-07 18:19 . 2008-03-07 18:15 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-07 18:19 . 2008-03-07 18:19 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-01 05:22 . 2008-03-30 15:55 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-02-29 21:46 . 2008-02-29 21:47 <DIR> d-------- C:\Program Files\limewire
2008-02-29 15:28 . 2008-03-30 19:53 110,870 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-02-29 15:28 . 2008-03-30 19:53 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-02-29 15:23 . 2008-03-08 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 14:11 . 2008-03-31 16:26 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\CallingID
2008-02-29 14:07 . 2008-02-29 15:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-29 14:07 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-02-29 14:06 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-02-29 14:06 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-02-29 14:06 . 2008-02-29 15:17 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-02-29 14:06 . 2008-02-29 15:17 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-02-29 14:06 . 2008-02-29 15:17 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-02-29 14:06 . 2008-02-29 15:17 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-02-29 14:06 . 2008-02-29 15:17 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-02-29 14:06 . 2008-02-29 15:17 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-02-29 14:06 . 2008-02-29 15:17 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-02-29 14:02 . 2008-02-29 14:07 <DIR> d-------- C:\Program Files\CA
2008-02-29 14:02 . 2008-02-29 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-02-26 19:16 . 2008-03-30 13:29 <DIR> d-------- C:\Temp
2008-02-23 21:41 . 2008-02-23 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-22 19:30 . 2008-02-22 19:30 17 --a------ C:\WINDOWS\Ezoneturkey.prf
2008-02-22 19:26 . 2008-02-22 19:26 17 --a------ C:\WINDOWS\Ezonebugganut.prf
2008-02-19 05:43 . 2005-06-21 16:43 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-02-19 05:29 . 2008-02-19 05:29 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-18 16:29 . 2008-02-18 16:29 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\Lavasoft
2008-02-18 15:49 . 2008-02-18 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-18 14:04 . 2008-02-18 14:04 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\AVSMedia
2008-02-18 14:01 . 2008-02-18 14:01 <DIR> d-------- C:\Program Files\AVSMedia
2008-02-18 13:09 . 2008-02-18 13:09 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-18 10:37 . 2008-02-29 13:53 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-02-18 10:36 . 2008-02-18 10:41 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\Symantec
2008-02-18 10:36 . 2008-02-29 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-18 10:35 . 2008-02-18 10:35 6 --a------ C:\ISACER.ID
2008-02-17 22:29 . 2008-03-30 19:05 <DIR> d-------- C:\Converted
2008-02-17 22:20 . 2008-02-17 22:20 <DIR> d-------- C:\Program Files\VSO
2008-02-17 22:20 . 2008-03-26 23:02 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\Vso
2008-02-17 22:20 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-02-17 22:20 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-02-17 22:20 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-02-17 22:20 . 2008-02-17 22:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-17 22:20 . 2008-02-17 22:20 47,360 --a------ C:\Documents and Settings\w0lfm4n\Application Data\pcouffin.sys
2008-02-17 12:22 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-02-16 17:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-16 17:42 . 2008-02-16 17:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-16 17:24 . 2008-02-16 17:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2008-02-16 16:55 . 2008-02-16 16:55 <DIR> d-------- C:\Program Files\TeamViewer3
2008-02-16 16:55 . 2008-02-16 17:03 <DIR> d-------- C:\Documents and Settings\w0lfm4n\Application Data\TeamViewer
2008-02-16 16:51 . 2008-02-16 16:51 <DIR> d-------- C:\Documents and Settings\w0lfm4n\temp
2008-02-16 15:03 . 2008-02-16 15:14 <DIR> d-------- C:\Program Files\RegCure
2008-02-10 18:27 . 2008-02-10 18:27 <DIR> d-------- C:\Program Files\Freeze.com
2008-02-10 18:27 . 2005-08-11 15:51 1,612,037 --a------ C:\WINDOWS\Pumpkin Patch.imx
2008-02-10 18:27 . 2005-08-11 15:51 438,272 --a------ C:\WINDOWS\Pumpkin Patch.scr
2008-02-10 18:27 . 2005-08-11 15:51 416 --a------ C:\WINDOWS\Pumpkin Patch.ini
2008-02-10 17:36 . 2008-02-10 17:36 <DIR> d-------- C:\Program Files\coolbuddy screensaver vin diesel
2008-02-10 17:22 . 2008-02-10 17:22 2,336,298 --a------ C:\WINDOWS\rihanna.scr
2008-02-10 17:15 . 2008-02-10 17:15 792,298 --a------ C:\WINDOWS\system32\catsplay.scr
2008-02-10 17:14 . 2008-02-10 17:14 1,311,335 --a------ C:\WINDOWS\system32\aquarium.scr
2008-02-01 11:11 . 2008-02-01 11:11 586,240 --a------ C:\WINDOWS\WLXPGSS.SCR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 09:38 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-03-30 02:25 --------- d-----w C:\Documents and Settings\w0lfm4n\Application Data\mIRC
2008-03-26 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-25 21:08 --------- d-----w C:\Documents and Settings\w0lfm4n\Application Data\LimeWire
2008-03-24 07:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 09:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-07 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-07 07:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 01:04 --------- d-----w C:\Program Files\Windows Live
2008-02-23 10:40 --------- d-----w C:\Program Files\Games
2008-02-19 14:48 --------- d-----w C:\Program Files\Multimedia Combo Set
2008-02-18 03:03 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-18 02:54 --------- d-----w C:\Program Files\AVS4YOU
2008-02-17 11:19 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-02-16 06:44 --------- d-----w C:\Program Files\Java
2008-02-10 07:27 --------- d-----w C:\Program Files\Yahoo!
2008-02-08 07:22 --------- d-----w C:\Program Files\The Sims
.

------- Sigcheck -------

2006-04-20 23:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 03:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 23:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-31 22:01 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-09 20:43 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25 1961984]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 22:51 409600]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-08-12 22:28 1465280]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-02-29 15:17 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-02-29 15:17 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-02-29 15:17 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-02-29 15:17 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-02-29 15:17 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-02-29 15:17 14088]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 11:58 2483496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 13:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 18:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard ]
--a------ 2005-08-02 22:43 217088 C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse ]
--a------ 2004-06-27 14:54 503808 C:\Program Files\Multimedia Combo Set\MouseDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\mIRC\\mirc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21433:TCP"= 21433:TCP:BitComet 21433 TCP
"21433:UDP"= 21433:UDP:BitComet 21433 UDP

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 09:46]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 13:28]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 09:46]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 03:54]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-04 08:23]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 08:39]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-12 11:02]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-02-29 15:17]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 17:49]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 17:50]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 17:50]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 17:50]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 17:50]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys [2006-02-17 22:26]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z530mdfl.sys [2006-02-17 22:26]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\z530mdm.sys [2006-02-17 22:26]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\z530mgmt.sys [2006-02-17 22:26]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys [2006-02-17 22:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 04:18:53 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as w0lfm4n at 2 10 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-03-30 09:37:40 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-26 17:53:37 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 16:39:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 16:41:11
ComboFix-quarantined-files.txt 2008-03-31 05:40:59
ComboFix2.txt 2008-03-30 07:48:06
ComboFix3.txt 2008-03-30 02:52:28
Pre-Run: 20,719,845,376 bytes free
Post-Run: 20,694,716,416 bytes free
.
2008-03-31 01:51:01 --- E O F ---

And here is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:38 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194426542953
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: ljjjkhi - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10149 bytes

Thanx again Sam.
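A small triage script, added here as an example and not part of this thread or of HijackThis itself: it parses a handful of lines copied from the log above (the selection is constructed for the example; the lines are the poster's) and flags the two entries a helper would look at first, the R3 hook marked "(no file)" and the O20 Winlogon Notify entry with no DLL behind it. The set of stock XP notify package names is this example's own assumption, not a list HijackThis publishes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log posted above; the selection is
# constructed for this example, the lines themselves are the poster's.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O20 - Winlogon Notify: ljjjkhi - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
"""

# Winlogon Notify packages a stock Windows XP install registers. Assumption:
# compiled for this example, not taken from HijackThis's own ignore list.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Entry:
    code: str    # HijackThis section code, e.g. "O20"
    body: str    # text after the code
    target: str  # last " - " field, normally the file the entry points at


_LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


def parse_log(text: str) -> List[Entry]:
    """Turn HijackThis result lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        target = body.rsplit(" - ", 1)[-1].strip()
        entries.append(Entry(code, body, target))
    return entries


def check(entry: Entry) -> Optional[str]:
    """Return a reason string if the entry deserves attention, else None."""
    if entry.target.lower() == "(no file)":
        return "orphaned entry: the registry key points at a file that is gone"
    if entry.code == "O20" and entry.body.startswith("Winlogon Notify:"):
        name = entry.body[len("Winlogon Notify:"):].split(" - ", 1)[0].strip()
        if not entry.target.lower().endswith(".dll"):
            # A Winlogon Notify package is loaded into winlogon.exe (SYSTEM) at
            # every logon; a key nobody can account for, with no DLL behind it,
            # should not stay in that list.
            return f"Winlogon Notify '{name}' has no DLL behind it ({entry.target})"
        if name.lower() not in KNOWN_NOTIFY:
            return f"Winlogon Notify '{name}' is not a stock XP notify package"
    return None


def audit(text: str) -> List[Tuple[Entry, str]]:
    """Parse a log and return (entry, reason) for everything worth a look."""
    findings = []
    for entry in parse_log(text):
        reason = check(entry)
        if reason:
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_LOG):
        print(f"{entry.code:<4} {reason}")
```

Run on the five sample lines it reports the R3 entry as orphaned and the O20 entry `ljjjkhi` as having no DLL behind it; the CA, Spybot and Adobe entries pass. The name check against `KNOWN_NOTIFY` only runs when a DLL path is present, so a random-looking name with a real DLL behind it is still flagged, just with a different reason.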

#7 dw4rfw0lf (Topic Starter, Members, 15 posts)

Posted 31 March 2008 - 01:16 AM

Here is a bit more specific info about some things for you, Sam, thanx.
I am getting this info from my quarantine list in CA Anti-Spyware.
Infection Name: Darksma. Infection Type: Downloader. Filename: ms juan. Location: hkey_local_machine\software\microsoft
Infection Name: PWS. Infection Type: Password Cracker. Filename: bassmod.dll. Location: c:\windows\system32
Infection Name: Bifrost. Infection Type: Backdoor. Filename: wget. Location: hkey_users\s-1-5-21-484763-869-1343024091-839522115-1003\software

Kazaa (which I don't have on this machine, never have, but I do have LimeWire) and Bifrost are in the SAME location.
Another thing that happens is my Windows auto update is constantly letting me know I have the same update, lol.
Thanx again

#8 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 31 March 2008 - 06:27 AM

So CA Anti-Spyware has already quarantined those threats?
If that is the case you just have to review the program to locate where you can permanently delete items that are in quarantine. It should be in your settings.

Kazaa (which I don't have on this machine, never have, but I do have LimeWire) and Bifrost are in the SAME location.

I don't condone the use of these programs and don't offer support for them.

Another thing that happens is my Windows auto update is constantly letting me know I have the same update, lol.

Try visiting the Windows Update site directly and installing the update that way.


How is your computer behaving now? Are you getting any indications of active malware?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#9 dw4rfw0lf (Topic Starter, Members, 15 posts)

Posted 01 April 2008 - 01:24 AM

Thanks Sam.
Did the Windows update from the web page; it was the same thing that has been downloaded and installed 10 times so far.
Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)

There doesn't seem to be anything popping up, or the firewall going off every second now. So here's hoping.
I will do one more scan with Ad-Aware, my virus and spyware scanners, and Search & Destroy, and see what comes up. Will let you know what it shows when done.
Thanx again Sam.

#10 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 01 April 2008 - 07:10 AM

I'll check into that particular update and see what I can turn up. In the meantime, let me know what your scans come up with.

#11 dw4rfw0lf (Topic Starter, Members, 15 posts)

Posted 02 April 2008 - 02:16 AM

All scans came up clean as a whistle!
Thanx Sam.
Did you find anything out about that particular windows update by any chance please?

#12 dw4rfw0lf (Topic Starter, Members, 15 posts)

Posted 02 April 2008 - 03:40 AM

Hey Sam, I just rebooted and am not sure what to make of this, picked up by my firewall.
Program: System.dll
Path: System
Events: 1
Access Was Denied.
Someone is trying to access your computer over the internet. Remote Address 255.255.255.255 (UDP Port 68) from 10.48.0.1 (Port 67)
Remote 58.107.194.215 (UDP Port 28684) From 78.165.32.99 (Port 40721)
Remote Address 58.107.194.215 from 76.172.249.179 (Port 60721)
There were 4-5 others, but I didn't think it was relevant to get them all.
Could it be something with the system.dll?

The Windows update info, cos it just happened again.
Size: 5.4 MB

A security issue has been identified in Microsoft XML Core Services (MSXML) that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.


More information for this update can be found at http://go.microsoft.com/fwlink/?LinkId=88350

#13 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 02 April 2008 - 06:45 AM

All scans came up clean as a whistle!
Thanx Sam.
Did you find anything out about that particular windows update by any chance please?


Click Start, click Run, type cmd, and then press ENTER.
At the command prompt, type ren %windir%\System32\msxml4.dll msxml4.old and then press ENTER.

Note: After you press ENTER, you may receive the following error message.
Cannot find the file specified.


Ignore this message and proceed to the next step.

At the command prompt, type exit, and then press ENTER.
Go to this link to manually download and install the update.
http://www.microsoft.com/downloads/details...b8-185639ba2807


Let me know how it goes.

#14 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 02 April 2008 - 06:50 AM

Someone is trying to access your computer over the internet. Remote Address 255.255.255.255 (UDP Port 68) from 10.48.0.1 (Port 67)
Remote 58.107.194.215 (UDP Port 28684) From 78.165.32.99 (Port 40721)
Remote Address 58.107.194.215 from 76.172.249.179 (Port 60721)
There were 4-5 others, but I didn't think it was relevant to get them all.
Could it be something with the system.dll?


system.dll is a legit file. And it's very common for someone to try to access your computer over the internet. That's why it's so important to have a firewall. This appears just to be a notification that your firewall is alert and doing its job.
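To show what those three alerts actually are, here is an added example (not from the thread, and not CA's firewall code) that parses them as the poster transcribed them and sorts each into a category. The regex is written for that hand-copied wording, which is an assumption; a real log export would be more regular. It reads "Remote Address X ... from Y" as destination X and source Y, which is the only reading that fits the first line (a DHCP server on port 67 sending to the broadcast address on port 68), and from that it also recovers the poster's own public address, since that is the destination the other two packets were sent to.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three alerts as transcribed in post #12 above. The
# wording differs from line to line because they were copied by hand.
SAMPLE_ALERTS = """\
Someone is trying to access your computer over the internet. Remote Address 255.255.255.255 (UDP Port 68) from 10.48.0.1 (Port 67)
Remote 58.107.194.215 (UDP Port 28684) From 78.165.32.99 (Port 40721)
Remote Address 58.107.194.215 from 76.172.249.179 (Port 60721)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Assumption: in this wording "Remote [Address] X" is the destination of the
# blocked packet and "from Y" is its source (the DHCP line only makes sense
# that way round: server port 67 sending to the broadcast address, port 68).
_ALERT_RE = re.compile(
    rf"Remote(?:\s+Address)?\s+(?P<dst>{IPV4})"
    rf"(?:\s+\((?P<proto>TCP|UDP)\s+Port\s+(?P<dport>\d+)\))?"
    rf"\s+from\s+(?P<src>{IPV4})"
    rf"(?:\s+\(Port\s+(?P<sport>\d+)\))?",
    re.IGNORECASE,
)


@dataclass
class Alert:
    dst: ipaddress.IPv4Address
    src: ipaddress.IPv4Address
    proto: Optional[str]
    dport: Optional[int]
    sport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Pull destination, source and ports out of one alert line, or None."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        dst=ipaddress.IPv4Address(m["dst"]),
        src=ipaddress.IPv4Address(m["src"]),
        proto=m["proto"].upper() if m["proto"] else None,
        dport=int(m["dport"]) if m["dport"] else None,
        sport=int(m["sport"]) if m["sport"] else None,
    )


def classify(a: Alert) -> str:
    # DHCP server port 67 -> client port 68: the local DHCP server answering
    # the lease request this machine sent while booting. Not an attacker.
    if a.sport == 67 and a.dport == 68:
        return "dhcp-offer"
    if a.src.is_private or a.src.is_link_local:
        return "lan"
    if a.src.is_global:
        # Blocked, unsolicited packet from the internet. Background noise on
        # any public address; more of it after P2P clients have handed this
        # host's address to other peers (an inference, not a log fact).
        return "internet-unsolicited"
    return "other"


def triage(text: str) -> List[Tuple[str, Alert]]:
    """Classify every parseable alert line in a block of text."""
    out = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            out.append((classify(a), a))
    return out


def summarize(text: str) -> Dict[str, int]:
    """Count alerts per category."""
    return dict(Counter(cat for cat, _ in triage(text)))


def infer_public_address(text: str) -> Optional[ipaddress.IPv4Address]:
    """The globally routable destination seen most often is this host's own address."""
    dsts = Counter(a.dst for _, a in triage(text) if a.dst.is_global)
    return dsts.most_common(1)[0][0] if dsts else None


if __name__ == "__main__":
    for cat, a in triage(SAMPLE_ALERTS):
        print(f"{cat:<22} {a.src}:{a.sport} -> {a.dst}:{a.dport} {a.proto or ''}")
    print("this host's public address:", infer_public_address(SAMPLE_ALERTS))
```

On the three lines it reports one `dhcp-offer` (10.48.0.1 is the LAN's DHCP server) and two `internet-unsolicited` hits, and names 58.107.194.215 as the machine's own public address rather than an attacker's. The P2P remark in the comment is an inference from BitComet and LimeWire being installed on this machine; the firewall log itself does not say why those two hosts sent packets.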

#15 dw4rfw0lf (Topic Starter, Members, 15 posts)

Posted 03 April 2008 - 02:28 AM

Hey Sam,
I did the cmd prompt, but it came up with being unable to find the file. Went to the site and d/l'd it directly. I removed it, then I installed from scratch.
It's good to know about the system.dll, cos 40 hits in 2 mins when I start up... sheesh! lol
Thanx for all your help, Sam. Much appreciated.
