Had A Problem. Is It Gone?


This topic is locked
5 replies to this topic

#1 mastema

mastema

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 17 April 2008 - 11:41 AM

A few days ago I left my 7th grade cousin unsupervised at my PC while I went about my business. When I came back I noticed that he had deactivated my AV and antispyware (he thought it took too much out of my RAM... :thumbsup: ) and sure enough the harm was done. I battled for two days with various Vundo (and variants), Virtumonde and some other 3-4 ad/spyware (forgot their names). After looking everywhere on the net and trying to remove them with a lot of software I think they're gone. I have installed: Avira AntiVir Premium, Spybot - Search & Destroy, SUPERAntiSpyware, BHODemon 2. Still, each time I reboot a new random BHO starts (different name each time); I always remove them and scan afterwards. I used RegCleaner and TuneUp to clean my registry, but I still can't get rid of those BHOs.

I'll post a HijackThis report. If anyone could give me any suggestions I would be grateful.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:07, on 17.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\VIPv3\VIPtooltip\VisualToolTip.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {40B46A31-F568-4671-A502-AF93235A013B} - C:\WINDOWS\system32\LegitDheckControl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\WINDOWS\VIPv3\VIPtooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Vistadrv] C:\WINDOWS\VIPv3\VIPhd\vsdrv.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: FastStone Capture.lnk = C:\Program Files\FastStone Capture\FSCapture.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6456 bytes
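The O2 lines in a HijackThis log list every Browser Helper Object that Internet Explorer loads, and the one with "(no name)" pointing at a DLL in system32 is the entry the helper in the next reply asks to have submitted. The following is an added example by the editor, not code from the thread or from HijackThis: it parses constructed sample lines in the same O2/O4/O23 layout as the log above and applies two defender-side checks to each BHO, flagging an entry that has no name and comparing the DLL's file name against a small allow-list of known extension DLL names to catch near-misses. The allow-list (`KNOWN_DLLS`) and the sample lines are assumptions constructed for the example; the only real names in it are LegitCheckControl.dll, the Windows Genuine Advantage validation control, and Spybot's SDHelper.dll.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in HijackThis v2.0.2 format (same layout as the log in
# the thread). The O4 and O23 lines are there to show the parser ignores them.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {40B46A31-F568-4671-A502-AF93235A013B} - C:\WINDOWS\system32\LegitDheckControl.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min',
    r"O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe",
]

# Assumption: a tiny allow-list of legitimate extension DLL names, lower-cased, used
# only for the look-alike check. LegitCheckControl.dll is the Windows Genuine
# Advantage validation control; SDHelper.dll is Spybot's IE protection BHO.
KNOWN_DLLS = ["legitcheckcontrol.dll", "sdhelper.dll"]

# O2 - BHO: <name> - {<CLSID>} - <path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o2(line: str):
    """Return {'name', 'clsid', 'path'} for an O2 line, or None for any other line."""
    m = O2_RE.match(line.strip())
    return m.groupdict() if m else None


def review_bhos(lines, known_dlls=KNOWN_DLLS, max_distance=2):
    """Apply the two checks to every O2 entry; return only entries with findings."""
    findings = []
    for line in lines:
        entry = parse_o2(line)
        if entry is None:
            continue
        reasons = []
        # Check 1: a BHO registered without a display name.
        if entry["name"] == "(no name)":
            reasons.append("unnamed BHO")
        # Check 2: file name is a near-miss of a known extension DLL name.
        base = PureWindowsPath(entry["path"]).name.lower()
        if base not in known_dlls:
            for known in known_dlls:
                d = levenshtein(base, known)
                if 0 < d <= max_distance:
                    reasons.append(f"file name is {d} edit(s) from {known}")
        if reasons:
            findings.append({"clsid": entry["clsid"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_bhos(SAMPLE_LINES):
        print(f["clsid"], f["path"], "->", "; ".join(f["reasons"]))
```

Run against the sample, the Spybot BHO passes both checks and the unnamed system32 entry is reported with two reasons. The look-alike check is deliberately conservative (distance 1 or 2 only, against a list you maintain), so it surfaces candidates for submission to a scanner rather than deciding anything by itself.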




#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:44 PM

Posted 17 April 2008 - 12:14 PM

Hi,

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file:

C:\WINDOWS\system32\LegitDheckControl.dll

Select it and click OK.
Then click the Send File button below.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mastema

mastema
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 19 April 2008 - 04:42 AM

Okay! I used ComboFix and here is the log:

ComboFix log:

ComboFix 08-04-18.3 - Mastema 2008-04-19 12:28:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT 3:00]
Running from: C:\Documents and Settings\Mastema\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\ADAPT_Installer.exe
C:\WINDOWS\system32\BLTuvGgh.ini
C:\WINDOWS\system32\BLTuvGgh.ini2
C:\WINDOWS\system32\Dvbpws.dll
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 12:32 . 2008-04-19 12:32 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-19 12:32 . 2008-04-19 12:32 <DIR> d-------- C:\WINDOWS\srchasst
2008-04-19 12:32 . 2008-04-19 12:32 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-19 12:27 . 2008-04-19 12:27 666 --a------ C:\WINDOWS\VisualTooltip.ini
2008-04-18 10:42 . 2008-04-18 12:21 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-18 10:42 . 2008-04-18 10:42 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-17 20:03 . 2008-04-17 20:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-17 20:03 . 2008-04-17 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 20:03 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-04-17 20:03 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-04-17 20:03 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-17 18:38 . 2008-04-17 19:05 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-17 18:16 . 2008-04-17 18:16 14,848 --a------ C:\WINDOWS\system32\LegitDheckControl.dll
2008-04-17 17:38 . 2008-04-17 17:53 <DIR> d-------- C:\Program Files\CD Art Display
2008-04-17 17:38 . 2003-01-27 14:27 94,208 --a------ C:\WINDOWS\system32\wmpuice.dll
2008-04-17 17:19 . 2008-04-19 12:32 2,037 --a------ C:\WINDOWS\system32\OODBS.lor
2008-04-17 13:54 . 2008-04-17 13:54 94 --a------ C:\WINDOWS\galaxy.ini
2008-04-17 13:47 . 2008-04-17 13:48 <DIR> d-------- C:\Program Files\Unlocker
2008-04-17 13:47 . 2008-04-17 13:47 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-04-17 13:13 . 2008-04-17 13:13 <DIR> d-------- C:\WINDOWS\Sun
2008-04-16 21:03 . 2008-04-17 19:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-16 21:03 . 2008-04-16 21:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-16 17:42 . 2008-04-16 17:43 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-04-16 17:41 . 2008-04-16 17:41 <DIR> d-------- C:\Program Files\OO Software
2008-04-16 13:46 . 2008-04-16 13:46 <DIR> d-------- C:\Program Files\Xvid
2008-04-16 13:46 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-16 13:46 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-16 13:46 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-04-16 13:29 . 2008-04-19 12:24 36 --a------ C:\WINDOWS\win.ini
2008-04-16 13:23 . 2007-10-26 06:34 8,460,288 --a------ C:\WINDOWS\system32\shell32.backup
2008-04-16 13:20 . 2008-04-16 13:24 <DIR> d-------- C:\WINDOWS\VIPv3
2008-04-16 13:20 . 2008-04-16 13:20 7,761,097 --a------ C:\WINDOWS\system32\VIPv3_EXT.dll
2008-04-16 13:20 . 2003-06-22 12:31 65,536 --a------ C:\WINDOWS\system32\vbalProgBar6.ocx
2008-04-16 13:20 . 2006-08-15 23:19 97 --a------ C:\Documents and Settings\win.ini
2008-04-16 13:20 . 2006-08-15 23:21 96 --a------ C:\WINDOWS\docs.ini
2008-04-16 11:56 . 2008-04-16 11:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-16 11:42 . 2008-04-16 11:42 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-04-16 11:02 . 2008-04-16 11:02 <DIR> d--h----- C:\DpW-Addons
2008-04-16 10:24 . 2008-04-16 10:24 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\Nokia Multimedia Player
2008-04-16 09:48 . 2008-04-16 09:48 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-16 09:48 . 2008-04-16 09:48 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-16 09:43 . 2008-04-16 09:43 <DIR> d--h----- C:\Nokia
2008-04-16 09:42 . 2008-04-16 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-04-16 09:40 . 2008-04-16 09:40 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-16 09:40 . 2008-04-16 09:46 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-16 09:39 . 2008-04-16 09:39 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-16 09:39 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-04-16 09:38 . 2007-11-29 10:33 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-04-16 09:38 . 2007-11-29 10:39 95,744 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-16 09:38 . 2007-11-29 10:39 19,328 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-04-16 09:38 . 2007-11-29 10:39 16,896 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-04-16 09:38 . 2007-11-29 10:39 8,064 --a------ C:\WINDOWS\system32\usbser_lowerfltj.sys
2008-04-16 09:38 . 2007-11-29 10:39 8,064 --a------ C:\WINDOWS\system32\usbser_lowerflt.sys
2008-04-16 09:30 . 2008-04-16 10:27 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\Nokia
2008-04-16 09:30 . 2008-04-16 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-16 09:29 . 2008-04-16 09:46 <DIR> d-------- C:\Program Files\Nokia
2008-04-16 09:29 . 2008-04-16 09:31 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\PC Suite
2008-04-16 09:29 . 2008-02-01 15:17 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-04-16 09:28 . 2008-04-16 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-16 09:27 . 2008-04-16 09:27 <DIR> d-------- C:\Program Files\Plasma Pong
2008-04-15 22:40 . 2008-04-15 22:40 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-04-15 21:11 . 2008-04-15 21:11 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\Sports Interactive
2008-04-15 20:19 . 2008-04-15 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-15 20:17 . 2008-04-15 20:17 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-15 18:06 . 2008-04-15 18:06 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-15 18:05 . 2008-04-15 18:05 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\Avira
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\Program Files\Avira
2008-04-15 17:39 . 2007-05-25 04:00 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-04-15 17:01 . 2008-04-15 17:01 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-15 16:56 . 2008-04-15 16:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-15 16:56 . 2008-04-15 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 16:46 . 2008-04-15 16:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-15 16:46 . 2008-04-15 19:41 <DIR> d-------- C:\Program Files\Norton PC Checkup
2008-04-15 16:46 . 2008-04-15 20:35 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-15 15:50 . 2008-04-15 15:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-15 15:50 . 2008-04-17 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-15 15:35 . 2008-04-16 13:29 <DIR> d-------- C:\Program Files\BHODemon 2
2008-04-15 15:07 . 2008-04-15 22:25 38,800 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-15 14:22 . 2008-04-15 14:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 14:01 . 2008-04-15 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-15 14:00 . 2008-04-15 14:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-15 14:00 . 2008-04-15 14:00 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\SUPERAntiSpyware.com
2008-04-15 13:53 . 2008-04-15 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-15 13:45 . 2008-04-17 13:29 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\OpenOffice.org2
2008-04-15 13:35 . 2008-04-15 13:35 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\Apple Computer
2008-04-15 13:34 . 2008-04-15 13:35 <DIR> d-------- C:\Program Files\Safari
2008-04-15 13:20 . 2008-04-15 13:21 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-15 13:12 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2008-04-15 13:11 . 2005-03-25 15:42 363,520 --a------ C:\WINDOWS\system32\PsisDecd.dll
2008-04-15 13:11 . 2004-08-04 00:56 56,832 --a------ C:\WINDOWS\system32\MSDvbNP.ax
2008-04-15 13:11 . 2004-08-04 00:56 33,280 --a------ C:\WINDOWS\system32\PsisRndr.ax
2008-04-15 13:11 . 2004-08-04 00:56 18,432 --a------ C:\WINDOWS\system32\BdaPlgIn.ax
2008-04-15 13:11 . 2004-08-03 23:10 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2008-04-15 13:07 . 2008-04-15 13:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-15 13:07 . 2008-04-16 09:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-15 13:03 . 2008-04-15 13:03 <DIR> d-------- C:\Program Files\Stardock
2008-04-15 11:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-15 11:00 . 2008-04-15 11:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-15 10:55 . 2008-04-15 10:57 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-15 10:55 . 2008-04-15 10:55 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\TuneUp Software
2008-04-15 10:55 . 2008-04-15 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-04-15 10:55 . 2008-04-15 10:55 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-15 10:55 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-04-15 10:52 . 2008-04-17 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 10:50 . 2008-04-15 10:50 <DIR> d-------- C:\Program Files\Sports Interactive
2008-04-15 10:48 . 2008-04-15 10:48 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-15 10:45 . 2008-04-15 13:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-15 10:45 . 2004-08-03 20:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-15 10:29 . 2001-08-17 13:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-04-15 10:28 . 2008-04-15 10:28 <DIR> d-------- C:\Program Files\AMD
2008-04-15 10:27 . 2008-04-15 10:27 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\InstallShield
2008-04-15 10:24 . 2008-04-17 17:34 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-15 10:22 . 2006-10-05 05:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-15 10:22 . 2006-10-05 05:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-15 10:21 . 2008-04-15 10:22 <DIR> d-------- C:\Program Files\Picasa2
2008-04-15 10:21 . 2008-04-15 10:32 <DIR> d-------- C:\Program Files\Paint.NET
2008-04-15 10:21 . 2008-04-17 15:05 <DIR> d-------- C:\Program Files\Google
2008-04-15 10:20 . 2008-04-15 10:20 <DIR> d-------- C:\WINDOWS\WinRAR
2008-04-15 10:20 . 2008-04-15 10:20 <DIR> d-------- C:\Program Files\FastStone Capture
2008-04-15 10:19 . 2008-04-15 10:19 <DIR> d-------- C:\Program Files\FastStone Image Viewer
2008-04-15 10:19 . 2008-04-15 10:20 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\FastStone
2008-04-15 10:18 . 2008-04-15 10:18 <DIR> d-------- C:\Program Files\MSBuild
2008-04-15 10:18 . 2008-04-15 10:18 <DIR> d-------- C:\Documents and Settings\Mastema\Application Data\DAEMON Tools
2008-04-15 10:18 . 2008-04-15 10:18 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-15 10:17 . 2008-04-15 10:17 <DIR> d-------- C:\Program Files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 17:44 102,400 ----a-w C:\WINDOWS\DUMP7e19.tmp
2008-04-18 07:42 102,400 ----a-w C:\WINDOWS\DUMP83b6.tmp
2008-04-17 14:06 --------- d-----w C:\Documents and Settings\Mastema\Application Data\Winamp
2008-04-17 10:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 08:56 --------- d-----w C:\Program Files\Common Files\Real
2008-04-16 08:09 --------- d-----w C:\Program Files\Winamp
2008-04-15 10:09 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-15 10:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-15 09:59 --------- d-----w C:\Documents and Settings\Mastema\Application Data\Notepad++
2008-04-15 09:58 --------- d-----w C:\Program Files\Notepad++
2008-04-15 09:57 --------- d-----w C:\Documents and Settings\Mastema\Application Data\atitray
2008-04-15 09:56 --------- d-----w C:\Program Files\Ray Adams
2008-04-15 09:37 --------- d-----w C:\Program Files\WinFast
2008-04-15 09:33 --------- d-----w C:\Documents and Settings\Mastema\Application Data\Media Player Classic
2008-04-15 09:32 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-04-15 09:23 --------- d-----w C:\Program Files\QuickTime
2008-04-15 09:21 --------- d-----w C:\Program Files\Real
2008-04-15 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-15 09:18 --------- d-----w C:\Program Files\Flash Movie Player
2008-04-15 09:15 --------- d-----w C:\Program Files\RocketDock
2008-04-15 06:59 --------- d-----w C:\Program Files\VIA
2008-04-15 06:58 --------- d-----w C:\Program Files\UIU
2008-04-15 06:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-15 06:58 --------- d-----w C:\Program Files\A4Tech
2008-04-15 06:57 --------- d-----w C:\Program Files\ATI Technologies
2008-04-15 06:55 --------- d-----w C:\Program Files\Realtek AC97
2008-04-15 06:50 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 10:10 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
2008-03-06 08:14 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 02:54 43,520 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-02-23 02:38 43,872 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

------- Sigcheck -------

2007-05-23 18:12 2339584 cc21ce6922f9c516a62707770ae8c4db C:\WINDOWS\system32\ntoskrnl.exe
2007-05-23 18:12 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\VIPv3\backup\ntoskrnl.exe

2007-06-13 14:26 1403904 eb59c712168d1ea22cb4fe2c6fd52f6b C:\WINDOWS\explorer.exe
2007-05-23 18:09 1033216 42d32722b805d7df42d30487a0bcbd78 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 13:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2GDR\explorer.exe
2007-06-13 14:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2QFE\explorer.exe
2007-06-13 14:26 1032704 3740e90f7e2d035ecac17dd4d9c92b96 C:\WINDOWS\VIPv3\backup\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40B46A31-F568-4671-A502-AF93235A013B}]
2008-04-17 18:16 14848 --a------ C:\WINDOWS\system32\LegitDheckControl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:56 15360]
"AtiTrayTools"="C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 12:04 521128]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 12:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2007-06-25 15:32 65536]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2007-12-19 16:09 2846720]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"VisualTooltip"="C:\WINDOWS\VIPv3\VIPtooltip\VisualToolTip.exe" [2006-01-17 19:15 319488]
"Vistadrv"="C:\WINDOWS\VIPv3\VIPhd\vsdrv.exe" [2006-07-30 02:37 121089]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 20:19 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 20:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 16:06 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Mastema\Start Menu\Programs\Startup\
FastStone Capture.lnk - C:\Program Files\FastStone Capture\FSCapture.exe [2008-02-14 02:38:26 997376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MaxRecentDocs"= 4 (0x4)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mastema^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=C:\Documents and Settings\Mastema\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=C:\WINDOWS\pss\BHODemon 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-02-12 10:06 262401 C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
--a------ 2007-04-08 19:44 303104 C:\Program Files\Essentials Codec Pack\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-16 11:56 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIPv3_Auto_Update]
--a------ 2006-09-08 15:54 23723 C:\WINDOWS\VIPv3\CheckForUpdates.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AVEService"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinFastDTV"=C:\Program Files\WinFast\WFDTV\DTVSchdl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Opera 9.5 beta\\opera.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 12:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 20:56]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 16:55]
R3 WFLR6654;WinFast TV2000 XP Global/Global TV (Video);C:\WINDOWS\system32\drivers\wfeaglxt.sys [2007-07-25 04:43]
S2 AntiVirMailService;Avira AntiVir Premium MailGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe" [2008-03-26 15:35]
S2 antivirwebservice;Avira AntiVir Premium WebGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE" [2008-04-09 15:57]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-15 10:55]
S4 AVEService;Avira AntiVir Premium MailGuard helper service;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe" [2008-02-07 10:06]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 09:32:26 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 12:32:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll
-> C:\Program Files\RocketDock\RocketDock.dll
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\WINDOWS\system32\oodag.exe
.
**************************************************************************
.
Completion time: 2008-04-19 12:34:27 - machine was rebooted [Mastema]
ComboFix-quarantined-files.txt 2008-04-19 09:34:12

Pre-Run: 10,298,261,504 bytes free
Post-Run: 10,444,423,168 bytes free

329 --- E O F --- 2008-04-15 12:27:59


new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:48, on 19.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\VIPv3\VIPtooltip\VisualToolTip.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {40B46A31-F568-4671-A502-AF93235A013B} - C:\WINDOWS\system32\LegitDheckControl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\WINDOWS\VIPv3\VIPtooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Vistadrv] C:\WINDOWS\VIPv3\VIPhd\vsdrv.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: FastStone Capture.lnk = C:\Program Files\FastStone Capture\FSCapture.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5902 bytes



#4 miekiemoes

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium
Posted 19 April 2008 - 06:49 AM

Hi,

Close your Internet Explorer... Then open HijackThis, click Scan and check the next entry in it:

O2 - BHO: (no name) - {40B46A31-F568-4671-A502-AF93235A013B} - C:\WINDOWS\system32\LegitDheckControl.dll

Then click the fix checked button below.

Navigate to and delete C:\WINDOWS\system32\LegitDheckControl.dll if still present.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
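The entry miekiemoes singles out is the typical shape of the problem described in this thread: a Browser Helper Object registered with no display name, its DLL dropped straight into system32, under a file name one character away from a legitimate component. The script below is an added example (not BleepingComputer's, HijackThis's or the poster's code) that parses HijackThis "O2 - BHO" lines and reports why an entry deserves a closer look. The allow-list of vetted CLSIDs, the list of legitimate file names used for the look-alike check, and the sample log text are constructed for illustration; the two O2 lines are copied from the log posted above.

```python
"""Triage of HijackThis 'O2 - BHO' log entries.

Added example for this thread, not code from HijackThis or BleepingComputer.
Parses O2 lines, skips BHOs whose CLSID the analyst has already vetted, and
lists the reasons the remaining ones warrant attention.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two O2 lines from the posted log plus one O4 line,
# included to show that other entry types are ignored by the parser.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {40B46A31-F568-4671-A502-AF93235A013B} - C:\WINDOWS\system32\LegitDheckControl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed allow-list: CLSIDs of BHOs already vetted by the analyst.  In this
# thread the Spybot SDHelper entry is the known-good one.
KNOWN_GOOD_CLSIDS = {"53707962-6F74-2D53-2644-206D7942484F"}

# Assumed list of legitimate file names that droppers imitate.  LegitCheckControl.dll
# is the Windows Genuine Advantage validation control; the list is illustrative.
LOOKALIKE_TARGETS = {"legitcheckcontrol.dll"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<path>.+?)$"
)


@dataclass
class Bho:
    name: str
    clsid: str
    path: str


def parse_bhos(log_text):
    """Extract every O2 line as a Bho record; non-O2 lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"].strip(), m["clsid"].upper(), m["path"].strip()))
    return found


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(bho):
    """Return a list of reasons this BHO deserves a closer look (empty = nothing seen)."""
    if bho.clsid in KNOWN_GOOD_CLSIDS:
        return []
    reasons = []
    if bho.name.lower() == "(no name)":
        reasons.append("BHO registered without a display name")
    norm = bho.path.lower()
    if "\\system32\\" in norm:
        reasons.append("DLL lives under system32 rather than a vendor directory")
    fname = norm.rsplit("\\", 1)[-1]
    for target in sorted(LOOKALIKE_TARGETS):
        if fname != target and edit_distance(fname, target) <= 1:
            reasons.append(f"file name is one edit away from legitimate '{target}'")
    return reasons


def triage(log_text):
    """Map CLSID -> reasons for every BHO in the log that is not on the allow-list."""
    result = {}
    for bho in parse_bhos(log_text):
        reasons = assess(bho)
        if reasons:
            result[bho.clsid] = reasons
    return result


if __name__ == "__main__":
    for clsid, reasons in triage(SAMPLE_LOG).items():
        print(clsid)
        for r in reasons:
            print("  -", r)
```

Run on the sample, only the unnamed BHO is reported, with all three reasons; the Spybot entry is skipped by its CLSID. The CLSID allow-list is deliberately the first gate: a BHO's display name and path are both attacker-controlled, whereas a CLSID the analyst has already tied to a vendor is a stable key to skip on.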

#5 miekiemoes

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium
Posted 28 April 2008 - 05:12 AM

Let me know in your next reply how things are now.

Still with us?

#6 miekiemoes

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium
Posted 03 May 2008 - 12:44 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

