
Vundo Infection


This topic is locked
20 replies to this topic

#1 vundohate

  • Members
  • 13 posts

Posted 18 April 2008 - 05:11 PM

My computer starts up with a black screen. I open the task manager and open explorer.exe as a new task. After that, the desktop and taskbar periodically vanish and return. Startup takes a long time as well. Other than that I don't seem to have any problems. Spybot S&D didn't work, but it showed some startup programs that I didn't recognize. They didn't show up in msconfig.

dss main scan

Deckard's System Scanner v20071014.68
Run by jose on 2008-04-18 17:24:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 10.29 GiB (less than 15%) free.


-- HijackThis (run as jose.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:46 PM, on 4/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\jose\Desktop\dss.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jose.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02BA831E-5426-4AEB-B1DA-D7D7FAC62841} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {124BF132-4011-4077-896F-6424A1EA71F4} - (no file)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\iifdEuTM.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {636093CB-2051-03A9-0A1A-5200BEB3DBB7} - C:\WINDOWS\system32\ooc.dll (disabled by BHODemon)
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: (no name) - {9D8E3A87-D440-F6B0-479B-AA8F06782EE3} - C:\WINDOWS\System32\bwppgg.dll (disabled by BHODemon)
O2 - BHO: (no name) - {CD8E3AD1-804D-A7E3-409B-AA8F06782CE0} - C:\WINDOWS\System32\hajaazmn.dll (disabled by BHODemon)
O2 - BHO: (no name) - {DB6AD6E9-4A68-4615-968C-BE5435EB6E44} - C:\WINDOWS\System32\cbXPjJbA.dll
O2 - BHO: (no name) - {E2F14F68-F2DD-4035-A25B-2FEF6269868C} - C:\WINDOWS\system32\ssqRLCSI.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: interceptor.dll c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: khfgdcb - khfgdcb.dll (file missing)
O20 - Winlogon Notify: winlft32 - winlft32.dll (file missing)
O21 - SSODL: KAlBmTjU - {D8770E32-72DD-A498-1312-0904B5D189EB} - C:\WINDOWS\System32\tvvel.dll (file missing)

--
End of file - 5063 bytes

-- Files created between 2008-03-18 and 2008-04-18 -----------------------------

2008-04-18 17:24:39 0 d-------- C:\Program Files\Trend Micro
2008-04-17 18:53:09 1712128 --a------ C:\WINDOWS\System32\GdiPlus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-17 18:52:41 0 d-------- C:\Program Files\GhostSurf Platinum
2008-04-16 18:57:56 0 d-------- C:\VundoFix Backups
2008-04-16 18:16:39 0 d-------- C:\Documents and Settings\jose\Application Data\Uniblue
2008-04-16 18:16:33 0 d-------- C:\Program Files\Uniblue
2008-04-16 18:02:57 385321 --ahs---- C:\WINDOWS\System32\AbJjPXbc.ini2
2008-04-16 18:02:51 273408 --a------ C:\WINDOWS\System32\cbXPjJbA.dll
2008-04-15 16:15:31 0 d-------- C:\WINDOWS\?dobe
2008-04-13 14:29:57 0 d-------- C:\WINDOWS\Prefetch
2008-04-12 22:16:28 0 d-------- C:\WINDOWS\s?curity
2008-04-12 21:47:50 0 d-------- C:\Program Files\Messenger
2008-04-12 10:30:10 399987 --a------ C:\WINDOWS\System32\g44.exe
2008-04-12 09:43:31 49186 --a------ C:\WINDOWS\System32\jpwnw64o.exe <Not Verified; ; Browser Driver>
2008-04-11 21:59:38 262144 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-04-11 21:35:23 270670 --ahs---- C:\WINDOWS\System32\PoVGNqss.ini2
2008-04-11 20:22:51 288094 --ahs---- C:\WINDOWS\System32\XIkmonpo.ini2
2008-04-11 01:08:06 23026 --ahs---- C:\WINDOWS\System32\ehQtBcfe.ini2
2008-04-11 00:14:47 12582912 --a------ C:\Documents and Settings\jose\ntuser.dat
2008-04-11 00:14:44 1343488 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-04-11 00:14:24 285032 --ahs---- C:\WINDOWS\System32\ISCLRqss.ini2
2008-04-11 00:09:11 36864 -----n--- C:\WINDOWS\System32\iifdEuTM.dll
2008-04-05 10:23:25 0 dr-h----- C:\Documents and Settings\jose\Recent
2008-03-21 08:23:23 0 d-------- C:\WINDOWS\Applian FLV Player


-- Find3M Report ---------------------------------------------------------------

2008-04-16 17:59:28 3284 --a------ C:\WINDOWS\System32\ANIWZCS{21C03C8A-E819-464D-9409-380E782396DF}
2008-04-15 17:58:13 0 d-------- C:\Program Files\Common Files
2008-04-13 14:30:07 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-12 21:58:09 0 d-------- C:\Program Files\Movie Maker
2008-04-12 21:47:36 0 d-------- C:\Program Files\Windows NT
2008-04-11 20:23:55 0 d-------- C:\Program Files\DC++
2008-04-11 00:09:39 0 d-------- C:\Program Files\Common Files\?asks
2008-04-03 12:33:41 0 d-------- C:\Program Files\Real
2008-04-02 22:31:30 0 d-------- C:\Program Files\Steam
2008-03-15 14:55:41 0 d-------- C:\Program Files\Lavasoft
2008-03-02 00:43:31 0 d-------- C:\Program Files\eMedia Rock Guitar Method
2008-02-18 12:55:17 0 d-------- C:\Program Files\pkzip


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02BA831E-5426-4AEB-B1DA-D7D7FAC62841}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{124BF132-4011-4077-896F-6424A1EA71F4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
04/11/2008 12:09 AM 36864 --------- C:\WINDOWS\system32\iifdEuTM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636093CB-2051-03A9-0A1A-5200BEB3DBB7}]
C:\WINDOWS\system32\ooc.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D8E3A87-D440-F6B0-479B-AA8F06782EE3}]
C:\WINDOWS\System32\bwppgg.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD8E3AD1-804D-A7E3-409B-AA8F06782CE0}]
C:\WINDOWS\System32\hajaazmn.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6AD6E9-4A68-4615-968C-BE5435EB6E44}]
04/16/2008 06:02 PM 273408 --a------ C:\WINDOWS\System32\cbXPjJbA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2F14F68-F2DD-4035-A25B-2FEF6269868C}]
C:\WINDOWS\system32\ssqRLCSI.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [03/28/2005 03:25 PM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [12/16/2004 06:49 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\iifdEuTM.dll [04/11/2008 12:09 AM 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KAlBmTjU"= {D8770E32-72DD-A498-1312-0904B5D189EB} - C:\WINDOWS\System32\tvvel.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\System32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcb]
khfgdcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlft32]
winlft32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=interceptor.dll c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\cbXPjJbA

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
backup=C:\WINDOWS\pss\SpyCatcher Protector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^GhostSurf proxy.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\GhostSurf proxy.lnk
backup=C:\WINDOWS\pss\GhostSurf proxy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bepo]
"C:\DOCUME~1\jose\APPLIC~1\SKS~1\mshta.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitComet\BitComet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bmzlgzp]
"C:\Documents and Settings\jose\My Documents\?icrosoft\e?plorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ciciuskq]
"C:\Documents and Settings\jose\My Documents\s?curity\w?aclt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\System32\drvpur.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneIV]
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\pwinslds.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurf Reminder]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurfDelSatellite]
"C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV\mWhjlnspB]
C:\WINDOWS\system32\rcntqkdn.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Download Accelerator]
C:\Program Files\IDA\ida.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule8]
"C:\Program Files\ISM\ISMModule8.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
"C:\Program Files\ISM2\ISMPack6.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack8]
"C:\Program Files\ISM2\ISMPack8.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kvbp]
C:\WINDOWS\?dobe\s?anregw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
"C:\DOCUME~1\jose\LOCALS~1\Temp\install_en.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nttlplj]
"C:\Program Files\?ecurity\?hkntfs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRTCLK]
C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ohon]
"C:\DOCUME~1\jose\MYDOCU~1\YSTEM~1\javaw.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ootr]
"C:\WINDOWS\SCURIT~1\ati2evxx.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMRealtime]
C:\Program Files\PC MightyMax\pcmm.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
C:\WINDOWS\plite731.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prcn]
"C:\DOCUME~1\jose\APPLIC~1\STEM32~1\ati2evxx.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qrqvqrit]
rundll32.exe "C:\Program Files\ghqdwdoh\itctgvon.dll",Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{64a3b6af-20e7-fa63-1101-c1c98d9e069a}.dll" DllInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyprodetector]
C:\Program Files\Spyware Process Detector\spydetector.exe TRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tytmdqtc]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tytmdqtc.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wemqwdn]
"C:\Program Files\Common Files\?asks\?explore.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wsg32]
wsg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{70-0E-E3-31-DW}]
C:\WINDOWS\system32\rwwnw64d.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{70-0E-E3-31-ZN}]
c:\windows\system32\dwdsrngt.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"PDSched"=2 (0x2)
"PDEngine"=3 (0x3)
"SDhelper"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"NetDDEdsma"=2 (0x2)
"rpcapd"=3 (0x3)
"usnjsvc"=3 (0x3)
"VideoAcceleratorEngine"=3 (0x3)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"NVSvc"=2 (0x2)
"cmdService"=2 (0x2)
"ose"=3 (0x3)
"aawservice"=2 (0x2)
"ANIWZCSdService"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aad8146-c501-11db-8f14-806d6172696f}]
play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"




-- End of Deckard's System Scanner: finished at 2008-04-18 17:25:16 ------------


dss extra scan


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.26GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 511.48 MiB / 312.14 MiB
Pagefile Memory (total/avail): 1250.48 MiB / 1122.01 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.68 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.68 GiB total, 10.29 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.68 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jose\Application Data
CLASSPATH=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=S-XCPF692N8K8CY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jose
LOGONSERVER=\\S-XCPF692N8K8CY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM\;C:\WINDOWS\SYSTEM32\WSG32\;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
PS5ROOT=C:\Program Files\Roxio\Easy CD Creator 6\PhotoSuite\
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jose\LOCALS~1\Temp
TMP=C:\DOCUME~1\jose\LOCALS~1\Temp
USERDOMAIN=S-XCPF692N8K8CY
USERNAME=jose
USERPROFILE=C:\Documents and Settings\jose
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jose (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIM 6.0 --> C:\Program Files\AIM6\uninst.exe
AirPlus XtremeG --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{79B92240-9C65-4DD7-B1AD-59910D2C1353} /l1033
America's Army --> MsiExec.exe /I{6C5930D1-E4BC-4A10-AB5A-224C48CBA7E6}
AngelPotion Video Codec V1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\AngelPotion Video Codec V1\Uninst.isu"
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
BitComet 0.70 --> C:\Program Files\BitComet\uninst.exe
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
dBpowerAMP Music Converter --> "C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP Music Converter.dat
DC++ 0.705 --> "C:\Program Files\DC++\uninstall.exe"
DigiDrum Classic 1.0 --> C:\Program Files\VSTplugins\Audiosonic.dk\DigiDrum Classic\uninst.exe
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DMIView --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\dmi\Uninst.isu"
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
Easy CD & DVD Creator 6 --> MsiExec.exe /I{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}
EasyTune4 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\Uninst.isu"
eMedia Rock Guitar Method --> "C:\Program Files\eMedia Rock Guitar Method\Uninstall.exe" "C:\Program Files\eMedia Rock Guitar Method\install.log"
Ethereal 0.99.0 --> "C:\Program Files\Ethereal\uninstall.exe"
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
Gaim (remove only) --> C:\Program Files\ScatterChat\scatterchat-uninst.exe
GhostSurf Platinum --> "C:\Program Files\GhostSurf Platinum\unins000.exe"
GoldWave v5.20 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.20" "C:\Program Files\GoldWave\unstall.log"
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
LimeWire 4.9.37 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Making Waves --> C:\Making Waves\Making Waves.exe -uninstall
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
Pocket RAR documentation --> C:\Program Files\PocketRAR\uninstall.exe
Power Tab Editor 1.7 --> MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> Alcrmv.exe -r -m
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
SanDisk Digital Audio Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F37492D-F16F-42B5-B903-0AFD621D43B9}\setup.exe" -l0x9
Songbird 0.2.5 (Win32) --> "C:\Program Files\Songbird\songbird-uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Unreal Tournament 2004 Demo --> C:\UT2004Demo\System\Setup.exe uninstall "UT2004-Demo"
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> C:\Program Files\WinZip\WINZIP32.EXE /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type3257 / Error
Event Submitted/Written: 04/17/2008 06:58:24 PM
Event ID/Source: 11723 / MsiInstaller
Event Description:
Product: Microsoft Visual C++ 2005 Redistributable -- Error 1723.There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor. Action SxsUninstallCA, entry: CustomAction_SxsMsmCleanup, library: C:\WINDOWS\Installer\MSIE.tmp

Event Record #/Type3208 / Error
Event Submitted/Written: 04/17/2008 06:42:23 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type3207 / Error
Event Submitted/Written: 04/17/2008 06:42:23 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type3175 / Error
Event Submitted/Written: 04/17/2008 05:56:04 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type3174 / Error
Event Submitted/Written: 04/17/2008 05:56:04 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20386 / Error
Event Submitted/Written: 04/18/2008 04:00:45 PM
Event ID/Source: 33 / SideBySide
Event Description:
The application failed to launch because of an invalid manifest.

Event Record #/Type20382 / Error
Event Submitted/Written: 04/18/2008 04:00:31 PM
Event ID/Source: 64 / SideBySide
Event Description:
Syntax error in manifest or policy file "1" on line 2.
The root or application manifest contains the noInherit element but the dependent assembly manifest does not
contain the noInheritable element. Application manifests which contain the noInherit element may only
depend on assemblies which are noInheritable.

Event Record #/Type20381 / Error
Event Submitted/Written: 04/18/2008 04:00:30 PM
Event ID/Source: 33 / SideBySide
Event Description:
The application failed to launch because of an invalid manifest.

Event Record #/Type20380 / Error
Event Submitted/Written: 04/18/2008 04:00:30 PM
Event ID/Source: 33 / SideBySide
Event Description:
The application failed to launch because of an invalid manifest.

Event Record #/Type20379 / Error
Event Submitted/Written: 04/18/2008 04:00:30 PM
Event ID/Source: 64 / SideBySide
Event Description:
Syntax error in manifest or policy file "1" on line 2.
The root or application manifest contains the noInherit element but the dependent assembly manifest does not
contain the noInheritable element. Application manifests which contain the noInherit element may only
depend on assemblies which are noInheritable.



-- End of Deckard's System Scanner: finished at 2008-04-18 17:24:16 ------------


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:11 PM

Posted 19 April 2008 - 07:56 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution would be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all... I see your Windows is unpatched and I see you have disabled your Antivirus via msconfig. No wonder you got infected!!!

Any reason why you disabled your Antivirus? Please enable it asap!

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 vundohate

vundohate
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 19 April 2008 - 08:50 AM

I didn't think that it was that severe. I believe I had almost removed the virus before. I had restarted in safe mode, disabled the internet and deleted all files created the day I got infected. The only file that I couldn't delete was c:\windows\system32\iifdeutm.dll because it was being used by another program. I then restarted in normal mode and there were no problems, but as soon as I re-enabled the internet all the problems returned. I figure if we can remove that file and then all the other virus files, the problem will be solved. I had to disable TeaTimer because it said that for VundoFix and VirtumundoBeGone to work, TeaTimer needed to be disabled. By the way, I just noticed a new suspicious Internet Explorer icon on the desktop. It just appeared after the ComboFix scan. I just noticed that the log says I don't have the Recovery Console installed. It would appear that the virus is removing it. I used it a few days ago and when I installed DSS it said that it installed the Recovery Console.

I would like to avoid doing anything risky trying to remove the virus please.

ComboFix 08-04-18.3 - jose 2008-04-19 9:17:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.336 [GMT -4:00]
Running from: C:\Documents and Settings\jose\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jose\Application Data\macromedia\Flash Player\#SharedObjects\4RGB6MTF\www.broadcaster.com
C:\Documents and Settings\jose\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\jose\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\jose\Application Data\STEM32~1
C:\Documents and Settings\jose\Application Data\STEM32~1\??stem32\
C:\Documents and Settings\jose\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\asks~1\?explore.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\s?anregw.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\ati2evxx.exe
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\system32\AbJjPXbc.ini
C:\WINDOWS\system32\AbJjPXbc.ini2
C:\WINDOWS\system32\cbXPjJbA.dll
C:\WINDOWS\system32\d3
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\ehQtBcfe.ini2
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\f22
C:\WINDOWS\system32\iifdEuTM.dll
C:\WINDOWS\system32\ISCLRqss.ini
C:\WINDOWS\system32\ISCLRqss.ini2
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\oTt06e
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\p8
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\PoVGNqss.ini2
C:\WINDOWS\system32\s2
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\u2
C:\WINDOWS\system32\u2\atz28fu.exe
C:\WINDOWS\system32\v1
C:\WINDOWS\system32\XIkmonpo.ini2
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 17:24 . 2008-04-18 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 17:08 . 2008-04-18 17:08 <DIR> d-------- C:\Deckard
2008-04-17 18:53 . 2007-03-14 01:30 1,712,128 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-04-17 18:53 . 2006-07-26 22:13 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2008-04-17 18:52 . 2008-04-17 18:53 <DIR> d-------- C:\Program Files\GhostSurf Platinum
2008-04-16 18:57 . 2008-04-16 19:34 <DIR> d-------- C:\VundoFix Backups
2008-04-16 18:16 . 2008-04-16 18:16 <DIR> d-------- C:\Program Files\Uniblue
2008-04-16 18:16 . 2008-04-16 18:16 <DIR> d-------- C:\Documents and Settings\jose\Application Data\Uniblue
2008-04-13 14:23 . 2001-08-23 15:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-13 14:22 . 2001-08-23 15:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-13 14:13 . 2001-08-23 15:00 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2008-04-13 14:13 . 2001-08-23 15:00 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2008-04-13 14:13 . 2001-08-23 15:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2008-04-13 14:13 . 2001-08-23 15:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2008-04-13 14:13 . 2001-08-23 15:00 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2008-04-13 14:13 . 2001-08-23 15:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2008-04-13 14:13 . 2001-08-23 15:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-04-13 14:12 . 2001-08-23 15:00 209,408 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-04-13 14:12 . 2001-08-23 15:00 77,824 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-04-13 14:12 . 2001-08-23 15:00 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-04-13 14:12 . 2001-08-23 15:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-04-13 14:12 . 2001-08-23 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-04-12 21:58 . 2001-08-23 15:00 3,346,432 --a--c--- C:\WINDOWS\system32\dllcache\msgr3en.dll
2008-04-12 21:58 . 2001-08-23 15:00 806,978 --a--c--- C:\WINDOWS\system32\dllcache\moviemk.exe
2008-04-12 21:58 . 2001-08-23 15:00 794,686 --a--c--- C:\WINDOWS\system32\dllcache\srchui.dll
2008-04-12 21:58 . 2001-08-23 15:00 179,200 --a------ C:\WINDOWS\system32\qmgr.dll
2008-04-12 21:58 . 2001-08-23 15:00 179,200 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-12 21:58 . 2001-08-23 15:00 106,562 --a--c--- C:\WINDOWS\system32\dllcache\srchctls.dll
2008-04-12 21:58 . 2001-08-23 15:00 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-12 21:58 . 2001-08-23 15:00 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-12 21:56 . 2001-08-23 15:00 532,480 --a--c--- C:\WINDOWS\system32\dllcache\msobmain.dll
2008-04-12 21:56 . 2001-08-23 15:00 107,008 --a--c--- C:\WINDOWS\system32\dllcache\msobcomm.dll
2008-04-12 21:56 . 2001-08-23 15:00 49,664 --a--c--- C:\WINDOWS\system32\dllcache\oobebaln.exe
2008-04-12 21:56 . 2001-08-23 15:00 28,160 --a--c--- C:\WINDOWS\system32\dllcache\msobshel.dll
2008-04-12 21:56 . 2001-08-23 15:00 16,896 --a--c--- C:\WINDOWS\system32\dllcache\msobweb.dll
2008-04-12 21:56 . 2001-08-23 15:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\msobdl.dll
2008-04-12 21:54 . 2001-08-23 15:00 2,479,104 --a--c--- C:\WINDOWS\system32\dllcache\msoeres.dll
2008-04-12 21:52 . 2001-08-23 15:00 557,128 --a--c--- C:\WINDOWS\system32\dllcache\dao360.dll
2008-04-12 21:51 . 2001-08-23 15:00 110,592 --a--c--- C:\WINDOWS\system32\dllcache\msdarem.dll
2008-04-12 21:50 . 2001-08-23 15:00 307,200 --a--c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-04-12 21:47 . 2001-08-23 15:00 534,016 --a------ C:\WINDOWS\system32\spider.exe
2008-04-12 21:46 . 2001-08-23 15:00 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2008-04-12 21:46 . 2001-08-23 15:00 54,784 --a--c--- C:\WINDOWS\system32\dllcache\msdtclog.dll
2008-04-12 21:46 . 2001-08-23 15:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\cfgbkend.dll
2008-04-12 21:46 . 2001-08-23 15:00 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2008-04-12 21:46 . 2001-08-23 15:00 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2008-04-12 21:46 . 2001-08-23 15:00 18,432 --a--c--- C:\WINDOWS\system32\dllcache\qprocess.exe
2008-04-12 21:46 . 2001-08-23 15:00 8,704 --a------ C:\WINDOWS\system32\icaapi.dll
2008-04-12 21:46 . 2001-08-23 15:00 8,704 --a--c--- C:\WINDOWS\system32\dllcache\icaapi.dll
2008-04-12 21:46 . 2001-08-23 15:00 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2008-04-12 21:46 . 2001-08-23 15:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\msdtc.exe
2008-04-12 16:55 . 2001-08-23 15:00 8,192 --a--c--- C:\WINDOWS\system32\dllcache\comrepl.exe
2008-04-12 16:25 . 2001-08-23 15:00 100,864 --a--c--- C:\WINDOWS\system32\dllcache\wmisvc.dll
2008-04-12 16:25 . 2001-08-23 15:00 95,744 --a--c--- C:\WINDOWS\system32\dllcache\wmiutils.dll
2008-04-12 16:25 . 2001-08-23 15:00 85,504 --a--c--- C:\WINDOWS\system32\dllcache\catsrvps.dll
2008-04-12 16:25 . 2001-08-23 15:00 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2008-04-12 16:25 . 2001-08-23 15:00 38,912 --a--c--- C:\WINDOWS\system32\dllcache\wmipsess.dll
2008-04-12 16:23 . 2001-08-23 15:00 226,304 --a--c--- C:\WINDOWS\system32\dllcache\provthrd.dll
2008-04-12 16:23 . 2001-08-23 15:00 203,264 --a--c--- C:\WINDOWS\system32\dllcache\ntevt.dll
2008-04-12 16:23 . 2001-08-23 15:00 137,216 --a--c--- C:\WINDOWS\system32\dllcache\repdrvfs.dll
2008-04-12 16:23 . 2001-08-23 15:00 104,960 --a--c--- C:\WINDOWS\system32\dllcache\mofd.dll
2008-04-12 16:23 . 2001-08-23 15:00 89,600 --a--c--- C:\WINDOWS\system32\dllcache\policman.dll
2008-04-12 16:23 . 2001-08-23 15:00 80,896 --a--c--- C:\WINDOWS\system32\dllcache\stdprov.dll
2008-04-12 16:23 . 2001-08-23 15:00 60,928 --a--c--- C:\WINDOWS\system32\dllcache\ncprov.dll
2008-04-12 16:23 . 2001-08-23 15:00 33,792 --a--c--- C:\WINDOWS\system32\dllcache\scrcons.exe
2008-04-12 16:23 . 2001-08-23 15:00 23,552 --a--c--- C:\WINDOWS\system32\dllcache\krnlprov.dll
2008-04-12 16:23 . 2001-08-23 15:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\mofcomp.exe
2008-04-12 15:33 . 2001-08-23 15:00 174,592 --a--c--- C:\WINDOWS\system32\dllcache\framedyn.dll
2008-04-12 15:10 . 2001-08-23 15:00 235,520 --a--c--- C:\WINDOWS\system32\dllcache\esscli.dll
2008-04-12 13:34 . 2001-08-23 15:00 1,266,688 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-04-12 13:28 . 2001-08-23 15:00 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2008-04-12 13:28 . 2001-08-23 15:00 53,248 --a--c--- C:\WINDOWS\system32\dllcache\servdeps.dll
2008-04-12 13:23 . 2001-08-23 15:00 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2008-04-12 13:23 . 2001-08-23 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\mmfutil.dll
2008-04-12 13:14 . 2001-08-23 15:00 57,344 --a------ C:\WINDOWS\system32\licwmi.dll
2008-04-12 13:14 . 2001-08-23 15:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\licwmi.dll
2008-04-12 13:07 . 2001-08-23 15:00 174,592 --a--c--- C:\WINDOWS\system32\dllcache\cmprops.dll
2008-04-12 13:07 . 2001-08-23 15:00 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2008-04-12 12:05 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-04-12 12:04 . 2001-08-17 13:51 55,808 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-12 10:53 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-04-12 10:53 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-04-12 10:52 . 2001-08-17 13:50 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-04-12 10:52 . 2001-08-17 22:38 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-04-12 10:50 . 2001-08-23 15:00 1,085,913 -ra------ C:\WINDOWS\SET83.tmp
2008-04-12 10:50 . 2001-08-23 15:00 696,320 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2008-04-12 10:50 . 2001-08-23 15:00 147,456 --a--c--- C:\WINDOWS\system32\dllcache\sapi.cpl
2008-04-12 10:50 . 2001-08-23 15:00 131,584 --a------ C:\WINDOWS\system\WINSPOOL.DRV
2008-04-12 10:50 . 2001-08-17 22:36 70,656 --a------ C:\WINDOWS\system32\storprop.dll
2008-04-12 10:50 . 2001-08-23 15:00 13,608 -ra------ C:\WINDOWS\SET8F.tmp
2008-04-12 10:50 . 2001-08-23 15:00 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-04-12 10:50 . 2001-08-23 15:00 10,496 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2008-04-12 10:30 . 2008-04-12 10:30 399,987 --a------ C:\WINDOWS\system32\g44.exe
2008-04-12 09:43 . 2008-04-12 09:43 49,186 --a------ C:\WINDOWS\system32\jpwnw64o.exe
2008-04-04 20:36 . 2008-04-10 16:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 20:36 . 2008-04-04 20:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 08:23 . 2008-03-21 08:23 <DIR> d-------- C:\WINDOWS\Applian FLV Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 00:23 --------- d-----w C:\Program Files\DC++
2008-04-03 16:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-03 16:33 --------- d-----w C:\Program Files\Real
2008-04-03 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 02:31 --------- d-----w C:\Program Files\Steam
2008-03-15 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-15 18:55 --------- d-----w C:\Program Files\Lavasoft
2008-03-02 04:43 --------- d-----w C:\Program Files\eMedia Rock Guitar Method
2007-07-21 20:06 24,560 ----a-w C:\Documents and Settings\jose\Application Data\GDIPFONTCACHEV1.DAT
2007-06-24 21:40 2,112 ----a-w C:\Documents and Settings\jose\fet2_settings.dat
2005-07-29 20:24 472 --sha-r C:\WINDOWS\YWFh\sqI1.vbs
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636093CB-2051-03A9-0A1A-5200BEB3DBB7}]
C:\WINDOWS\system32\ooc.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D8E3A87-D440-F6B0-479B-AA8F06782EE3}]
C:\WINDOWS\System32\bwppgg.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD8E3AD1-804D-A7E3-409B-AA8F06782CE0}]
C:\WINDOWS\System32\hajaazmn.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2F14F68-F2DD-4035-A25B-2FEF6269868C}]
C:\WINDOWS\system32\ssqRLCSI.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 15:25 1011712]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KAlBmTjU"= {D8770E32-72DD-A498-1312-0904B5D189EB} - C:\WINDOWS\System32\tvvel.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcb]
khfgdcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlft32]
winlft32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
backup=C:\WINDOWS\pss\SpyCatcher Protector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^GhostSurf proxy.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\GhostSurf proxy.lnk
backup=C:\WINDOWS\pss\GhostSurf proxy.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-12-16 18:49 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bepo]
C:\DOCUME~1\jose\APPLIC~1\SKS~1\mshta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
--a------ 2006-06-23 13:00 3394048 C:\Program Files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bmzlgzp]
C:\Documents and Settings\jose\My Documents\?icrosoft\e?plorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ciciuskq]
C:\Documents and Settings\jose\My Documents\s?curity\w?aclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\System32\drvpur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
--a------ 2005-03-28 15:25 1011712 C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneIV]
--a------ 2003-11-20 18:44 1560626 C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\pwinslds.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurf Reminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurfDelSatellite]
C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV\mWhjlnspB]
C:\WINDOWS\system32\rcntqkdn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Download Accelerator]
C:\Program Files\IDA\ida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule8]
C:\Program Files\ISM\ISMModule8.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
C:\Program Files\ISM2\ISMPack6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack8]
C:\Program Files\ISM2\ISMPack8.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kvbp]
C:\WINDOWS\?dobe\s?anregw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 16:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-11-07 16:41 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 07:14 1077277 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
C:\DOCUME~1\jose\LOCALS~1\Temp\install_en.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nttlplj]
C:\Program Files\?ecurity\?hkntfs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2003-11-16 22:33 3022848 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra------ 2003-11-16 22:33 49152 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRTCLK]
-ra------ 2003-12-30 05:44 24576 C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ohon]
C:\DOCUME~1\jose\MYDOCU~1\YSTEM~1\javaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ootr]
C:\WINDOWS\SCURIT~1\ati2evxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMRealtime]
C:\Program Files\PC MightyMax\pcmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
C:\WINDOWS\plite731.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prcn]
C:\DOCUME~1\jose\APPLIC~1\STEM32~1\ati2evxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qrqvqrit]
C:\Program Files\ghqdwdoh\itctgvon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-27 22:33 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 10:21 253952 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 11:19 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 15:05 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\system32\{64a3b6af-20e7-fa63-1101-c1c98d9e069a}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyprodetector]
C:\Program Files\Spyware Process Detector\spydetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 18:51 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tytmdqtc]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\tytmdqtc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wemqwdn]
C:\Program Files\Common Files\?asks\?explore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wsg32]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{70-0E-E3-31-DW}]
C:\WINDOWS\system32\rwwnw64d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{70-0E-E3-31-ZN}]
c:\windows\system32\dwdsrngt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"PDSched"=2 (0x2)
"PDEngine"=3 (0x3)
"SDhelper"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"NetDDEdsma"=2 (0x2)
"rpcapd"=3 (0x3)
"usnjsvc"=3 (0x3)
"VideoAcceleratorEngine"=3 (0x3)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"NVSvc"=2 (0x2)
"cmdService"=2 (0x2)
"ose"=3 (0x3)
"aawservice"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"= :Yahoo! Music Jukebox
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\dursh\\counter-strike\\hl.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\UT2004Demo\\System\\UT2004.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP

R2 ETDrv;ETDrv;C:\WINDOWS\System32\drivers\ETDrv.sys [2003-11-12 10:46]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\System32\DRIVERS\A3AB.sys [2005-03-22 20:17]
S1 cdr4xxpp;cdr4xxpp;C:\WINDOWS\System32\drivers\cdr4xxpp.sys []
S2 spydetector;spydetector;C:\Program Files\Spyware Process Detector\spydetector.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2005-08-02 17:10]
S4 NetDDEdsma;Network DDE DSMA;"C:\WINDOWS\svchost.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aad8146-c501-11db-8f14-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 20:13:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
"2007-05-10 20:13:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 09:23:08
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-19 9:30:55 - machine was rebooted [jose]
ComboFix-quarantined-files.txt 2008-04-19 13:29:49

Pre-Run: 10,985,512,960 bytes free
Post-Run: 10,919,317,504 bytes free

432 --- E O F --- 2007-11-13 23:49:37

#4 vundohate (Topic Starter)

Posted 19 April 2008 - 08:52 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:18 AM, on 4/19/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {636093CB-2051-03A9-0A1A-5200BEB3DBB7} - C:\WINDOWS\system32\ooc.dll (disabled by BHODemon)
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: (no name) - {9D8E3A87-D440-F6B0-479B-AA8F06782EE3} - C:\WINDOWS\System32\bwppgg.dll (disabled by BHODemon)
O2 - BHO: (no name) - {CD8E3AD1-804D-A7E3-409B-AA8F06782CE0} - C:\WINDOWS\System32\hajaazmn.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E2F14F68-F2DD-4035-A25B-2FEF6269868C} - C:\WINDOWS\system32\ssqRLCSI.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: khfgdcb - khfgdcb.dll (file missing)
O20 - Winlogon Notify: winlft32 - winlft32.dll (file missing)
O21 - SSODL: KAlBmTjU - {D8770E32-72DD-A498-1312-0904B5D189EB} - C:\WINDOWS\System32\tvvel.dll (file missing)

--
End of file - 4653 bytes

#5 miekiemoes (Malware Response Team)

Posted 19 April 2008 - 09:13 AM

Hi,

Have you read this in my previous post?

Any reason why you disabled your Antivirus? Please enable it asap!

This is Really important!!
Also, I see McAfee and AVG here. You can only have 1 Antivirus, so you have to uninstall one.


I don't have recovery console installed. It would appear that the virus is removing it.

Have you read the instructions on the Combofix site I gave you previously how to install the Recovery console?

It also appears that you have been doing a repair install as well, so don't forget to install all Windows updates!!!

Anyway, open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy/paste the text in the quotebox below into Notepad:

File::
C:\WINDOWS\SET83.tmp
C:\WINDOWS\SET8F.tmp
C:\WINDOWS\system32\g44.exe
C:\WINDOWS\system32\jpwnw64o.exe
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\pss\TA_Start.lnkStartup
Folder::
C:\WINDOWS\YWFh
C:\VundoFix Backups
Driver::
NetDDEdsma
spydetector
cdr4xxpp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636093CB-2051-03A9-0A1A-5200BEB3DBB7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D8E3A87-D440-F6B0-479B-AA8F06782EE3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD8E3AD1-804D-A7E3-409B-AA8F06782CE0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2F14F68-F2DD-4035-A25B-2FEF6269868C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KAlBmTjU"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlft32]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bepo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bmzlgzp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ciciuskq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV\mWhjlnspB]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Download Accelerator]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule8]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack8]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kvbp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nttlplj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRTCLK]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ohon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ootr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prcn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qrqvqrit]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyprodetector]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tytmdqtc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wemqwdn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wsg32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{70-0E-E3-31-DW}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{70-0E-E3-31-ZN}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetDDEdsma"=-
"cmdService"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

#6 vundohate (Topic Starter)

Posted 19 April 2008 - 09:30 AM

My antivirus is not disabled and I don't have McAfee or AVG. I uninstalled them long ago.

I installed recovery console again from the cd.

The repair install I tried before wouldn't work. It said that several files on the cd weren't there even though they were and I had successfully done a repair install from the same cd before.

I'm going to do the cfscript now.

#7 miekiemoes (Malware Response Team)

Posted 19 April 2008 - 09:33 AM

My antivirus is not disabled and I don't have McAfee or AVG. I uninstalled them long ago.

Ok, can you tell me what Antivirus you are currently running? Because I don't see an active Antivirus present here.

Also, since you already deleted McAfee and AVG previously, do this as well to remove the references in msconfig.

Open Notepad and copy and paste the text in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=-
"Avg7UpdSvc"=-
"MCVSRte"=-
"mcupdmgr.exe"=-
"McTskshd.exe"=-
"McShield"=-
"McDetect.exe"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: [screenshot]
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)
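As an added example (not code from this thread, nor from the authors of ComboFix or Deckard's System Scanner) that serves both the CFScript in post #5 and the fix.reg in post #7: a small Python script that reads the msconfig section of a DSS log, flags the startup entries a responder would question, and writes out the matching REGEDIT4 removal script. The sample lines are copied from the DSS log posted earlier in this thread. One assumption is mine and not stated anywhere in the thread: DSS prints an attribute/date/size prefix only when it could read the target file, so a bare command line is treated as "file not present at scan time". Function and constant names are hypothetical.

```python
import re
from dataclasses import dataclass

# Registry paths exactly as they appear in the DSS dump. Windows treats key names
# case-insensitively, so every comparison below lowercases both sides.
STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" + "\\"
SERVICES = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"

# Constructed sample: four startupreg keys and three service values copied from the
# DSS log posted in this thread, in the layout DSS prints them.
SAMPLE_DSS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-27 22:33 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ohon]
C:\DOCUME~1\jose\MYDOCU~1\YSTEM~1\javaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wemqwdn]
C:\Program Files\Common Files\?asks\?explore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"McShield"=3 (0x3)
"NVSvc"=2 (0x2)
"""

# Assumption: DSS prints "<attrs> <date> <time> <size> <path>" only when it could
# stat the target file; a bare command line means the file was not found.
META_RE = re.compile(r"^[-a-z]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(.+)$")
SERVICE_RE = re.compile(r'^"([^"]+)"=(\d+)')
USER_PROFILE_RE = re.compile(r"\\(DOCUME~1|Documents and Settings)\\", re.IGNORECASE)


@dataclass
class StartupEntry:
    name: str                # subkey name under ...\msconfig\startupreg
    command: str = ""        # command line or path stored in the key
    file_seen: bool = False  # True when DSS printed attributes/size for the target


def parse_dss_msconfig(text):
    """Return (list of StartupEntry, {service name: start type}) from a DSS dump."""
    startup, services, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section.lower().startswith(STARTUPREG.lower()):
                startup.append(StartupEntry(name=section[len(STARTUPREG):]))
            continue
        if not line or section is None:
            continue
        if section.lower() == SERVICES.lower():
            m = SERVICE_RE.match(line)
            if m:
                services[m.group(1)] = int(m.group(2))
        elif section.lower().startswith(STARTUPREG.lower()):
            m = META_RE.match(line)
            if m:
                startup[-1].command, startup[-1].file_seen = m.group(1), True
            else:
                startup[-1].command = line
    return startup, services


def suspicious(entry):
    """Reasons an msconfig startup entry deserves a second look (empty list = nothing found)."""
    reasons = []
    if not entry.command:
        reasons.append("orphaned key with no command recorded")
    elif not entry.file_seen:
        reasons.append("target file not present at scan time")
    if USER_PROFILE_RE.search(entry.command):
        reasons.append("runs from a user profile directory")
    if "?" in entry.command:
        reasons.append("non-printable characters in path")
    return reasons


def build_reg_script(startup, services, drop_services):
    """Build a REGEDIT4 script: '[-key]' deletes a whole key, '"name"=-' deletes a value."""
    lines = ["REGEDIT4", ""]
    for e in startup:
        if suspicious(e):
            lines += [f"[-{STARTUPREG}{e.name}]", ""]
    lines.append(f"[{SERVICES}]")
    for svc in drop_services:
        if svc in services:  # skip names the dump does not contain
            lines.append(f'"{svc}"=-')
    lines.append("")
    # REGEDIT4 (unlike "Windows Registry Editor Version 5.00") is an ANSI text
    # format, so save the result in the system code page, not UTF-16.
    return "\n".join(lines)


if __name__ == "__main__":
    entries, svcs = parse_dss_msconfig(SAMPLE_DSS)
    for e in entries:
        print(f"{e.name:15} {e.command or '<empty>'}  {'; '.join(suspicious(e)) or 'ok'}")
    print(build_reg_script(entries, svcs, ["AVGEMS", "Avg7UpdSvc", "McShield"]))
```

The flags are heuristics for triage, not verdicts: a legitimate tool can run from a profile directory, and a vendor entry can be left behind by an incomplete uninstall (which is exactly what the AVG and McAfee service values in post #7 are). Review the generated script before merging it, and keep the DSS log as the record of what was removed.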

#8 vundohate (Topic Starter)

Posted 19 April 2008 - 09:50 AM

I thought teatimer was enabled.

ComboFix 08-04-18.3 - jose 2008-04-19 10:30:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.306 [GMT -4:00]
Running from: C:\Documents and Settings\jose\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jose\Desktop\cfscript.txt

FILE ::
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\SET83.tmp
C:\WINDOWS\SET8F.tmp
C:\WINDOWS\system32\g44.exe
C:\WINDOWS\system32\jpwnw64o.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\iifdEuTM.dll.bad
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\SET83.tmp
C:\WINDOWS\SET8F.tmp
C:\WINDOWS\system32\g44.exe
C:\WINDOWS\system32\jpwnw64o.exe
C:\WINDOWS\YWFh
C:\WINDOWS\YWFh\sqI1.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDR4XXPP
-------\Legacy_NETDDEDSMA
-------\Legacy_SPYDETECTOR
-------\Service_cdr4xxpp
-------\Service_NetDDEdsma
-------\Service_spydetector


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 17:24 . 2008-04-18 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 17:08 . 2008-04-18 17:08 <DIR> d-------- C:\Deckard
2008-04-17 18:53 . 2007-03-14 01:30 1,712,128 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-04-17 18:53 . 2006-07-26 22:13 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2008-04-17 18:52 . 2008-04-17 18:53 <DIR> d-------- C:\Program Files\GhostSurf Platinum
2008-04-16 18:16 . 2008-04-16 18:16 <DIR> d-------- C:\Program Files\Uniblue
2008-04-16 18:16 . 2008-04-16 18:16 <DIR> d-------- C:\Documents and Settings\jose\Application Data\Uniblue
2008-04-13 14:23 . 2001-08-23 15:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-13 14:22 . 2001-08-23 15:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-13 14:14 . 2008-04-13 14:14 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-13 14:13 . 2001-08-23 15:00 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2008-04-13 14:13 . 2001-08-23 15:00 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2008-04-13 14:13 . 2001-08-23 15:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2008-04-13 14:13 . 2001-08-23 15:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2008-04-13 14:13 . 2001-08-23 15:00 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2008-04-13 14:13 . 2001-08-23 15:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2008-04-13 14:13 . 2001-08-23 15:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-04-13 14:12 . 2001-08-23 15:00 209,408 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-04-13 14:12 . 2001-08-23 15:00 77,824 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-04-13 14:12 . 2001-08-23 15:00 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-04-13 14:12 . 2001-08-23 15:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-04-13 14:12 . 2001-08-23 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-04-12 21:58 . 2001-08-23 15:00 3,346,432 --a--c--- C:\WINDOWS\system32\dllcache\msgr3en.dll
2008-04-12 21:58 . 2001-08-23 15:00 806,978 --a--c--- C:\WINDOWS\system32\dllcache\moviemk.exe
2008-04-12 21:58 . 2001-08-23 15:00 794,686 --a--c--- C:\WINDOWS\system32\dllcache\srchui.dll
2008-04-12 21:58 . 2001-08-23 15:00 179,200 --a------ C:\WINDOWS\system32\qmgr.dll
2008-04-12 21:58 . 2001-08-23 15:00 179,200 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-12 21:58 . 2001-08-23 15:00 106,562 --a--c--- C:\WINDOWS\system32\dllcache\srchctls.dll
2008-04-12 21:58 . 2001-08-23 15:00 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-12 21:58 . 2001-08-23 15:00 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-12 21:56 . 2001-08-23 15:00 532,480 --a--c--- C:\WINDOWS\system32\dllcache\msobmain.dll
2008-04-12 21:56 . 2001-08-23 15:00 107,008 --a--c--- C:\WINDOWS\system32\dllcache\msobcomm.dll
2008-04-12 21:56 . 2001-08-23 15:00 49,664 --a--c--- C:\WINDOWS\system32\dllcache\oobebaln.exe
2008-04-12 21:56 . 2001-08-23 15:00 28,160 --a--c--- C:\WINDOWS\system32\dllcache\msobshel.dll
2008-04-12 21:56 . 2001-08-23 15:00 16,896 --a--c--- C:\WINDOWS\system32\dllcache\msobweb.dll
2008-04-12 21:56 . 2001-08-23 15:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\msobdl.dll
2008-04-12 21:54 . 2001-08-23 15:00 2,479,104 --a--c--- C:\WINDOWS\system32\dllcache\msoeres.dll
2008-04-12 21:52 . 2001-08-23 15:00 557,128 --a--c--- C:\WINDOWS\system32\dllcache\dao360.dll
2008-04-12 21:51 . 2001-08-23 15:00 110,592 --a--c--- C:\WINDOWS\system32\dllcache\msdarem.dll
2008-04-12 21:50 . 2001-08-23 15:00 307,200 --a--c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-04-12 21:47 . 2001-08-23 15:00 534,016 --a------ C:\WINDOWS\system32\spider.exe
2008-04-12 21:46 . 2001-08-23 15:00 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2008-04-12 21:46 . 2001-08-23 15:00 54,784 --a--c--- C:\WINDOWS\system32\dllcache\msdtclog.dll
2008-04-12 21:46 . 2001-08-23 15:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\cfgbkend.dll
2008-04-12 21:46 . 2001-08-23 15:00 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2008-04-12 21:46 . 2001-08-23 15:00 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2008-04-12 21:46 . 2001-08-23 15:00 18,432 --a--c--- C:\WINDOWS\system32\dllcache\qprocess.exe
2008-04-12 21:46 . 2001-08-23 15:00 8,704 --a------ C:\WINDOWS\system32\icaapi.dll
2008-04-12 21:46 . 2001-08-23 15:00 8,704 --a--c--- C:\WINDOWS\system32\dllcache\icaapi.dll
2008-04-12 21:46 . 2001-08-23 15:00 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2008-04-12 21:46 . 2001-08-23 15:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\msdtc.exe
2008-04-12 16:55 . 2001-08-23 15:00 8,192 --a--c--- C:\WINDOWS\system32\dllcache\comrepl.exe
2008-04-12 16:25 . 2001-08-23 15:00 100,864 --a--c--- C:\WINDOWS\system32\dllcache\wmisvc.dll
2008-04-12 16:25 . 2001-08-23 15:00 95,744 --a--c--- C:\WINDOWS\system32\dllcache\wmiutils.dll
2008-04-12 16:25 . 2001-08-23 15:00 85,504 --a--c--- C:\WINDOWS\system32\dllcache\catsrvps.dll
2008-04-12 16:25 . 2001-08-23 15:00 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2008-04-12 16:25 . 2001-08-23 15:00 38,912 --a--c--- C:\WINDOWS\system32\dllcache\wmipsess.dll
2008-04-12 16:23 . 2001-08-23 15:00 226,304 --a--c--- C:\WINDOWS\system32\dllcache\provthrd.dll
2008-04-12 16:23 . 2001-08-23 15:00 203,264 --a--c--- C:\WINDOWS\system32\dllcache\ntevt.dll
2008-04-12 16:23 . 2001-08-23 15:00 137,216 --a--c--- C:\WINDOWS\system32\dllcache\repdrvfs.dll
2008-04-12 16:23 . 2001-08-23 15:00 104,960 --a--c--- C:\WINDOWS\system32\dllcache\mofd.dll
2008-04-12 16:23 . 2001-08-23 15:00 89,600 --a--c--- C:\WINDOWS\system32\dllcache\policman.dll
2008-04-12 16:23 . 2001-08-23 15:00 80,896 --a--c--- C:\WINDOWS\system32\dllcache\stdprov.dll
2008-04-12 16:23 . 2001-08-23 15:00 60,928 --a--c--- C:\WINDOWS\system32\dllcache\ncprov.dll
2008-04-12 16:23 . 2001-08-23 15:00 33,792 --a--c--- C:\WINDOWS\system32\dllcache\scrcons.exe
2008-04-12 16:23 . 2001-08-23 15:00 23,552 --a--c--- C:\WINDOWS\system32\dllcache\krnlprov.dll
2008-04-12 16:23 . 2001-08-23 15:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\mofcomp.exe
2008-04-12 15:33 . 2001-08-23 15:00 174,592 --a--c--- C:\WINDOWS\system32\dllcache\framedyn.dll
2008-04-12 15:10 . 2001-08-23 15:00 235,520 --a--c--- C:\WINDOWS\system32\dllcache\esscli.dll
2008-04-12 13:34 . 2001-08-23 15:00 1,266,688 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-04-12 13:28 . 2001-08-23 15:00 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2008-04-12 13:28 . 2001-08-23 15:00 53,248 --a--c--- C:\WINDOWS\system32\dllcache\servdeps.dll
2008-04-12 13:23 . 2001-08-23 15:00 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2008-04-12 13:23 . 2001-08-23 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\mmfutil.dll
2008-04-12 13:14 . 2001-08-23 15:00 57,344 --a------ C:\WINDOWS\system32\licwmi.dll
2008-04-12 13:14 . 2001-08-23 15:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\licwmi.dll
2008-04-12 13:07 . 2001-08-23 15:00 174,592 --a--c--- C:\WINDOWS\system32\dllcache\cmprops.dll
2008-04-12 13:07 . 2001-08-23 15:00 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2008-04-12 12:05 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-04-12 12:04 . 2001-08-17 13:51 55,808 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-12 10:53 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-04-12 10:53 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-04-12 10:52 . 2001-08-17 13:50 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-04-12 10:52 . 2001-08-17 22:38 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-04-12 10:50 . 2001-08-23 15:00 696,320 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2008-04-12 10:50 . 2001-08-23 15:00 147,456 --a--c--- C:\WINDOWS\system32\dllcache\sapi.cpl
2008-04-12 10:50 . 2001-08-23 15:00 131,584 --a------ C:\WINDOWS\system\WINSPOOL.DRV
2008-04-12 10:50 . 2001-08-17 22:36 70,656 --a------ C:\WINDOWS\system32\storprop.dll
2008-04-12 10:50 . 2001-08-23 15:00 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-04-12 10:50 . 2001-08-23 15:00 10,496 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2008-04-04 20:36 . 2008-04-10 16:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 20:36 . 2008-04-04 20:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 08:23 . 2008-03-21 08:23 <DIR> d-------- C:\WINDOWS\Applian FLV Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 00:23 --------- d-----w C:\Program Files\DC++
2008-04-03 16:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-03 16:33 --------- d-----w C:\Program Files\Real
2008-04-03 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 02:31 --------- d-----w C:\Program Files\Steam
2008-03-15 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-15 18:55 --------- d-----w C:\Program Files\Lavasoft
2008-03-02 04:43 --------- d-----w C:\Program Files\eMedia Rock Guitar Method
2007-07-21 20:06 24,560 ----a-w C:\Documents and Settings\jose\Application Data\GDIPFONTCACHEV1.DAT
2007-06-24 21:40 2,112 ----a-w C:\Documents and Settings\jose\fet2_settings.dat
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_ 9.29.27.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 13:21:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 14:33:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2001-09-28 16:37:00 19,200 ----a-w C:\WINDOWS\setupupd\updates\i386\usbuhci.sys
+ 2002-01-23 00:26:56 443,392 ----a-w C:\WINDOWS\setupupd\winnt32\w95upgnt.dll
+ 2002-01-23 00:26:58 831,488 ----a-w C:\WINDOWS\setupupd\winnt32\win9xupg\w95upg.dll
+ 2002-01-30 22:16:16 1,142,784 ----a-w C:\WINDOWS\setupupd\winnt32\winnt32a.dll
+ 2002-01-30 22:16:22 1,246,208 ----a-w C:\WINDOWS\setupupd\winnt32\winnt32u.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02BA831E-5426-4AEB-B1DA-D7D7FAC62841}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{124BF132-4011-4077-896F-6424A1EA71F4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636093CB-2051-03A9-0A1A-5200BEB3DBB7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D8E3A87-D440-F6B0-479B-AA8F06782EE3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD8E3AD1-804D-A7E3-409B-AA8F06782CE0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6AD6E9-4A68-4615-968C-BE5435EB6E44}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2F14F68-F2DD-4035-A25B-2FEF6269868C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 15:25 1011712]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlft32]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^GhostSurf proxy.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\GhostSurf proxy.lnk
backup=C:\WINDOWS\pss\GhostSurf proxy.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jose^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\jose\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-12-16 18:49 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
--a------ 2005-03-28 15:25 1011712 C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneIV]
--a------ 2003-11-20 18:44 1560626 C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurf Reminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurfDelSatellite]
C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 16:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-11-07 16:41 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 07:14 1077277 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2003-11-16 22:33 3022848 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra------ 2003-11-16 22:33 49152 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMRealtime]
C:\Program Files\PC MightyMax\pcmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-27 22:33 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 10:21 253952 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 11:19 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 15:05 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 18:51 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"PDSched"=2 (0x2)
"PDEngine"=3 (0x3)
"SDhelper"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"rpcapd"=3 (0x3)
"usnjsvc"=3 (0x3)
"VideoAcceleratorEngine"=3 (0x3)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"NVSvc"=2 (0x2)
"ose"=3 (0x3)
"aawservice"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"= :Yahoo! Music Jukebox
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\dursh\\counter-strike\\hl.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\UT2004Demo\\System\\UT2004.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP

R2 ETDrv;ETDrv;C:\WINDOWS\System32\drivers\ETDrv.sys [2003-11-12 10:46]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\System32\DRIVERS\A3AB.sys [2005-03-22 20:17]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2005-08-02 17:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aad8146-c501-11db-8f14-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 20:13:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
"2007-05-10 20:13:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 10:35:26
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 10:43:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 14:42:04
ComboFix2.txt 2008-04-19 13:30:55

Pre-Run: 10,914,664,448 bytes free
Post-Run: 10,901,868,544 bytes free

331 --- E O F --- 2007-11-13 23:49:37

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 April 2008 - 09:57 AM

Hi,

I thought teatimer was enabled.

TeaTimer is not an antivirus!!!

Look in my signature below under Antivirus scanners for an Antivirus.

Can you also post a new HijackThis log please?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 vundohate

vundohate
  • Topic Starter

  • Members
  • 13 posts

Posted 19 April 2008 - 09:58 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:16 AM, on 4/19/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02BA831E-5426-4AEB-B1DA-D7D7FAC62841} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {124BF132-4011-4077-896F-6424A1EA71F4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: (no name) - {DB6AD6E9-4A68-4615-968C-BE5435EB6E44} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1

--
End of file - 4638 bytes

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 April 2008 - 10:07 AM

Hi,

It is important that you perform the following instructions in the right order...

First step: I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

I strongly recommend uninstalling the Mario Forever Toolbar, since it is adware supported.
Also, you are using Download Accelerator (DAP). Be informed that it delivers popup/popunder ads and tracks your internet usage. You can find safer alternatives here: http://www.spywareinfo.com/downloads.php?cat=dlman#dlman
I suggest you remove it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.

Reboot after uninstalling.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {02BA831E-5426-4AEB-B1DA-D7D7FAC62841} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {124BF132-4011-4077-896F-6424A1EA71F4} - (no file)
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: (no name) - {DB6AD6E9-4A68-4615-968C-BE5435EB6E44} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Then, * Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, visit Windows Update and install all updates! This includes Service Pack 2.

Reboot after installing all updates.

Then, install an Antivirus!!!! See in my signature below.

Reboot after uninstalling the Antivirus.

Then, rescan with HijackThis and post a new log in your next reply.
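As an added example (not code from this thread, HijackThis or ComboFix), here is a small Python triage script that applies the same checks miekiemoes made by eye to the HijackThis log: O2/O3/O9 entries whose file is gone, O16 ActiveX downloads, and O17 NameServer values outside the RFC 1918 LAN ranges. The sample lines are copied from the log posted above; the `Finding` type and `triage()` function are this example's own.

```python
"""Triage a HijackThis 2.0.2 log the way a helper does in this thread.

Added example, not HijackThis or ComboFix code.  Checks: O2/O3/O9 entries
whose file is missing (orphans), O16 ActiveX downloads, and O17 NameServer
values that are not in the RFC 1918 ranges a home router normally uses.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: (no name) - {02BA831E-5426-4AEB-B1DA-D7D7FAC62841} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)",
    r"O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1",
]

# A COM class id as HijackThis prints it: {8-4-4-4-12 hex digits}.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_O3_RE = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")

# Private address space a home router's DNS normally sits in (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section id: O2, O3, O9, O16, O17
    reason: str   # why a helper would look at this line
    line: str     # the original log line


def _missing(target):
    """True for the two ways HijackThis marks an entry whose file is gone."""
    t = target.strip()
    return t == "(no file)" or t.endswith("(file missing)")


def _is_lan(ip):
    return any(ip in net for net in RFC1918)


def triage(lines):
    """Return Findings for an iterable of HijackThis log lines, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_O3_RE.match(line) or O9_RE.match(line)
        if m:
            if _missing(m["target"]):
                section = line.split(" ", 1)[0]  # "O2", "O3" or "O9"
                findings.append(Finding(section, "registered in IE but its file is gone (orphan entry); fix it", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or "?"
            findings.append(Finding("O16", "ActiveX control downloaded from %s; remove unless still needed" % host, line))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m["servers"].split(","):
                value = server.strip()
                try:
                    ip = ipaddress.ip_address(value)
                except ValueError:
                    findings.append(Finding("O17", "unparsable NameServer value %r" % value, line))
                    continue
                if not _is_lan(ip):
                    findings.append(Finding("O17", "DNS server %s is outside the LAN ranges; verify it is the ISP's, not a hijack" % ip, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print("%-3s %s\n    %s" % (f.section, f.reason, f.line))
```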

#12 vundohate

vundohate
  • Topic Starter

  • Members
  • 13 posts

Posted 19 April 2008 - 10:22 AM

Bad news. Add/remove programs menu doesn't load. I double click and nothing happens.

Edited by vundohate, 19 April 2008 - 10:23 AM.


#13 vundohate

vundohate
  • Topic Starter

  • Members
  • 13 posts

Posted 19 April 2008 - 10:27 AM

I tried again and it opened but it is blank.

#14 vundohate

vundohate
  • Topic Starter

  • Members
  • 13 posts

Posted 19 April 2008 - 10:53 AM

I'd like to keep DAP, Mario Forever, and the PopCap thing. I've had these for years now. I removed the other things and updated Java. Startup is still taking a while.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:58 AM, on 4/19/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21C03C8A-E819-464D-9409-380E782396DF}: NameServer = 192.168.0.1

--
End of file - 3744 bytes

Edited by vundohate, 19 April 2008 - 10:55 AM.


#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 April 2008 - 11:08 AM

Hi,

You did not perform all the steps I asked. I asked to update your Windows (which should also fix add/remove programs) and to install an Antivirus.



