Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde And Trojan Horse I Think


  • This topic is locked This topic is locked
70 replies to this topic

#1 Arkzadis

Arkzadis

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 02 May 2008 - 06:52 AM

Im not sure if these viruses are dangerous, I think it my PC - Cillin (anti-virus software) is saying that it has a low risk but it cannot delete the virus, what do i do? =S Are you guyz computer geniuses? My friend says he loves your work but this is my first time trying this forum XD

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-02 21:42:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
71: 2008-05-02 11:42:24 UTC - RP183 - Deckard's System Scanner Restore Point
70: 2008-05-01 08:16:58 UTC - RP182 - System Checkpoint
69: 2008-04-29 09:15:50 UTC - RP181 - System Checkpoint
68: 2008-04-28 08:20:02 UTC - RP180 - System Checkpoint
67: 2008-04-27 08:19:07 UTC - RP179 - System Checkpoint


-- First Restore Point --
1: 2008-04-22 10:35:27 UTC - RP113 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-02 21:44:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 2007\PcCtlCom.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2007\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\TmPfw.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security 2007\PcScnSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2007\tmproxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blackle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6582C887-7B35-4A0A-B92C-BE7CA29E5F29} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84F4542E-E7FB-498F-84EB-83FF3A2FCE64} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Volume Shadow Installer] cvisvc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~2.EXE -Update -1030024 -iexplore.exe7.0
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: wgmrktqp - C:\WINDOWS\system32\
O20 - Winlogon Notify: __c00E0496 - C:\WINDOWS\system32\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\PcScnSrv.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\tmproxy.exe
O24 - Desktop Component 0: - http://www.anime-wallpapers.ws/anime/air/thumbs/Air-00.jpg

--
End of file - 10073 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 npkcrypt - c:\program files\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 dump_wmimmc - c:\program files\nexon\maplestory\gameguard\dump_wmimmc.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 spkrmon - c:\program files\analog devices\soundmax\spkrmon.exe <Not Verified; ; spkrmon Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: SB Live! 24-bit
Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10071102&REV_00\4&1C660DD6&0&08F0
Manufacturer: Creative Technology Ltd.
Name: SB Live! 24-bit
PNP Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10071102&REV_00\4&1C660DD6&0&08F0
Service: P17


-- Scheduled Tasks -------------------------------------------------------------

2008-04-24 22:39:34 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-02 and 2008-05-02 -----------------------------

2008-04-25 20:23:11 201307 --ahs---- C:\WINDOWS\system32\xwHgfMoq.ini2
2008-04-24 15:57:07 10000 --a------ C:\WINDOWS\system32\cbXPfFUO.dll
2008-04-22 20:41:13 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-22 20:35:14 198559 --ahs---- C:\WINDOWS\system32\PsYIRqss.ini2
2008-04-15 16:18:31 0 d-------- C:\Program Files\Audacity
2008-04-15 10:36:25 35840 --a------ C:\WINDOWS\system32\hgGARIAr.dll
2008-04-15 10:26:46 225280 --a------ C:\WINDOWS\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-04-15 10:26:46 0 d-------- C:\Program Files\VstPlugins
2008-04-15 10:24:40 0 d-------- C:\Program Files\Image-Line
2008-04-10 17:24:50 0 d-------- C:\Documents and Settings\Owner\DYOSDirName
2008-04-08 08:05:37 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-05-02 21:40:39 0 d-------- C:\Documents and Settings\Owner\Application Data\MegauploadToolbar
2008-04-27 18:44:25 0 d-------- C:\Program Files\DcOo CS1.6 中文版
2008-04-14 22:13:50 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-08 08:15:17 0 d-------- C:\Program Files\iTunes
2008-04-08 07:28:58 0 d-------- C:\Program Files\QuickTime
2008-03-31 17:50:57 0 d-------- C:\Program Files\MSECache
2008-03-30 17:19:00 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-27 16:14:30 0 d-------- C:\Program Files\uTorrent
2008-03-23 19:40:21 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-23 19:40:21 0 d-------- C:\Documents and Settings\Owner\Application Data\InterTrust
2008-03-23 19:39:32 0 d-------- C:\Program Files\EurekaMultimedia
2008-03-20 22:13:03 0 d-------- C:\Program Files\Safari
2008-03-20 15:11:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-13 16:06:49 0 d-------- C:\Program Files\Java
2008-03-12 20:38:45 0 d-------- C:\Program Files\Project64 1.6
2008-03-02 19:05:55 0 d-------- C:\Program Files\Tencent
2008-03-02 18:03:55 0 d-------- C:\Program Files\directx
2008-03-02 17:29:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 17:29:13 0 d-------- C:\Program Files\Vimicro


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6582C887-7B35-4A0A-B92C-BE7CA29E5F29}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84F4542E-E7FB-498F-84EB-83FF3A2FCE64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [11/04/2004 08:15 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 01:04 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [11/04/2004 11:43 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [23/09/2003 04:01 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [30/09/2006 05:25 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [30/12/2006 12:52 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 10:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"Volume Shadow Installer"="cvisvc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Shockwave Updater"=C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~2.EXE -Update -1030024 -iexplore.exe7.0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wgmrktqp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E0496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMfgHwx

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TermService"=3 (0x3)
"Dnscache"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-05-02 21:44:44 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 765.98 MiB / 228.75 MiB
Pagefile Memory (total/avail): 1108.8 MiB / 575.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.04 MiB

C: is Fixed (NTFS) - 97.65 GiB total, 82.62 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 135.22 GiB total, 121.8 GiB free.

\\.\PHYSICALDRIVE0 - ST3250620A - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 97.65 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 135.22 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security 2007 v15.30.1132 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Counter-Strike Source\\hl2.exe"="C:\\Program Files\\Counter-Strike Source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Nexon\\MapleStory\\Patcher.exe"="C:\\Program Files\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Program Files\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\DcOo CS1.6 中文版\\cstrike.exe"="C:\\Program Files\\DcOo CS1.6 中文版\\cstrike.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows NetMeeting"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Tencent\\QQGame\\QQGame.exe"="C:\\Program Files\\Tencent\\QQGame\\QQGame.exe:*:Enabled:QQGame"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:礣orrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BILLY-K7SJX02AL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\BILLY-K7SJX02AL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=BILLY-K7SJX02AL
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\Ctzapxx.EXE" /X /U /S
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
礣orrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Counter-Strike: Source --> C:\Program Files\Counter-Strike Source\Uninst.exe
Counter Strike 1.6 --> "C:\Program Files\DcOo CS1.6 中文版\unins000.exe"
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DYOS Kitchen Release 0.21 --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://www.smartpackkit.com.au/downloads/sdyos_ogl.jnlp"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hamachi 1.0.2.4 --> C:\Program Files\Hamachi\uninstall.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ICatch (VI) PC Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}\setup.exe"
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
IMVU Tools --> C:\Program Files\ImvuTools2\Uninstall.exe
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lexmark X6100 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBFUN5C.EXE -dLexmark X6100 Series
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Little Fighter 2.5 - v2.0 --> C:\Program Files\Little Fighter 2.5 - v2.0\Uninstal.exe
MapleStory --> MsiExec.exe /I{4D854B04-562A-4F18-A61B-1397DC01D915}
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Multiplication & Division --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EurekaMultimedia\Multiplication & Division\Uninst.isu"
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetMeeting 3.01 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.NT
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Print to Fax --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BF2B19D-9C79-492A-8969-F059F06A627F}\setup.exe" -l0x9 ControlPanel
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Rob Papen Albino 3 --> C:\Program Files\Image-Line\FL Studio 7\Plugins\My VST\Albino\UninstalAlbino3.exe
Safari --> MsiExec.exe /I{0AFC9710-5DD6-4C6A-BA52-91AE992B2C9D}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sound Blaster Live! 24-bit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\SETUP.EXE" -l0x9
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Storm Codec --> C:\Program Files\Ringz Studio\Storm Codec\uninst6.10.00.exe
Trend Micro PC-cillin Internet Security 2007 --> C:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
USB PC Camera 301P --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}\setup.exe" -l0x9
Windows Installer Clean Up --> MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5719 / Success
Event Submitted/Written: 05/02/2008 07:16:25 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5700 / Success
Event Submitted/Written: 05/01/2008 05:54:52 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5676 / Success
Event Submitted/Written: 04/30/2008 05:16:27 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5657 / Success
Event Submitted/Written: 04/29/2008 04:38:34 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5644 / Success
Event Submitted/Written: 04/28/2008 07:29:24 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13488 / Error
Event Submitted/Written: 05/02/2008 08:50:08 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.2.3 on the
Network Card with network address 0011112B25BB.

Event Record #/Type13487 / Warning
Event Submitted/Written: 05/02/2008 08:50:08 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011112B25BB. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type13484 / Error
Event Submitted/Written: 05/02/2008 08:45:55 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.2.3 on the
Network Card with network address 0011112B25BB.

Event Record #/Type13483 / Warning
Event Submitted/Written: 05/02/2008 08:45:55 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011112B25BB. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type13454 / Error
Event Submitted/Written: 05/02/2008 05:35:03 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Infrared Monitor service depends on the Terminal Services service which failed to start because of the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2008-05-02 21:44:44 ------------

BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 02 May 2008 - 08:37 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :blink:
There are a few around here that are probably geniuses. Unfortunately for you, I'm not one of them. :thumbsup:

Just kiddin'
We'll have you fixed up in no time. :wacko:



Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 05 May 2008 - 04:39 AM

Ok this is what the Combofix.exe gave me

ComboFix 08-05-01.3 - Owner 2008-05-05 19:08:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.434 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aovlinvb.ini
C:\WINDOWS\system32\cbmimitc.ini
C:\WINDOWS\system32\cbXPfFUO.dll
C:\WINDOWS\system32\hgGARIAr.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\PsYIRqss.ini
C:\WINDOWS\system32\PsYIRqss.ini2
C:\WINDOWS\system32\xwHgfMoq.ini
C:\WINDOWS\system32\xwHgfMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-04 16:29 . 2008-05-05 19:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 16:29 . 2008-05-04 16:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 18:00 . 2008-05-04 18:00 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-03 16:39 . 1997-07-07 06:22 756,736 --------- C:\WINDOWS\system32\ir41_32.dll
2008-05-03 16:33 . 2008-05-03 16:33 <DIR> d-------- C:\Program Files\Microsoft Games
2008-05-02 21:41 . 2008-05-02 21:41 <DIR> d-------- C:\Deckard
2008-04-30 17:16 . 2008-04-30 17:16 244 --ah----- C:\sqmnoopt15.sqm
2008-04-30 17:16 . 2008-04-30 17:16 232 --ah----- C:\sqmdata15.sqm
2008-04-22 20:41 . 2008-05-04 08:28 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-22 20:37 . 2008-04-25 20:24 109,669 --a------ C:\WINDOWS\BM7ff4aac3.xml
2008-04-15 16:49 . 2008-04-15 18:29 2,710 --a------ C:\VirtualDJ Local Database v5.xml
2008-04-15 16:18 . 2008-04-15 16:18 <DIR> d-------- C:\Program Files\Audacity
2008-04-15 10:26 . 2008-04-15 21:34 <DIR> d-------- C:\Program Files\VstPlugins
2008-04-15 10:26 . 2002-07-08 08:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-04-15 10:26 . 2006-06-20 18:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-04-15 10:24 . 2008-04-15 21:34 <DIR> d-------- C:\Program Files\Image-Line
2008-04-10 17:24 . 2008-04-10 17:27 <DIR> d-------- C:\Documents and Settings\Owner\DYOSDirName
2008-04-08 08:05 . 2008-04-08 08:05 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 09:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-05 09:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\MegauploadToolbar
2008-05-03 22:33 --------- d-----w C:\Program Files\Project64 1.6
2008-05-03 22:32 --------- d-----w C:\Program Files\Trend Micro
2008-04-27 08:44 --------- d-----w C:\Program Files\DcOo CS1.6 中文版
2008-04-14 12:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-07 22:15 --------- d-----w C:\Program Files\iTunes
2008-04-07 21:28 --------- d-----w C:\Program Files\QuickTime
2008-03-31 07:50 --------- d-----w C:\Program Files\MSECache
2008-03-30 09:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 09:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 08:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 07:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-27 06:14 --------- d-----w C:\Program Files\uTorrent
2008-03-23 09:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-23 09:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\InterTrust
2008-03-23 09:39 --------- d-----w C:\Program Files\EurekaMultimedia
2008-03-20 12:13 --------- d-----w C:\Program Files\Safari
2008-03-13 06:06 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 16:01 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 17:25 96984]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-30 00:52 3429904]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"Volume Shadow Installer"="cvisvc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wgmrktqp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E0496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-04 02:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TermService"=3 (0x3)
"Dnscache"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Counter-Strike Source\\hl2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 12:39:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-04 09:57:32 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 19:12:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 6

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-05 19:15:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 09:15:05

Pre-Run: 88,116,641,792 bytes free
Post-Run: 89,049,444,352 bytes free

161 --- E O F --- 2008-04-11 09:07:35

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 05 May 2008 - 08:50 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\BM7ff4aac3.xml

Dirlook::
C:\Program Files\DcOo CS1.6 中文版

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wgmrktqp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E0496]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 06 May 2008 - 04:23 AM

the logs are too long so i was thinking of breaking them up if that was alright?

ComboFix 08-05-01.3 - Owner 2008-05-06 18:52:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.434 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM7ff4aac3.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7ff4aac3.xml

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-04 16:29 . 2008-05-06 15:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 16:29 . 2008-05-04 16:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 18:00 . 2008-05-04 18:00 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-03 16:39 . 1997-07-07 06:22 756,736 --------- C:\WINDOWS\system32\ir41_32.dll
2008-05-03 16:33 . 2008-05-03 16:33 <DIR> d-------- C:\Program Files\Microsoft Games
2008-05-02 21:41 . 2008-05-02 21:41 <DIR> d-------- C:\Deckard
2008-04-30 17:16 . 2008-04-30 17:16 244 --ah----- C:\sqmnoopt15.sqm
2008-04-30 17:16 . 2008-04-30 17:16 232 --ah----- C:\sqmdata15.sqm
2008-04-22 20:41 . 2008-05-04 08:28 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-15 16:49 . 2008-04-15 18:29 2,710 --a------ C:\VirtualDJ Local Database v5.xml
2008-04-15 16:18 . 2008-04-15 16:18 <DIR> d-------- C:\Program Files\Audacity
2008-04-15 10:26 . 2008-04-15 21:34 <DIR> d-------- C:\Program Files\VstPlugins
2008-04-15 10:26 . 2002-07-08 08:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-04-15 10:26 . 2006-06-20 18:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-04-15 10:24 . 2008-04-15 21:34 <DIR> d-------- C:\Program Files\Image-Line
2008-04-10 17:24 . 2008-04-10 17:27 <DIR> d-------- C:\Documents and Settings\Owner\DYOSDirName
2008-04-08 08:05 . 2008-04-08 08:05 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 08:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\MegauploadToolbar
2008-05-05 09:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 22:33 --------- d-----w C:\Program Files\Project64 1.6
2008-05-03 22:32 --------- d-----w C:\Program Files\Trend Micro
2008-04-27 08:44 --------- d-----w C:\Program Files\DcOo CS1.6 中文版
2008-04-14 12:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-07 22:15 --------- d-----w C:\Program Files\iTunes
2008-04-07 21:28 --------- d-----w C:\Program Files\QuickTime
2008-03-31 07:50 --------- d-----w C:\Program Files\MSECache
2008-03-30 09:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 09:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 08:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 07:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-27 06:14 --------- d-----w C:\Program Files\uTorrent
2008-03-23 09:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-23 09:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\InterTrust
2008-03-23 09:39 --------- d-----w C:\Program Files\EurekaMultimedia
2008-03-20 12:13 --------- d-----w C:\Program Files\Safari
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 06:06 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\DcOo CS1.6 中文版 ----

2008-08-08 19:00 178 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\gfx\cfg\64k.cfg
2008-08-08 19:00 178 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\gfx\cfg\56k.cfg
2008-04-27 18:44 93247 --a------ C:\Program Files\DcOo CS1.6 中文版\Steam__105558__2008_4_27T8_44_25C70937.mdmp
2008-04-27 18:44 45046 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\demoheader.dmf
2008-04-27 18:43 434 --a------ C:\Program Files\DcOo CS1.6 中文版\platform\config\CSBotConfig.vdf
2008-04-27 18:43 2810 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\settings.scr
2008-04-27 12:15 51 --a------ C:\Program Files\DcOo CS1.6 中文版\platform\config\FriendsData.vdf
2008-04-27 12:15 3882 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\config.cfg
2008-04-27 12:15 28124 --a------ C:\Program Files\DcOo CS1.6 中文版\platform\config\ServerBrowser.vdf
2008-04-27 12:15 1757 --a------ C:\Program Files\DcOo CS1.6 中文版\platform\config\InGameDialogConfig.vdf
2008-04-26 16:09 92222 --a------ C:\Program Files\DcOo CS1.6 中文版\Steam__105558__2008_4_26T6_9_50C1927781.mdmp
2008-04-24 14:36 921654 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\cs_assault0002.bmp
2008-04-22 13:16 5176 --a------ C:\Program Files\DcOo CS1.6 中文版\cstrike\logos\remapped.bmp

Edited by Buckeye_Sam, 06 May 2008 - 10:00 AM.
excessive log - non malicious content


#6 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 06 May 2008 - 04:24 AM

5th and last




((((((((((((((((((((((((((((( snapshot@2008-05-05_19.14.54.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 09:12:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 05:23:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 16:01 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 17:25 96984]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-30 00:52 3429904]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"Volume Shadow Installer"="cvisvc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-04 02:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TermService"=3 (0x3)
"Dnscache"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Counter-Strike Source\\hl2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 12:39:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-04 09:57:32 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 18:53:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-06 18:54:28
ComboFix-quarantined-files.txt 2008-05-06 08:54:21
ComboFix2.txt 2008-05-05 09:15:08

Pre-Run: 88,951,676,928 bytes free
Post-Run: 89,051,152,384 bytes free

3595 --- E O F --- 2008-04-11 09:07:35

Edited by Buckeye_Sam, 06 May 2008 - 10:02 AM.


#7 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 06 May 2008 - 04:25 AM

ok finally; erm this next one is from the dss.exe program. and i was just wondering, what the hell do u do with all these words and directory stuff??!! :thumbsup:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-06 18:55:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:34 PM, on 6/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blackle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Volume Shadow Installer] cvisvc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://www.anime-wallpapers.ws/anime/air/thumbs/Air-00.jpg

--
End of file - 8072 bytes

-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-05 19:07:43 68096 --a------ C:\WINDOWS\zip.exe
2008-05-05 19:07:43 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-05 19:07:43 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-05 19:07:43 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-05 19:07:43 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-05 19:07:43 98816 --a------ C:\WINDOWS\sed.exe
2008-05-05 19:07:43 80412 --a------ C:\WINDOWS\grep.exe
2008-05-05 19:07:43 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-03 18:00:06 0 d-------- C:\Program Files\Norton Security Scan
2008-05-03 16:39:22 756736 -----n--- C:\WINDOWS\system32\ir41_32.dll <Not Verified; Intel Corporation; Intel Indeo® Video Interactive 32-bit Driver>
2008-05-03 16:33:40 0 d-------- C:\Program Files\Microsoft Games
2008-04-22 20:41:13 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-15 16:18:31 0 d-------- C:\Program Files\Audacity
2008-04-15 10:26:46 225280 --a------ C:\WINDOWS\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-04-15 10:26:46 0 d-------- C:\Program Files\VstPlugins
2008-04-15 10:24:40 0 d-------- C:\Program Files\Image-Line
2008-04-10 17:24:50 0 d-------- C:\Documents and Settings\Owner\DYOSDirName
2008-04-08 08:05:37 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-05-06 18:50:44 0 d-------- C:\Documents and Settings\Owner\Application Data\MegauploadToolbar
2008-05-05 19:12:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-04 08:33:25 0 d-------- C:\Program Files\Project64 1.6
2008-05-04 08:32:08 0 d-------- C:\Program Files\Trend Micro
2008-04-27 18:44:25 0 d-------- C:\Program Files\DcOo CS1.6 中文版
2008-04-14 22:13:50 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-08 08:15:17 0 d-------- C:\Program Files\iTunes
2008-04-08 07:28:58 0 d-------- C:\Program Files\QuickTime
2008-03-31 17:50:57 0 d-------- C:\Program Files\MSECache
2008-03-30 17:19:00 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-27 16:14:30 0 d-------- C:\Program Files\uTorrent
2008-03-23 19:40:21 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-23 19:40:21 0 d-------- C:\Documents and Settings\Owner\Application Data\InterTrust
2008-03-23 19:39:32 0 d-------- C:\Program Files\EurekaMultimedia
2008-03-20 22:13:03 0 d-------- C:\Program Files\Safari
2008-03-20 15:11:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-13 16:06:49 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [11/04/2004 08:15 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 01:04 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [11/04/2004 11:43 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [23/09/2003 04:01 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [30/09/2006 05:25 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [30/12/2006 12:52 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 10:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"Volume Shadow Installer"="cvisvc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TermService"=3 (0x3)
"Dnscache"=2 (0x2)

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-05-06 18:55:54 ------------

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 06 May 2008 - 10:05 AM

and i was just wondering, what the hell do u do with all these words and directory stuff??!!

The logs show us what's on your computer and some of the most common places that malware would be located. It's how we can see what's really going on and then advise you on the steps to take to get things running smoothly again. It's a lot of reading and analysis. :thumbsup:


Your logs are looking pretty good to me now.
How are things working on your end?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 07 May 2008 - 04:33 AM

well everytime i turn on my computer, my Trend Micro PC - cillin antivrussoftware doesnt work, a little window comes up that says something like, runtime error, something has caused Trend Micro to terminate in an unusual way blablabla. And then i double click the Trend Micro icon and it says i can either enter the serial number for it or buy it again but my
PC - cillin wasn't supposed to expire til June. And my Pc - cillin stopped working just after i downloaded the ComboFix.exe program. It first told me I had just downloaded a virus, then i closed the pop up warnings and then the next time i opened my computer i noticed it wasnt in the system tray place on the bottom right hand corner of the computer screen

and i was wondering what this warning was about. I think i got it from the log i got after i dragged the notepad onto ConboFix.exe


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! (it was in red letters)

whats the recovery console?

Edited by Arkzadis, 07 May 2008 - 04:35 AM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 07 May 2008 - 04:05 PM

I went back and reviewed your logs to be sure that combofix didn't remove anything it should have and I noticed this.

2008-05-03 18:00 . 2008-05-04 18:00 <DIR> d-------- C:\Program Files\Norton Security Scan


It looks like you installed Norton on 5/3. That is almost certainly causing a conflict with Trendmicro and has probably resulted in your problem. You should never run more than one antivirus at a time.

If you want to keep Trendmicro then uninstall Norton first. You may still have to reinstall Trendmicro in order to restore what Norton messed with.


Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 08 May 2008 - 04:31 AM

Ok sweet thx Sam you've been a big help keep it up XD :thumbsup:

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 08 May 2008 - 10:34 AM

Glad I could help out. :blink:

Just a few last things and you should be good to go!


Let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image
  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :wacko:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 05 June 2008 - 07:41 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:34 AM

Posted 26 June 2008 - 07:37 AM

Topic re-opened at user's request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Arkzadis

Arkzadis
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 26 June 2008 - 07:41 AM

Ok thanks Sam, whats my next step




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users