My Hijack This Log


This topic is locked. 13 replies to this topic.

#1 bones351 (Members, 9 posts)

Posted 13 May 2008 - 04:01 PM

OK, here are all my log files.

Kaspersky:



Tuesday, May 13, 2008 11:32:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 771702


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\

Scan Statistics
Total number of scanned objects 71998
Number of viruses found 12
Number of infected objects 19
Number of suspicious objects 0
Duration of the scan process 01:24:27

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Hammy\LOCALS~1\Temp\NERO14399\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Hammy\LOCALS~1\Temp\nwizsrv.exe Infected: Trojan-Downloader.Win32.Agent.ogy skipped
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe Infected: not-a-virus:FraudTool.Win32.MalWarrior.q skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{22747130-C225-4FC1-8F7B-EAC170E54A43}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Hammy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hammy\Desktop\Signgo\Acoustica-MP3-Audio-Mixer-Installer.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
C:\Documents and Settings\Hammy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hammy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hammy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hammy\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat Object is locked skipped
C:\Documents and Settings\Hammy\Local Settings\Temp\~DF8D86.tmp Object is locked skipped
C:\Documents and Settings\Hammy\Local Settings\Temp\~DFC2FE.tmp Object is locked skipped
C:\Documents and Settings\Hammy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\007spy-5star.exe/data0002 Infected: not-a-virus:Monitor.Win32.007SpySoft.306 skipped
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\007spy-5star.exe/data0007 Infected: Trojan-Spy.Win32.SpyAnyTime.a skipped
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\007spy-5star.exe Inno: infected - 2 skipped
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\crack\svchost.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
C:\Documents and Settings\Hammy\My Documents\Ripper software\ngen007a.zip/crack/svchost.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
C:\Documents and Settings\Hammy\My Documents\Ripper software\ngen007a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Hammy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hammy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{99B49BC3-46FE-4FFB-977F-034752FAE4C0}\RP101\A0022919.dll Infected: Trojan.Win32.Vapsup.fam skipped
C:\System Volume Information\_restore{99B49BC3-46FE-4FFB-977F-034752FAE4C0}\RP102\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mpfanvqg.dll Infected: Trojan.Win32.Vapsup.fan skipped
C:\WINDOWS\oadkxrts.exe Infected: Trojan.Win32.Vapsup.fao skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\keybhookpro.dll Infected: Trojan-Spy.Win32.SpyAnyTime.a skipped
C:\WINDOWS\system32\rqRKcyAP.dll Infected: Trojan-Downloader.Win32.ConHook.qk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_i0uMX89cZ2mRJiT Object is locked skipped
C:\WINDOWS\Temp\mcafee_Y0FC6a50jwI2bi1 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_foDgT6XUUCosse9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_kJpTI3qRsbk16Np Object is locked skipped
C:\WINDOWS\Temp\mcmsc_oLhO0jp25RojSoH Object is locked skipped
C:\WINDOWS\Temp\mcmsc_z56eR69gLAgNfiv Object is locked skipped
C:\WINDOWS\vbksrofa.dll Infected: Trojan.Win32.Vapsup.fap skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Tuesday, May 13, 2008 9:36:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 771702


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Memory


Scan Statistics
Total number of scanned objects 2094
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:01:08

Infected Object Name Virus Name Last Action
[0] [System Process] => C:\WINDOWS\system32\rqRKcyAP.dll Infected: Trojan-Downloader.Win32.ConHook.qk skipped
[728] winlogon.exe => C:\WINDOWS\system32\rqRKcyAP.dll Infected: Trojan-Downloader.Win32.ConHook.qk skipped
[3316] IEXPLORE.EXE => C:\WINDOWS\system32\rqRKcyAP.dll Infected: Trojan-Downloader.Win32.ConHook.qk skipped

Scan process completed.

Tuesday, May 13, 2008 9:34:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 771702


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Hammy\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 13510
Number of viruses found 5
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:09:48

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mpfanvqg.dll Infected: Trojan.Win32.Vapsup.fan skipped
C:\WINDOWS\oadkxrts.exe Infected: Trojan.Win32.Vapsup.fao skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\keybhookpro.dll Infected: Trojan-Spy.Win32.SpyAnyTime.a skipped
C:\WINDOWS\system32\rqRKcyAP.dll Infected: Trojan-Downloader.Win32.ConHook.qk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_i0uMX89cZ2mRJiT Object is locked skipped
C:\WINDOWS\Temp\mcafee_Y0FC6a50jwI2bi1 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_foDgT6XUUCosse9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_kJpTI3qRsbk16Np Object is locked skipped
C:\WINDOWS\Temp\mcmsc_oLhO0jp25RojSoH Object is locked skipped
C:\WINDOWS\Temp\mcmsc_z56eR69gLAgNfiv Object is locked skipped
C:\WINDOWS\vbksrofa.dll Infected: Trojan.Win32.Vapsup.fap skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Hammy\LOCALS~1\Temp\~DFC491.tmp Object is locked skipped

Scan process completed.

DSS:

Deckard's System Scanner v20071014.68
Run by Hammy on 2008-05-13 18:10:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-05-13 22:13:36 UTC - RP102 - Deckard's System Scanner Restore Point
6: 2008-05-12 22:33:08 UTC - RP101 - System Checkpoint
5: 2008-05-11 21:34:47 UTC - RP100 - System Checkpoint
4: 2008-05-10 21:28:20 UTC - RP99 - Last known good configuration
3: 2008-05-10 21:28:15 UTC - RP98 - Restore Operation


-- First Restore Point --
1: 2008-05-10 21:28:15 UTC - RP96 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 15.15 GiB (less than 15%) free.


-- HijackThis (run as Hammy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:56 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Documents and Settings\Hammy\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee\mpf\mc\mpfalert.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hammy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {A1E5D061-1FF5-4759-BAD1-1382316838CA} - C:\WINDOWS\system32\ssqNFYSM.dll
O2 - BHO: (no name) - {B9AB28FA-ED73-4E5E-BA11-0925D85120D1} - C:\WINDOWS\system32\rqRKcyAP.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [WinService32] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [30caa59c] rundll32.exe "C:\WINDOWS\system32\mvlfuwau.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://myspace.oberon-media.com/gameshell/...pt.1.0.0.21.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.gamehouse.com/realarcade-webgam...outLauncher.cab
O20 - Winlogon Notify: rqRKcyAP - C:\WINDOWS\SYSTEM32\rqRKcyAP.dll
O21 - SSODL: mpfanvqg - {A2E7363F-FF83-4F8F-BBF8-C3C75B00E076} - C:\WINDOWS\mpfanvqg.dll
O21 - SSODL: vbksrofa - {0B0BDBA9-6A49-4677-99EC-616478C1D40F} - C:\WINDOWS\vbksrofa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10521 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 DgiVecp - c:\windows\system32\drivers\dgivecp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-01 01:00:58 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-04-15 01:42:22 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-28 19:17:11 21008 -----n--- C:\WINDOWS\system32\Ctl3d.dll <Not Verified; Microsoft Corporation; 3d Windows Control>
2008-05-28 19:16:47 0 d-------- C:\Documents and Settings\Hammy\WINDOWS
2008-05-28 19:16:03 0 d-------- C:\My Documents
2008-05-28 16:53:34 0 d-------- C:\My Downloads
2008-05-28 16:51:21 0 d-------- C:\Program Files\BearShare
2008-05-13 18:16:04 0 d-------- C:\WINDOWS\privacy_danger
2008-05-13 17:13:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 17:12:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 17:12:56 0 d-------- C:\WINDOWS\LastGood
2008-05-13 16:38:29 0 d-------- C:\Program Files\Trend Micro
2008-05-13 09:56:47 91264 --a------ C:\WINDOWS\system32\mvlfuwau.dll
2008-05-10 17:28:49 0 d-------- C:\Documents and Settings\Hammy\Application Data\TmpRecentIcons
2008-05-10 17:11:39 0 d-------- C:\WINDOWS\privacy_danger(2)
2008-05-10 17:07:50 0 d-------- C:\WINDOWS\system32\NtmsData
2008-05-10 11:24:29 6802 --ahs---- C:\WINDOWS\system32\KkkRCcdd.ini2
2008-05-10 10:22:37 964516 --ahs---- C:\WINDOWS\system32\MSYFNqss.ini2
2008-05-10 10:22:36 320640 --a------ C:\WINDOWS\system32\ssqNFYSM.dll
2008-05-10 10:10:01 29312 --a------ C:\WINDOWS\system32\rqRKcyAP.dll
2008-05-10 10:09:03 258048 --a------ C:\WINDOWS\vbksrofa.dll
2008-05-10 10:09:03 90112 --a------ C:\WINDOWS\oadkxrts.exe
2008-05-10 10:09:03 225280 --a------ C:\WINDOWS\mpfanvqg.dll
2008-05-10 10:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-01 12:22:24 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-05-01 12:22:09 0 d-------- C:\WINDOWS\PrimoPDF4
2008-05-01 12:22:09 0 d-------- C:\Program Files\activePDF
2008-04-27 19:09:57 0 d-------- C:\Documents and Settings\Not Hammy\Application Data\GlarySoft
2008-04-27 12:24:33 0 d-------- C:\Documents and Settings\Hammy\Application Data\GlarySoft
2008-04-27 12:21:22 0 d-------- C:\Documents and Settings\Hammy\Application Data\Serif
2008-04-25 09:32:16 0 d-------- C:\Documents and Settings\Hammy\Application Data\Google
2008-04-23 19:44:03 0 d-------- C:\Documents and Settings\Not Hammy\Application Data\PlayFirst
2008-04-23 19:44:03 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-22 14:43:03 0 d-------- C:\Documents and Settings\Not Hammy\Application Data\Google
2008-04-22 14:41:10 0 d-------- C:\WINDOWS\Sun
2008-04-22 14:41:10 0 d-------- C:\Documents and Settings\Not Hammy\Application Data\Sun
2008-04-22 14:41:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-22 14:40:59 0 d-------- C:\Program Files\Google
2008-04-22 14:40:16 0 d-------- C:\Program Files\Java
2008-04-22 14:39:56 0 d-------- C:\Program Files\Common Files\Java
2008-04-21 07:50:59 0 d--h----- C:\WINDOWS\PIF
2008-04-20 16:29:09 212480 -----n--- C:\WINDOWS\pcdlib32.dll <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-04-20 16:29:00 0 d-------- C:\Program Files\Serif


-- Find3M Report ---------------------------------------------------------------

2008-05-28 19:16:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-05 13:04:59 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-01 12:26:36 6117 --a------ C:\Documents and Settings\Hammy\Application Data\PrimoPDFSet.xml
2008-05-01 12:26:19 310 --a------ C:\Documents and Settings\Hammy\Application Data\APUSet.xml
2008-04-27 14:40:18 0 d-------- C:\Program Files\LawOrderVengefulHeart_at
2008-04-22 14:39:56 0 d-------- C:\Program Files\Common Files
2008-04-22 11:17:59 0 d-------- C:\Program Files\McAfee
2008-04-13 18:49:44 0 d-------- C:\Program Files\Shattera_at
2008-04-13 18:43:56 0 d-------- C:\Program Files\AquaBall_at
2008-04-10 19:35:51 0 d-------- C:\Program Files\RageOfMagicII_at
2008-04-10 19:05:28 0 d-------- C:\Program Files\DevastationZoneTroopers_at
2008-04-10 19:00:19 0 d-------- C:\Program Files\RIP_at
2008-04-10 08:08:56 0 d-------- C:\Program Files\fbmgamesetup
2008-04-10 08:08:56 0 d-------- C:\Program Files\Conduit
2008-04-08 18:09:15 0 d-------- C:\Program Files\MagicBall3_at
2008-04-07 20:13:16 0 d-------- C:\Program Files\Nick Arcade
2008-04-07 19:02:28 0 d-------- C:\Program Files\Virtools
2008-04-06 16:28:47 0 d-------- C:\Program Files\Common Files\Real
2008-04-06 14:49:23 774144 --a------ C:\Program Files\RngInterstitial.dll <Not Verified; RealNetworks, Inc.; RealNetworks, Inc. RngInterstitial>
2008-04-06 14:49:17 0 d-------- C:\Program Files\Real
2008-03-29 18:35:11 0 d-------- C:\Program Files\Oxin's Style!
2008-03-29 18:33:39 0 d-------- C:\Program Files\PiratesoftheAtlantic_at
2008-03-28 11:34:32 0 d-------- C:\Program Files\SpiritofWanderingTheLegend_at
2008-03-24 21:23:06 0 d-------- C:\Documents and Settings\Hammy\Application Data\Ahead
2008-03-13 13:33:27 0 d-------- C:\Documents and Settings\Hammy\Application Data\WinRAR
2008-03-11 23:43:32 32 --a------ C:\WINDOWS\go
2008-03-09 15:43:19 268 --a------ C:\WINDOWS\system32\PDPCustomPaper.dat
2008-03-09 15:43:19 3932 --a------ C:\WINDOWS\system32\CTLayout.dat
2008-03-08 15:33:04 594 --a------ C:\WINDOWS\system32\Sysmnt.dat
2008-03-08 15:03:55 71561 --a------ C:\WINDOWS\system32\007unins000.exe <Not Verified; Jordan Russell; >
2008-03-08 15:03:55 2780 --a------ C:\WINDOWS\system32\007unins000.dat
2008-03-05 20:37:41 0 -rahs---- C:\MSDOS.SYS
2008-03-05 20:37:41 0 -rahs---- C:\IO.SYS
2008-03-05 20:37:41 0 --a------ C:\CONFIG.SYS
2008-03-05 20:37:41 0 --a------ C:\AUTOEXEC.BAT
2008-03-05 20:34:33 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-05 11:44:44 62 --ahs---- C:\Documents and Settings\Hammy\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1E5D061-1FF5-4759-BAD1-1382316838CA}]
05/10/2008 10:22 AM 320640 --a------ C:\WINDOWS\system32\ssqNFYSM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}]
05/10/2008 10:10 AM 29312 --a------ C:\WINDOWS\system32\rqRKcyAP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/20/2005 10:07 PM]
"nwiz"="nwiz.exe" [07/20/2005 10:07 PM C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [07/27/2004 05:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [06/10/2004 11:15 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/20/2005 10:07 PM]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [09/18/2001 12:37 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe" []
"WinService32"="C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe" []
"Windows LSASS Service"="C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe" [03/08/2008 03:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [04/24/2006 05:28 PM]
"30caa59c"="C:\WINDOWS\system32\mvlfuwau.dll" [05/13/2008 09:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"MalWarrior"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" [05/10/2008 10:09 AM]

C:\Documents and Settings\Hammy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [3/5/2008 10:31:06 PM]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}"= C:\WINDOWS\system32\rqRKcyAP.dll [05/10/2008 10:10 AM 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {A2E7363F-FF83-4F8F-BBF8-C3C75B00E076} - C:\WINDOWS\mpfanvqg.dll [05/10/2008 09:24 AM 225280]
"vbksrofa"= {0B0BDBA9-6A49-4677-99EC-616478C1D40F} - C:\WINDOWS\vbksrofa.dll [05/10/2008 09:24 AM 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyAP]
rqRKcyAP.dll 05/10/2008 10:10 AM 29312 C:\WINDOWS\system32\rqRKcyAP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqNFYSM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{254c7bb3-eac4-11dc-8925-806d6172696f}]
AutoRun\command- I:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-05-13 18:17:32 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 2600+
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 511.48 MiB / 231.62 MiB
Pagefile Memory (total/avail): 1246.6 MiB / 906.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.14 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.79 GiB total, 15.15 GiB free.
D: is Fixed (NTFS) - 28.61 GiB total, 1.8 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (FAT)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - Maxtor 33073H3 - 28.62 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 28.61 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD1200JB-00GVA0 - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.79 GiB - C:

\\.\PHYSICALDRIVE2 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device - 7.81 MiB - 1 partition
\PARTITION0 (bootable) - 12-bit FAT - 7.8 MiB - G:

\\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe:*:Enabled:PDP RPC Server"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Hammy\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LIVINGROOM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Hammy
LOGONSERVER=\\LIVINGROOM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 28 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=1c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Hammy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Hammy\LOCALS~1\Temp
USERDOMAIN=LIVINGROOM
USERNAME=Hammy
USERPROFILE=C:\Documents and Settings\Hammy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Hammy (admin)
Not Hammy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Age of Empires III - The WarChiefs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1C08A24C-B168-407E-A826-68FAF5F20710}
Age of Mythology --> "C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
BearShare --> C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
Compaq A3000 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88739060-F683-11D3-B761-00105AD153C3}\Setup.exe" UNINSTALL
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Glarysoft Registry Repair 2.7 --> "C:\Program Files\Registry Repair\unins000.exe"
Hide IP Platinum 2.8 --> "C:\Program Files\Hide IP Platinum\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NetConceal Anonymity Shield --> "C:\Program Files\NetConeal\Anonymity Shield\uninstall.exe"
NetConceal Anonymizer --> "C:\Program Files\NetConceal Anonymizer\uninstall.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PrimoPDF --> "C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Serif 3DPlus 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A36638C0-D8B9-11D3-9801-00A0CC555167}\setup.exe"
Serif DrawPlus 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Serif\dp40.isu"
Serif PagePlus SE 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25BB07FA-D9A0-478E-8A4B-38466A4E8BF2}\Setup.exe" -l0x9
Serif PhotoPlus 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
Ulead VideoStudio 7 SE Basic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}\Setup.exe" -l0x9
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
WebVideo Support --> C:\WINDOWS\oadkxrts.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1579 / Error
Event Submitted/Written: 05/10/2008 08:06:24 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1578 / Error
Event Submitted/Written: 05/10/2008 08:04:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1564 / Error
Event Submitted/Written: 05/10/2008 05:03:34 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1562 / Error
Event Submitted/Written: 05/10/2008 04:51:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application bearshare.exe, version 5.2.2.2, faulting module bearshare.exe, version 5.2.2.2, fault address 0x0000dea8.
Processing media-specific event for [bearshare.exe!ws!]

Event Record #/Type1552 / Error
Event Submitted/Written: 05/10/2008 04:32:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type922 / Error
Event Submitted/Written: 05/13/2008 05:48:53 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type888 / Warning
Event Submitted/Written: 05/13/2008 04:23:01 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type877 / Error
Event Submitted/Written: 05/13/2008 04:05:19 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Event Record #/Type876 / Warning
Event Submitted/Written: 05/13/2008 04:05:18 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type872 / Error
Event Submitted/Written: 05/13/2008 04:04:48 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-05-13 18:17:32 ------------



And HijackThis:

Scan saved at 6:09:27 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [WinService32] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [30caa59c] rundll32.exe "C:\WINDOWS\system32\mvlfuwau.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://myspace.oberon-media.com/gameshell/...pt.1.0.0.21.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.gamehouse.com/realarcade-webgam...outLauncher.cab
O21 - SSODL: mpfanvqg - {A2E7363F-FF83-4F8F-BBF8-C3C75B00E076} - C:\WINDOWS\mpfanvqg.dll
O21 - SSODL: vbksrofa - {0B0BDBA9-6A49-4677-99EC-616478C1D40F} - C:\WINDOWS\vbksrofa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9439 bytes


Please Help

Edited by bones351, 13 May 2008 - 11:17 PM.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 14 May 2008 - 01:18 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bones351

bones351
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:12 PM

Posted 14 May 2008 - 11:55 AM

OK ComboFix Log:

ComboFix 08-05-12.1 - Hammy 2008-05-14 12:39:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.179 [GMT -4:00]
Running from: C:\Documents and Settings\Hammy\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Hammy\Desktop\Error Cleaner.url
C:\Documents and Settings\Hammy\Desktop\Privacy Protector.url
C:\Documents and Settings\Hammy\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Hammy\Favorites\Error Cleaner.url
C:\Documents and Settings\Hammy\Favorites\Online Security Test.url
C:\Documents and Settings\Hammy\Favorites\Privacy Protector.url
C:\Documents and Settings\Hammy\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Not Hammy\Desktop\Error Cleaner.url
C:\Documents and Settings\Not Hammy\Desktop\Privacy Protector.url
C:\Documents and Settings\Not Hammy\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Not Hammy\Favorites\Error Cleaner.url
C:\Documents and Settings\Not Hammy\Favorites\Privacy Protector.url
C:\Documents and Settings\Not Hammy\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\cookies.ini
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\gxxvvfus.ini
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\system32\KkkRCcdd.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSYFNqss.ini
C:\WINDOWS\system32\MSYFNqss.ini2
C:\WINDOWS\system32\tuhqhvta.ini
C:\WINDOWS\system32\uawuflvm.ini
C:\WINDOWS\system32\ulqnqebw.ini
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-28 19:17 . 1993-11-24 08:38 21,008 --------- C:\WINDOWS\system32\Ctl3d.dll
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\My Documents
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\Documents and Settings\Hammy\WINDOWS
2008-05-28 16:53 . 2008-05-01 16:30 <DIR> d-------- C:\My Downloads
2008-05-28 16:51 . 2008-05-28 16:56 <DIR> d-------- C:\Program Files\BearShare
2008-05-14 12:38 . 2008-05-14 12:39 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-14 11:31 . 2008-05-14 11:31 90,240 --a------ C:\WINDOWS\system32\atvhqhut.dll
2008-05-13 18:10 . 2008-05-13 18:10 <DIR> d-------- C:\Deckard
2008-05-13 17:13 . 2008-05-13 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 17:12 . 2008-05-13 17:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 17:28 . 2008-05-13 17:05 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\TmpRecentIcons
2008-05-10 17:11 . 2008-05-10 17:25 <DIR> d-------- C:\WINDOWS\privacy_danger(2)
2008-05-10 17:07 . 2008-05-10 17:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-10 10:22 . 2008-05-10 10:22 320,640 --a------ C:\WINDOWS\system32\ssqNFYSM.dll
2008-05-10 10:10 . 2008-05-10 10:10 29,312 --a------ C:\WINDOWS\system32\rqRKcyAP.dll
2008-05-10 10:09 . 2008-05-10 09:24 258,048 --a------ C:\WINDOWS\vbksrofa.dll
2008-05-10 10:09 . 2008-05-10 09:24 225,280 --a------ C:\WINDOWS\mpfanvqg.dll
2008-05-10 10:09 . 2008-05-10 09:24 90,112 --a------ C:\WINDOWS\oadkxrts.exe
2008-05-10 10:08 . 2008-05-10 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-09 11:54 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\Program Files\activePDF
2008-05-01 12:22 . 2006-12-11 16:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-04-27 19:09 . 2008-04-27 19:09 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\GlarySoft
2008-04-27 12:24 . 2008-04-27 12:24 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\GlarySoft
2008-04-27 12:21 . 2008-04-27 12:21 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\Serif
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\PlayFirst
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-22 14:41 . 2008-04-22 14:41 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 14:40 . 2008-04-22 14:40 <DIR> d-------- C:\Program Files\Java
2008-04-22 14:40 . 2008-04-27 10:38 <DIR> d-------- C:\Program Files\Google
2008-04-22 14:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-22 14:39 . 2008-04-22 14:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 07:50 . 2008-04-21 07:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-20 16:29 . 2008-05-28 19:17 <DIR> d-------- C:\Program Files\Serif
2008-04-20 16:29 . 1998-12-08 20:53 212,480 --------- C:\WINDOWS\pcdlib32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 23:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2008-05-05 17:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-27 18:40 --------- d-----w C:\Program Files\LawOrderVengefulHeart_at
2008-04-22 15:17 --------- d-----w C:\Program Files\McAfee
2008-04-13 22:49 --------- d-----w C:\Program Files\Shattera_at
2008-04-13 22:43 --------- d-----w C:\Program Files\AquaBall_at
2008-04-10 23:35 --------- d-----w C:\Program Files\RageOfMagicII_at
2008-04-10 23:05 --------- d-----w C:\Program Files\DevastationZoneTroopers_at
2008-04-10 23:00 --------- d-----w C:\Program Files\RIP_at
2008-04-10 12:08 --------- d-----w C:\Program Files\fbmgamesetup
2008-04-10 12:08 --------- d-----w C:\Program Files\Conduit
2008-04-08 22:09 --------- d-----w C:\Program Files\MagicBall3_at
2008-04-08 00:13 --------- d-----w C:\Program Files\Nick Arcade
2008-04-07 23:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 23:02 --------- d-----w C:\Program Files\Virtools
2008-04-06 20:28 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 19:00 --------- d-----w C:\Documents and Settings\Not Hammy\Application Data\SprillBermudeEng
2008-04-06 18:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-04-06 18:49 --------- d-----w C:\Program Files\Real
2008-03-29 22:35 --------- d-----w C:\Program Files\Oxin's Style!
2008-03-29 22:33 --------- d-----w C:\Program Files\PiratesoftheAtlantic_at
2008-03-28 15:34 --------- d-----w C:\Program Files\SpiritofWanderingTheLegend_at
2008-03-25 01:23 --------- d-----w C:\Documents and Settings\Hammy\Application Data\Ahead
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 19:03 71,561 ----a-w C:\WINDOWS\system32\007unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{572EC72C-FF99-4967-807B-F56FEDCAD125}]
2008-05-10 10:22 320640 --a------ C:\WINDOWS\system32\ssqNFYSM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}]
2008-05-10 10:10 29312 --a------ C:\WINDOWS\system32\rqRKcyAP.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MalWarrior"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" [2008-05-10 10:09 1026560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 22:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 05:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-10 23:15 83968]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 22:07 86016]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 12:37 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe" [ ]
"WinService32"="C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe" [ ]
"Windows LSASS Service"="C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe" [2008-03-08 15:37 149504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28 3223552]
"30caa59c"="C:\WINDOWS\system32\atvhqhut.dll" [2008-05-14 11:31 90240]
"combofix"="C:\WINDOWS\system32\CF23019.exe" [2004-08-04 00:56 388608]

C:\Documents and Settings\Hammy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [2008-03-05 22:31:06 1142784]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}"= C:\WINDOWS\system32\rqRKcyAP.dll [2008-05-10 10:10 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {A2E7363F-FF83-4F8F-BBF8-C3C75B00E076} - C:\WINDOWS\mpfanvqg.dll [2008-05-10 09:24 225280]
"vbksrofa"= {0B0BDBA9-6A49-4677-99EC-616478C1D40F} - C:\WINDOWS\vbksrofa.dll [2008-05-10 09:24 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyAP]
rqRKcyAP.dll 2008-05-10 10:10 29312 C:\WINDOWS\system32\rqRKcyAP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{254c7bb3-eac4-11dc-8925-806d6172696f}]
\Shell\AutoRun\command - I:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 05:42:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 05:00:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 12:45:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\tuhqhvta.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rqRKcyAP.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-14 12:49:53 - machine was rebooted [Hammy]
ComboFix-quarantined-files.txt 2008-05-14 16:49:38

Pre-Run: 16,101,654,528 bytes free
Post-Run: 16,567,640,064 bytes free

231 --- E O F --- 2008-05-02 13:53:58


And HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:32 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: (no name) - {572EC72C-FF99-4967-807B-F56FEDCAD125} - C:\WINDOWS\system32\ssqNFYSM.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {B9AB28FA-ED73-4E5E-BA11-0925D85120D1} - C:\WINDOWS\system32\rqRKcyAP.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [WinService32] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [30caa59c] rundll32.exe "C:\WINDOWS\system32\atvhqhut.dll",b
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://myspace.oberon-media.com/gameshell/...pt.1.0.0.21.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.gamehouse.com/realarcade-webgam...outLauncher.cab
O20 - Winlogon Notify: rqRKcyAP - C:\WINDOWS\SYSTEM32\rqRKcyAP.dll
O21 - SSODL: mpfanvqg - {A2E7363F-FF83-4F8F-BBF8-C3C75B00E076} - C:\WINDOWS\mpfanvqg.dll
O21 - SSODL: vbksrofa - {0B0BDBA9-6A49-4677-99EC-616478C1D40F} - C:\WINDOWS\vbksrofa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 11015 bytes

So far so good... Running faster, not as many popups... I do keep getting a warning that a .jpgdll is not found, reinstall program.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 May 2008 - 12:32 PM

Hi,

We are not finished yet. Your system is still severely infected.
I see you have BearShare installed. I do not recommend BearShare in the first place, and the fact that the BearShare folder was modified with a later date than we are today + two new extra folders were created that same date (2008-05-28) - we are still May 14 though - makes it highly suspicious!
So I strongly recommend you uninstall BearShare.

Also, I see you downloaded a LOT of illegal software/cracks previously. Unfortunately, you're still not aware of the fact that these cracks are malware. As long as you use cracks, download cracks, visit crack sites... you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system, including infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :thumbsup:
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

Anyway,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\atvhqhut.dll
C:\WINDOWS\system32\ssqNFYSM.dll
C:\WINDOWS\system32\rqRKcyAP.dll
C:\Documents and Settings\Hammy\Desktop\Signgo\Acoustica-MP3-Audio-Mixer-Installer.exe
C:\WINDOWS\system32\keybhookpro.dll
C:\WINDOWS\vbksrofa.dll
C:\WINDOWS\mpfanvqg.dll
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\system32\rqRKcyAP.dll
C:\WINDOWS\system32\tuhqhvta.ini
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
C:\Documents and Settings\Hammy\My Documents\Ripper software\ngen007a.zip
Folder::
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008
C:\WINDOWS\privacy_danger(2)
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86
DirLook::
C:\Documents and Settings\Hammy\WINDOWS
C:\My Documents
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{572EC72C-FF99-4967-807B-F56FEDCAD125}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-
"MalWarrior"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLiveUpdate"=-
"WinService32"=-
"Windows LSASS Service"=-
"BearShare"=-
"30caa59c"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"=-
"vbksrofa"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyAP]


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply, together with a new HijackThis log.

Edited by miekiemoes, 14 May 2008 - 12:34 PM.


#5 bones351

bones351
  • Topic Starter

  • Members
  • 9 posts

Posted 14 May 2008 - 01:37 PM

Not even sure what BearShare is... Just got this machine back from my son... gave it to the wife and she screwed it all up somehow...

Well, it seems to boot faster now... the popup about jpgdll is gone...




ComboFix 08-05-12.1 - Hammy 2008-05-14 14:15:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.236 [GMT -4:00]
Running from: C:\Documents and Settings\Hammy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hammy\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\Hammy\Desktop\Signgo\Acoustica-MP3-Audio-Mixer-Installer.exe
C:\Documents and Settings\Hammy\My Documents\Ripper software\ngen007a.zip
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
C:\WINDOWS\mpfanvqg.dll
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\system32\atvhqhut.dll
C:\WINDOWS\system32\keybhookpro.dll
C:\WINDOWS\system32\rqRKcyAP.dll
C:\WINDOWS\system32\ssqNFYSM.dll
C:\WINDOWS\system32\tuhqhvta.ini
C:\WINDOWS\vbksrofa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080510173057046.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080513154746343.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080513160511765.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080514110840281.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080514122105953.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080514124659531.log
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\embrace.nfo
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\keymaker.exe
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\neri.jpg
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero 8 Ultra Edition 8.2.8.0.txt
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Plugins Serial.txt
C:\Documents and Settings\All Users\Documents\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Read Me First.txt
C:\Documents and Settings\Hammy\Desktop\Signgo\Acoustica-MP3-Audio-Mixer-Installer.exe
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\007spy-5star.exe
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\crack\file_id.diz
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\crack\ngen.nfo
C:\Documents and Settings\Hammy\My Documents\007.spy.software.v3.86\crack\svchost.exe
C:\Documents and Settings\Hammy\My Documents\Ripper software\ngen007a.zip
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe
C:\WINDOWS\mpfanvqg.dll
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\privacy_danger(2)
C:\WINDOWS\privacy_danger(2)\images(2)\capt.gif
C:\WINDOWS\privacy_danger(2)\images(2)\danger.jpg
C:\WINDOWS\privacy_danger(2)\images(2)\down.gif
C:\WINDOWS\privacy_danger(2)\images(2)\spacer.gif
C:\WINDOWS\privacy_danger(2)\images(2)\Thumbs.db
C:\WINDOWS\privacy_danger(2)\index.htm
C:\WINDOWS\system32\atvhqhut.dll
C:\WINDOWS\system32\keybhookpro.dll
C:\WINDOWS\system32\QXyyxyay.ini
C:\WINDOWS\system32\QXyyxyay.ini2
C:\WINDOWS\system32\rqRKcyAP.dll
C:\WINDOWS\system32\ssqNFYSM.dll
C:\WINDOWS\system32\tuhqhvta.ini
C:\WINDOWS\vbksrofa.dll
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-28 19:17 . 1993-11-24 08:38 21,008 --a------ C:\WINDOWS\system32\Ctl3d.dll
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\My Documents
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\Documents and Settings\Hammy\WINDOWS
2008-05-28 16:53 . 2008-05-01 16:30 <DIR> d-------- C:\My Downloads
2008-05-28 16:51 . 2008-05-28 16:56 <DIR> d-------- C:\Program Files\BearShare
2008-05-14 12:58 . 2008-05-14 12:58 90,304 --a------ C:\WINDOWS\system32\hwnwyjcp.dll
2008-05-14 12:58 . 2008-05-14 12:58 414 --ahs---- C:\WINDOWS\system32\pcjywnwh.ini
2008-05-14 12:56 . 2008-05-14 12:56 318,080 --a------ C:\WINDOWS\system32\yayxyyXQ.dll
2008-05-14 12:38 . 2008-05-14 12:39 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 18:10 . 2008-05-13 18:10 <DIR> d-------- C:\Deckard
2008-05-13 17:13 . 2008-05-13 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 17:12 . 2008-05-13 17:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 17:28 . 2008-05-13 17:05 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\TmpRecentIcons
2008-05-10 17:07 . 2008-05-10 17:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-10 10:08 . 2008-05-14 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-09 11:54 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\Program Files\activePDF
2008-05-01 12:22 . 2006-12-11 16:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-04-27 19:09 . 2008-04-27 19:09 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\GlarySoft
2008-04-27 12:24 . 2008-04-27 12:24 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\GlarySoft
2008-04-27 12:21 . 2008-04-27 12:21 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\Serif
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\PlayFirst
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-22 14:41 . 2008-04-22 14:41 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 14:40 . 2008-04-22 14:40 <DIR> d-------- C:\Program Files\Java
2008-04-22 14:40 . 2008-04-27 10:38 <DIR> d-------- C:\Program Files\Google
2008-04-22 14:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-22 14:39 . 2008-04-22 14:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 07:50 . 2008-04-21 07:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-20 16:29 . 2008-05-28 19:17 <DIR> d-------- C:\Program Files\Serif
2008-04-20 16:29 . 1998-12-08 20:53 212,480 --------- C:\WINDOWS\pcdlib32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 23:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2008-05-05 17:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-27 18:40 --------- d-----w C:\Program Files\LawOrderVengefulHeart_at
2008-04-22 15:17 --------- d-----w C:\Program Files\McAfee
2008-04-13 22:49 --------- d-----w C:\Program Files\Shattera_at
2008-04-13 22:43 --------- d-----w C:\Program Files\AquaBall_at
2008-04-10 23:35 --------- d-----w C:\Program Files\RageOfMagicII_at
2008-04-10 23:05 --------- d-----w C:\Program Files\DevastationZoneTroopers_at
2008-04-10 23:00 --------- d-----w C:\Program Files\RIP_at
2008-04-10 12:08 --------- d-----w C:\Program Files\fbmgamesetup
2008-04-10 12:08 --------- d-----w C:\Program Files\Conduit
2008-04-08 22:09 --------- d-----w C:\Program Files\MagicBall3_at
2008-04-08 00:13 --------- d-----w C:\Program Files\Nick Arcade
2008-04-07 23:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 23:02 --------- d-----w C:\Program Files\Virtools
2008-04-06 20:28 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 19:00 --------- d-----w C:\Documents and Settings\Not Hammy\Application Data\SprillBermudeEng
2008-04-06 18:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-04-06 18:49 --------- d-----w C:\Program Files\Real
2008-03-29 22:35 --------- d-----w C:\Program Files\Oxin's Style!
2008-03-29 22:33 --------- d-----w C:\Program Files\PiratesoftheAtlantic_at
2008-03-28 15:34 --------- d-----w C:\Program Files\SpiritofWanderingTheLegend_at
2008-03-25 01:23 --------- d-----w C:\Documents and Settings\Hammy\Application Data\Ahead
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Hammy\WINDOWS ----


---- Directory of C:\My Documents ----



((((((((((((((((((((((((((((( snapshot@2008-05-14_12.49.18.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 16:44:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 18:20:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32F7ABF0-0DE0-44FD-8C79-0DE8B15243EF}]
2008-05-14 12:56 318080 --a------ C:\WINDOWS\system32\yayxyyXQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{572EC72C-FF99-4967-807B-F56FEDCAD125}]
C:\WINDOWS\system32\ssqNFYSM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MalWarrior"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 22:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 05:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-10 23:15 83968]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 22:07 86016]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 12:37 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe" [ ]
"WinService32"="C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28 3223552]
"Windows LSASS Service"="C:\Program Files\Common Files\Microsoft Shared\DAO\System32\spywaresweeper.exe" [ ]
"30caa59c"="C:\WINDOWS\system32\hwnwyjcp.dll" [2008-05-14 12:58 90304]
"combofix"="C:\WINDOWS\system32\CF9081.exe" [2004-08-04 00:56 388608]

C:\Documents and Settings\Hammy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [2008-03-05 22:31:06 1142784]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {A2E7363F-FF83-4F8F-BBF8-C3C75B00E076} - C:\WINDOWS\mpfanvqg.dll [ ]
"vbksrofa"= {0B0BDBA9-6A49-4677-99EC-616478C1D40F} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyAP]
rqRKcyAP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{254c7bb3-eac4-11dc-8925-806d6172696f}]
\Shell\AutoRun\command - I:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 05:42:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 05:00:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 14:21:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-05-14 14:25:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 18:25:26
ComboFix2.txt 2008-05-14 16:49:54

Pre-Run: 16,641,818,624 bytes free
Post-Run: 16,630,730,752 bytes free

248 --- E O F --- 2008-05-02 13:53:58

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:14 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: (no name) - {32F7ABF0-0DE0-44FD-8C79-0DE8B15243EF} - C:\WINDOWS\system32\yayxyyXQ.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [30caa59c] rundll32.exe "C:\WINDOWS\system32\hwnwyjcp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://myspace.oberon-media.com/gameshell/...pt.1.0.0.21.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.gamehouse.com/realarcade-webgam...outLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9784 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 14 May 2008 - 01:48 PM

Hi,

It appears that you missed a part of the CFScript, or something was interfering with the registry deletion part in it.

Also, I see Bearshare is still up and running, so please also uninstall it as I asked previously... this since it's a security risk.

Also, it's already the 4th thread where I see that McAfee is somehow interfering with Combofix.
Disabling McAfee won't make a difference, since McAfee interferes here after reboot.

That's why I want you to temporarily uninstall McAfee first, this to properly troubleshoot as well.

So, as a first step, please uninstall McAfee.
Reboot after uninstalling.

Then, after reboot,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\hwnwyjcp.dll
C:\WINDOWS\system32\pcjywnwh.ini
C:\WINDOWS\system32\yayxyyXQ.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32F7ABF0-0DE0-44FD-8C79-0DE8B15243EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{572EC72C-FF99-4967-807B-F56FEDCAD125}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalWarrior"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLiveUpdate"=-
"WinService32"=-
"BearShare"=-
"Windows LSASS Service"=-
"30caa59c"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"=-
"vbksrofa"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyAP]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Extra question...

Do you have another clean computer you can work from, instead of using this one to post the logs?

Edited by miekiemoes, 14 May 2008 - 02:01 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
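The post above opens with the observation that part of the previous CFScript did not take effect. As an added example (not from this thread, ComboFix or its author), the script below parses a CFScript in the format shown and a ComboFix log, and reports which requested registry removals still appear under "Reg Loading Points" and which requested file or folder removals are never confirmed under "Other Deletions"; the embedded excerpts are constructed by trimming the logs quoted in this thread.

```python
import re

# Constructed excerpts, trimmed from the CFScript and ComboFix logs quoted in
# this thread (raw strings, so the Windows backslashes survive as written).
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\hwnwyjcp.dll
C:\WINDOWS\system32\yayxyyXQ.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32F7ABF0-0DE0-44FD-8C79-0DE8B15243EF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLiveUpdate"=-
"30caa59c"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
"""

# Before the rerun: the loading points the script targets are still listed.
LOG_BEFORE = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32F7ABF0-0DE0-44FD-8C79-0DE8B15243EF}]
2008-05-14 12:56 318080 --a------ C:\WINDOWS\system32\yayxyyXQ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe" [ ]
"30caa59c"="C:\WINDOWS\system32\hwnwyjcp.dll" [2008-05-14 12:58 90304]
"""

# After the rerun: the folder and one dll are confirmed deleted and the Run
# entries are gone, but hwnwyjcp.dll never shows up under 'Other Deletions'.
LOG_AFTER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\WINDOWS\system32\yayxyyXQ.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07 7110656]
"""

VALUE_RE = re.compile(r'^"([^"]+)"=')   # a REGEDIT4-style "name"=data line


def parse_cfscript(text):
    """Collect the removals a CFScript requests: paths, keys and (key, value) pairs."""
    paths, del_keys, del_values = set(), set(), set()
    section_name, key = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):                       # File:: / Folder:: / Registry::
            section_name, key = line[:-2].lower(), None
        elif not line:
            continue
        elif section_name in ("file", "folder"):
            paths.add(line.lower())
        elif section_name == "registry" and line.startswith("["):
            key = line.strip("[]").lower()
            if key.startswith("-"):                   # [-KEY] deletes the whole key
                key = key[1:]
                del_keys.add(key)
        elif section_name == "registry" and key and line.endswith("=-"):
            del_values.add((key, line[1:-3].lower()))  # "name"=- deletes one value
    return paths, del_keys, del_values


def log_section(log, title):
    """Return the stripped lines of one ComboFix section, headed by '((( title )))'."""
    lines, inside = [], False
    for line in log.splitlines():
        if line.startswith("((((") and title in line:
            inside = True
        elif inside and (line.startswith("((((") or line.startswith("****")):
            break
        elif inside:
            lines.append(line.strip())
    return lines


def loading_points(log):
    """Map each key listed under 'Reg Loading Points' to its value names."""
    points, key = {}, None
    for line in log_section(log, "Reg Loading Points"):
        if line.startswith("["):
            key = line.strip("[]").lower()
            points.setdefault(key, set())
        elif key and VALUE_RE.match(line):
            points[key].add(VALUE_RE.match(line).group(1).lower())
    return points


def verify(cfscript, log):
    """Report requested removals the log still lists, or never confirms deleting."""
    paths, del_keys, del_values = parse_cfscript(cfscript)
    points = loading_points(log)
    deleted = {line.lower() for line in log_section(log, "Other Deletions") if line}
    return {
        "keys_remaining": sorted(k for k in del_keys if k in points),
        "values_remaining": sorted(k + "\\" + v for k, v in del_values if v in points.get(k, ())),
        "paths_unconfirmed": sorted(p for p in paths if p not in deleted),
    }
```

Run `verify(CFSCRIPT, LOG_AFTER)` to see the one path the rerun never confirmed, which is the kind of leftover worth asking about before declaring the machine clean.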

#7 bones351

bones351
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:12 PM

Posted 14 May 2008 - 02:31 PM

Ok, took out that Bearshare program... and uninstalled my virus program



ComboFix 08-05-12.1 - Hammy 2008-05-14 15:20:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -4:00]
Running from: C:\Documents and Settings\Hammy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hammy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\hwnwyjcp.dll
C:\WINDOWS\system32\pcjywnwh.ini
C:\WINDOWS\system32\yayxyyXQ.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\WINDOWS\system32\pcjywnwh.ini
C:\WINDOWS\system32\QXyyxyay.ini
C:\WINDOWS\system32\QXyyxyay.ini2
C:\WINDOWS\system32\yayxyyXQ.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-28 19:17 . 1993-11-24 08:38 21,008 --a------ C:\WINDOWS\system32\Ctl3d.dll
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\My Documents
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\Documents and Settings\Hammy\WINDOWS
2008-05-28 16:53 . 2008-05-01 16:30 <DIR> d-------- C:\My Downloads
2008-05-28 16:51 . 2008-05-14 15:12 <DIR> d-------- C:\Program Files\BearShare
2008-05-14 14:42 . 2008-05-14 14:42 90,304 --a------ C:\WINDOWS\system32\ymeowjpx.dll
2008-05-14 14:42 . 2008-05-14 15:14 654 ---hs---- C:\WINDOWS\system32\xpjwoemy.ini
2008-05-14 12:38 . 2008-05-14 12:39 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 18:10 . 2008-05-13 18:10 <DIR> d-------- C:\Deckard
2008-05-13 17:13 . 2008-05-13 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 17:12 . 2008-05-13 17:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 17:28 . 2008-05-13 17:05 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\TmpRecentIcons
2008-05-10 17:07 . 2008-05-10 17:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-09 11:54 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\Program Files\activePDF
2008-05-01 12:22 . 2006-12-11 16:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-04-27 19:09 . 2008-04-27 19:09 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\GlarySoft
2008-04-27 12:24 . 2008-04-27 12:24 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\GlarySoft
2008-04-27 12:21 . 2008-04-27 12:21 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\Serif
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\PlayFirst
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-22 14:41 . 2008-04-22 14:41 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 14:40 . 2008-04-22 14:40 <DIR> d-------- C:\Program Files\Java
2008-04-22 14:40 . 2008-04-27 10:38 <DIR> d-------- C:\Program Files\Google
2008-04-22 14:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-22 14:39 . 2008-04-22 14:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 07:50 . 2008-04-21 07:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-20 16:29 . 2008-05-28 19:17 <DIR> d-------- C:\Program Files\Serif
2008-04-20 16:29 . 1998-12-08 20:53 212,480 --------- C:\WINDOWS\pcdlib32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 23:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-10 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2008-05-05 17:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-27 18:40 --------- d-----w C:\Program Files\LawOrderVengefulHeart_at
2008-04-13 22:49 --------- d-----w C:\Program Files\Shattera_at
2008-04-13 22:43 --------- d-----w C:\Program Files\AquaBall_at
2008-04-10 23:35 --------- d-----w C:\Program Files\RageOfMagicII_at
2008-04-10 23:05 --------- d-----w C:\Program Files\DevastationZoneTroopers_at
2008-04-10 23:00 --------- d-----w C:\Program Files\RIP_at
2008-04-10 12:08 --------- d-----w C:\Program Files\fbmgamesetup
2008-04-10 12:08 --------- d-----w C:\Program Files\Conduit
2008-04-08 22:09 --------- d-----w C:\Program Files\MagicBall3_at
2008-04-08 00:13 --------- d-----w C:\Program Files\Nick Arcade
2008-04-07 23:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 23:02 --------- d-----w C:\Program Files\Virtools
2008-04-06 20:28 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 19:00 --------- d-----w C:\Documents and Settings\Not Hammy\Application Data\SprillBermudeEng
2008-04-06 18:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-04-06 18:49 --------- d-----w C:\Program Files\Real
2008-03-29 22:35 --------- d-----w C:\Program Files\Oxin's Style!
2008-03-29 22:33 --------- d-----w C:\Program Files\PiratesoftheAtlantic_at
2008-03-28 15:34 --------- d-----w C:\Program Files\SpiritofWanderingTheLegend_at
2008-03-25 01:23 --------- d-----w C:\Documents and Settings\Hammy\Application Data\Ahead
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_12.49.18.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 16:44:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 19:24:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 22:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 05:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-10 23:15 83968]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 22:07 86016]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 12:37 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\Hammy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [2008-03-05 22:31:06 1142784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{254c7bb3-eac4-11dc-8925-806d6172696f}]
\Shell\AutoRun\command - I:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 15:24:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-14 15:28:14 - machine was rebooted [Hammy]
ComboFix-quarantined-files.txt 2008-05-14 19:28:02
ComboFix2.txt 2008-05-14 18:25:45
ComboFix3.txt 2008-05-14 16:49:54

Pre-Run: 16,673,681,408 bytes free
Post-Run: 16,677,728,256 bytes free

150 --- E O F --- 2008-05-02 13:53:58


HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:40 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://myspace.oberon-media.com/gameshell/...pt.1.0.0.21.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.gamehouse.com/realarcade-webgam...outLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7166 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 14 May 2008 - 02:41 PM

Well well, it is McAfee after all interfering.

It's already the fourth thread I'm dealing with where the files didn't want to go, and I couldn't figure out what was causing it. Funny thing is, they all had McAfee installed... that's why I started to think that McAfee was interfering.
This can be a coincidence as well, though...

Anyway, some leftovers are still present, but loading points are gone, so let's see if it will reload again.

So, * Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\xpjwoemy.ini
C:\WINDOWS\system32\ymeowjpx.dll
Folder::
C:\Program Files\BearShare


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 14 May 2008 - 02:47 PM

By the way.. I hope you didn't mind, but in the previous CFScript I gave you, I've changed your startpage to google, because a malicious site was set there previously. So I had to enter a site to replace it with. :thumbsup:
You can still change your Internet Explorer startpage again :)

#10 bones351

bones351
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 14 May 2008 - 02:47 PM

ComboFix 08-05-12.1 - Hammy 2008-05-14 15:44:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT -4:00]
Running from: C:\Documents and Settings\Hammy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hammy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\xpjwoemy.ini
C:\WINDOWS\system32\ymeowjpx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BearShare
C:\Program Files\BearShare\BearShare.dat
C:\Program Files\BearShare\db\config.bin
C:\Program Files\BearShare\db\gwebcache.dat
C:\Program Files\BearShare\db\Hostiles-Chat.txt
C:\Program Files\BearShare\db\Hostiles.txt
C:\Program Files\BearShare\db\library.2.db-journal.bak
C:\Program Files\BearShare\db\library.2.db
C:\Program Files\BearShare\db\library.2.db.lastgoodload.bak
C:\Program Files\BearShare\db\library.db-journal.bak
C:\Program Files\BearShare\db\library.db
C:\Program Files\BearShare\db\library.db.lastgoodload.bak
C:\Program Files\BearShare\db\library.db.sync
C:\Program Files\BearShare\db\searches.ini
C:\Program Files\BearShare\FreePeers.ini
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe
C:\Program Files\BearShare\Logs\hosts-state.txt
C:\Program Files\BearShare\Logs\memory.txt
C:\Program Files\BearShare\Logs\ordinal.txt
C:\Program Files\BearShare\Logs\streams.txt
C:\WINDOWS\system32\xpjwoemy.ini
C:\WINDOWS\system32\ymeowjpx.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-28 19:17 . 1993-11-24 08:38 21,008 --a------ C:\WINDOWS\system32\Ctl3d.dll
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\My Documents
2008-05-28 19:16 . 2008-05-28 19:16 <DIR> d-------- C:\Documents and Settings\Hammy\WINDOWS
2008-05-28 16:53 . 2008-05-01 16:30 <DIR> d-------- C:\My Downloads
2008-05-14 12:38 . 2008-05-14 12:39 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 18:10 . 2008-05-13 18:10 <DIR> d-------- C:\Deckard
2008-05-13 17:13 . 2008-05-13 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 17:12 . 2008-05-13 17:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 16:38 . 2008-05-13 16:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 17:28 . 2008-05-13 17:05 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\TmpRecentIcons
2008-05-10 17:07 . 2008-05-10 17:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-09 11:54 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\Program Files\activePDF
2008-05-01 12:22 . 2006-12-11 16:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-04-27 19:09 . 2008-04-27 19:09 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\GlarySoft
2008-04-27 12:24 . 2008-04-27 12:24 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\GlarySoft
2008-04-27 12:21 . 2008-04-27 12:21 <DIR> d-------- C:\Documents and Settings\Hammy\Application Data\Serif
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\Not Hammy\Application Data\PlayFirst
2008-04-23 19:44 . 2008-04-23 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-04-22 14:41 . 2008-04-22 14:41 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 14:40 . 2008-04-22 14:40 <DIR> d-------- C:\Program Files\Java
2008-04-22 14:40 . 2008-04-27 10:38 <DIR> d-------- C:\Program Files\Google
2008-04-22 14:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-22 14:39 . 2008-04-22 14:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 07:50 . 2008-04-21 07:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-20 16:29 . 2008-05-28 19:17 <DIR> d-------- C:\Program Files\Serif
2008-04-20 16:29 . 1998-12-08 20:53 212,480 --------- C:\WINDOWS\pcdlib32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 23:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-10 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2008-05-05 17:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-27 18:40 --------- d-----w C:\Program Files\LawOrderVengefulHeart_at
2008-04-13 22:49 --------- d-----w C:\Program Files\Shattera_at
2008-04-13 22:43 --------- d-----w C:\Program Files\AquaBall_at
2008-04-10 23:35 --------- d-----w C:\Program Files\RageOfMagicII_at
2008-04-10 23:05 --------- d-----w C:\Program Files\DevastationZoneTroopers_at
2008-04-10 23:00 --------- d-----w C:\Program Files\RIP_at
2008-04-10 12:08 --------- d-----w C:\Program Files\fbmgamesetup
2008-04-10 12:08 --------- d-----w C:\Program Files\Conduit
2008-04-08 22:09 --------- d-----w C:\Program Files\MagicBall3_at
2008-04-08 00:13 --------- d-----w C:\Program Files\Nick Arcade
2008-04-07 23:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 23:02 --------- d-----w C:\Program Files\Virtools
2008-04-06 20:28 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 19:00 --------- d-----w C:\Documents and Settings\Not Hammy\Application Data\SprillBermudeEng
2008-04-06 18:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-04-06 18:49 --------- d-----w C:\Program Files\Real
2008-03-29 22:35 --------- d-----w C:\Program Files\Oxin's Style!
2008-03-29 22:33 --------- d-----w C:\Program Files\PiratesoftheAtlantic_at
2008-03-28 15:34 --------- d-----w C:\Program Files\SpiritofWanderingTheLegend_at
2008-03-25 01:23 --------- d-----w C:\Documents and Settings\Hammy\Application Data\Ahead
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 19:03 71,561 ----a-w C:\WINDOWS\system32\007unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_12.49.18.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 16:44:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 19:24:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 22:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 22:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 05:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-10 23:15 83968]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 22:07 86016]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 12:37 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\Hammy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [2008-03-05 22:31:06 1142784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{254c7bb3-eac4-11dc-8925-806d6172696f}]
\Shell\AutoRun\command - I:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 15:45:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 15:46:32
ComboFix-quarantined-files.txt 2008-05-14 19:46:23
ComboFix2.txt 2008-05-14 19:28:14
ComboFix3.txt 2008-05-14 18:25:45
ComboFix4.txt 2008-05-14 16:49:54

Pre-Run: 16,640,061,440 bytes free
Post-Run: 16,654,532,608 bytes free

156 --- E O F --- 2008-05-02 13:53:58


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:28 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://myspace.oberon-media.com/gameshell/...pt.1.0.0.21.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.gamehouse.com/realarcade-webgam...outLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7055 bytes
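
As an added example (not part of this thread, and not code from HijackThis, ComboFix or BleepingComputer), here is a small Python triage helper for the HijackThis v2 log format posted above. It flags the kinds of entries a helper looks at first: orphaned entries marked `(no file)` (like the O3 toolbar still present in this log), Run entries that use a bare filename resolved via the search path, O16 ActiveX controls fetched from hosts outside an allowlist, and O23 services with no publisher. The trusted-host allowlist, the expected autostart roots and the final O23 sample line are constructed assumptions for the example; the other sample lines are copied from the log above.

```python
"""Triage helper for HijackThis v2 log lines (added example; not part of the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts a reviewer accepts as sources for O16 (Downloaded Program Files) ActiveX
# controls. This allowlist is an assumption for the example, not a HijackThis feature.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "javadl.sun.com", "www.kaspersky.com"}

# Directories from which O4 autostart entries are expected to load on this XP box (assumption).
EXPECTED_RUN_ROOTS = (r"c:\windows", r"c:\program files")

HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 bodies look like "HKLM\..\Run: [Name] command" or "Global Startup: x.lnk = path".
# Other hives (e.g. HKUS\...) are not handled here and are skipped.
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU|Startup|Global Startup)[^:]*:\s*(?:\[[^\]]*\]\s*)?(?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def command_path(cmd: str) -> str:
    """Executable (or DLL) path at the front of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32.EXE "):   # RUNDLL32 host: the DLL is the real payload
        cmd = cmd[len("RUNDLL32.EXE "):]
    if cmd.startswith('"'):                        # quoted path, may contain spaces
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0].split(",")[0]         # "C:\x.dll,Entry" -> "C:\x.dll"


def dpf_host(body: str):
    """Host an O16 control is fetched from, or None when it points at a local file."""
    target = body.rsplit(" - ", 1)[-1].strip()
    return urlparse(target).hostname if target.lower().startswith("http") else None


def triage(log_text: str) -> list:
    """Return the entries a reviewer should look at first, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if body.endswith("(no file)"):
            findings.append(Finding(section, raw, "orphaned entry: the referenced file no longer exists"))
        elif section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            hive, cmd = o4.group("hive"), o4.group("cmd")
            # Startup-folder entries are "name.lnk = target"; Run-key entries are command lines.
            path = cmd.split(" = ", 1)[-1] if hive.endswith("Startup") else command_path(cmd)
            if "\\" not in path:
                findings.append(Finding(section, raw, f"bare filename {path!r} is resolved via the search path; confirm which copy runs"))
            elif not path.lower().startswith(EXPECTED_RUN_ROOTS):
                findings.append(Finding(section, raw, f"autostart loads from unexpected location {path!r}"))
        elif section == "O16":
            host = dpf_host(body)
            if host and host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, raw, f"ActiveX control fetched from non-allowlisted host {host}"))
        elif section == "O23":
            parts = body.split(" - ")
            if len(parts) >= 3 and parts[-2].strip() == "Unknown owner":
                findings.append(Finding(section, raw, "service binary carries no publisher information"))
    return findings


# Sample input: lines copied from the log above, plus one constructed O23 line (the last one)
# with a placeholder path, to exercise the "Unknown owner" check.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {EA962993-4A16-45A4-9A55-E19BA3F1FC8F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\example_svc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line.strip()}")
```

A bare-filename Run entry such as `SOUNDMAN.EXE` is usually legitimate (as it is in this log), so the script reports it as something to confirm rather than as malware; the point of the check is that the same mechanism lets a copy placed earlier on the search path win. The `(no file)` O3 entry is harmless residue that HijackThis can simply remove.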

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 14 May 2008 - 03:14 PM

Hi,

This looks OK again. Infections are gone.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Also, please reinstall McAfee again, or install another antivirus instead. Look in my signature below.

Let me know in your next reply how things are now.

#12 bones351

bones351
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 14 May 2008 - 04:01 PM

AWESOME.........Everything seems to be back to normal........Actually better than it was when I first got it from my son. Thanks a bunch. You have done the impossible on multiple levels, you have fixed my computer and made my wife happy....Neither of which I thought would EVER happen.

Edited by bones351, 14 May 2008 - 04:02 PM.


#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 14 May 2008 - 04:15 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:12 AM

Posted 16 May 2008 - 07:57 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



