
How To Get Rid Of Adware.vundo Variant/rel


18 replies to this topic

#1 vrijes

  • Members
  • 37 posts
  • Local time:01:41 AM

Posted 15 June 2008 - 08:55 PM

I need help!!!
I infected my computer (running Windows XP Professional SP2) with Trojan Monder.gen (Virtumonde). It caused me to get some popup windows when I ran Internet Explorer, and I could not search the internet with Google (it simply blocked Google...) from Internet Explorer and Firefox. From Netscape Navigator I managed to search with Google without any problem. I scanned and cleaned the computer with the SUPERAntiSpyware program and with the ATF-Cleaner program, and for a short time I managed to unblock searching Google with Firefox and IE... but after that time it was blocked again. I scanned my computer with SUPERAntiSpyware again and it found viruses again. I cleaned and quarantined them again, but I could not get rid of Adware.Vundo Variant/Rel, registered as a registry threat. I scanned and cleaned again and again, and it always reappears, and I can't get rid of it... Please help me!!!
Here are two logs from SUPERAntispyware:

Log1:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2008 at 08:13 PM

Application Version : 4.15.1000

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Complete Scan
Total Scan Time : 01:57:00

Memory items scanned : 319
Memory threats detected : 0
Registry items scanned : 7918
Registry threats detected : 19
File items scanned : 179067
File threats detected : 14

Trojan.FakeAlert-Pinch/AJ
HKLM\Software\Classes\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43D65102-A7BE-4C88-9737-44D2AD81394A}
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}#AppID
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}#LocalizedString
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\Elevation
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\Elevation#Enabled
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\Implemented Categories
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\InprocServer32
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\InprocServer32#ThreadingModel
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\ProgID
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\TypeLib
HKCR\CLSID\{43D65102-A7BE-4C88-9737-44D2AD81394A}\Version

Adware.Zango/ShoppingReport
HKU\S-1-5-21-515967899-2000478354-839522115-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE}
HKU\S-1-5-21-515967899-2000478354-839522115-1003\Software\ShoppingReport
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\db
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\dwld
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\report
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs\res1
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport\cs
C:\Documents and Settings\Žarko Kasum\Application Data\ShoppingReport

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKU\S-1-5-21-515967899-2000478354-839522115-1003\Software\Microsoft\rdfa
C:\WINDOWS\SYSTEM32\MCRH.TMP


Log2:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2008 at 08:33 PM

Application Version : 4.15.1000

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Quick Scan
Total Scan Time : 00:06:57

Memory items scanned : 314
Memory threats detected : 0
Registry items scanned : 408
Registry threats detected : 2
File items scanned : 10594
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKU\S-1-5-21-515967899-2000478354-839522115-1003\Software\Microsoft\rdfa



#2 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:41 AM

Posted 15 June 2008 - 09:32 PM

Hello Vrijes :thumbsup:

Click here to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
After the final dialogue box it will launch HijackThis.

Click on the Scan button. It will scan and then ask you to save the log.
Save the log and post it in your next reply. :)


I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in HijackThis school and teachers will check my posts.


Please post your HijackThis log here :thumbup2:

#3 vrijes
  • Topic Starter

  • Members
  • 37 posts
  • Local time:01:41 AM

Posted 15 June 2008 - 10:03 PM

Thanks for help!

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:51, on 16.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Dora\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\VSTASCAN\vsaccess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {C3E3DDD5-BAD5-4717-AA77-14E141548B83} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Helper.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA60057-9277-49C0-8D64-280DBAD9C3E1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [4891d899] rundll32.exe "C:\WINDOWS\system32\lcwkdugo.dll",b
O4 - HKLM\..\Run: [BM4ba2eb05] Rundll32.exe "C:\WINDOWS\system32\rwpkxobl.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtTnOHY - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8555 bytes
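As an added example (not part of this thread, and not code from HijackThis or any of the tools named here), the following Python script applies to a few entries copied from the log above the same checks a log helper makes by eye: the F2 line that makes Winlogon launch a second program next to Explorer.exe, the two O4 Run values with auto-generated names that load DLLs through rundll32, the O20 Winlogon Notify handler that points at a bare directory, and entries whose referenced file is gone. The heuristics (hex-looking Run value names, eight-letter DLL names under system32) are this example's own assumptions, not rules from HijackThis; the sample input is constructed from lines of the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log above, with
# benign lines from the same log mixed in so the checks have something to ignore.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: (no name) - {3CA60057-9277-49C0-8D64-280DBAD9C3E1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [4891d899] rundll32.exe "C:\WINDOWS\system32\lcwkdugo.dll",b
O4 - HKLM\..\Run: [BM4ba2eb05] Rundll32.exe "C:\WINDOWS\system32\rwpkxobl.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtTnOHY - C:\WINDOWS\
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (F2, O2, O4, O20, ...) and " - ".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Heuristics assumed by this example (not HijackThis rules):
# a Run value named by 8 hex digits, optionally prefixed "BM", looks auto-generated ...
AUTO_NAME = re.compile(r"^\[(?:BM)?[0-9a-f]{8}\]", re.IGNORECASE)
# ... and rundll32 loading an 8-letter DLL straight out of system32 is the usual companion.
RANDOM_DLL = re.compile(r'rundll32\.exe\s+"?[^"]*\\system32\\[a-z]{8}\.dll', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, line) for each entry line; header and process lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def analyse(text):
    """Run the triage checks over a HijackThis log and return the findings in log order."""
    findings = []
    for section, body, line in parse_entries(text):
        # F2: the Winlogon Shell value should be exactly Explorer.exe.
        if section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(section, "Winlogon Shell launches something besides Explorer.exe", line))
        # Any section: an entry whose target file is gone is a leftover worth removing.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(section, "orphaned entry: referenced file no longer exists", line))
        # O4: autostart values; the text after "Run: " is "[name] command".
        if section == "O4":
            value = body.split(": ", 1)[1] if ": " in body else body
            if AUTO_NAME.match(value):
                findings.append(Finding(section, "Run value name looks auto-generated", line))
            if RANDOM_DLL.search(value):
                findings.append(Finding(section, "rundll32 loads a pseudo-random 8-letter DLL from system32", line))
        # O20: a Winlogon Notify handler must name a DLL; a bare directory means the
        # registered DLL is hidden from the tool or was already removed.
        if section == "O20":
            target = body.rsplit(" - ", 1)[-1]
            if target.endswith("\\") or not target.lower().endswith(".dll"):
                findings.append(Finding(section, "Winlogon Notify handler has no DLL path", line))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports seven findings and stays quiet on the SoundMAX, SUPERAntiSpyware and ZoneAlarm lines; a real log is fed in by reading the saved hijackthis.log into `analyse` instead of `SAMPLE_LOG`. The value-name and DLL-name checks are deliberately separate so that each O4 line shows which of the two indicators fired.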

#4 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:41 AM

Posted 16 June 2008 - 12:10 PM

Hello :thumbsup:

Step #1
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Step #2
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Step #3
Please post Combofix log and a fresh HijackThis log back here.
Have you uninstalled Symantec?

#5 vrijes
  • Topic Starter

  • Members
  • 37 posts
  • Local time:01:41 AM

Posted 17 June 2008 - 05:17 AM

Hi Baabiouz! :)

I ran ComboFix and it seems that I got rid of the Adware.Vundo Variant/rel registry problem, because the SUPERAntiSpyware program doesn't detect it any more! I scanned my computer with BitDefender antivirus (free version) and cleaned some remaining viruses. Now my computer seems to be clean! Yes, I had Symantec Norton AntiVirus installed, but I removed it so that it would not interact with the other cleaning tools that I used to get rid of this. Today I will buy the full version of BitDefender 2008 antivirus and install it on my computer! Please tell me if I have to do something more with my computer.

Thank you VERY, VERY much! :thumbsup:

Here is new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:20, on 17.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Dora\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {C3E3DDD5-BAD5-4717-AA77-14E141548B83} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Helper.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O20 - Winlogon Notify: awtTnOHY - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9333 bytes

And here is the ComboFix log:

ComboFix 08-06-16.2 - Žarko Kasum 2008-06-17 5:06:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT 2:00]
Running from: C:\Documents and Settings\Žarko Kasum\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\setup.exe
C:\smp.bat
C:\WINDOWS\BM4ba2eb05.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\install.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jfvboocd.ini
C:\WINDOWS\system32\JSsYIkkj.ini
C:\WINDOWS\system32\JSsYIkkj.ini2
C:\WINDOWS\system32\lcwkdugo.dll
C:\WINDOWS\system32\ogudkwcl.ini
C:\WINDOWS\system32\qqvwcqeh.ini
C:\WINDOWS\system32\rwpkxobl.dll
C:\WINDOWS\system32\ubjfegrp.ini
C:\WINDOWS\system32\wljtqnjj.dll
C:\WINDOWS\system32\xdgfmbwv.ini
C:\WINDOWS\system32\xmjywsaq.ini
C:\WINDOWS\system32\xotettds.dll
C:\WINDOWS\system32\yrjbvynj.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 04:59 . 2008-06-16 04:59 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-15 15:09 . 2008-06-15 15:09 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-15 15:01 . 2008-06-14 00:29 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-15 15:01 . 2008-06-15 15:01 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-06-15 14:53 . 2008-06-15 14:53 <DIR> d----c--- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-06-15 14:23 . 2008-06-15 14:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-15 14:22 . 2008-06-15 14:22 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-06-14 00:19 . 2008-06-14 00:19 49,152 --a--c--- C:\WINDOWS\system32\Turkish PayPal Hack.exe
2008-06-12 23:33 . 2007-02-20 16:04 2,463,976 --a--c--- C:\WINDOWS\system32\NPSWF32.dll
2008-06-12 23:33 . 2007-02-20 16:04 190,696 --a--c--- C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-06-12 15:35 . 2008-06-12 15:35 717 --a--c--- C:\WINDOWS\ST6UNST.001
2008-06-12 15:31 . 2008-06-12 15:31 717 --a--c--- C:\WINDOWS\ST6UNST.000
2008-06-12 15:31 . 2008-06-12 15:35 0 --a--c--- C:\WINDOWS\SETUP.LST
2008-06-12 15:00 . 2008-06-15 14:56 <DIR> d----c--- C:\Program Files\Norton AntiVirus
2008-06-12 14:57 . 2008-06-15 14:53 <DIR> d----c--- C:\Program Files\Symantec
2008-06-12 14:57 . 2008-06-15 14:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 03:16 . 2008-03-03 14:25 5,702 --ah-c--- C:\WINDOWS\nod32restoretemdono.reg
2008-06-11 03:12 . 2008-06-11 03:12 <DIR> d----c--- C:\Program Files\ESET
2008-06-11 02:19 . 2008-06-11 02:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-11 01:07 . 2008-06-15 14:22 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 23:53 . 2008-06-10 23:53 <DIR> d--hsc--- C:\Diskeeper
2008-06-10 20:12 . 2008-06-10 20:12 <DIR> d----c--- C:\Program Files\Diskeeper Corporation
2008-06-10 20:12 . 2008-06-10 20:12 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-06-10 16:28 . 2008-06-10 18:30 12 --a--c--- C:\Documents and Settings\Zarko Kasum\winmsd.exe
2008-06-07 17:15 . 2008-06-07 17:15 <DIR> d----c--- C:\Program Files\Mypops
2008-06-04 20:24 . 2008-06-04 21:07 <DIR> d----c--- C:\InstallShield 2008 Projects
2008-06-04 11:53 . 2008-06-04 11:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-04 11:44 . 2008-06-04 11:44 <DIR> d----c--- C:\Program Files\Macrovision
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d----c--- C:\Program Files\MSDN
2008-06-03 14:37 . 2008-06-03 14:37 212 --a--c--- C:\WINDOWS\ildasmfnt.bin
2008-06-02 18:33 . 2008-06-17 05:21 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-06-02 18:33 . 2008-06-02 18:33 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-06-02 18:14 . 2008-06-02 18:15 <DIR> d----c--- C:\WINDOWS\system32\js
2008-06-02 18:14 . 2008-06-02 18:14 <DIR> d----c--- C:\WINDOWS\system32\images
2008-06-02 18:14 . 2008-06-02 18:15 <DIR> d----c--- C:\WINDOWS\system32\html
2008-06-02 18:14 . 2008-06-02 18:15 <DIR> d----c--- C:\WINDOWS\system32\css
2008-06-02 18:14 . 2008-06-02 18:14 <DIR> d----c--- C:\Program Files\Business Objects
2008-06-02 18:08 . 2008-06-02 18:11 <DIR> d----c--- C:\Program Files\Microsoft SQL Server
2008-06-02 18:07 . 2008-06-02 18:07 <DIR> d----c--- C:\Program Files\Microsoft Device Emulator
2008-06-02 18:04 . 2008-06-02 18:06 <DIR> d----c--- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-06-02 17:51 . 2008-06-02 17:51 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-06-02 17:41 . 2008-06-02 17:41 <DIR> d----c--- C:\WINDOWS\symbols
2008-06-02 17:38 . 2008-06-02 17:43 <DIR> d----c--- C:\Program Files\HTML Help Workshop
2008-06-02 17:38 . 2008-06-02 17:38 <DIR> d----c--- C:\Program Files\CE Remote Tools
2008-06-02 17:35 . 2008-06-02 17:35 <DIR> d----c--- C:\Program Files\Microsoft Web Designer Tools
2008-05-31 21:48 . 2008-05-31 21:48 <DIR> d----c--- C:\Program Files\Microsoft Visual Studio .NET
2008-05-31 21:48 . 2008-05-31 21:48 <DIR> d----c--- C:\Program Files\GNU
2008-05-20 02:08 . 2007-07-30 19:19 271,224 --a--c--- C:\WINDOWS\system32\mucltui.dll
2008-05-20 02:08 . 2007-07-30 19:19 207,736 --a--c--- C:\WINDOWS\system32\muweb.dll
2008-05-20 02:08 . 2007-07-30 19:19 30,072 --a--c--- C:\WINDOWS\system32\mucltui.dll.mui
2008-05-19 16:36 . 2008-05-19 16:39 <DIR> d----c--- C:\Program Files\Multimedia Builder498

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 03:19 46,640,416 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-17 03:19 457,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-15 12:56 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-06-14 00:23 3,940,864 -c--a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-06-13 23:16 6,549,505 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-13 16:00 --------- dc----w C:\Program Files\Norton Security Scan
2008-06-11 12:13 --------- dc----w C:\Program Files\Common Files\Adobe
2008-06-11 10:36 3,880,448 -c--a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-06-10 23:16 3,973,120 -c--a-w C:\WINDOWS\Internet Logs\xDB1C9.tmp
2008-06-10 23:16 2,352,128 -c--a-w C:\WINDOWS\Internet Logs\xDB1CA.tmp
2008-06-10 23:07 --------- dc----w C:\Program Files\Lavasoft
2008-06-10 23:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 15:10 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-06-04 09:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-04 09:50 --------- dc----w C:\Program Files\Common Files\Merge Modules
2008-06-04 09:50 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-06-04 09:46 --------- dc----w C:\Program Files\MSBuild
2008-06-03 14:28 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-02 16:37 24,911,696 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_06_02_14_15_42_full.dmp.zip
2008-06-02 16:14 --------- dc----w C:\Program Files\Microsoft Visual Studio 9.0
2008-06-02 16:12 --------- dc----w C:\Program Files\Microsoft.NET
2008-06-02 13:59 --------- dc----w C:\Program Files\MSECache
2008-06-01 12:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-01 08:53 --------- dc----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-06-01 08:53 --------- dc----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-12 10:42 --------- dc----w C:\Documents and Settings\All Users\Application Data\IM
2008-05-12 10:40 --------- dc----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-05-10 09:04 --------- dc----w C:\Program Files\Bonjour
2008-04-29 09:20 15,648 -c--a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 -c--a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 -c--a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 06:05 --------- dc----w C:\Program Files\Microsoft Synchronization Services
2008-04-24 06:05 --------- dc----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-23 19:32 3,005,440 -c--a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-04-23 19:32 2,018,816 -c--a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-04-22 20:26 2,017,792 -c--a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-04-22 09:44 3,136,512 -c--a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-04-22 09:20 --------- dc----w C:\Program Files\Common Files\Nero
2008-04-22 09:15 --------- dc----w C:\Program Files\Nero
2008-04-22 09:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-17 18:47 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 22:19 3,219,968 -c--a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-04-14 22:19 1,953,280 -c--a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-04-14 18:05 356,352 -c--a-w C:\WINDOWS\eSellerateEngine.dll
2008-04-06 21:59 4,177,408 -c--a-w C:\WINDOWS\Internet Logs\xDBA.tmp
.
-c--a-w		 1,249,552 2007-12-08 18:44:58  C:\Documents and Settings\Žarko Kasum\My Documents\Filip\Programi\PowerISO\PowerISO v3.7  by FFF torrent\PowerISO v3.7 .EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 17:28 790528]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-01-10 13:08 32768]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 02:05 200704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 20:53 2209224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Dora\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"ypops"="C:\Program Files\Mypops\ypops.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtTnOHY]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Dora\\iTunes.exe"=

S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 14:53]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"C:\Program Files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 11:31]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 09:21:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 05:21:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\VSTASCAN\VsAccess.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-17 5:35:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 03:35:06

Pre-Run: 17,591,005,184 bytes free
Post-Run: 18,456,735,744 bytes free

242 --- E O F --- 2008-02-25 22:34:53


#6 vrijes

vrijes
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:01:41 AM

Posted 17 June 2008 - 08:54 AM

Hi again Baabiouz!
I have just bought and installed BitDefender Internet Security on my system, so I am sending you a new HijackThis log if it makes a difference!

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49:02, on 17.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Dora\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\VSTASCAN\vsaccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {C3E3DDD5-BAD5-4717-AA77-14E141548B83} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Helper.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O20 - Winlogon Notify: awtTnOHY - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8826 bytes

#7 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:41 AM

Posted 17 June 2008 - 10:15 AM

Hello :thumbsup:

Step #1

Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {C3E3DDD5-BAD5-4717-AA77-14E141548B83} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Helper.dll (file missing)
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
O20 - Winlogon Notify: awtTnOHY - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE


Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #2
Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl+C) and paste (Ctrl+V) the following text into the codebox:
File::
C:\WINDOWS\nod32restoretemdono.reg
C:\Documents and Settings\Zarko Kasum\winmsd.exe

Folder::
C:\Program Files\Norton AntiVirus
C:\Program Files\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Program Files\ESET
C:\Documents and Settings\All Users\Application Data\ESET
C:\Documents and Settings\Žarko Kasum\My Documents\Filip\Programi\PowerISO\PowerISO v3.7  by FFF torrent

Service::
LiveUpdate
Automatic LiveUpdate Scheduler


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


Step #3
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step #4
Please visit Virustotal
* Click the Browse... button
* Navigate to the file C:\WINDOWS\system32\Turkish PayPal Hack.exe
* Click the Open button
* Click the Send button
* Copy and paste the results back here

Step #5
Please post the ComboFix log, the VirusTotal results and a fresh HijackThis log back here :)
Posted Image
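The triage Baabiouz does by hand in Step #1 (tick the entries whose backing file is gone, and the Winlogon Notify hook that points at a bare directory instead of a DLL) can be written down as a small script. The block below is an added example and is not code from this thread, from HijackThis or from ComboFix. The log it reads is a constructed sample shaped after the HijackThis log posted above (one benign O20 entry is added for contrast), and the "random-looking name" heuristic is an assumption of this example, not a rule HijackThis applies.

```python
"""Triage a HijackThis log: list the lines worth ticking in 'Fix checked'.

Added example, not part of the forum thread. SAMPLE_LOG is constructed for
this example and is not a real scan result.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of a HijackThis v2.0.2 log.
SAMPLE_LOG = """\
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\\PROGRA~1\\ICQTOO~1\\toolbaru.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\\Documents and Settings\\User\\Desktop\\gaia\\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
O4 - HKLM\\..\\Run: [SoundMAXPnP] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe
O20 - Winlogon Notify: awtTnOHY - C:\\WINDOWS\\
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
"""

# HijackThis marks a registry entry whose target no longer exists with one of these.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# O20 lines have the form: O20 - Winlogon Notify: <subkey name> - <path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str    # the log line exactly as HijackThis printed it
    reason: str  # why it is worth ticking


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example): an 8-letter name with upper- and
    lower-case letters mixed after its first character, as in the Winlogon Notify
    subkey above, does not look like a name a vendor chose."""
    if not re.fullmatch(r"[A-Za-z]{8}", name):
        return False
    tail = name[1:]
    return any(c.isupper() for c in tail) and any(c.islower() for c in tail)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per reason for every log line that deserves attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Orphaned entries: the registry still references a file that is gone.
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(line, "orphaned entry: target file is missing"))
        # Winlogon Notify hooks: every legitimate one names a DLL to load.
        match = O20_RE.match(line)
        if match:
            name, path = match.group("name"), match.group("path").strip()
            if not path.lower().endswith(".dll"):
                findings.append(Finding(line, "Winlogon Notify hook does not resolve to a DLL"))
            if looks_random(name):
                findings.append(Finding(line, "Winlogon Notify subkey has a random-looking name"))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Lines to tick in HijackThis 'Fix checked', in log order, without duplicates."""
    seen, out = set(), []
    for finding in findings:
        if finding.line not in seen:
            seen.add(finding.line)
            out.append(finding.line)
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
    print("\nTick in HijackThis:")
    for line in fix_list(triage(SAMPLE_LOG)):
        print("  " + line)
```

On the sample this yields the same four lines Baabiouz ticks for orphaned and hook entries (two R3/O3 "(no file)" lines, the Gaia BHO with "(file missing)", and the awtTnOHY Winlogon Notify hook) and leaves the SUPERAntiSpyware hook and the SoundMAX Run entry alone. The two Symantec LiveUpdate services he also ticks are leftovers of an uninstalled product rather than something a log pattern can tell apart, so they are not covered here.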

#8 vrijes

vrijes
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:01:41 AM

Posted 17 June 2008 - 01:40 PM

Hi!

Here is the ComboFix log:

ComboFix 08-06-16.2 - Žarko Kasum 2008-06-17 19:33:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.193 [GMT 2:00]
Running from: C:\Documents and Settings\Žarko Kasum\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Žarko Kasum\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Zarko Kasum\winmsd.exe
C:\WINDOWS\nod32restoretemdono.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ESET
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\FND15.NFI
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\httpblk.dat
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\1.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\1.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\10.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\10.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-15_Log.ALUSchedulerSvc.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-16_Log.ALUSchedulerSvc.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-17_Log.ALUSchedulerSvc.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\3.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\3.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\4.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\4.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\5.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\5.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\6.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\6.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\7.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\7.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\8.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\8.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\9.Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\9.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\minitri.flg
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\History.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Failed\ISIDSGroupDelete.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\CIDS.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\Pif.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\PifLoc.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SRTSP.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580054819218750.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580055206875000.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076016718750.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076318750000.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076323906250.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076324062500.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076324062501.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076324218750.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076324218751.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SyKnAppS_128580076324375000.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SymEvent.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Processed\SymNetDrv.lrm
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LastGood.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LastGood.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
C:\Documents and Settings\Zarko Kasum\winmsd.exe
C:\Program Files\ESET
C:\Program Files\Norton AntiVirus
C:\Program Files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\EULA.txt
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\ALUNOTIFYRES.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\AluSchedulerSvcRes.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\AUPDATERES.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\EULA.txt
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\LUALLRES.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\LuCfgRes.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\README.TXT
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\ResLuComServer_3_4.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\S32LUCP1RES.loc
C:\Program Files\Symantec\LiveUpdate\Lang\09\01\SymantecRootInstallerRes.loc
C:\Program Files\Symantec\LiveUpdate\Lang\fallback.dat
C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuccMUI.dll
C:\Program Files\Symantec\LiveUpdate\LUCheck.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\LuConfig.EXE
C:\Program Files\Symantec\LiveUpdate\ludirloc.dat
C:\Program Files\Symantec\LiveUpdate\LUINFO.INF
C:\Program Files\Symantec\LiveUpdate\LUinsDll.dll
C:\Program Files\Symantec\LiveUpdate\LuPreCon.DLL
C:\Program Files\Symantec\LiveUpdate\NetDetectController_3_4.DLL
C:\Program Files\Symantec\LiveUpdate\NotifyHA.exe
C:\Program Files\Symantec\LiveUpdate\ProductRegCom_3_4.DLL
C:\Program Files\Symantec\LiveUpdate\PSProductRegCom_3_4.DLL
C:\Program Files\Symantec\LiveUpdate\README.TXT
C:\Program Files\Symantec\LiveUpdate\S32LIVE1.DLL
C:\Program Files\Symantec\LiveUpdate\S32LUCP1.CPL
C:\Program Files\Symantec\LiveUpdate\S32LUIS1.DLL
C:\Program Files\Symantec\LiveUpdate\S32LUWI1.DLL
C:\Program Files\Symantec\LiveUpdate\Settings.Default.LiveUpdate
C:\Program Files\Symantec\LiveUpdate\UNRAR.DLL
C:\WINDOWS\nod32restoretemdono.reg

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 15:07 . 2008-06-17 19:32 121 --a--c--- C:\WINDOWS\bdagent.INI
2008-06-17 14:57 . 2008-06-17 14:57 <DIR> d----c--- C:\Program Files\BitDefender
2008-06-17 14:56 . 2008-06-17 14:58 <DIR> d----c--- C:\Program Files\Common Files\BitDefender
2008-06-17 06:08 . 2008-06-17 14:16 81,984 --a--c--- C:\WINDOWS\system32\bdod.bin
2008-06-17 06:07 . 2008-06-17 14:58 <DIR> d----c--- C:\Documents and Settings\Žarko Kasum\Application Data\Bitdefender
2008-06-17 06:04 . 2008-06-17 06:04 <DIR> d----c--- C:\Program Files\Softwin
2008-06-17 06:04 . 2008-06-17 14:59 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-17 06:03 . 2008-06-17 14:17 <DIR> d----c--- C:\Program Files\Common Files\Softwin
2008-06-17 05:35 . 2008-06-17 05:35 <DIR> d----c--- C:\Documents and Settings\Äarko Kasum
2008-06-16 04:59 . 2008-06-16 04:59 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-15 15:09 . 2008-06-15 15:09 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-15 15:01 . 2008-06-14 00:29 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-15 15:01 . 2008-06-15 15:01 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-06-15 14:53 . 2008-06-15 14:53 <DIR> d----c--- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-06-15 14:23 . 2008-06-15 14:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-15 14:22 . 2008-06-17 14:53 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-06-15 14:22 . 2008-06-17 14:54 <DIR> d----c--- C:\Documents and Settings\Žarko Kasum\Application Data\SUPERAntiSpyware.com
2008-06-14 00:19 . 2008-06-14 00:19 49,152 --a--c--- C:\WINDOWS\system32\Turkish PayPal Hack.exe
2008-06-12 23:33 . 2007-02-20 16:04 2,463,976 --a--c--- C:\WINDOWS\system32\NPSWF32.dll
2008-06-12 23:33 . 2007-02-20 16:04 190,696 --a--c--- C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-06-12 15:35 . 2008-06-12 15:35 717 --a--c--- C:\WINDOWS\ST6UNST.001
2008-06-12 15:31 . 2008-06-12 15:31 717 --a--c--- C:\WINDOWS\ST6UNST.000
2008-06-12 15:31 . 2008-06-12 15:35 0 --a--c--- C:\WINDOWS\SETUP.LST
2008-06-11 01:07 . 2008-06-17 14:53 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 23:53 . 2008-06-10 23:53 <DIR> d--hsc--- C:\Diskeeper
2008-06-10 20:12 . 2008-06-10 20:12 <DIR> d----c--- C:\Program Files\Diskeeper Corporation
2008-06-10 20:12 . 2008-06-10 20:12 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-06-07 17:15 . 2008-06-07 17:15 <DIR> d----c--- C:\Program Files\Mypops
2008-06-04 20:24 . 2008-06-04 21:07 <DIR> d----c--- C:\InstallShield 2008 Projects
2008-06-04 11:53 . 2008-06-04 11:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-04 11:44 . 2008-06-04 11:44 <DIR> d----c--- C:\Program Files\Macrovision
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d----c--- C:\Program Files\MSDN
2008-06-03 14:37 . 2008-06-03 14:37 212 --a--c--- C:\WINDOWS\ildasmfnt.bin
2008-06-02 18:33 . 2008-06-17 19:23 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-06-02 18:33 . 2008-06-02 18:33 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-06-02 18:14 . 2008-06-02 18:15 <DIR> d----c--- C:\WINDOWS\system32\js
2008-06-02 18:14 . 2008-06-02 18:14 <DIR> d----c--- C:\WINDOWS\system32\images
2008-06-02 18:14 . 2008-06-02 18:15 <DIR> d----c--- C:\WINDOWS\system32\html
2008-06-02 18:14 . 2008-06-02 18:15 <DIR> d----c--- C:\WINDOWS\system32\css
2008-06-02 18:14 . 2008-06-02 18:14 <DIR> d----c--- C:\Program Files\Business Objects
2008-06-02 18:08 . 2008-06-02 18:11 <DIR> d----c--- C:\Program Files\Microsoft SQL Server
2008-06-02 18:07 . 2008-06-02 18:07 <DIR> d----c--- C:\Program Files\Microsoft Device Emulator
2008-06-02 18:04 . 2008-06-02 18:06 <DIR> d----c--- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-06-02 17:51 . 2008-06-02 17:51 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-06-02 17:41 . 2008-06-02 17:41 <DIR> d----c--- C:\WINDOWS\symbols
2008-06-02 17:38 . 2008-06-02 17:43 <DIR> d----c--- C:\Program Files\HTML Help Workshop
2008-06-02 17:38 . 2008-06-02 17:38 <DIR> d----c--- C:\Program Files\CE Remote Tools
2008-06-02 17:35 . 2008-06-02 17:35 <DIR> d----c--- C:\Program Files\Microsoft Web Designer Tools
2008-05-31 21:48 . 2008-05-31 21:48 <DIR> d----c--- C:\Program Files\Microsoft Visual Studio .NET
2008-05-31 21:48 . 2008-05-31 21:48 <DIR> d----c--- C:\Program Files\GNU
2008-05-20 02:08 . 2007-07-30 19:19 271,224 --a--c--- C:\WINDOWS\system32\mucltui.dll
2008-05-20 02:08 . 2007-07-30 19:19 207,736 --a--c--- C:\WINDOWS\system32\muweb.dll
2008-05-20 02:08 . 2007-07-30 19:19 30,072 --a--c--- C:\WINDOWS\system32\mucltui.dll.mui
2008-05-19 16:36 . 2008-05-19 16:39 <DIR> d----c--- C:\Program Files\Multimedia Builder498

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 07:10 --------- dc----w C:\Program Files\ICQToolbar
2008-06-15 12:56 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-06-14 01:20 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\BitTorrent
2008-06-13 16:00 --------- dc----w C:\Program Files\Norton Security Scan
2008-06-12 12:38 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\UseNeXT
2008-06-11 12:13 --------- dc----w C:\Program Files\Common Files\Adobe
2008-06-10 23:07 --------- dc----w C:\Program Files\Lavasoft
2008-06-10 23:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 15:10 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-06-04 09:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-04 09:50 --------- dc----w C:\Program Files\Common Files\Merge Modules
2008-06-04 09:50 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-06-04 09:46 --------- dc----w C:\Program Files\MSBuild
2008-06-03 14:28 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-02 16:37 24,911,696 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_06_02_14_15_42_full.dmp.zip
2008-06-02 16:14 --------- dc----w C:\Program Files\Microsoft Visual Studio 9.0
2008-06-02 16:12 --------- dc----w C:\Program Files\Microsoft.NET
2008-06-02 13:59 --------- dc----w C:\Program Files\MSECache
2008-06-01 12:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-01 08:53 --------- dc----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-06-01 08:53 --------- dc----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-20 17:54 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\IMVU
2008-05-16 09:58 12,632 -c--a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 15:05 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\Dev-Cpp
2008-05-12 10:42 --------- dc----w C:\Documents and Settings\All Users\Application Data\IM
2008-05-12 10:40 --------- dc----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-05-10 09:04 --------- dc----w C:\Program Files\Bonjour
2008-05-01 01:03 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\Sites
2008-05-01 01:03 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\SiteClasses
2008-04-29 13:29 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\Pegasys Inc
2008-04-29 09:20 15,648 -c--a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 -c--a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 -c--a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 06:05 --------- dc----w C:\Program Files\Microsoft Synchronization Services
2008-04-24 06:05 --------- dc----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-22 09:23 --------- dc----w C:\Documents and Settings\Žarko Kasum\Application Data\Nero
2008-04-22 09:20 --------- dc----w C:\Program Files\Common Files\Nero
2008-04-22 09:15 --------- dc----w C:\Program Files\Nero
2008-04-22 09:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-17 18:47 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 18:05 356,352 -c--a-w C:\WINDOWS\eSellerateEngine.dll
2008-03-31 21:25 831,488 -c--a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 -c--a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
<pre>
-c--a-w		 1,249,552 2007-12-08 18:44:58  C:\Documents and Settings\Žarko Kasum\My Documents\Filip\Programi\PowerISO\PowerISO v3.7  by FFF torrent\PowerISO v3.7 .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-06-17_ 5.34.34.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 03:20:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 17:22:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 12:59:40 61,440 -c--a-r C:\WINDOWS\Installer\{BF7D87C5-CFC3-40C5-A367-24586EEBB8CA}\helpicon.exe
+ 2008-06-17 12:59:40 32,768 -c--a-r C:\WINDOWS\Installer\{BF7D87C5-CFC3-40C5-A367-24586EEBB8CA}\maintenance_icon.exe
+ 2008-06-17 12:59:40 22,486 -c--a-r C:\WINDOWS\Installer\{BF7D87C5-CFC3-40C5-A367-24586EEBB8CA}\register_icon.exe
+ 2008-06-17 12:59:40 57,344 -c--a-r C:\WINDOWS\Installer\{BF7D87C5-CFC3-40C5-A367-24586EEBB8CA}\texticon.exe
+ 2008-06-17 04:04:56 22,486 -c--a-r C:\WINDOWS\Installer\{CEFC581D-BEAE-4F75-989E-BD931970D8AD}\register_icon.exe
+ 2008-01-25 13:40:32 85,520 -c--a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
+ 2008-01-07 15:41:34 196,368 -c--a-w C:\WINDOWS\system32\drivers\bdfsfltr.sys
- 2001-08-23 10:00:00 112,128 ----a-w C:\WINDOWS\system32\mapi32.dll
+ 2004-03-31 10:28:00 131,072 -c--a-w C:\WINDOWS\system32\mapi32.dll
+ 2002-01-05 00:48:16 974,848 -c--a-w C:\WINDOWS\system32\mfc70.dll
+ 2002-01-05 00:36:38 964,608 -c--a-w C:\WINDOWS\system32\mfc70u.dll
- 2003-03-18 21:20:00 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
+ 2003-03-18 18:20:00 1,060,864 -c--a-w C:\WINDOWS\system32\mfc71.dll
+ 2003-03-18 18:12:12 1,047,552 -c--a-w C:\WINDOWS\system32\mfc71u.dll
+ 2002-01-05 00:38:38 54,784 -c--a-w C:\WINDOWS\system32\msvci70.dll
- 2002-01-05 01:40:20 487,424 -c--a-w C:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 00:40:20 487,424 -c--a-w C:\WINDOWS\system32\msvcp70.dll
- 2003-03-18 20:14:52 499,712 ----a-w C:\WINDOWS\system32\MSVCP71.dll
+ 2003-03-18 17:14:52 499,712 -c--a-w C:\WINDOWS\system32\msvcp71.dll
- 2002-01-05 01:37:28 344,064 -c--a-w C:\WINDOWS\system32\msvcr70.dll
+ 2002-01-04 23:37:28 344,064 -c--a-w C:\WINDOWS\system32\msvcr70.dll
- 2003-02-21 04:42:22 348,160 ----a-w C:\WINDOWS\system32\MSVCR71.dll
+ 2003-02-21 01:42:22 348,160 -c--a-w C:\WINDOWS\system32\msvcr71.dll
+ 2007-11-27 14:46:24 77,824 -c--a-w C:\WINDOWS\system32\xcomm.dll
+ 2007-01-31 11:50:32 913,408 -c--a-w C:\WINDOWS\system32\xreglib.dll
+ 2008-06-17 17:23:19 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_588.dat
- 2006-12-01 20:54:32 479,232 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 19:54:32 479,232 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
- 2006-12-01 20:54:34 548,864 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 19:54:34 548,864 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2006-12-01 20:54:32 626,688 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 19:54:32 626,688 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-01 22:25:52 1,101,824 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 21:25:52 1,101,824 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
- 2006-12-01 22:25:56 1,093,120 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 21:25:56 1,093,120 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
- 2006-12-01 22:25:58 69,632 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 21:25:58 69,632 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
- 2006-12-01 22:26:00 57,856 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 21:26:00 57,856 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
- 2006-12-01 22:08:00 40,960 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 21:08:00 40,960 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
- 2006-12-01 22:08:00 45,056 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 21:08:00 45,056 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
- 2006-12-01 22:08:00 65,536 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 21:08:00 65,536 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
- 2006-12-01 22:08:00 57,344 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 21:08:00 57,344 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
- 2006-12-01 22:08:00 61,440 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 21:08:00 61,440 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
- 2006-12-01 22:08:00 61,440 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 21:08:00 61,440 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
- 2006-12-01 22:08:00 61,440 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 21:08:00 61,440 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
- 2006-12-01 22:08:00 49,152 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 21:08:00 49,152 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-01 22:08:00 49,152 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 21:08:00 49,152 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 17:28 790528]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-01-10 13:08 32768]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 02:05 200704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 20:53 2209224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Dora\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"ypops"="C:\Program Files\Mypops\ypops.exe" [ ]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-17 15:03 360448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\Zarko Kasum\Start Menu\Programs\Startup\
UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2007-12-18 12:09:43 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Dora\\iTunes.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 14:53]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"C:\Program Files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 11:31]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 09:21:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 19:39:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 19:48:28
ComboFix-quarantined-files.txt 2008-06-17 17:47:58
ComboFix2.txt 2008-06-17 03:35:16

Pre-Run: 19,015,593,984 bytes free
Post-Run: 19,051,495,424 bytes free

382 --- E O F --- 2008-02-25 22:34:53




Here is the fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23, on 2008-06-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Dora\iTunesHelper.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CF25466.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8073 bytes




Here is the mbam log:

Malwarebytes' Anti-Malware 1.17
Database version: 864

20:09:21 2008-06-17
mbam-log-6-17-2008 (20-09-21).txt

Scan type: Quick Scan
Objects scanned: 41357
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{16c65d96-ef19-4439-a6ea-f73a8bec4df0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6549e485-c533-4e58-ba92-9fbcd2f6e839} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ie.ieplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{43d65102-a7be-4c88-9737-44d2ad81394a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Here is the link to the VirusTotal result, because I couldn't copy/paste it (it says 0 of 32 results):
Virustotal result of Turkish Pay Pal Hack.exe

P.S. Can you tell me what I am actually doing?

Thank you!

#9 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:41 AM

Posted 18 June 2008 - 12:10 PM

Hello :thumbsup:

P.S. Can you tell me what I am actually doing?


- We just removed your old Symantec folders and your illegal Nod32. Your illegal PowerIso.exe is infected (C:\Documents and Settings\Žarko Kasum\My Documents\Filip\Programi\PowerISO\PowerISO v3.7 by FFF torrent\PowerISO v3.7 .EXE), so we need to remove it as well. You will need to reinstall that program if you use it.

Step #1
Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)


Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #2
Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\Žarko Kasum\My Documents\Filip\Programi\PowerISO\PowerISO v3.7 by FFF torrent

Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Reboot your computer.

Step #3
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Step #4
Please post a fresh HijackThis log back here.

#10 vrijes

vrijes
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:41 AM

Posted 18 June 2008 - 03:07 PM

Hello Baabiouz!

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03, on 18.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Dora\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8026 bytes

#11 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:41 AM

Posted 19 June 2008 - 11:28 AM

Hello

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)

Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Reboot your computer normally and post a fresh HijackThis log back here.

#12 vrijes

vrijes
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:41 AM

Posted 19 June 2008 - 01:19 PM

Hi Baabiouz!

Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)


I booted into Safe Mode and ran HijackThis, but the entry that you told me to check was nowhere to be found!

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:12, on 19.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Dora\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8024 bytes

#13 vrijes

vrijes
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:41 AM

Posted 19 June 2008 - 01:24 PM

Did you mean this entry?

O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\Žarko Kasum\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)

#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:41 AM

Posted 20 June 2008 - 01:15 AM

Yes, that's it. Please try to fix that entry :thumbsup:

Edited by Baabiouz, 20 June 2008 - 01:16 AM.

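The confusion in posts #11 to #14 comes from two HijackThis lines with different CLSIDs that point at the same missing Toolbar.dll: once the O3 toolbar line was gone, the O2 BHO line for the same file was still there. The script below is an added example written for this page, not part of the thread and not code from HijackThis or Trend Micro. It parses the O-section lines of a HijackThis-style log, groups entries by the file they load, and flags the entries a helper would look at first (missing files, and code loaded from a user profile or from outside Program Files/Windows). The embedded log excerpt is constructed to mirror the logs above, with the user name replaced by a placeholder; the location heuristics are a triage aid, not a verdict on whether an entry is malicious.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the logs posted in this thread; the user
# profile name is replaced with the placeholder USER.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Documents and Settings\USER\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Documents and Settings\USER\Desktop\gaia\Gaia Online Toolbar\Toolbar.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\USER\Start Menu\Programs\IMVU\Run IMVU.lnk
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in a loadable/launchable extension; the quote and
# newline exclusions stop the match at the end of a quoted O4 command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|lnk|ocx|sys|scr|cpl)\b', re.IGNORECASE)

PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\desktop\\", "\\temp\\")
STANDARD_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


@dataclass
class Entry:
    section: str            # HijackThis section, e.g. "O2"
    body: str               # line text after "O2 - "
    clsid: Optional[str]    # normalised to upper case, None if absent
    path: Optional[str]     # file the entry loads or launches, if any
    file_missing: bool      # HijackThis appended "(file missing)"


def parse_hjt_log(text: str) -> list[Entry]:
    """Parse the R/O section lines; header and process list lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            path=path.group(0) if path else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def group_by_path(entries: list[Entry]) -> dict[str, list[Entry]]:
    """Map each referenced file (case-insensitive) to every entry that loads it."""
    groups: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        if e.path:
            groups[e.path.lower()].append(e)
    return dict(groups)


def related_entries(entries: list[Entry], clsid: str) -> list[Entry]:
    """Every entry that loads the same file as the entry registered under clsid.

    This is the lookup that resolves posts #12-#14: the O3 toolbar CLSID and the
    O2 BHO CLSID differ, but both register the same Toolbar.dll, so fixing one
    leaves the other behind.
    """
    target = next((e for e in entries if e.clsid == clsid.upper()), None)
    if target is None or target.path is None:
        return []
    return group_by_path(entries).get(target.path.lower(), [])


def in_user_profile(path: str) -> bool:
    return any(marker in path.lower() for marker in PROFILE_MARKERS)


def unusual_location(path: str) -> bool:
    return not path.lower().startswith(STANDARD_ROOTS)


def triage(entries: list[Entry]) -> list[tuple[str, str, list[str]]]:
    """Return (section, body, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("file missing (orphaned registration)")
        if e.path and in_user_profile(e.path):
            reasons.append("loads from a user profile directory")
        elif e.path and unusual_location(e.path):
            reasons.append("loads from outside Program Files / Windows")
        if reasons:
            findings.append((e.section, e.body, reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    for section, body, reasons in triage(parsed):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
    print("\nEntries sharing a file with the Gaia O3 toolbar CLSID:")
    for e in related_entries(parsed, "{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"):
        print(f"  {e.section} {e.clsid}")
```

Run against the real logs in this thread, `related_entries` would list both the O3 line from post #11 and the O2 line the topic starter found in post #13 under the same Toolbar.dll, which is the check that would have saved the round trip. The location heuristics deliberately flag legitimate but oddly placed items (iTunesHelper.exe under C:\Dora here) so that a helper reviews them rather than trusting the path.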

#15 vrijes

vrijes
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:41 AM

Posted 20 June 2008 - 03:21 AM

I think that I solved it!

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19, on 20.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Dora\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Dora\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ypops] C:\Program Files\Mypops\ypops.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Žarko Kasum\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Photobucket Publisher - http://s244.photobucket.com/csve/ie_plugin.php
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7915 bytes
