I Know I Have Smitfraud


15 replies to this topic

#1 Barnabaskirk


Posted 16 June 2008 - 12:28 PM

Following are the notepads from DSS and HijackThis.
Deckard's System Scanner v20071014.68
Run by B-K on 2008-06-16 10:17:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
38: 2008-06-16 17:17:19 UTC - RP735 - Deckard's System Scanner Restore Point
37: 2008-06-16 01:47:42 UTC - RP734 - System Checkpoint
36: 2008-06-14 01:48:42 UTC - RP733 - System Checkpoint
35: 2008-06-13 01:17:48 UTC - RP732 - System Checkpoint
34: 2008-06-11 13:01:10 UTC - RP731 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-20 13:38:23 UTC - RP698 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as B-K.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:54 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\B-K\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\B-K.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FB6C933D-CAE5-4F52-AFC9-381F9673EA09} - C:\WINDOWS\system32\mstysgnc.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe"
O4 - HKLM\..\Run: [dvD0b] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [dv/fNb9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\mpdsregm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.cityofheroes.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113626695546
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solutio.../bridge-c24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8743 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 core - c:\windows\system32\drivers\core.sys (file missing)
S1 NPPTNT2 - c:\windows\system32\npptnt2.sys (file missing)
S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 npkcrypt - c:\program files\lineage ii\system\npkcrypt.sys (file missing)
S3 npkcusb - c:\program files\lineage ii\system\npkcusb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Diskeeper - "c:\program files\executive software\diskeeperserver\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-11 21:32:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 10:21:34 0 d-------- C:\Program Files\Trend Micro
2008-06-10 07:47:02 0 d--h----- C:\$AVG8.VAULT$
2008-06-09 21:54:58 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 21:54:58 0 d-------- C:\Documents and Settings\B-K\Application Data\AVGTOOLBAR
2008-06-09 21:54:48 0 d-------- C:\Program Files\AVG
2008-06-09 21:54:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-01 08:41:03 0 d-------- C:\Program Files\EQ2MAP Updater


-- Find3M Report ---------------------------------------------------------------

2008-06-15 15:55:07 0 d-------- C:\Program Files\City of Heroes
2008-06-15 10:37:40 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-04 16:35:33 7168 --ahs--c- C:\Program Files\Thumbs.db
2008-05-24 14:20:41 0 d-------- C:\Program Files\Sony
2008-05-24 14:09:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 16:50:59 0 d-------- C:\Program Files\iTunes
2008-04-28 16:50:47 0 d-------- C:\Program Files\iPod
2008-04-28 16:49:56 0 d-------- C:\Program Files\QuickTime
2008-04-28 16:46:31 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/09/2008 09:54 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB6C933D-CAE5-4F52-AFC9-381F9673EA09}]
C:\WINDOWS\system32\mstysgnc.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/09/2008 09:54 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/23/2005 12:19 PM]
"SoundMan"="SOUNDMAN.EXE" [08/30/2004 01:48 PM C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"NI.UWFX5"="C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe" []
"dvD0b"="C:\WINDOWS\aqrcufs.exe" []
"dv/fNb9C:\Program Files\ISTsvc\istsvc.exe"="C:\WINDOWS\aqrcufs.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 01:35 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/09/2008 09:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 10:49 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 06:06 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\aqrcufs.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1023.48 MiB / 558.52 MiB
Pagefile Memory (total/avail): 3998.07 MiB / 3583.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.88 MiB

C: is Fixed (NTFS) - 128 GiB total, 48.83 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160023A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 128 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\World of Warcraft\\WoW-1.4.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.4.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\SecondLife\\SecondLife.exe"="C:\\Program Files\\SecondLife\\SecondLife.exe:*:Enabled:Second Life"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe"="C:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe:*:Disabled:Super Bounce Out!"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\City of Heroes\\CityOfHeroes.exe"="C:\\Program Files\\City of Heroes\\CityOfHeroes.exe:*:Enabled:City of Heroes"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Documents and Settings\\B-K\\Desktop\\dss.exe"="C:\\Documents and Settings\\B-K\\Desktop\\dss.exe:*:Enabled:dss.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\B-K\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GAMER
ComSpec=C:\WINDOWS\system32\cmd.exe
DiskeeperIcon=C:\Program Files\Executive Software\DiskeeperServer\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\B-K
LOGONSERVER=\\GAMER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Executive Software\DiskeeperServer\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\B-K\LOCALS~1\Temp
TMP=C:\DOCUME~1\B-K\LOCALS~1\Temp
USERDOMAIN=GAMER
USERNAME=B-K
USERPROFILE=C:\Documents and Settings\B-K
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

B-K (admin)
B-K-2
M-P (admin)
Other
Dana (new local)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Photoshop Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Amazon MP3 Downloader 1.0.3 --> C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
City Game Tracker --> MsiExec.exe /I{CE35A157-3228-441A-A7E0-7304606BDE49}
City of Heroes (remove only) --> "C:\Program Files\City of Heroes\uninstall.exe"
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Dell AIO Printer A940 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBAUN5C.EXE -dDell AIO Printer A940
DiscWizard 2003 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}\Setup.exe"
DiskeeperServer --> MsiExec.exe /I{19FC8A4E-2916-4348-A54A-37A105FE0870}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
EQ2MAP Updater 1.0.17 --> C:\Program Files\EQ2MAP Updater\uninst.exe
EverQuest II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2ED6DAA-31AA-49E4-BFA1-AF3388D90F7D}\Setup.exe" -l0x9 -removeonly
Free Games Offer, Desktop Shortcut --> MsiExec.exe /X{31DABA20-10A1-4746-9D9F-57955B8DFF66}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
Hero Builder Setup --> MsiExec.exe /I{1CE181E0-DB37-43C8-97B1-AA50356E7ACE}
Hero Builder Setup --> MsiExec.exe /I{701F1A77-2448-4C4D-B751-F2CF823C70C0}
HeroStats --> C:\Program Files\HeroStats\Uninstall.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Map Patch --> C:\Program Files\City of Heroes\map_patch_uninstall.exe
MapPack --> C:\Program Files\InstallShield Installation Information\{55D1E12B-7812-40E5-A3D8-B7B8572A4501}\setup.exe -runfromtemp -l0x0009
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft PowerPoint Viewer 97 --> C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mids' Hero Designer --> MsiExec.exe /I{86968042-3BE1-4CA2-8D56-599F686AF6A8}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PhotoFiltre --> "C:\Program Files\PhotoFiltre\Uninst.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
USB MassStorage CardReader --> C:\Program Files\Kodak\040a_5005\Remove.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VidiotMaps Map Overlay --> C:\Program Files\InstallShield Installation Information\{8C4BD0CB-B8A5-44C0-94E7-89395C047CE6}\setup.exe -runfromtemp -l0x0009
VidiotMaps Map Overlay --> C:\Program Files\InstallShield Installation Information\{A9450CCE-C039-4C57-B877-6BDDEBEEF017}\setup.exe -runfromtemp -l0x0009
VuePrint --> c:\windows\vuepro32.exe /Remove
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI~2.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type4603 / Error
Event Submitted/Written: 06/16/2008 10:22:18 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type4602 / Error
Event Submitted/Written: 06/16/2008 10:22:18 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type4601 / Error
Event Submitted/Written: 06/16/2008 10:22:18 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type4557 / Error
Event Submitted/Written: 06/11/2008 06:00:36 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module unknown, version 0.0.0.0, fault address 0x049e64b1.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type4554 / Error
Event Submitted/Written: 06/10/2008 05:54:06 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application avgui.exe, version 8.0.0.100, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6356 / Error
Event Submitted/Written: 06/16/2008 09:41:01 AM / 06/16/2008 09:41:31 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type6353 / Error
Event Submitted/Written: 06/16/2008 09:41:31 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
NPPTNT2

Event Record #/Type6344 / Error
Event Submitted/Written: 06/15/2008 08:31:58 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type6343 / Error
Event Submitted/Written: 06/15/2008 06:52:45 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type6342 / Error
Event Submitted/Written: 06/15/2008 06:42:44 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type



-- End of Deckard's System Scanner: finished at 2008-06-16 10:22:46 ------------


127.0.0.1 www.032439.com
127.0.0.1 032439.com

7899 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-16 10:22:46 ------------

Please Help! :thumbsup:


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 16 June 2008 - 04:08 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Barnabaskirk

Barnabaskirk
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:09 PM

Posted 19 June 2008 - 12:13 AM

Thanks so much. Here are the logs...

ComboFix 08-06-16.5 - B-K 2008-06-18 22:01:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1472 [GMT -7:00]
Running from: C:\Documents and Settings\B-K\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\B-K\Start Menu\Programs\Startup\ta_start.lnk
C:\temp\tn3
C:\WINDOWS\system32\bdgpdahp.ini
C:\WINDOWS\system32\gddvoefb.ini
C:\WINDOWS\system32\gddvoefb.ini2
C:\WINDOWS\system32\gddvoefb.tmp
C:\WINDOWS\system32\gfkitfts.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mejatcgx.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\okpbpobg.ini
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\rgiuofsr.ini
C:\WINDOWS\system32\tpcyuuhd.ini
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\yhsyrhbf.ini
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2008-06-17 14:03 . 2008-06-17 14:03 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-17 14:03 . 2008-06-17 14:05 <DIR> d-------- C:\WINDOWS\NV32883292.TMP
2008-06-17 11:08 . 2008-06-17 20:02 <DIR> d-------- C:\WINDOWS\system32\Color
2008-06-17 11:08 . 2008-06-17 11:14 <DIR> d-------- C:\Program Files\E-Color
2008-06-17 11:08 . 2001-05-07 16:43 61,440 --a------ C:\WINDOWS\system32\3Deep.dll
2008-06-17 11:06 . 2008-06-17 11:06 <DIR> d-------- C:\Program Files\MSI
2008-06-17 11:01 . 2008-06-17 11:04 <DIR> d-------- C:\WINDOWS\NV36283896.TMP
2008-06-17 11:01 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-17 11:00 . 2008-06-17 11:00 <DIR> d-------- C:\NVIDIA
2008-06-17 10:23 . 2008-06-17 10:23 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-06-17 10:19 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-06-17 10:18 . 2007-09-26 01:07 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-06-17 10:18 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-06-17 10:18 . 2007-10-12 01:14 194,048 --a------ C:\WINDOWS\system32\fdco1.dll
2008-06-17 10:18 . 2007-10-12 01:15 54,144 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-06-17 10:18 . 2007-09-26 01:05 5,847 -ra------ C:\WINDOWS\system32\nvnrm.nvu
2008-06-17 10:18 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-06-17 10:17 . 2007-10-12 01:15 942,080 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-06-17 10:17 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-17 10:17 . 2007-09-28 11:32 356,352 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-06-17 10:17 . 2007-09-26 01:07 37,376 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-06-17 10:17 . 2007-10-12 01:15 22,016 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-06-17 10:17 . 2006-10-18 19:36 1,864 -ra------ C:\WINDOWS\system32\nvsmb.nvu
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-06-16 10:21 . 2008-06-16 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 10:16 . 2008-06-16 10:16 <DIR> d-------- C:\Deckard
2008-06-10 07:47 . 2008-06-13 23:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 21:55 . 2008-06-09 21:55 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 21:55 . 2008-06-09 21:55 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 21:55 . 2008-06-09 21:55 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-09 21:54 . 2008-06-18 19:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Program Files\AVG
2008-06-09 21:54 . 2008-06-09 21:57 <DIR> d-------- C:\Documents and Settings\B-K\Application Data\AVGTOOLBAR
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-01 08:41 . 2008-06-15 10:38 <DIR> d-------- C:\Program Files\EQ2MAP Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 04:11 --------- d-----w C:\Program Files\Lavasoft
2008-06-19 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 02:10 --------- d-----w C:\Program Files\City of Heroes
2008-06-17 17:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 17:08 7,168 -csha-w C:\Program Files\Thumbs.db
2008-06-15 17:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-10 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 23:32 --------- d-----w C:\Documents and Settings\B-K-2\Application Data\ATI
2008-05-24 21:20 --------- d-----w C:\Program Files\Sony
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 05:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-28 23:50 --------- d-----w C:\Program Files\iTunes
2008-04-28 23:50 --------- d-----w C:\Program Files\iPod
2008-04-28 23:49 --------- d-----w C:\Program Files\QuickTime
2008-04-28 23:46 --------- d-----w C:\Program Files\Apple Software Update
2006-04-22 03:31 10,865 ----a-w C:\Documents and Settings\B-K\ChatMessageRegExs.dat
2005-04-16 09:12 4,827,008 -c--a-w C:\Program Files\Firefox Setup 1.0.3.exe
2004-09-08 21:12 18,147 -c--a-w C:\Program Files\README.TXT
2004-09-02 03:11 2,196 -c--a-w C:\Program Files\Setup.ini
2004-09-02 03:07 863,483 -c--a-w C:\Program Files\DATA1.CAB
2004-09-02 03:07 512 -c--a-w C:\Program Files\DATA2.CAB
2004-09-02 03:07 422 -c--a-w C:\Program Files\LAYOUT.BIN
2004-09-02 03:07 29,654 -c--a-w C:\Program Files\DATA1.HDR
2004-09-02 03:07 172,077 -c--a-w C:\Program Files\SETUP.INX
2004-09-02 03:04 139,264 -c--a-w C:\Program Files\ALCRMV.EXE
2004-09-02 02:58 208,896 -c--a-w C:\Program Files\ALCUPD.EXE
2004-03-11 20:27 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
2003-11-21 23:57 126,976 -c--a-w C:\Program Files\ALCRMV9X.EXE
2003-11-21 22:48 110,592 -c--a-w C:\Program Files\ALCCHKID.EXE
2003-11-04 19:55 31,388 -c--a-w C:\Program Files\ALCXDEV.EXE
2003-08-08 22:41 40,448 -c--a-w C:\Program Files\GETDXVER.EXE
2002-12-03 20:33 538 -c--a-w C:\Program Files\SETUP.ISS
2002-09-05 00:39 1,078 -c--a-w C:\Program Files\SOUNDMAN.ICO
2001-12-03 08:27 23,552 -c--a-w C:\Program Files\SetCDfmt.exe
2001-09-05 11:24 344,923 -c--a-w C:\Program Files\IKERNEL.EX_
2000-01-10 21:52 139,264 -c--a-w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB6C933D-CAE5-4F52-AFC9-381F9673EA09}]
C:\WINDOWS\system32\mstysgnc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 18:06 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 12:19 180269]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NI.UWFX5"="C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe" [ ]
"dvD0b"="C:\WINDOWS\aqrcufs.exe" [ ]
"dv/fNb9C:\Program Files\ISTsvc\istsvc.exe"="C:\WINDOWS\aqrcufs.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 21:54 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
E-Color.lnk - C:\Program Files\E-Color\Common\IconMgr.exe [2008-06-17 11:08:05 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\aqrcufs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\City of Heroes\\CityOfHeroes.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Documents and Settings\\B-K\\Desktop\\dss.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 21:55]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 21:54]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 21:54]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 21:55]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 00:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 04:32:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 22:05:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\4b94f354-2295-47b0-b6a7-7bfbf3525424.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"dv/fNb9C:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\WINDOWS\\aqrcufs.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-18 22:08:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 05:08:37

Pre-Run: 51,494,879,232 bytes free
Post-Run: 51,739,250,688 bytes free

207 --- E O F --- 2008-06-11 13:03:20



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:52 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FB6C933D-CAE5-4F52-AFC9-381F9673EA09} - C:\WINDOWS\system32\mstysgnc.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe"
O4 - HKLM\..\Run: [dvD0b] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [dv/fNb9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.cityofheroes.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113626695546
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solutio.../bridge-c24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8518 bytes

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 19 June 2008 - 04:40 PM

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 Barnabaskirk

Barnabaskirk
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:09 PM

Posted 19 June 2008 - 06:49 PM

Here you go. Hope this is right.


ComboFix 08-06-16.5 - B-K 2008-06-19 16:43:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1640 [GMT -7:00]
Running from: C:\Documents and Settings\B-K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\B-K\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2008-06-17 14:03 . 2008-06-17 14:03 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-17 14:03 . 2008-06-17 14:05 <DIR> d-------- C:\WINDOWS\NV32883292.TMP
2008-06-17 11:08 . 2008-06-17 20:02 <DIR> d-------- C:\WINDOWS\system32\Color
2008-06-17 11:08 . 2008-06-17 11:14 <DIR> d-------- C:\Program Files\E-Color
2008-06-17 11:08 . 2001-05-07 16:43 61,440 --a------ C:\WINDOWS\system32\3Deep.dll
2008-06-17 11:06 . 2008-06-17 11:06 <DIR> d-------- C:\Program Files\MSI
2008-06-17 11:01 . 2008-06-17 11:04 <DIR> d-------- C:\WINDOWS\NV36283896.TMP
2008-06-17 11:01 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-17 11:00 . 2008-06-17 11:00 <DIR> d-------- C:\NVIDIA
2008-06-17 10:23 . 2008-06-17 10:23 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-06-17 10:19 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-06-17 10:18 . 2007-09-26 01:07 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-06-17 10:18 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-06-17 10:18 . 2007-10-12 01:14 194,048 --a------ C:\WINDOWS\system32\fdco1.dll
2008-06-17 10:18 . 2007-10-12 01:15 54,144 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-06-17 10:18 . 2007-09-26 01:05 5,847 -ra------ C:\WINDOWS\system32\nvnrm.nvu
2008-06-17 10:18 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-06-17 10:17 . 2007-10-12 01:15 942,080 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-06-17 10:17 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-17 10:17 . 2007-09-28 11:32 356,352 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-06-17 10:17 . 2007-09-26 01:07 37,376 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-06-17 10:17 . 2007-10-12 01:15 22,016 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-06-17 10:17 . 2006-10-18 19:36 1,864 -ra------ C:\WINDOWS\system32\nvsmb.nvu
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-06-16 10:21 . 2008-06-16 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 10:16 . 2008-06-16 10:16 <DIR> d-------- C:\Deckard
2008-06-10 07:47 . 2008-06-13 23:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 21:55 . 2008-06-09 21:55 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 21:55 . 2008-06-09 21:55 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 21:55 . 2008-06-09 21:55 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-09 21:54 . 2008-06-19 16:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Program Files\AVG
2008-06-09 21:54 . 2008-06-09 21:57 <DIR> d-------- C:\Documents and Settings\B-K\Application Data\AVGTOOLBAR
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-01 08:41 . 2008-06-15 10:38 <DIR> d-------- C:\Program Files\EQ2MAP Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 04:11 --------- d-----w C:\Program Files\Lavasoft
2008-06-19 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 02:10 --------- d-----w C:\Program Files\City of Heroes
2008-06-17 17:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 17:08 7,168 -csha-w C:\Program Files\Thumbs.db
2008-06-15 17:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-10 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 23:32 --------- d-----w C:\Documents and Settings\B-K-2\Application Data\ATI
2008-05-24 21:20 --------- d-----w C:\Program Files\Sony
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-28 23:50 --------- d-----w C:\Program Files\iTunes
2008-04-28 23:50 --------- d-----w C:\Program Files\iPod
2008-04-28 23:49 --------- d-----w C:\Program Files\QuickTime
2008-04-28 23:46 --------- d-----w C:\Program Files\Apple Software Update
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-04-22 03:31 10,865 ----a-w C:\Documents and Settings\B-K\ChatMessageRegExs.dat
2005-04-16 09:12 4,827,008 -c--a-w C:\Program Files\Firefox Setup 1.0.3.exe
2004-09-08 21:12 18,147 -c--a-w C:\Program Files\README.TXT
2004-09-02 03:11 2,196 -c--a-w C:\Program Files\Setup.ini
2004-09-02 03:07 863,483 -c--a-w C:\Program Files\DATA1.CAB
2004-09-02 03:07 512 -c--a-w C:\Program Files\DATA2.CAB
2004-09-02 03:07 422 -c--a-w C:\Program Files\LAYOUT.BIN
2004-09-02 03:07 29,654 -c--a-w C:\Program Files\DATA1.HDR
2004-09-02 03:07 172,077 -c--a-w C:\Program Files\SETUP.INX
2004-09-02 03:04 139,264 -c--a-w C:\Program Files\ALCRMV.EXE
2004-09-02 02:58 208,896 -c--a-w C:\Program Files\ALCUPD.EXE
2004-03-11 20:27 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
2003-11-21 23:57 126,976 -c--a-w C:\Program Files\ALCRMV9X.EXE
2003-11-21 22:48 110,592 -c--a-w C:\Program Files\ALCCHKID.EXE
2003-11-04 19:55 31,388 -c--a-w C:\Program Files\ALCXDEV.EXE
2003-08-08 22:41 40,448 -c--a-w C:\Program Files\GETDXVER.EXE
2002-12-03 20:33 538 -c--a-w C:\Program Files\SETUP.ISS
2002-09-05 00:39 1,078 -c--a-w C:\Program Files\SOUNDMAN.ICO
2001-12-03 08:27 23,552 -c--a-w C:\Program Files\SetCDfmt.exe
2001-09-05 11:24 344,923 -c--a-w C:\Program Files\IKERNEL.EX_
2000-01-10 21:52 139,264 -c--a-w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_22.08.29.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 05:05:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 12:39:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB6C933D-CAE5-4F52-AFC9-381F9673EA09}]
C:\WINDOWS\system32\mstysgnc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 18:06 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 12:19 180269]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NI.UWFX5"="C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe" [ ]
"dvD0b"="C:\WINDOWS\aqrcufs.exe" [ ]
"dv/fNb9C:\Program Files\ISTsvc\istsvc.exe"="C:\WINDOWS\aqrcufs.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 21:54 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\aqrcufs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\City of Heroes\\CityOfHeroes.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Documents and Settings\\B-K\\Desktop\\dss.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 21:55]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 21:54]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 21:54]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 21:55]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 00:21]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 04:32:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 16:44:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"dv/fNb9C:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\WINDOWS\\aqrcufs.exe"
.
Completion time: 2008-06-19 16:45:26
ComboFix-quarantined-files.txt 2008-06-19 23:45:10
ComboFix2.txt 2008-06-19 05:08:40

Pre-Run: 51,756,359,680 bytes free
Post-Run: 51,724,165,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

184 --- E O F --- 2008-06-11 13:03:20


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:23 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FB6C933D-CAE5-4F52-AFC9-381F9673EA09} - C:\WINDOWS\system32\mstysgnc.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe"
O4 - HKLM\..\Run: [dvD0b] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [dv/fNb9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.cityofheroes.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113626695546
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solutio.../bridge-c24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8382 bytes

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 20 June 2008 - 02:46 PM

Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {FB6C933D-CAE5-4F52-AFC9-381F9673EA09} - C:\WINDOWS\system32\mstysgnc.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe"
O4 - HKLM\..\Run: [dvD0b] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [dv/fNb9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aqrcufs.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solutio.../bridge-c24.cab


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Find and delete the following file and folder (if present):

C:\WINDOWS\aqrcufs.exe
C:\Program Files\ISTsvc

Reboot into Normal Mode again.

Then please scan once more with HijackThis and Combofix, posting the logs in your reply.
Thanks,
Charles

Edited by rookie147, 20 June 2008 - 02:47 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.

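The entries Charles picked out above share a few recognisable tells: BHOs and toolbars whose file is gone, autoruns launched from the Temporary Internet Files cache or from a loose executable in the Windows root, a Run value whose name has a path pasted into it, and context-menu and ActiveX (DPF) entries pulled from adware domains. As an added example that is not code from this thread or from Trend Micro, the Python script below applies those tells to HijackThis lines so a reader can see why each entry was selected. The sample log lines and the adware host list are constructed from the entries quoted in this thread, and the heuristics are my own assumptions, not HijackThis's logic; a hit means "look closer", not "malicious".

```python
import re

# Constructed sample modelled on the HijackThis lines quoted in this thread
# (not the poster's full log): a mix of legitimate and suspect entries.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {FB6C933D-CAE5-4F52-AFC9-381F9673EA09} - C:\WINDOWS\system32\mstysgnc.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\B-K\Local Settings\Temporary Internet Files\Content.IE5\0FPJYUZT\WinFixer2005ScannerInstall[1].exe"
O4 - HKLM\..\Run: [dvD0b] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [dv/fNb9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aqrcufs.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solutio.../bridge-c24.cab
"""

# Hosts seen serving adware in this thread (constructed list; a real one is far longer).
ADWARE_HOSTS = ("mywebsearch.com", "zangocash.com")
# Folders a legitimate autorun has no business launching from (assumption).
TEMP_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\temp\\")

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>.*?)\] (?P<target>.*)$")
WINROOT_EXE_RE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe"?(\s.*)?$')
O16_NAMED_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \(")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


def _host_is_adware(line):
    """True when the first URL on the line points at a listed adware domain or a subdomain of one."""
    m = URL_HOST_RE.search(line)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == h or host.endswith("." + h) for h in ADWARE_HOSTS)


def triage_line(line):
    """Return the reasons this HijackThis line deserves a second look (empty list = nothing noticed)."""
    reasons = []
    lower = line.lower()
    kind = line.split(" - ", 1)[0].strip()  # 'O2', 'O4', ...

    # O2/O3 (BHOs, toolbars): a registered component with no file behind it is dead
    # weight left by a removed or failed install; HijackThis can fix it safely.
    if "(no file)" in lower or "(file missing)" in lower:
        reasons.append("orphaned entry: registered component has no file on disk")

    if kind == "O4":
        m = O4_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            if any(marker in target.lower() for marker in TEMP_MARKERS):
                reasons.append("autorun launches from a temporary/cache folder")
            if WINROOT_EXE_RE.match(target.lower()):
                reasons.append("autorun target is a loose .exe in the Windows root (check against a known-good list)")
            if ":\\" in name:
                reasons.append("value name contains a path fragment (junk or corrupted entry)")

    if kind == "O8" and _host_is_adware(line):
        reasons.append("context menu item points at a known adware host")

    if kind == "O16":
        if not O16_NAMED_RE.match(line):
            reasons.append("ActiveX download (DPF) with no descriptive name")
        if _host_is_adware(line):
            reasons.append("ActiveX download from a known adware host")
    return reasons


def suspicious_entries(log_text):
    """Scan a whole log; return [(line, reasons)] for every line that triggered a heuristic."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("O"):
            continue
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in suspicious_entries(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the constructed sample it flags exactly the eight lines a helper would tick and leaves the Adobe, AVG and Windows Genuine Advantage entries alone. The Windows-root check is the noisiest of the heuristics, which is why its message asks for a comparison against a known-good list rather than treating a hit as proof.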

#7 Barnabaskirk

Barnabaskirk
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:09 PM

Posted 20 June 2008 - 07:09 PM

OK... Not sure what is happening now. Before I could do anything above:

I had logged in, then the computer turned off abruptly. And when I rebooted it said to insert a boot disk and hit a key, or reboot. I rebooted; now it just shuts down while Windows is starting up.

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 21 June 2008 - 12:09 PM

Can you log on in Safe Mode?

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 Barnabaskirk

Barnabaskirk
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:09 PM

Posted 01 July 2008 - 09:21 PM

Finally got the comp back; it had overheating issues.

Don't know if this is important, but after running ComboFix I got an error message stating "Cannot export C:\Qoobox\Quarintine\registery_backups\MSConfigStartups..." and then gobbledygook...

ComboFix 08-06-30.2 - B-K 2008-07-01 19:11:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2608 [GMT -7:00]
Running from: C:\Documents and Settings\B-K\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 18:52 . 2008-07-01 18:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-30 14:12 . 2008-06-30 14:12 <DIR> d-------- C:\Documents and Settings\B-K-2\Application Data\AVGTOOLBAR
2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2008-06-17 14:03 . 2008-06-17 14:03 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-17 14:03 . 2008-06-17 14:05 <DIR> d-------- C:\WINDOWS\NV32883292.TMP
2008-06-17 11:08 . 2008-06-17 20:02 <DIR> d-------- C:\WINDOWS\system32\Color
2008-06-17 11:08 . 2008-06-17 11:14 <DIR> d-------- C:\Program Files\E-Color
2008-06-17 11:08 . 2001-05-07 16:43 61,440 --a------ C:\WINDOWS\system32\3Deep.dll
2008-06-17 11:06 . 2008-06-17 11:06 <DIR> d-------- C:\Program Files\MSI
2008-06-17 11:01 . 2008-06-17 11:04 <DIR> d-------- C:\WINDOWS\NV36283896.TMP
2008-06-17 11:01 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-17 11:00 . 2008-06-17 11:00 <DIR> d-------- C:\NVIDIA
2008-06-17 10:23 . 2008-06-17 10:23 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-06-17 10:19 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-06-17 10:18 . 2007-09-26 01:07 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-06-17 10:18 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-06-17 10:18 . 2007-10-12 01:14 194,048 --a------ C:\WINDOWS\system32\fdco1.dll
2008-06-17 10:18 . 2007-10-12 01:15 54,144 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-06-17 10:18 . 2007-09-26 01:05 5,847 -ra------ C:\WINDOWS\system32\nvnrm.nvu
2008-06-17 10:18 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-06-17 10:17 . 2007-10-12 01:15 942,080 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-06-17 10:17 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-17 10:17 . 2007-09-28 11:32 356,352 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-06-17 10:17 . 2007-09-26 01:07 37,376 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-06-17 10:17 . 2007-10-12 01:15 22,016 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-06-17 10:17 . 2006-10-18 19:36 1,864 -ra------ C:\WINDOWS\system32\nvsmb.nvu
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-06-16 10:21 . 2008-06-16 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 10:16 . 2008-06-16 10:16 <DIR> d-------- C:\Deckard
2008-06-10 07:47 . 2008-06-13 23:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 21:55 . 2008-06-09 21:55 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 21:55 . 2008-06-09 21:55 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 21:55 . 2008-06-09 21:55 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-09 21:54 . 2008-07-01 17:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Program Files\AVG
2008-06-09 21:54 . 2008-06-09 21:57 <DIR> d-------- C:\Documents and Settings\B-K\Application Data\AVGTOOLBAR
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 01:18 --------- d-----w C:\Program Files\City of Heroes
2008-06-19 04:11 --------- d-----w C:\Program Files\Lavasoft
2008-06-19 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 17:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 17:08 7,168 -csha-w C:\Program Files\Thumbs.db
2008-06-15 17:38 --------- d-----w C:\Program Files\EQ2MAP Updater
2008-06-15 17:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 23:32 --------- d-----w C:\Documents and Settings\B-K-2\Application Data\ATI
2008-05-24 21:20 --------- d-----w C:\Program Files\Sony
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2006-04-22 03:31 10,865 ----a-w C:\Documents and Settings\B-K\ChatMessageRegExs.dat
2005-04-16 09:12 4,827,008 -c--a-w C:\Program Files\Firefox Setup 1.0.3.exe
2004-09-08 21:12 18,147 -c--a-w C:\Program Files\README.TXT
2004-09-02 03:11 2,196 -c--a-w C:\Program Files\Setup.ini
2004-09-02 03:07 863,483 -c--a-w C:\Program Files\DATA1.CAB
2004-09-02 03:07 512 -c--a-w C:\Program Files\DATA2.CAB
2004-09-02 03:07 422 -c--a-w C:\Program Files\LAYOUT.BIN
2004-09-02 03:07 29,654 -c--a-w C:\Program Files\DATA1.HDR
2004-09-02 03:07 172,077 -c--a-w C:\Program Files\SETUP.INX
2004-09-02 03:04 139,264 -c--a-w C:\Program Files\ALCRMV.EXE
2004-09-02 02:58 208,896 -c--a-w C:\Program Files\ALCUPD.EXE
2004-03-11 20:27 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
2003-11-21 23:57 126,976 -c--a-w C:\Program Files\ALCRMV9X.EXE
2003-11-21 22:48 110,592 -c--a-w C:\Program Files\ALCCHKID.EXE
2003-11-04 19:55 31,388 -c--a-w C:\Program Files\ALCXDEV.EXE
2003-08-08 22:41 40,448 -c--a-w C:\Program Files\GETDXVER.EXE
2002-12-03 20:33 538 -c--a-w C:\Program Files\SETUP.ISS
2002-09-05 00:39 1,078 -c--a-w C:\Program Files\SOUNDMAN.ICO
2001-12-03 08:27 23,552 -c--a-w C:\Program Files\SetCDfmt.exe
2001-09-05 11:24 344,923 -c--a-w C:\Program Files\IKERNEL.EX_
2000-01-10 21:52 139,264 -c--a-w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_22.08.29.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 05:05:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 02:04:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-04-14 11:01:02 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
+ 2008-06-13 13:10:50 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 18:06 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 12:19 180269]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 21:54 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\City of Heroes\\CityOfHeroes.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Documents and Settings\\B-K\\Desktop\\dss.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 21:55]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 21:54]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 21:54]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 21:55]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 00:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 04:32:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
MSConfigStartUp-istsvc - C:\WINDOWS\aqrcufs.exe
MSConfigStartUp-= - (no file)
MSConfigStartUp-fNb9C: - (no file)
MSConfigStartUp-Program Files - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 19:12:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-01 19:14:27
ComboFix-quarantined-files.txt 2008-07-02 02:14:25
ComboFix2.txt 2008-06-19 23:45:27
ComboFix3.txt 2008-06-19 05:08:40

Pre-Run: 51,589,992,448 bytes free
Post-Run: 51,576,909,824 bytes free

ComboFix 08-06-30.2 - B-K 2008-07-01 19:11:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2608 [GMT -7:00]
Running from: C:\Documents and Settings\B-K\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 18:52 . 2008-07-01 18:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-30 14:12 . 2008-06-30 14:12 <DIR> d-------- C:\Documents and Settings\B-K-2\Application Data\AVGTOOLBAR
2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2008-06-18 21:12 . 2004-08-04 00:56 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2008-06-17 14:03 . 2008-06-17 14:03 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-17 14:03 . 2008-06-17 14:05 <DIR> d-------- C:\WINDOWS\NV32883292.TMP
2008-06-17 11:08 . 2008-06-17 20:02 <DIR> d-------- C:\WINDOWS\system32\Color
2008-06-17 11:08 . 2008-06-17 11:14 <DIR> d-------- C:\Program Files\E-Color
2008-06-17 11:08 . 2001-05-07 16:43 61,440 --a------ C:\WINDOWS\system32\3Deep.dll
2008-06-17 11:06 . 2008-06-17 11:06 <DIR> d-------- C:\Program Files\MSI
2008-06-17 11:01 . 2008-06-17 11:04 <DIR> d-------- C:\WINDOWS\NV36283896.TMP
2008-06-17 11:01 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-17 11:00 . 2008-06-17 11:00 <DIR> d-------- C:\NVIDIA
2008-06-17 10:23 . 2008-06-17 10:23 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-06-17 10:19 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-06-17 10:19 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-06-17 10:18 . 2007-09-26 01:07 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-06-17 10:18 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-06-17 10:18 . 2007-10-12 01:14 194,048 --a------ C:\WINDOWS\system32\fdco1.dll
2008-06-17 10:18 . 2007-10-12 01:15 54,144 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-06-17 10:18 . 2007-09-26 01:05 5,847 -ra------ C:\WINDOWS\system32\nvnrm.nvu
2008-06-17 10:18 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-06-17 10:17 . 2007-10-12 01:15 942,080 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-06-17 10:17 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-17 10:17 . 2007-09-28 11:32 356,352 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-06-17 10:17 . 2007-09-26 01:07 37,376 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-06-17 10:17 . 2007-10-12 01:15 22,016 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-06-17 10:17 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-06-17 10:17 . 2006-10-18 19:36 1,864 -ra------ C:\WINDOWS\system32\nvsmb.nvu
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-06-17 10:01 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-06-16 10:21 . 2008-06-16 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 10:16 . 2008-06-16 10:16 <DIR> d-------- C:\Deckard
2008-06-10 07:47 . 2008-06-13 23:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 21:55 . 2008-06-09 21:55 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 21:55 . 2008-06-09 21:55 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 21:55 . 2008-06-09 21:55 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-09 21:54 . 2008-07-01 17:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Program Files\AVG
2008-06-09 21:54 . 2008-06-09 21:57 <DIR> d-------- C:\Documents and Settings\B-K\Application Data\AVGTOOLBAR
2008-06-09 21:54 . 2008-06-09 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 01:18 --------- d-----w C:\Program Files\City of Heroes
2008-06-19 04:11 --------- d-----w C:\Program Files\Lavasoft
2008-06-19 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 17:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 17:08 7,168 -csha-w C:\Program Files\Thumbs.db
2008-06-15 17:38 --------- d-----w C:\Program Files\EQ2MAP Updater
2008-06-15 17:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 23:32 --------- d-----w C:\Documents and Settings\B-K-2\Application Data\ATI
2008-05-24 21:20 --------- d-----w C:\Program Files\Sony
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2006-04-22 03:31 10,865 ----a-w C:\Documents and Settings\B-K\ChatMessageRegExs.dat
2005-04-16 09:12 4,827,008 -c--a-w C:\Program Files\Firefox Setup 1.0.3.exe
2004-09-08 21:12 18,147 -c--a-w C:\Program Files\README.TXT
2004-09-02 03:11 2,196 -c--a-w C:\Program Files\Setup.ini
2004-09-02 03:07 863,483 -c--a-w C:\Program Files\DATA1.CAB
2004-09-02 03:07 512 -c--a-w C:\Program Files\DATA2.CAB
2004-09-02 03:07 422 -c--a-w C:\Program Files\LAYOUT.BIN
2004-09-02 03:07 29,654 -c--a-w C:\Program Files\DATA1.HDR
2004-09-02 03:07 172,077 -c--a-w C:\Program Files\SETUP.INX
2004-09-02 03:04 139,264 -c--a-w C:\Program Files\ALCRMV.EXE
2004-09-02 02:58 208,896 -c--a-w C:\Program Files\ALCUPD.EXE
2004-03-11 20:27 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
2003-11-21 23:57 126,976 -c--a-w C:\Program Files\ALCRMV9X.EXE
2003-11-21 22:48 110,592 -c--a-w C:\Program Files\ALCCHKID.EXE
2003-11-04 19:55 31,388 -c--a-w C:\Program Files\ALCXDEV.EXE
2003-08-08 22:41 40,448 -c--a-w C:\Program Files\GETDXVER.EXE
2002-12-03 20:33 538 -c--a-w C:\Program Files\SETUP.ISS
2002-09-05 00:39 1,078 -c--a-w C:\Program Files\SOUNDMAN.ICO
2001-12-03 08:27 23,552 -c--a-w C:\Program Files\SetCDfmt.exe
2001-09-05 11:24 344,923 -c--a-w C:\Program Files\IKERNEL.EX_
2000-01-10 21:52 139,264 -c--a-w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_22.08.29.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 05:05:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 02:04:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-04-14 11:01:02 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
+ 2008-06-13 13:10:50 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 18:06 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 12:19 180269]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 21:54 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dv/fNb9C:\Program Files\ISTsvc]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\City of Heroes\\CityOfHeroes.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Documents and Settings\\B-K\\Desktop\\dss.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 21:55]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 21:54]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 21:54]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 21:55]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 00:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 04:32:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
MSConfigStartUp-istsvc - C:\WINDOWS\aqrcufs.exe
MSConfigStartUp-= - (no file)
MSConfigStartUp-fNb9C: - (no file)
MSConfigStartUp-Program Files - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 19:12:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-01 19:14:27
ComboFix-quarantined-files.txt 2008-07-02 02:14:25
ComboFix2.txt 2008-06-19 23:45:27
ComboFix3.txt 2008-06-19 05:08:40

Pre-Run: 51,589,992,448 bytes free
Post-Run: 51,576,909,824 bytes free

175 --- E O F --- 2008-06-20 05:11:35

#10 rookie147 (Members, 5,321 posts)

Posted 02 July 2008 - 04:23 PM

Can I have an HJT log please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 Barnabaskirk (Topic Starter, Members, 13 posts)

Posted 02 July 2008 - 09:12 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:31 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.cityofheroes.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113626695546
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7800 bytes
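
The HijackThis log above is read by eye in this thread. The Python below is an added example (not part of the original post and not Trend Micro's code) that parses the same log format into entries and applies three mechanical checks a reviewer otherwise does in their head: entries whose target file is gone ("(no file)"), Run-key values that name a bare file rather than a full path (SOUNDMAN.EXE, which the ComboFix loading-points section above resolved to C:\WINDOWS\SOUNDMAN.EXE), and Run-key executables absent from the "Running processes" list. The embedded sample is an excerpt of the log posted above; the check labels ("dangling", "bare-name" and so on) are names chosen for this example, not HijackThis terminology.

```python
"""Parse a HijackThis 2.0.2 log and apply a few mechanical triage checks.
Added example (not Trend Micro's code); the sample is an excerpt of the log posted above
and the check labels ("dangling", "bare-name", ...) were chosen for this example."""
import re

HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: http://www.cityofheroes.com
O20 - AppInit_DLLs: avgrsstx.dll

--
End of file - 7800 bytes
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|,|$)", re.I)  # first image-like token
ABS_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Split a log into (running processes, [{"section", "body"}, ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return processes, entries


def image_of(cmd):
    """Best-effort image path from a Run-key command (the DLL for rundll32 launches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        return cmd[1:cmd.index('"', 1)]
    head = cmd.split(None, 1)
    if len(head) == 2 and head[0].lower() in ("rundll32.exe", "rundll32"):
        cmd = head[1].strip()                    # rundll32 <dll>,<entry>: the DLL is the artefact
    m = EXT_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Return (section, check, detail) triples for entries that deserve a second look."""
    processes, entries = parse_hjt(text)
    running = {p.lower() for p in processes}     # HJT prints both lists in the same 8.3/long form
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if body.endswith("(no file)"):
            # The registry still references a file that is gone: inert, but leftover.
            findings.append((sec, "dangling", body))
            continue
        if sec == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue                         # e.g. "Global Startup:" shortcut entries
            img = image_of(m.group("cmd"))
            if not ABS_RE.match(img):
                # Bare name: located by a path search at logon rather than a fixed
                # location, so a same-named file found earlier on that search would run.
                findings.append((sec, "bare-name", f"{m.group('name')} -> {img}"))
            elif img.lower().endswith(".exe") and img.lower() not in running:
                findings.append((sec, "autostart-not-in-process-list", img))
        elif sec == "O15":
            findings.append((sec, "trusted-zone", body))   # site exempt from Internet-zone limits
        elif sec == "O20":
            findings.append((sec, "appinit-dll", body))    # loaded into every process using user32
    return findings


if __name__ == "__main__":
    for sec, check, detail in triage(HJT_LOG):
        print(f"{sec:<5}{check:<32}{detail}")
```

Run over the excerpt, the script flags the dead Yahoo! Toolbar URLSearchHook, the bare SOUNDMAN.EXE value, the QTTask.exe autostart that is not in the process list (expected for a launcher that exits), the trusted-zone entry and the AppInit_DLLs value; the AVG, Spybot and NVIDIA entries produce nothing. None of this is a verdict, only the list a reviewer then looks up by hand.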

#12 rookie147 (Members, 5,321 posts)

Posted 04 July 2008 - 02:58 PM

Things are starting to look better now, but can you run one more scanner for me please:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Edited by rookie147, 04 July 2008 - 02:58 PM.



#13 Barnabaskirk (Topic Starter, Members, 13 posts)

Posted 06 July 2008 - 10:55 AM

Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 5.1.2600 Service Pack 2

8:54:48 AM 7/6/2008
mbam-log-7-6-2008 (08-54-48).txt

Scan type: Quick Scan
Objects scanned: 53037
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WinSys2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
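
The MBAM 1.x log format above is regular enough to parse, and doing so lets you reconcile the summary counts against the items actually listed and pull out detections that were not fully removed, which is the reboot case the note in the previous post warns about. The Python below is an added example, not Malwarebytes' code and not part of the original post. It embeds the log posted above (two of the empty "(No malicious items detected)" sections omitted) and one constructed "Delete on reboot" line, labelled as such in the code, to exercise that case; the file name on that line is invented.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and reconcile it against its own summary.
Added example, not Malwarebytes' code. The log text is the one posted above; the
"Delete on reboot" line appended below is constructed to exercise the reboot case."""
import re

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 5.1.2600 Service Pack 2

8:54:48 AM 7/6/2008
mbam-log-7-6-2008 (08-54-48).txt

Scan type: Quick Scan
Objects scanned: 53037
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WinSys2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

# Constructed variant (not from the thread; the file name is invented): one file MBAM
# could only schedule for deletion at the next reboot.
MBAM_LOG_REBOOT = MBAM_LOG.replace("Files Infected: 2", "Files Infected: 3") + \
    r"C:\WINDOWS\system32\example.dll (Trojan.Agent) -> Delete on reboot." + "\n"

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
DONE = "Quarantined and deleted successfully"


def parse_mbam(text):
    """Return (metadata, summary counts, detection records)."""
    meta, summary, items, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # "Registry Keys Infected: 3"
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:                                   # "Registry Keys Infected:" opens a detail section
            section = m.group("cat")
            continue
        if section is not None:
            m = ITEM_RE.match(line)
            if m:                               # "(No malicious items detected)" does not match
                items.append({"category": section, **m.groupdict()})
            continue
        if ": " in line:                        # "Database version: 927", "Scan type: Quick Scan"
            key, value = line.split(": ", 1)
            meta[key] = value
        elif not meta:
            meta["product"] = line              # first line names the product and version
    return meta, summary, items


def reconcile(summary, items):
    """Summary counts that disagree with the items listed: {category: (claimed, listed)}."""
    listed = {}
    for it in items:
        listed[it["category"]] = listed.get(it["category"], 0) + 1
    return {cat: (n, listed.get(cat, 0)) for cat, n in summary.items() if n != listed.get(cat, 0)}


def pending(items):
    """Detections not fully removed, e.g. files MBAM could only mark for deletion at reboot."""
    return [it for it in items if it["action"] != DONE]


if __name__ == "__main__":
    for log in (MBAM_LOG, MBAM_LOG_REBOOT):
        meta, summary, items = parse_mbam(log)
        print(meta["product"], "db", meta["Database version"], "items", len(items),
              "mismatches", reconcile(summary, items), "pending", [p["path"] for p in pending(items)])
```

On the posted log the five detections parse, the summary reconciles with no mismatches and nothing is pending; on the constructed variant the reconciliation still holds and the one "Delete on reboot" item is reported, which is exactly the case where skipping the reboot leaves the machine uncleaned.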

#14 rookie147 (Members, 5,321 posts)

Posted 06 July 2008 - 11:19 AM

How do things seem to be running for you now?



#15 Barnabaskirk (Topic Starter, Members, 13 posts)

Posted 07 July 2008 - 07:47 AM

Yes, seems great.

Thanks so much.
BK



